(6 years, 9 months ago)
Lords ChamberMy Lords, we have heard an impressive range of speeches in this debate which have demonstrated the enthusiasm of this House for museums and galleries but also, I am sad to say, illustrating many of the severe problems that they face. I must congratulate that great heritage champion, the noble Lord, Lord Cormack, on instituting this timely debate. It is only too rare that we discuss this sector which, as we have heard, makes a great contribution to our culture, our creative economy, our tourism economy, to social well-being and the quality of our lives, and to our communities. I was taken by the description of the noble Lord, Lord Monks, of museums and galleries being a stimulant for creativity and innovation, and by what the noble Lord, Lord Rees, had to say about the ongoing impact on why people eventually do what they do; it is not purely down to the schools and universities they go to. Like him, I declare a strong interest not only as a regular visitor to national museums—only last night I was at the Science Museum for “Tomorrow’s World Live”, which was pretty exciting—but to university museums as the chair of the Queen Mary University of London Council. If any noble Lord has a slight taste for the macabre, it is certainly worth while going to see the astonishing Barts Pathology Museum in the West Smithfield campus.
As the National Museum Directors’ Council points out, eight out of the 10 most popular attractions in the UK are national museums, and 51.3% of UK adults visited a museum or gallery in 2012. But as the noble Lord, Lord Cormack, made clear, inevitably the context for today’s debate was provided by the Mendoza review published last November, entitled An Independent Review of Museums in England. Before that, we had the Government’s ambitious Culture White Paper and the Culture, Media and Sport Select Committee report in December 2016. At the time of the Select Committee’s report, the then Minister for Culture, Mr Matt Hancock MP, who is now the Secretary of State of course, said that he supported the aims of the White Paper and that he would continue putting its recommendations into practice, so I take some comfort from that.
The Select Committee and the Culture White Paper both emphasise the need for access, diversification and partnership working. I say “hear, hear!” to that. The principal recommendations set out in the Mendoza review were described succinctly by the noble Lord, Lord Kirkham, while the noble Viscount, Lord Eccles, was right to pick out a particular recommendation for a clearer museums role for DDCMS. If that is not a veiled criticism, I do not know what is, and I strongly support what the noble Viscount had to say. Some good recommendations were made in the review, and I welcome the response made by Arts Council England. It states that over the period 2018 to 2022 it will invest £36.6 million per annum in museums, which is 9% of the total national portfolio spend. It has also committed that from 1 April 2018 it will open up its redesigned grants for the arts funding programme.
There are some important elements in terms of the response to the review, and I welcome the museums action plan recommended by Mendoza, which I understand will be delivered by Arts Council England and the Heritage Lottery Fund by September this year. It will also be facilitated by DDCMS, so perhaps the department is beginning to become more engaged. However, given the financial problems that many museums face, this is no guarantee of survival and we need to do more. As the noble Earl, Lord Clancarty, pointed out, the bare fact is that the Museums Association has stated that despite recognising the severe funding difficulties being experienced by many museums—the Government’s own figures show that local authority funding for museums in England was 31% lower in 2016 than in 2010—the report fails to identify any new resources or capacity to improve the sustainability of the sector, although, as the noble Lord, Lord Cormack, has pointed out, the sums involved are rather small.
There are funding issues that need tackling. When we were in coalition, a four-year pilot of operational and financial flexibilities for national museums to assist their capacity to generate commercial and philanthropic revenue and to operate efficiently was set up. What has been the evaluation of that pilot scheme? Much mention has been made throughout the debate of the importance of the National Lottery, but one of its founding principles was that there should only be one National Lottery. This is not the situation today. There is the Health Lottery, which is one in all but name. This damages its ability to raise funds for good causes, such as museums. What do the Government plan to do about that?
As a number of noble Lords pointed out, including the noble Viscount, Lord Falkland, we need to increase the appetite for philanthropic giving. There is kudos involved, but matched funding from public funds acting as an inducement is additional to that. A crucial lesson has been learned on the importance of investing in the teaching of fundraising skills. The Creative Industries Federation has argued that we need to incentivise greater corporate giving and we should consider something like the Rouanet law in Brazil, which allows companies to offset donations to the cultural sector against the corporate tax bill. There are a number of aspects that the Select Committee asked the DDCMS to work on in VAT business rates, tax incentives and so on. My noble friend Lady Grender talked of creative enterprise zones. Those are of course important.
What is the Tourism Industry Council now doing relative to museums? Why are museums not represented on it anymore? Will the tourism sector deal agreed as part of the industrial strategy encompass museums? There are many other issues that I could raise relative to museums. I hope that the DDCMS gets into hyperactive mode.
(6 years, 9 months ago)
Lords ChamberMy Lords, I strongly support this group of amendments, perhaps unsurprisingly given that they have now been brought forward in place of a series of broadly similar amendments which, as the Minister has mentioned, I tabled on Report. They achieve the same basic objective, which is to safeguard parliamentary privilege and thereby ensure that this House, along with the other place, can continue to go about its business and fulfil its vital constitutional role without inappropriate inhibitions and concerns with regard to the protection of data and privacy, which of course the Bill as a whole is rightly designed to protect.
As I made plain on Report, I was prompted to table the original amendments by and on behalf of the officials of both Houses, that is to say, the clerks and counsel, because of their concern about how, unamended as it then was, the Bill risked infringing parliamentary privilege in the various ways that the Minister has recounted. These concerns were raised and over recent months they have been discussed extensively between officials and the Bill team. Again I express my gratitude and pay tribute to the Bill team for its hugely constructive help and co-operation throughout. As now formulated, these amendments substantially and realistically meet the concerns of officials, and accordingly I welcome them.
My Lords, we should all thank the noble and learned Lord, Lord Brown, together with officials of the House, for having prompted these amendments. In thanking the Minister I want also to mention in dispatches my noble friend Lady Hamwee. She highlighted this point early on in Committee, I think to the incredulity of the House at the time because it was thought that it was only Members of Parliament who should have the exemptions in the Bill. These elegant solutions demonstrate that parliamentary privilege covers both Houses.
I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.
Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.
My Lords, I strongly support this excellent group of amendments. I declare my interests as set out in the register, particularly those in respect of the insurance industry. I am enormously grateful to the Minister for being so generous with his time in the process that has led to the birth of these amendments. His Bill team has been quite outstanding—I see some of them sitting over there—and I thank them as well. I also thank three other Members of your Lordships’ House: the noble Lord, Lord Clement-Jones —who yet again was emailing me at 11 o’clock last night —and the noble Lords, Lord Hunt of Wirral and Lord Stevenson of Balmacara, who have been great supporters in trying to make sure that the ordinary man in the street can continue to buy insurance at a good price.
I have one tiny point of clarification, which will be very easy for the Minister to answer. He talked about insurance and I have talked about insurance, but it is important that reinsurance is understood, as well as retrocession and all the other words. We are talking about the whole concept of insurance and if he could confirm that reinsurance, retrocession and other things are included, that would be very helpful.
Anyway, with this change the man in the street will be able to buy personal and business insurances that involve special category personal data and yet the GDPR will have arrived. Insurers will have to improve their game somewhat—never a problem for the good, and important for the back-markers in the industry.
My Lords, I congratulate the noble Earl on the assiduous way in which he has pursued these issues on behalf of the insurance industry, and thank the Minister for his close engagement on them. We very much welcome these amendments but I have a couple of clarificatory questions for the Minister, the answers to which would be helpful in making sure that we all understand the exact position of the insurance industry relative to these new provisions.
The proposed derogation to paragraph 13A of Part 2 of Schedule 1 does not specifically address the processing of data relating to criminal convictions or offences. First, can the Minister confirm that paragraph 28 of Part 3 of Schedule 1 may be read in conjunction with paragraph 13A of Part 2 to permit the processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management or related money laundering and anti-fraud activities? The reference in paragraph 13A to,
“racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health”,
would appear to preclude this, but we assume that this is not the intent.
Secondly, can the Minister confirm that the processing of special category data or data relating to criminal convictions or offences by insurance companies and related intermediaries, such as reinsurers and brokers, for the purposes of conducting insurance-related business and managing claims will be regarded by the Government as purposes that are in the “substantial public interest”?
My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.
If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.
The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.
The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.
My Lords, in moving that the Bill do now pass, I shall say a few words about it. The Bill has been central to my life and the lives of a number of noble Lords for many weeks now. It was accepted right from the word go as a necessary Bill, and there was almost unanimity about the importance and necessity of getting it in place by next May, taking into account that it still has to go through the other place. I am very relieved to have got to this stage. Despite that unanimity, we have managed to deal with 692 amendments during the passage of the Bill, which is a very good indication of unanimity as far as I am concerned. I have to admit that of those 692, 255 were government amendments, but that is not necessarily a bad thing. The GDPR takes effect in May and many of the things that would have been put into secondary legislation have been dealt with in the Bill. I think most noble Lords would agree that that is a good precedent. Data protection is so pervasive that the previous Data Protection Act, passed 20 years ago in 1998, is referred to around 1,000 times in other legislation, so a lot of the amendments were to make sure that when we repeal that Act and this Bill becomes law it will be consistent with other legislation.
I am very appreciative of what we achieved and the way that we did it. One thing we managed to achieve was to accept a number of recommendations from your Lordships’ House, so we changed the way that universities, schools and colleges can process personal data in respect of alumni relations; we ensured that medical researchers can process necessary personal data they need without any chilling effect; we agreed that patient support groups can process health data; we ensured a fair balance between privacy and the right to freedom of expression when journalists process personal data; and we have talked about insurers today. The noble Baroness, Lady Kidron, one of the heroes of the Bill, helped us protect children online, which we all agreed with—in the end. We amended the way that some of the delegated powers in the Bill are effective and subject to the right parliamentary oversight.
I thank the Front Benches for their co-operation. This is meant to be the last Bill for the noble Lord, Lord Stevenson. I doubt that. Every time he says that, he comes back. He had a good team to help him: the noble Lords, Lord Kennedy and Lord Griffiths of Burry Port. It was the first Bill for the noble Lord, Lord Griffiths; if he can survive this, he can survive anything. I am sure we will see a lot of him in future. I thank the noble Lords, Lord Clement-Jones and Lord Paddick. I should have mentioned the noble Baroness, Lady Hamwee, and acknowledged her position on the privilege amendment. I must say that the way she withdrew her amendments one after the other on Report is a very good precedent for other legislation that might be coming before your Lordships’ House soon.
The Bill team has been mentioned several times, not only today but all through the passage of the Bill. The members of the team have been outstanding. They have worked incredibly hard. I should like to mention Andrew Elliot, the Bill manager, Harry Burt, who worked with him, Jagdeep Sidhu and, from the Home Office, Charles Goldie. They have all done a tremendous job and been great to work with.
Lastly, I have had a galaxy of talent to help me with large parts of the Bill. My noble friends Lady Williams, Lady Chisholm and Lord Young of Cookham and my noble and learned friend Lord Keen have made my life very easy and I am very grateful to them. I beg to move.
My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.
We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.
I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.
There is just a slight sting in the tale. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.
Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.
Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:
“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.
On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.
My Lords, from this side of the House, I also thank the Bill team, as I think I can call them. What we faced when we first came across the Bill was a beast—a beast dressed up as legislation but a beast in many ways. As the Minister said, we got round most of it but then discovered there were another 250 amendments coming down the track from the Government. Although they were dressed up as being small, trivial things, you have to read them and understand them, and they add a little to one’s workload.
If we did not learn to love the Bill, we certainly at least respect it. It is a good Bill, now much better than it was before. I hope it will have the longevity of its predecessor, the 1998 Act. It has the same aspirations and aims but, because of the inclusivity of the age-appropriate design and other matters that the noble Lord, Lord Clement-Jones, mentioned, it also begins to shape the debate that we still need to have about how and under what conditions we as a mature democratic society wish to engage with those who provide information, data, statistics, facts, communications and other things in relation to the electronic world in a way that is, if not comparable to, at least as effective as what is applied in the current non-virtual world. That is not the subject of the Bill, I am afraid, but it is something that will trouble this House now and in the future. We should not shy away from it because at its heart lies the future of our society. Morality and ethics are dimensions that we have not yet touched on in the Bill; they are still to come. They may well be foreshadowed for us by the creation of a data ethics commissioner of some kind. I welcome that and hope it will come forward quickly. Without it, we really are not in a very good place, despite the strength of the Bill.
For my part I am grateful to my noble friend Lord Kennedy and to my apprentice—if I can call someone of such distinguished age and experience that—my noble friend Lord Griffiths of Burry Port, who is going to take over my responsibility here in the main, although, as the Minister said, I am not leaving the Front Bench; I am simply moving sideways to accommodate those with greater skills and abilities than I have myself.
I have enjoyed the Bill tremendously. It is the sixth Bill that I have done with DCMS, and five of those have been with the current team. With familiarity comes a certain ability both to see through the artifices as they come at you but also to recognise a true offer when it comes, and both sides have benefited from that. We understand some of the pressures a bit more, particularly the difficult time that any Bill team has when it is agreed to move forward but the processes and procedures in Whitehall are so slow that they cannot keep pace with our aspirations for doing it. That is very frustrating for all concerned.
On that point, but not related to the mechanics, there is a question that the House must address at some point in the near future. What happens when it is agreed around the House, through Second Reading and Committee and approaching Report, that a desired amendment would bring public good but it cannot be moved because it falls outwith the narrow scope of the Bill, is a frustration that we have all encountered on this Bill and the previous Bill that I was involved with. There is a solution to that which should be discussed by the Procedure Committee. I hope it will do so in the near future, and I will be writing to it to that effect.
The Bill team have been absolutely fantastic. I gave them a rousing welcome when they first arrived because they have a trick at DCMS, which I recommend to all departments, of bringing together in one place at the very beginning of the process all the documents that you need to work out what you are talking about. If only every Bill team did that, we would all have much easier lives. They did it again this time, and it was fantastic. I have enjoyed working with them; their professionalism and efficiency were wonderful and a great help to us. Our support is minuscule in comparison; effective and efficient though Nicola Jayawickreme and Dan Stevens are, there are only two of them to support all our work. I wish to ensure that our sincere appreciation is on the record.
This has been an enjoyable ride. I have had a great time, waxing lyrical on things I did not think I would ever want to talk about. I hope that the Bill passes, and that when it comes back we will be able to deal with it expeditiously and appropriately.
(6 years, 9 months ago)
Lords ChamberMy Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.
I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.
Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.
On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.
Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.
The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.
I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.
We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.
I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.
I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.
Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.
Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.
Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.
My Lords, can the Minister explain what the trigger is for the payment of the fees?
A charge will need to be paid if you are the data controller.
That is not what I meant. That is not a trigger; it is notification by the data controller.
If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
My Lords, I will also speak to Amendment 108. The points I am addressing were glossed over in Committee, and I now wish to expand on this important issue.
Data is the new oil. This has been said many times in your Lordships’ House, but as each day passes it becomes more true. Without stretching the analogy too far, in our country big data is about to become the 21st-century equivalent of North Sea oil. Because big data has such value, it will come as no surprise to see big tech companies swarming all over it. They have to because it is their lifeline. Many of our public bodies, particularly the NHS, are custodians of massive amounts of data, which big tech is eager to get its hands on. But we as legislators who act for the public good also have a responsibility to ensure that the public are protected and that, simply put, our treasure is not taken from us without clear authority or appropriate recompense. The data the public bodies hold belongs to us all. It is ours—our communal property—and we must tread carefully.
I will make one point as strongly as I can. I am a product of the data revolution; I have been professionally involved in the digital industry for over 50 years. For 40 of those I was an IT serial entrepreneur. This industry has been good to me; I fully understand that the tech sector needs light regulation. I know that at its best the digital revolution is a force for good but, equally, I know the dangers it poses, so I am trying to be cautious in what I propose. We stand at a crossroads. Computing power has reached astronomical capabilities, software is increasingly complex and artificial intelligence is now making dramatic inroads. Plus, we see the exponential availability of digital data. All these have contributed to the creation and brilliance of algorithms. The one thing we know for certain is that these exciting developments will keep on growing at exponential rates. In medicine, for example, new tools are being developed that are already enhancing diagnostic and treatment capabilities that could benefit all manner of healthcare, in particular our ageing population.
I welcome these developments, as I am sure we all do, many of which have come from our own private sector, and we should rejoice at this example of British expertise. However, at the same time we need to strike a balance between the ambitions of 21st century businesses and the responsibility of government to steward assets and resources of national significance so that the proceeds of technological developments benefit us all. My two amendments seek to codify how valuable, publicly controlled personal data is shared with big tech companies, and to ensure that financial returns, combined with wider social, economic and environmental benefits, are optimised.
I can best demonstrate the scale of this issue if I refer to the NHS. Ever since its formation in 1948—maybe they were kept even before that—the NHS has kept records of tens of millions of patients, literally from cradle to grave. These records are either in written form, or increasingly in digital format, but the magnitude of the collected data is huge. Very few countries can match the length and depth of the health records that the NHS is trusted to retain on behalf of the general public. Such data is called longitudinal data and, when it is bundled together, has great commercial value.
At Second Reading I gave the example of a company called DeepMind, which is a British subsidiary of Google. I visited DeepMind, which is an impressive organisation based here in London. It has purchased access to millions of anonymised data records from institutions such as the Royal Free and Moorfields Eye Hospital. It does not buy this data outright—it does not have to. It simply buys access. Such access enables it and companies like it to use very powerful computers and very sophisticated software to process millions of records with the help of artificial intelligence and machine learning.
This synthesising of data using AI capabilities is designed to produce algorithms, and it is these algorithms that become the product that companies such as DeepMind are able to monetise. They do this by selling the algorithms and their consulting services to the likes of pharmaceutical companies and healthcare providers and even back to the NHS itself. It is a global business and very profitable. At the Royal Free, these algorithms are being used to detect the early onset of kidney disease. At Moorfields Eye Hospital, also here in London, spectacular advances have occurred in similarly detecting potential optical problems.
This is data processing used for the benefit and enhancement of all mankind and we should welcome it. However, I am concerned that this precious and unique data is being offered to big tech companies by our public bodies in the absence of clear and consistent guidelines and without asking how best to obtain value for money in the broadest sense of the term.
Having dealt with big tech companies for most of my life, I know that they are staffed with exceptionally clever people and are no slouches at driving hard bargains. Unlike our NHS, they are not consumed with the day-to-day preoccupation of trying to balance their current budgets; with hundreds of billions of dollars in the bank, they can afford to play the long game, and it is easy to see who holds the aces in any negotiation. Put simply, I wish to protect our public bodies and ensure that we do not give away our inheritance. That is why we need to codify how we will obtain value for money from the sharing of data of national significance with the private sector.
My proposal is not just for the NHS and it is not just for now. All public bodies need protection and guidelines today and well into the future. That is why I have introduced my amendments. In Amendment 107B I seek, first, to require the Information Commissioner to maintain a register of publicly controlled personal data of national significance and, secondly, to prepare a code of practice containing practical guidance in relation to personal data of national significance. These are defined in subsection (2). In Amendment 108 I have set out the requirements of the code on personal data of national significance.
My Lords, I want briefly to express sympathy with the noble Lord, Lord Mitchell. I share many of his concerns but essentially I think that we should look on the most optimistic side. I hope that he is also really describing the opportunities that can be made available with this kind of data, provided that it is accessible in the way described. I know that the noble Lord takes considerable inspiration from Future Care Capital’s report on intelligence-sharing unleashing the potential of health and care data in the UK to transform outcomes. I thought that it was very good and well considered.
The noble Lord has put down a very important marker today but my one caveat is that I am not sure that there is yet a settled view about how to deal with this kind of data. In Committee we talked about data trusts. In her AI review, Dame Wendy Hall also talked about data trusts. I know that we need to head in a direction that gives us much more assurance about the use of the data in the way that the noble Lord, Lord Mitchell, has described, but I am not sure we have quite reached a consensus around these things to come to the decision that this is the best possible model.
(6 years, 9 months ago)
Lords ChamberMy Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.
By way of background, Clause162(3) and (4) provide a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.
As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.
A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.
We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.
My Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.
I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.
Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.
My Lords, I thank the Minister for his response and am only sorry that I, rather than the noble Lord, Lord Stevenson, have the privilege of responding. The Minister came back, I thought, very helpfully. The noble Baroness, Lady Kidron, made a superb case for these rights to be implemented earlier rather than later. If we are creating all those new rights for children under the Bill, as she says, we must have a mechanism to enforce them. I believe the Minister said that the review would be two years after the Bill comes into effect. I hope that that is an absolute—
Let us hope that that is treated as an important timetable. I was interested that the Minister expressed his sympathy—I know that that was genuine—but then went on to talk about risks and pitfalls, and very significant developments, which all sounded a bit timid. I understand that we are in relatively novel territory, but it sounded rather timid in the circumstances, especially where the rights of children are concerned.
One point the Minister did come back on was group litigation orders. Class actions are very different from the kinds of representative action that we are talking about under these amendments. For example, they would be anonymous and the consent of the data subject would not have had to be acquired, unlike with a class action. They are very different, which is worth pointing out. There are some egregious issues in terms of the use of people’s data—the Equifax case, Uber, and so on. We need to remind ourselves that these are really important data breaches and there need to be remedies available. We, on this side of the House, and those on the Benches of the noble Baroness, Lady Kidron, will be vigilant on this aspect.
The one area of clarification that I did not receive from the Minister was whether this would apply to processing of personal data that was not under the GDPR. Will it be under the applied GDPR, and would that apply?
I think it applies to the whole thing, but if I am wrong, I will certainly write to everyone who is here.
My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.
Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.
My Lords, I hear what the noble Viscount said about the amendment, but the problem is that even the affirmative resolution procedure is not necessarily a good way to test the framework. The noble Lord, Lord Stevenson, was unusually kind about the Government’s framework. As he said, the Secretary of State can produce a framework that applies data protection to his own department; ignore what the Information Commissioner says about the framework; lay his own framework for Parliament through the negative procedure—I take the noble Viscount’s point about the affirmative procedure—which means it is very unlikely to get much scrutiny; and raise barriers against the ICO’s enforcement mechanism. He can then, as part and parcel of the framework, extend or introduce frameworks to include any other public sector body. Frankly, the Secretary of State can pretty much do what he or she wants. We should not be saying that the framework is essentially like a statutory code of practice; it is a very different animal.
This is our first debate on the architecture that the Government have imposed. In Committee the Minister produced a whole raft of amendments introducing the framework and we did not have a chance to scrutinise it properly. The Information Commissioner is not very happy with this architecture either. That is utterly clear. It is not just opposition parties or organisations such as medConfidential that are unhappy. The ICO has stated:
“The Commissioner understands the needs for government departments and public bodies to be clear about the legal basis for undertaking the functions and this is particularly true when processing personal data. However the provisions as drafted appear to go beyond this limited ambition and create different risks that must also be considered. She has made clear her concerns to government and these are set out below”.
I should very much like to hear what sort of dialogue the Government have had with the ICO because, frankly, at the moment they seem to be overriding any powers or involvement that she has in this framework. I am afraid that I am raising the temperature slightly at this time of night, but the framework for government data protection is not in fact data protection at all.
To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.
My Lords, I am grateful to all those who have participated. I take on board what the noble Lord, Lord Clement-Jones, said about our brief debate on the final day in Committee, so we can do a bit tonight. I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out. I am going to duck, if I may, the argument about the affirmative procedure and whether it should be amendable, particularly given other Bills that are coming before this House soon. After all, I was only reappointed yesterday.
It is helpful to have this opportunity to further set out the purpose and operation of Clauses 175 to 178 and, in doing so, explain why the amendments in this group are unnecessary—except, of course, the government amendments. As noble Lords will now be aware, the Bill creates a comprehensive and modern scheme for data protection in the UK. No one is above the law, including the Government. That partly answers the point made by the noble Lord, Lord Clement-Jones. The Secretary of State cannot do whatever she or he wants because they are subject to the GDPR and the Bill, like everyone else. When I go further and explain the relationship between this framework and the ICO’s guidance, if it is issued, I hope that will further reassure noble Lords.
While we are on this subject, the reason the Bill uses the term “framework” is that it uses the term “code of practice” to refer to a number of documents produced by the Information Commissioner. As this document will be produced by the Government, we felt that it would be clearer not to use that term in this case. It is purely a question of naming conventions—nothing significant at all.
Inherent in the execution of the Government’s functions is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is therefore intended to set out the principles and processes that the Government must have regard to when processing personal data. Government departments will be required to have regard to the framework when processing personal data. This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate. This sector, or organisation-specific guidance, coexists with the overarching guidance provided by the Information Commissioner.
This framework adopts a similar approach; it is the Government producing guidance on their own processing of data. The Information Commissioner was consulted during the preparation of these clauses and will be consulted during the preparation of the framework itself to ensure that the framework complements the commissioner’s high-level national guidance when setting out more detailed provision for government.
My Lords, the Minister said that the Information Commissioner was consulted, but what was her view? Can the Minister put on record what the Information Commissioner’s view about the final architecture was? She has made it fairly clear to us that this is not satisfactory, as far as she is concerned.
When I said that she was consulted, I said what I meant. This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner. I think that she is worried about complications regarding independence and the extent of her authority in this. I am not pretending that she is completely happy with this, but I hope that I will address how the two interlink and we can come back to this if the noble Lord wants. I acknowledge his point that she is not completely happy with this but, as I said before, it is one of the few areas in the whole Bill where that is the case. Certainly, we have a very good relationship with the Information Commissioner, as evidenced earlier this evening by her agreement on pay and flexibility. Importantly though, whatever she thinks of it, she will be consulted during the preparation of the framework itself to ensure that it complements the commissioner’s high-level national guidance when setting out more detailed provision for the Government.
As I explained in Committee, the Government’s view is that the framework will serve to further improve the transparency and clarity of existing government data processing. The Government can and should lead by example on data protection. Amendment 176 is designed to address concerns about the potential for confusion if the framework is produced by the Government, I respectfully suggest that these concerns are misplaced. The Secretary of State’s framework will set out principles for the specific context of data processing by government. It will, as I have set out, complement rather than supplant the commissioner’s statutory codes of practice and guidance, which will, by necessity, be high level and general as they will apply to any number of sectors and organisations.
Requiring the commissioner to dedicate time and resources to producing guidance specifically for the Government, as the noble Lord’s amendment would require, would hardly seem to the best use of her resources. Just like a sectoral representative body, it is the Government who have the experience and knowledge to devise a framework that speaks to their own context in more specific terms.
I am sorry to keep interrupting the Minister, but is he therefore saying that the frameworks cover government and that the ICO’s codes of practice cover government as well?
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
(6 years, 10 months ago)
Lords ChamberMy Lords, the Government must be quaking in their shoes whenever a Back-Bencher offers to come to their help. I looked across at the Dispatch Box when I heard the noble Lord, Lord Moynihan, make that offer and I saw a definite quiver come over the Minister’s face. Clearly, we are in for something rather interesting. We were entertained by the noble Viscount, Lord Falkland, with his worries about the BHA, but he said he thought that it is really quite simple at the end of the day—we need to keep the money out and sort out the betting influences that are affecting all our sports. He is absolutely right. The public have come to the end of their tether and it is time that we got this sorted: we have to keep sport clean and eliminate cheating. The data is key to this, as the noble Lord, Lord Moynihan, said.
We expect a great deal of our athletes in terms of their whereabouts and their strict liability, so we have to make sure that the systems under which they operate are fair, properly organised and regulated. In short, we have such high stakes in this that we have to be sure that we up our game—I am sorry about the puns. We should be clearer than we are at the moment about who has responsibility for what and how it is operated, and that is what this amendment is about. DCMS needs a stronger NDPB, in the form of UKAD or a successor body, and there needs to be an authority exercised with care and consideration as to how the rules will apply and to whom they apply. All these definitional points, all the concern about where it goes, are tied up in that set of constructs, which is what this amendment deals with. I think it is very powerful.
If noble Lords look back at the way in which a state was able to influence the way that the drug-testing system operated in the winter Olympic Games in Russia, they will understand how this thing has got to a new level of concern. We must have appropriate safeguards and ways of operating in place to insulate those who are trying to do the right thing from the charge that they are involved too closely. The public will stand for no less. I recommend this amendment very strongly and we will support it should it be necessary to take it to a vote. I hope that that will not be necessary, because as the noble Lord, Lord Moynihan, said, this is an area of such importance that the right thing to do would surely be for the Government to accept this amendment today and bring it back at Third Reading with a proper wording and proper consideration that will reassure any who still doubt it. In the interim, we will support it if necessary.
My Lords, as ever the noble Lord, Lord Moynihan, made his case extremely well. We on these Benches share his objectives and, indeed, most of the objectives of the noble Lord, Lord Stevenson, around clean sport, particularly putting UKAD on a statutory footing and having a proper framework around the powers in the Bill.
I know that the noble Lord, Lord Moynihan, feels that these need a proper definition and control. However, despite the noble Lord’s best efforts this amendment is not the finished article. Sadly, there are still discussions taking place. Noble Lords have had a great deal of material from governing bodies, including the England and Wales Cricket Board, the Rugby Football Union, the British Horseracing Authority and the Sport and Recreation Alliance, which by itself represents some 320 organisations.
Further discussions need to take place so that we get to an agreed position. I feel very uncomfortable at this point. All those governing bodies may be speaking with different voices, as the noble Lord, Lord Moynihan, suggests, and he has entered discussion with them in good faith, but other voices have come to us saying that they are not yet able to accept what he has put forward. There is still work to be done. I very much hope that the Minister will take on board the fact that many of us around the House, particularly on these Benches, want those conversations to continue and an agreed amendment to be brought forth at Third Reading.
My Lords, I will speak also to a number of other amendments to Clause 13 in this group. I regret that the rules of drafting on Report mean that I was not able to produce a consolidated clause; it is rather bitty in the way it is presented in the amendments, but I very much hope that the Minister will be able to interpret the bits as eventually forming a perfectly-formed whole and a much preferable alternative Clause 13. In addition to those amendments I will speak to Amendment 41, which constitutes a new clause after Clause 13.
Clause 13 concerns the prohibition and exemptions around significant solely automated decisions. However, it can be confusing. There are three grounds on which such decisions are permitted under the GDPR: to enter or to perform a contract, to give explicit consent or to be authorised under UK law. Clause 13 concerns only the safeguards for the last category. Therefore, our amended version of Clause 13 has the following important four aims.
First, it clarifies that an individual’s ability to claim that a decision had a significant effect on them—a prerequisite for triggering any of the protections that the GDPR has to offer relating to automated decision-making—can be grounded in a significant effect on a protected group under the Equality Act 2010. The Equality Act is a strong piece of legislation, but it contains no information rights for individuals to investigate suspicions of machine bias or illegal discrimination. Given that the Information Commissioner will already be overloaded with work, given the changes accompanying the GDPR and the speed of technological development, this is a simple and crucial check and balance that will strengthen enforcement of not just data protection but many UK laws.
Secondly, the amendments further clarify that in order to claim that a decision was not solely automated—and therefore benefiting from none of this clause’s protections—there must be “meaningful human input”. The Minister argued in Committee that this is,
“precisely the meaning that that phrase already has”.—[Official Report, 13/11/17; col. 1869.]
Unfortunately, we have reason for concern because, in respect of identical wording in the 1995 data protection directive, German courts, for instance, have previously read “solely” in a restricted, narrow sense. Therefore, having such clarification in the Bill would ensure that the Minister’s understanding of the protection afforded to data subjects is the protection they will receive. This clarification is in line with the article 29 working party guidance—I recognise that the Minister corresponded with me on the subject of article 29 guidance—but it takes us closer to an adequacy agreement if one is sought upon leaving the EU.
Thirdly, the Explanatory Notes in paragraph 115 promise a safeguard that is not found in any of the articles of the GDPR, nor the safeguards laid out by the Government: a right to,
“an explanation of the decision reached after an assessment”.
The cause of this is that its position is in a non-binding recital, and there is a contradiction between the recitals and the main text. This is easily rectified for the decisions authorised by law, as the purpose of Clause 13 is to specify safeguards for these particularly impactful and largely public sector decisions.
It is included as well to indicate—in a very similar way to a recent French law on exactly the same issue—what such an explanation should provide to be useful. These explanations are possible even with black box algorithms. I have tabled an additional simple amendment to include this safeguard explicitly for automated decisions authorised by consent or contract, not just those authorised by law.
My Lords, I thank the Minister for that helpful unpacking of the amendments. I hope that the ICO will read her speech because, in essence, it has helpfully brought together a series of glosses on automated decision-making and the rights of the data subject. My amendments tried to bring together those rights specifically on the face of the Bill. The fact that the Minister had to unpack them from quite a number of articles and recitals demonstrates just how opaque is the GDPR for many of us, including those of us who have spent many weeks in the salt mines—it is no less opaque than when we started. Her response was extremely helpful. I hope that some sort of explanatory memorandum produced by the ICO might help because many of us around the House are trying to future-proof the Data Protection Bill so that we do not have to keep coming back and invoking Clause 15, Clause 9 and so on—whatever our differences may be about Henry VIII powers. We want to come to some conclusions while the Bill is going through and really understand what the rights of the data subject are in the face of increasing use of algorithms and so on.
There are just a couple of areas in which I should push, in particular the article 29 working group guidance on “meaningful”. None of us really knows what the status of the article 29 working group will be. Will we have a 29 March 2019 working group? Does everything change after that or not? If we are relying on that kind of interpretation, we need to have a pretty clear idea and a pretty good statement from the Government that it will continue after Brexit.
Where I am still unpersuaded and thought the argument was not really as good as it could have been was over my Amendment 41, on recital 71. Children are not adequately drawn into the legislation or protected from automated decision-making—that was the reason for proposing that additional clause.
I will withdraw my amendment, but I will read very carefully what the Minister has had to say. I am sure we will have many more happy hours corresponding in this area, because it will provide grist to the mill for quite a number of observers who are extremely interested in the consequences of artificial intelligence and the data it uses. I beg leave to withdraw the amendment.
I, too, support the amendment. I raised this issue at Second Reading and pointed to the work of the ethics committee of the IEEE, which has done a lot of work on this. This is not as blue sky as the noble Lord suggested; this is indeed the direction of travel.
My Lords, I am inspired by the last two speeches to add some words here. This is a very imaginative amendment. There is a great debate about ownership or control of one’s personal data, and this may be an elegant solution to some of that in future, although I suspect that the noble Lord, Lord Stevenson, may be right in his prediction about the Government’s response at this stage. Again, it is a bit of future-proofing that we really should think about.
If the Government do not like this, how do they think portability will work? If portability is to be a substantive right that can be taken advantage of under the GDPR, this is a very good way to make sure that data can then be inserted into a vehicle as a result of it having been sought in a portable way. This could be a very imaginative way to give teeth to the right of portability. I shall be extremely interested to hear how, otherwise, the Government think it will take effect.
My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.
I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.
The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.
Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?
I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.
(6 years, 10 months ago)
Lords ChamberMy Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?
At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
(6 years, 10 months ago)
Lords ChamberMy Lords, I remind the House of my interest as master of Pembroke College, Cambridge. I give a warm welcome to Amendments 3, 4 and 5, and I am grateful that Ministers have listened to the concerns of universities and colleges and very helpfully addressed them in these amendments. I know I speak also for the noble Baroness, Lady Royall, in this respect.
The two most important issues that have been of concern to universities and colleges have been, first, maintaining good relationships with alumni and the way in which that can lead to successful fundraising for universities and, secondly, the need constantly to improve what we do in outreach work to schools and the widening of participation from the broadest base of potential students to draw them into the best of our universities. In both these respects, relying on legitimate interests, as we do at the moment, is going to be extremely helpful. I very much hope that that is the Government’s understanding of the purpose and effect of the amendments.
My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.
Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.
Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.
There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.
I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.
My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.
I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.
The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?
I think that gets more rather than less muddling, but I think I see where the noble Lord is coming from.
The amendment should relate to and rely either on article 6(1)(e) or (f). That should solve any possibility raised by the noble Lord.
(6 years, 10 months ago)
Lords ChamberMy Lords, I will speak to Amendment 117 in my name, but before I do I warmly congratulate my noble friend Lady Kidron on obtaining this important code of practice for children. I apologise for not having spoken in the debate on this Bill previously, but Amendment 117 is significant and is also a children’s rights issue.
If there is to be—correctly—a sensitivity concerning age-appropriate understanding by children in relation to information services, the same should be no less true in the school setting, where personal data given out ranges from a new maths app to data collected by the DfE for the national pupil database. A code of practice needs to be introduced that centres on the rights of the child—children are currently disempowered in relation to their own personal data in schools. Although not explicitly referred to in this amendment, such a code ought to reflect the child’s right to be heard as set out in Article 12 of the UN Convention on the Rights of the Child. Among other things, it would allow children, parents, school staff and systems administrators to build trust together in safe, fair and transparent practice.
The situation is complicated in part by the fact that it is parents who make decisions on behalf of children up to the age of 18; although that in itself makes it even more necessary that children are made aware of the data about themselves that is collected and every use to which that data may be put, including the handing on to third-party users, as well as the justification for so doing. The current reality is that children may well go through life without knowing that data on a named basis is held permanently by the DfE, let alone passed on to others. There may, of course, be very good research reasons why data is collected, but such reasons should not override children’s rights, even as an exemption.
It is because there is no clear code of practice for a culture of increased data gathering in the school setting that we now have the current situation of growing controversy, enforcement and misuse. It is important, for instance, that both parents and children, in their capacity to understand, are made aware—as schools should be—of what data can be provided optionally. However, when nationality and place of birth were introduced by the DfE last year, many schools demanded that passports be brought into the classroom. In effect, the DfE operated an opt-out system. The introduction of nationality and place of birth data also raises the question of the relevance of data to improving education and its ultimate use. Many parents do not believe that such data has anything to do with the improvement of education. Last week, Against Borders for Children, supported by Liberty, launched an action against the Government on this basis.
There is now also considerable concern about the further expansion of the census data in January next year to include alternative provision data on mental health, pregnancy and other sensitive information without consent from parents or children, with no commitment to children’s confidentiality and without ceasing the use of identifying data for third-party use.
It was only after FOI requests and questions from Caroline Lucas that we discovered that the DfE had passed on individual records to the Home Office for particular immigration purposes. As defenddigitalme said, such action,
“impinges on fundamental rights to privacy and the basic data protection principles of purposes limitation and fairness”.
I appreciate that as the Bill stands such purposes are an exemption, but teachers are not border guards.
In 2013, a large number of records were passed to the Daily Telegraph by the DfE. In an Answer given on 31 October this year by Nick Gibb to a Question by Darren Jones, he incorrectly said that individuals could not be identified. There is no suggestion that there was any sinister intent, but many parents and schoolchildren would be appalled that a newspaper had possession of this data or that such a transfer of information was possible. Moreover, in the same Answer he said that he did not know how many datasets had been passed on. This is unacceptable. There needs to be a proper auditing process, as data needs to be safe. It is wrong too that a company may have more access to a pupil’s data than the pupil themselves, or indeed have such data corrected if wrong.
It is clear that from the Government’s point of view, one reason for having a good code of practice is to restore confidence in the Government, but this should not be the main reason. In September, Schools Week reported that the Information Commissioner’s Office was critical of the current DfE guidance, which is aimed at schools rather than parents or children and is, in the main, procedural. It said that rights were not given enough prominence. Both children and parents need to be properly informed of these rights and the use to which data is put at every stage throughout a child’s school life and, where applicable, beyond.
My Lords, I add my very strong welcome for this amendment to the very strong welcome from these Benches. I endorse everything that my noble friend Lord McNally said about the noble Baroness, Lady Kidron, and her energy and efforts. In fact, I believe that she was far too modest in her introduction of the amendment. I agree with the noble Lord, Lord Best, that, quite honestly, this is essentially a game-changer in the online world for children. As he said, the process of setting standards could be much wider than simply the UK. As the noble Lord, Lord Puttnam, said, these major tech companies need to wake up and understand that they have to behave in an ethical fashion. Having been exposed to some of the issues in recent weeks, it is obvious to me that as technology becomes ever more autonomous, the way tech companies adopt ethical forms of behaviour becomes ever more important. This is the start of something important in this field. Otherwise, the public will turn away and will not understand why all this is happening. That will inevitably be the consequence.
My Lords, in moving Amendment 8 I will speak to Amendment 21. I will be a little longer than perhaps those waiting on their dinner would like. I apologise for that, but this is an important set of amendments for those wishing to make use of new technologies using biometrics.
In Committee the Minister focused on the use of biometrics in a clear context, such as using a fingerprint to unlock a mobile device. In that context he may be correct to say that the enabling of this security feature by the user constitutes consent—although without a record of the consent it would still fall short of GDPR requirements. However, the contexts I was aiming to cover are those where the biometric data processing is an integral part of a service or feature, and the service or feature simply will not function without it.
Other contexts I was looking to cover include where banks decide to use biometric technology as extra security when you phone up or access your account online. Some banks offer this as an option, but it is not hard to envisage this becoming a requirement as banks are expected to do more to protect account access. If it is a mandatory requirement, consent is not appropriate—nor would it be valid. HMRC has begun to use voice recognition so that people will not have to go through all the usual security questions. If HMRC does this after 25 May 2018 it could be unlawful.
This is certainly the case with biometric access systems at employment premises. It is also the case where biometrics are used in schools and nurseries, such as for access controls and identifying who is picking up a child. In schools, biometrics are sometimes used to determine entitlements, such as free meals, in a way that does not identify or risk stigmatising those who receive them, and avoids children having to remember swipe cards or carry money.
In these contexts, providing an alternative system that does not use biometrics would probably undermine the security and other reasons for having biometrics in the first place. Without any specific lawful basis for biometric data, organisations will rely entirely on the Government, the ICO and the courts, accepting that their uses fall within the fraud prevention/substantial public interest lawful bases and within the definition of “scientific research”.
The amendments are designed to meet all these objections. In particular, the research elements of the amendments replicate the research exemption in Section 33 the Data Protection Act 1998. The effect of this exemption is that organisations processing personal data for research purposes are exempt from certain provisions of the Act, provided that they meet certain conditions. The key conditions are that the data is not used to support measures or decisions about specific individuals and that there is no substantial damage or distress caused by the processing.
In this context—I am afraid this is the reason for taking rather longer than I had hoped—it is important to place on the record a response to a number of points made in the Minister’s letter of 5 December to me about biometric data. First, he said:
“As you are aware, the General Data Protection Regulation … regards biometric data as a ‘special category’ of data due to its sensitivity”.
This is precisely why the amendment is needed. The change in status risks current lawful processing becoming unlawful. This type of data is being processed now using conditions for processing that will no longer be available once it becomes sensitive data.
I may have to add later to what I have said, which I think the Minister will find totally unpalatable. I will try to move on.
The Minister also said:
“You are concerned that if consent is not a genuine option in these situations and there are no specific processing conditions in the Bill to cover this on grounds of substantial public interest. Processing in these circumstances would be unlawful. To make their consent GDPR compliant, an employer or school must provide a reasonable alternative that achieves the same ends, for example, offering ‘manual’ entry by way of a reception desk”.
Consent is rarely valid in an employment context. If an employer believes that certain premises require higher levels of security, and that biometric access controls are a necessary and proportionate solution, it cannot be optional with alternative mechanisms that are less secure, as that undermines the security reasons for needing the higher levels of security in the first place: for example, where an employer secures a specific office or where the staff are working on highly sensitive or confidential matters, or where the employer secures a specific room in an office, such as a server room, where only a small number of people can have access and the access needs to be more secure.
Biometrics are unique to each person. A pass card can easily be lost or passed to someone else. It is not feasible or practical to insist that organisations employ extra staff for each secure office or secure room to act as security guards to manually let people in.
The Minister further stated:
“You also queried whether researchers involved in improving the reliability or ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. Article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing that appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards of clause 18 of the Bill. For the purposes of GDPR, ‘scientific research’ has a broad meaning. When taken together with the obvious possibility of consent-based research, we are confident that the Bill allows for the general type of testing you have described”.
It is good to hear that the Government interpret the research provisions as being broad enough to accommodate the research and development described. However, for organisations to use these provisions with confidence, they need to know whether the ICO and courts will take the same broad view.
There are other amendments which would broaden the understanding of the research definition, which no doubt the Minister will speak to and which the Government could support to leave no room for doubt for organisations. However, it is inaccurate to assume that all R&D will be consent based; in fact, very little of it will be. Given the need for consent to be a genuine choice to be valid, organisations can rarely rely on this as they need a minimum amount of reliable data for R&D that presents a representative sample for whatever they are doing. That is undermined by allowing individuals to opt in and out whenever they choose. In particular, for machine learning and AI, there is a danger of discrimination and bias if R&D has incomplete datasets and data that does not accurately represent the population. There have already been cases of poor facial recognition programmes in other parts of the world that do not recognise certain races because the input data did not contain sufficient samples of that particular ethnicity with which to train the model.
This is even more the case where the biometric data for research and development is for the purpose of improving systems to improve security. Those employing security and fraud prevention measures have constantly to evaluate and improve their systems to stay one step ahead of those with malicious intent. The data required for this needs to be guaranteed and not left to chance by allowing individuals to choose. The research and development to improve the system is an integral aspect of providing the system in the first place.
I hope that the Minister recognises some of those statements that he made in his letter and will be able, at least to some degree, to respond to the points that I have made. There has been some toing and froing, so I think that he is pretty well aware of the points being raised. Even if he cannot accept these amendments, I hope that he can at least indicate that biometrics is the subject of live attention within his department and that work will be ongoing to find a solution to some of the issues that I have raised. I beg to move.
My Lords, I wonder whether I might use this opportunity to ask a very short question regarding the definition of biometric data and, in doing so, support my noble friend. The definition in Clause 188 is the same as in the GDPR and includes reference to “behavioural characteristics”. It states that,
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data”.
Well:
“There’s no art
To find the mind’s construction in the face”.
How do behavioural characteristics work in this context? The Minister may not want to reply to that now, but I would be grateful for an answer at some point.
My Lords, I thank the noble Lord, Lord Clement-Jones, for engaging constructively on this subject since we discussed it in Committee. I know that he is keen for data controllers to have clarity on the circumstances in which the processing of biometric data would be lawful. I recognise that the points he makes are of the moment: my department is aware of these issues and will keep an eye on them, even though we do not want to accept his amendments today.
To reiterate some of the points I made in my letter so generously quoted by the noble Lord, the GDPR regards biometric data as a “special category” of data due to its sensitivity. In order to process such data, a data controller must satisfy a processing condition in Article 9 of the GDPR. The most straightforward route to ensure that processing of such data is lawful is to seek the explicit consent of the data subject. However, the GDPR acknowledges that there might be occasions where consent is not possible. Schedule 1 to the Bill makes provision for a range of issues of substantial public interest: for example, paragraph 8, which permits processing such as the prevention or detection of an unlawful act. My letter to noble Lords following day two in Committee went into more detail on this point.
The noble Lord covered much of what I am going to say about businesses such as banks making use of biometric identification verification mechanisms. Generally speaking, such mechanisms are offered as an alternative to more conventional forms of access, such as use of passwords, and service providers should have no difficulty in seeking the data subject’s free and informed consent, but I take the point that obtaining proper, GDPR-compliant consent is more difficult when, for example, the controller is the data subject’s employer. I have considered this issue carefully following our discussion in Committee, but I remain of the view that there is not yet a compelling case to add new exemptions for controllers who wish to process sensitive biometric data without the consent of data subjects. The Bill and the GDPR make consent pre-eminent wherever possible. If that means employers who wish to install biometric systems have to ensure that they also offer a reasonable alternative to those who do not want their biometric data to be held on file, then so be it.
There is legislative precedent for this principle. Section 26 of the Protection of Freedoms Act 2012 requires state schools to seek parental consent before processing biometric data and to provide a reasonable alternative mechanism if consent is not given or is withdrawn. I might refer the noble Lord to any number of speeches given by members of his own party—the noble Baroness, Lady Hamwee, for example—on the importance of those provisions. After all, imposing a legislative requirement for consent was a 2010 Liberal Democrat manifesto commitment. The GDPR merely extends that principle to bodies other than schools. The noble Lord might respond that his amendment’s proposed subsection (1) is intended to permit processing only in a tight set of circumstances where processing of biometric data is undertaken out of necessity. To which I would ask: when is it genuinely necessary to secure premises or authenticate individuals using biometrics, rather than just cheaper or more convenient?
We also have very significant concerns with the noble Lord’s subsections (4) and (5), which seek to drive a coach and horses through fundamental provisions of the GDPR—purpose limitation and storage limitation, in particular. The GDPR does not in fact allow member states to derogate from article 5(1)(e), so subsection (5) would represent a clear breach of European law.
For completeness, I should also mention concerns raised about whether researchers involved in improving the reliability of ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. I reassure noble Lords, as I did in Committee, that article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards in Clause 18 of the Bill. Whatever your opinion of recitals and their ultimate resting place, recital 159 is clear that the term “scientific research” should be interpreted,
“in a broad manner including for example technological development and demonstration”.
This is a fast-moving area where the use of such technology is likely to increase over the next few years, so I take the point of the noble Lord, Lord Clement-Jones, that this is an area that needs to be watched. That is partly why Clause 9(6) provides a delegated power to add further processing conditions in the substantial public interest if new technologies, or applications of existing technologies, emerge. That would allow us to make any changes that are needed in the future, following further consultation with the parties that are likely to be affected by the proposals, both data controllers and, importantly, data subjects whose sensitive personal data is at stake. For those reasons, I hope the noble Lord is persuaded that there are good reasons for not proceeding with his amendment at the moment.
The noble Baroness, Lady Hamwee, asked about behavioural issues. I had hoped that I might get some inspiration, but I fear I have not, so I will get back to her and explain all about behavioural characteristics.
My Lords, I realise that, ahead of the dinner break business, the House is agog at details of the Data Protection Bill, so I will not prolong the matter. The Minister said that things are fast-moving, but I do not think the Government are moving at the pace of the slowest in the convoy on this issue. We are already here. The Minister says it is right that we should have alternatives, but for a lab that wants facial recognition techniques, having alternatives is just not practical. The Government are going to have to rethink this, particularly in the employment area. As more and more banks require it as part of their identification techniques, it will become of great importance.
We are just around the corner from these things, so I urge the Minister, during the passage of the Bill, to look again at whether there are at least some obvious issues that could be dealt with. I accept that some areas may be equivocal at this point, only we are not really talking about the future but the present. I understand what the Minister says and I will read his remarks very carefully, as no doubt will the industry that increasingly uses and wants to use biometrics. In the meantime, I beg leave to withdraw the amendment.
(6 years, 10 months ago)
Lords ChamberMy Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.
I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.
The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.
The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.
I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.
I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:
“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.
That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:
“We regard this is an insufficient and unconvincing explanation for such an important power”.
I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.
My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.
I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.
In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.
As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.
I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.
On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.
With the greatest respect, the point I was making was whether the right to vary was not omission by the backdoor. Perhaps I was not clear enough.
No, we do not believe it is omission by the backdoor.
My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.
My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.
My Lords, I introduced the same amendment in Committee and do not intend to repeat what I said then. I am glad to say that, since I put down that amendment, there has been a very helpful meeting between DCMS officials, the Genetic Alliance UK and Unique. I very much hope that that meeting will form the basis of a solution on which we can build for Third Reading. I thank my noble friend the Minister for his personal contribution to the progress that we have made.
My understanding is that at that meeting it was accepted that an amendment would have to be brought forward to ensure the legality of the work of patient support groups. My understanding also is that the Government would prefer to do this by their own amendment, and I am certainly very happy to accept that. I also hope that it will be possible to agree such an amendment before Third Reading.
My noble friend has said that he is concerned about defining the scope of the amendment. I certainly accept that that is a legitimate issue. The family of patient support groups is quite large, but I accept that it is right to prevent any amendment becoming a loophole for evasion of the Bill’s provisions. I am conscious of that issue. However, the purpose of the amendment is not controversial and I am happy to look to finding words and drafting that will both safeguard the points that we want to make and provide the right scope for the amendment. It would be highly desirable to be able to deal with this matter in our House.
I hope and trust that my noble friend will be able to confirm that he shares my understanding of the point that we have now reached and that he will be able to give me an assurance at least of best endeavours to present a government amendment at Third Reading. I might say that Genetic Alliance and other patient support groups stand ready to help in any way that they can to meet this deadline.
My Lords, I will speak briefly to support the noble Baroness, Lady Neville-Jones, in her amendment. Clearly, this is of great importance to patient groups. I very much hope that the Minister will carry on the good work and come back at Third Reading with something substantive for the benefit of patient organisations that collect vital health information from their members, so that they will not be required to destroy or anonymise data. Without amendment, the Data Protection Bill has the potential to seriously damage the work of these patient support groups and hinder the work of certain public agencies, too, such as Public Health England and NICE—so I very much support the noble Baroness.
(6 years, 11 months ago)
Grand CommitteeMy Lords, I intend to be brief. Noble Lords will recall that the Digital Economy Act 2017 received Royal Assent in April this year. That Act included reforms to the Electronic Communications Code, which provides the statutory framework for agreements between site providers and digital communications network operators.
The purpose of the reforms is to make it easier and cheaper for digital communications infrastructure to be installed and maintained, ensuring that this statutory framework supports the wider benefits of the UK’s world-leading digital communications services. The reformed code is subject to commencement by a separate statutory instrument, which will not require parliamentary scrutiny. We expect to bring the code into force by the end of December. However, before taking this step, we need to ensure that a number of sets of supporting regulations are in place.
In addition to the regulations before the Committee today, the supporting measures include two sets of regulations that were laid on 19 October 2017 under the negative procedure, which amend secondary legislation and make specific transitional provisions. Together, the purpose of all these regulations is to ensure a smooth transition from the existing legislation to the new code. They will therefore take effect only when the new code commences, which, as I mentioned, we expect to be by the end of December.
The draft Communications Act 2003 and the Digital Economy Act 2017 (Consequential Amendments to Primary Legislation) Regulations 2017 amend references in other primary legislation to the existing code and to provisions in the existing code, replacing them with terminology and cross-referencing aligned to the new code.
The draft Electronic Communications Code (Jurisdiction) Regulations 2017 bring into effect one of the code’s key reforms: transferring the jurisdiction for code disputes from the county courts to the Lands Tribunal in England and Wales, and from the sheriff court to the Lands Tribunal in Scotland. This reform was strongly recommended by the Law Commission following its consultation on the code, and is expected to ensure that code disputes can be dealt with more quickly and efficiently. The DCMS has worked closely with colleagues in the Ministry of Justice, and their counterparts in Scotland, to prepare for this change. I beg to move.
My Lords, the Minister has reminded us of our happy days during the passage of the Digital Economy Bill—now the Digital Economy Act. Of course, we all like to be reminded of our days in the salt mines. These regulations are straightforward and we welcome them. I certainly do not intend to raise again any issues relating to the Electronic Communications Code. Certainly, I would not want to provoke another speech from the noble Lord, Lord Grantchester; that would be very unwise.
However, I will make a couple of comments relating to the implementation of the code. As I understand it, Ofcom is issuing a code of practice on top of that. There is some concern that although the direction of travel of the ECC was very clear, the code of practice is in a sense bringing back a slight bias in favour of the landowners. That is a concern of some commentators. One says:
“While the consultation around the code of practice is to be welcomed, if implemented in its current form, the code of practice is in danger of swinging the pendulum back too far in favour of landowners who will be able to challenge operators at every stage”.
I know that the Government were very keen to get the balance right. It will be interesting to hear what the Minister has to say about that.
The Minister may want to write to me about this, but this is a useful opportunity to ask about the direction of government policy in terms of EU regulatory reforms—if we can bear it. It looks like there are plans from Brussels for a new Electronic Communications Code which includes e-privacy regulation. Obviously, before we exit—if we exit—it will continue to be important to keep the digital single market and the single telecoms market in place. The question arises: will there be time? Will the new Electronic Communications Code, however it is brought in—whether by directive or regulation, I am not quite sure—happen? Will it fall outside? Will it be after 29 March? Will it fall during a transition period? I suspect there are many in the telecoms field and the general area of technology infrastructure who will be extremely interested in the answer to that.
Those are the two areas on which I would very much like to have an answer from the Minister, either now or at some stage in the future.
My Lords, I do not have very much to add. The allusion to happy days in the past, which I missed, unfortunately—