(11 months, 1 week ago)
Lords ChamberMy Lords, I too welcome the noble Lord, Lord de Clifford, and look forward to his maiden speech. We on these Benches appreciate that there is a need for updated data protection legislation in order to keep up with the many technological advances that are taking place and, wherever possible, to simplify the processes for data processing. From this perspective, we welcome the Government’s ambition to remove unnecessary red tape and to support British businesses and our economy. However, as ever, these priorities need to be balanced alongside appropriate security of new legislation and we must ensure that there are appropriate safeguards in the Bill to protect human rights that are fundamental to our democracy.
I have been struck by just how many briefing papers I have received from the most extraordinarily diverse group of organisations. One thing that many of them highlight is the fact that, for many businesses that operate between the UK and the EU, this new legislation is no guarantee of simplified data processing. In fact, with the increased divergence between UK and EU data protection that this Bill will bring, it is worrying that we may struggle to work more closely with the EU. Working to two different standards and trying to marry two frameworks that are far less aligned does not sound like less red tape, nor does it sound particularly pro-business.
However, there is an important point in respect of the stated aims of the Bill. There are serious concerns from businesses, organisations and civil society groups across a wide range of sectors about the weakening of data protection law under this new Bill. Clause 1(2) tightens the definition of personal data, meaning that only data that could allow a processor or another party to identify the individual by
“reasonable means at the time of processing”
would count as personal data and be protected by law. As many others have drawn attention to, the use of the phrase “reasonable means” is imprecise and troubling. This will need to be more clearly defined as a minimum or the clause revoked altogether. “Reasonable means” would include the cost of identifying the individual, as well as the time, effort and other factors besides. This would allow organisations to assess whether they have the resources to identify an individual, which would be an extremely subjective test, to say the least, and puts the power firmly in the hands of data processors when it comes to defining what is or is not personal data.
As an example, GeneWatch has highlighted that, under the new Bill, some genetic information will no longer be classed as “personal data” and safeguarded as such, allowing the police and security services to access huge amounts of the public’s genetic information without needing to go to court or to justify the requirement for this data. Crucially, data protection legislation should define what is or is not personal data by the type of data it is, not by how easy or feasible it may be for an organisation or third party to use that data to identify an individual at every given point. Personal data rights must continue to be protected in this country and in our law.
The new Bill also provides vastly expanded powers to the police and security services via Clause 19 and Clauses 28 to 30. As I read them, on the surface they do not look as though they provide proper accountability; perhaps the Minister can reassure me on that. Clause 19 would review the requirement in the Data Protection Act 2018 for the police to justify why they have accessed an individual’s personal data. Clauses 28 to 30 allow the Home Secretary to authorise the police so that they do not need to comply with certain data protection laws via a national security certificate; this would give the police immunity even if they commit what would otherwise be a crime.
Taken together, these two measures give an extraordinary amount of unchecked power to the police and security services. With the amended approach to national security certificates, the police could not be challenged before the courts for how and why they had accessed data, so there would be no way to review what the Government are doing here or ensure that abuses of these powers do not take place. Can the Minister explain how such measures align with the democratic values on which this country and government are based?
The National AIDS Trust has been involved in cases where people living with HIV have had their HIV status shared, without their consent, by police officers, with a huge impact on the life of the individual in question. This is a serious breach of current data protection law. We must ensure that police officers are still required to justify why they have accessed specific personal data, as this evidence is vital in cases of police misconduct.
I am aware that there are many other concerns about this Bill. Noble Lords have touched on some of them, not least around online pornography, gambling and other matters that I hope other noble Lords will pick up on. In particular, there are doubts around the Bill’s compliance with the European Convention on Human Rights. We in this House must do our duty to properly scrutinise and, wherever necessary, amend this Bill to ensure that we have the proper legislation in place to protect and safeguard our data. I look forward to working with Ministers and Members of this House when we move into Committee on this Bill.