Lord Kennedy of Southwark contributions to the Data Protection Act 2018


Wed 13th December 2017 Data Protection Bill [HL] (Lords Chamber)
Report: 2nd sitting (Hansard): House of Lords
5 interactions (398 words)
Wed 13th December 2017 Data Protection Bill [HL] (Lords Chamber)
Report: 2nd sitting (Hansard - continued): House of Lords
7 interactions (591 words)
Mon 11th December 2017 Data Protection Bill [HL] (Lords Chamber)
Report: 1st sitting: House of Lords
3 interactions (304 words)
Mon 11th December 2017 Data Protection Bill [HL] (Lords Chamber)
Report stage (Hansard - continued): House of Lords
14 interactions (943 words)
Wed 22nd November 2017 Data Protection Bill [HL] (Lords Chamber)
Committee: 6th sitting (Hansard): House of Lords
11 interactions (593 words)
Mon 20th November 2017 Data Protection Bill [HL] (Lords Chamber)
Committee: 5th sitting (Hansard): House of Lords
5 interactions (473 words)
Wed 15th November 2017 Data Protection Bill [HL] (Lords Chamber)
Committee: 4th sitting (Hansard): House of Lords
23 interactions (1,246 words)
Mon 13th November 2017 Data Protection Bill [HL] (Lords Chamber)
Committee: 3rd sitting (Hansard): House of Lords
7 interactions (953 words)
Mon 13th November 2017 Data Protection Bill [HL] (Lords Chamber)
Committee: 3rd sitting (Hansard - continued): House of Lords
3 interactions (408 words)
Tue 10th October 2017 Data Protection Bill [HL] (Lords Chamber)
2nd reading (Hansard - continued): House of Lords
3 interactions (2,095 words)

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Ministry of Justice

Data Protection Bill [HL]

(Report: 2nd sitting (Hansard): House of Lords)
Lord Kennedy of Southwark Excerpts
Wednesday 13th December 2017

(2 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Ministry of Justice

Administrative procedures should not be exempt from transparency and accountability. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.

I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.

The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.

Lord Clement-Jones Portrait Lord Clement-Jones - Hansard

Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.

Baroness Williams of Trafford Portrait Baroness Williams of Trafford - Hansard

My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.

Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.

The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,

“important objectives of general public interest”.

The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.

The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.

Data Protection Bill [HL]

(Report: 2nd sitting (Hansard - continued): House of Lords)
Lord Kennedy of Southwark Excerpts
Wednesday 13th December 2017

(2 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport

78A: After Clause 18, insert the following new Clause—

“Duty to notify of data protection breaches due to ransomware attacks

(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.(2) In this section,“ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and“police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.

Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.

I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.

We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.

The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.

Amendment 78A withdrawn

Data Protection Bill [HL]

(Report: 1st sitting: House of Lords)
Lord Kennedy of Southwark Excerpts
Monday 11th December 2017

(2 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport
Lord Clement-Jones Portrait Lord Clement-Jones (LD) - Hansard

My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.

Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.

Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op) - Hansard

My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.

There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.

I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.

Baroness Chisholm of Owlpen - Hansard

My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.

I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.

The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?

Data Protection Bill [HL]

(Report stage (Hansard - continued): House of Lords)
Lord Kennedy of Southwark Excerpts
Monday 11th December 2017

(2 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport
Lord Clement-Jones Portrait Lord Clement-Jones (LD) - Hansard

My Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.

I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.

The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.

The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.

I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.

I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:

“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.

That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:

“We regard this is an insufficient and unconvincing explanation for such an important power”.

I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op) - Hansard

My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.

I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.

In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.

As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.

Baroness Chisholm of Owlpen - Hansard

I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.

On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.

Break in Debate

Lord Clement-Jones Portrait Lord Clement-Jones - Hansard

My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:

“Insurance and data concerning health of relatives of insured person”,

and:

“Third party data processing insurance policies and insurance on the life of another”,

with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.

The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.

As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.

Break in Debate

27: Schedule 1, page 121, line 27, at end insert “and any additional activities determined to be appropriate by the Electoral Commission”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.

I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.

Baroness Hamwee Portrait Baroness Hamwee - Hansard

My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.

I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.

We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.

Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.

Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.

As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.

I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.

I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.

Amendment 27 withdrawn.

Data Protection Bill [HL]

(Committee: 6th sitting (Hansard): House of Lords)
Lord Kennedy of Southwark Excerpts
Wednesday 22nd November 2017

(2 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport

170J: Clause 163, page 92, line 24, at end insert—

“( ) In this section, a request made by a data subject under subsection (1)(a) includes, but is not limited to, requests about reviews written by a third party about workers.”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op) - Hansard

My Lords, Amendment 170J, which stands in my name and that of my noble friend Lord Stevenson of Balmacara, seeks to address an issue that I am not convinced is sufficiently covered in the Bill as it stands.

Freelance workers or self-employed people—whatever you want to call them—offering a range of services and seeking work through various platforms, have sprung up in recent years. In many cases, their customers are able to rate them and the work they have done. However, these individuals often find that they cannot take that rating information with them if they move on to another platform. The reviews are written by third parties, who rate the quality of the work, and understandably it is very valuable to the trades- persons if they can carry those reviews forward with them.

This is a very strange situation. Various companies often maintain that they do not have employees and that they are merely acting as a platform, a noticeboard or a portal where people can find tradespersons. However, those tradespersons then find that it is not very easy to take information about them with them when they move on. This is intended as an enabling amendment to put on the face of the Bill that data subjects have the right to take with them the information written about them by third parties when they move on to another platform.

At this stage, this is obviously a probing amendment but I am keen to hear what the noble Lord has to say about this issue. It is important for the people concerned—if you have done a good job, you want to take recognition of that with you. I look forward to the noble Lord’s response.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.

This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.

The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.

It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.

I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.

Amendment 170J withdrawn.

Break in Debate

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.

Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.

All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.

The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?

The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.

I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.

Lord Clement-Jones Portrait Lord Clement-Jones - Hansard

My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.

Data Protection Bill [HL]

(Committee: 5th sitting (Hansard): House of Lords)
Lord Kennedy of Southwark Excerpts
Monday 20th November 2017

(2 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport

163ZC: Clause 142, page 79, line 2, at end insert—

“( ) Within three months of this Act coming into force, the Commissioner must specify in guidance what constitutes “other failures” under subsection (8).”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.

Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.

Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.

The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,

“as the Secretary of State considers necessary”.

We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.

Baroness Chisholm of Owlpen - Hansard

My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.

As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.

However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.

As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.

I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.

As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.

Amendment 163ZC withdrawn.

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

(Committee: 4th sitting (Hansard): House of Lords)
Lord Kennedy of Southwark Excerpts
Wednesday 15th November 2017

(2 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Home Office

93A: Schedule 3, page 140, line 16, leave out “or another individual”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op) - Hansard

My Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.

Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.

I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?

Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.

On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.

With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.

Baroness Chisholm of Owlpen (Con) - Hansard

My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.

The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.

Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.

Break in Debate

Amendment 95A would amend paragraph 8(1)(k) by removing the ability of the Secretary of State or the Department of Health in Northern Ireland to designate voluntary organisations which can carry out social services functions similar to those carried out by a local authority. Amendment 95B would amend paragraph 8(1)(m) by removing the reference to NHS bodies that exercise functions similar to those carried out by the local authority. However, I stress that none of these provisions is new and that they were imported from paragraph 1 of the schedule to the Data Protection (Subject Access Modification) (Social Work) Order 2000. Given current trends in health and social care delivery, we believe that they are still necessary requirements and can see no benefit in their removal. I urge the noble Lord to withdraw his amendment.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for that full response to this group of amendments. As I said, they were only probing amendments to get the response that we have received from the Minister this afternoon, just so that we could see what is behind the Government’s proposals. I accept that in large part they are carried forward from existing legislation and I am therefore happy to withdraw my amendment.

Amendment 93A withdrawn.

Break in Debate

124A: Clause 24, page 14, line 40, at end insert “where the provision is likely to prejudice the combat effectiveness of the armed forces.”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

Amendment 124A, in my name and that of my noble friend Lord Stevenson of Balmacara, would amend Clause 24, which concerns national security and defence exemptions. Comparing the Bill to the 1998 Act, it appears to us that what is proposed is of a much wider scope. I would like to hear a justification from the noble Baroness, Lady Williams of Trafford, as to why we need this wider definition. If it is the noble Baroness’s contention that this is not the case, will she tell the Committee why the Government have not merely taken the words directly from the 1998 Act?

Amendment 124N does the same thing in respect of Clause 26. Amendments 124K and 148J are the same and seek to put into the Bill matters raised by the Constitution Committee. These amendments require the Secretary of State to,

“specify in regulations the grounds of appeal for proceedings under subsection (3)”.

This seems to me perfectly reasonable, giving much-needed clarity, so I hope that the noble Baroness can accept my amendments in this regard, or at least agree to reflect on them before Report. I feel that the clause as presently worded is too vague, and that cannot be a good thing when dealing with these serious matters. The amendments also require that these regulations be subject to scrutiny by both Houses of Parliament through the affirmative resolution procedure, which is an important further layer of parliamentary scrutiny.

The final amendment in my name in this group is another probing amendment. It would delete the measures which limit the power of the Information Commissioner to satisfy themselves that the obligations under Part 4 are being observed. In addition, there are amendments in the group in the names of the noble Baroness, Lady Hamwee, and the noble Lords, Lord Clement-Jones and Lord Paddick. I look forward to them explaining those further to the Committee during the debate. I beg to move.

Baroness Hamwee Portrait Baroness Hamwee (LD) - Hansard

My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.

My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.

My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.

I note that under Clause 25(2)(a), a certificate may identify data,

“by means of a general description”.

A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?

Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.

Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.

Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.

Break in Debate

Baroness Hamwee Portrait Baroness Hamwee - Hansard

My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.

I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.

Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.

I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.

Amendment 124A withdrawn.

Break in Debate

The last of the group is a converse argument—I am probing of course. Behaviour, location and movement may be relevant to crime prevention and detection, but are performance at work, reliability and so on relevant? Not obviously so to me. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.

Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.

I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.

I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.

Lord Young of Cookham Portrait Lord Young of Cookham (Con) - Hansard

The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.

I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.

As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.

The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.

The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.

The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.

Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.

Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.

The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.

In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.

I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.

Break in Debate

Baroness Hamwee Portrait Baroness Hamwee - Hansard

My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.

We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.

Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this is a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.

Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”— this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.

On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?

Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.

Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.

Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.

Baroness Williams of Trafford Portrait Baroness Williams of Trafford - Hansard

I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).

I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.

Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.

Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.

In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.

I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.

Data Protection Bill [HL]

(Committee: 3rd sitting (Hansard): House of Lords)
Lord Kennedy of Southwark Excerpts
Monday 13th November 2017

(2 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport

53: Schedule 1, page 118, line 19, leave out first “substantial”

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab) - Hansard

My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.

Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.

Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.

Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.

I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.

I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.

Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?

Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.

Baroness Hamwee Portrait Baroness Hamwee (LD) - Hansard

My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.

The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?

The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.

I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.

Break in Debate

Lord Ashton of Hyde Portrait Lord Ashton of Hyde - Hansard

No, it is not the first time because this is the position that exists under the Data Protection Act 1998.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark - Hansard

My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.

I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.

I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.

Amendment 53 withdrawn.

Data Protection Bill [HL]

(Committee: 3rd sitting (Hansard - continued): House of Lords)
Lord Kennedy of Southwark Excerpts
Monday 13th November 2017

(2 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Department for Digital, Culture, Media and Sport
Lord Lucas Portrait Lord Lucas - Hansard

My Lords, I thoroughly support this amendment. I really hope that the Home Office has noticed that the Bill is starting in this House and that therefore this is a paragraph we can kill—and should, as we did in 1983. If the Home Office needs something more, it should make a case for it and we should listen, but to have a blanket provision such as this is very destructive of data collection as a whole. To take again the example of the NPD, the fact that data is passed from the NPD to the Home Office has made the bits of data that are being passed totally corrupt: one can no longer rely on that data because so many schools, not unnaturally, are unwilling to shop their parents and drop their parents into what can be extremely difficult circumstances. You destroy the purpose of the data that you pollute in this way; you make it unreliable. I suspect that you also undermine the research exemption: if data is actually being collected to give to the Home Office, how can you claim that it is for research? You start to undermine the Bill in all sorts of insidious ways by having such a broad and unjustified paragraph— unjustified in the sense that no one has made a justification for it. I really hope that the Home Office will think again.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab (Co-op)) - Hansard

My Lords, first, I welcome the noble Baroness, Lady Williams of Trafford, back to the Committee. Every time I get to the Bill I speak either to her or to the noble Lord, Lord Bourne of Aberystwyth, so I am glad we are back again in Committee.

Amendment 80, moved by the noble Lord, Lord Clement-Jones, would delete paragraph 4 from Part 1 of Schedule 2 to the Bill, as we have heard. I have added my name to the amendment, as have the noble Lord, Lord Paddick, and the noble Baroness, Lady Jones of Moulsecoomb. The amendment deletes the whole paragraph which exempts personal data from the GDPR provisions as they relate, first, to the maintenance of effective immigration control and, secondly, to the investigation or detection of activities that would undermine the maintenance of effective immigration control. I want to be very clear that the intention of this amendment is to enable the Government to explain to us why they think the paragraph is necessary. As we have heard, it is very wide ranging and has been rejected in the past, so I hope the Minister can explain why it is so important that this paragraph gets through in the Bill. The noble Lord, Lord Clement-Jones, raised important points about the broad potential risks to data subjects’ rights, as did the noble Baroness, Lady Hamwee, and my noble friend Lady Jones of Moulsecoomb.

I certainly want an effective immigration service and policy, along with proper immigration controls. Having said that, I am not happy with many aspects of the policies being pursued by the Government with respect to immigration. They are ones that I do not support and they have damaged our reputation as a generous country that has been respected around the world. Unfortunately, that is not the only area where the Government have damaged our reputation. I should like the noble Baroness to explain very carefully why she believes that there is a need for this provision and where it differs from what is already in force. As we have heard, under other provisions the Government have what they need in terms of ensuring that these matters are dealt with properly. The exemptions certainly appear to be wide ranging and I want to be convinced that they are absolutely necessary. As I said, there are provisions in other Acts that the Government can rely on. At this stage, I await the response of the noble Baroness.

Baroness Williams of Trafford Portrait The Minister of State, Home Office (Baroness Williams of Trafford) (Con) - Hansard

My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.

The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.

It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.

Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,

“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.

This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,

“the maintenance of effective immigration control”.

The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.

To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.

It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.

First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.

Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,

“an important objective of general public interest”.

As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.

I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.

Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

(2nd reading (Hansard - continued): House of Lords)
Lord Kennedy of Southwark Excerpts
Tuesday 10th October 2017

(2 years, 11 months ago)

Lords Chamber
Read Full debate Read Hansard Text
Home Office
Lord Paddick Portrait Lord Paddick (LD) - Hansard

My Lords, this has been an interesting, and for me at times a rather confusing, debate on the issues associated with the Bill. The Bill is complex, but I understand that it is necessarily complex. For example, under European law it is not allowed to reproduce the GDPR in domestic legislation. The incorporation of the GDPR into British law is happening under the repeal Bill, not under this legislation. Therefore, the elephant and the prints are in the other place rather than here.

We on these Benches welcome the Bill. It provides the technical underpinnings that will allow the GDPR to operate in the UK both before and after Brexit, together with the permitted derogations from the GDPR available to all EU member states. For that reason it is an enabling piece of legislation, together with the GDPR, which is absolutely necessary to allow the UK to continue to exchange data, whether it is done by businesses for commercial purposes or by law enforcement or for other reasons, once we are considered to be a third-party nation rather than a member of the European Union.

We also welcome the extension of the effect of the GDPR—the rules and regulations that the GDPR provides—to other areas that are currently covered by the Data Protection Act 1998 but which are outside the scope of the GDPR, thus, as far as I understand it, providing a consistent approach to data protection across the piece. This leaves law enforcement and national security issues outside of the scope of GDPR and the “applied GDPR”, which are covered in Parts 3 and 4.

The enforcement regime, the Information Commissioner, is covered in Part 5, because we will repeal the Data Protection Act 1998 and so we need to restate the role of the Information Commissioner as the person who will enforce, and we will need to explore concerns that we have in each part of the Bill as we go through Committee. However, generally speaking, we welcome the Bill and its provisions.

Of course, what the Government, very sensibly, are trying to do but do not want to admit, is to ensure that the UK complies with EU laws and regulations—in this case in relation to data protection—so that it can continue to exchange data with the EU both before and after Brexit. All this government hype about no longer being subject to EU law after Brexit is merely the difference between having to be subject to EU law because we are a member of the EU and having to be subject to EU law because, if we do not, we will not be able to trade freely with the EU or exchange crime prevention and detection intelligence, and counterterrorism intelligence, with the EU. That is the only difference.

For most aspects of data exchange, compliance with the GDPR is required. The GDPR is directly applicable, so it cannot simply be transposed into this Bill. Coupled with the derogations and applying the GDPR to other aspects of data processing not covered by the GDPR makes this part of the Bill complex—and, as I suggest, probably necessarily so.

For law enforcement purposes, data exchange is covered by an EU law enforcement directive, which can be, and has been, transposed to form Part 3 of the Bill as far as I understand it. A data protection regime for the processing of personal data by the intelligence services—in the case of the UK, MI5, MI6 and GCHQ —is covered by Council of Europe Convention 108. Part 4 of the Bill is based on a modernised draft of Convention 108, which has yet to be formally agreed, but this puts the UK in effect slightly ahead of the curve on that aspect of regulation.

Clearly, we need to probe and test the derogations allowed under the GDPR that are proposed in the Bill, particularly when hearing about the potential consequences, as outlined by, for example, the noble Viscount, Lord Colville of Culross. We also need to examine whether applying GDPR rules and regulations to other areas of data processing provides equivalent or enhanced safeguards compared with those provided by the Data Protection Act, and we need to ensure that the safeguards provided by the law enforcement directive and Council of Europe Convention 108 are provided by the Bill.

As regards our specific concerns, as my noble friend Lord McNally mentioned in his opening remarks and as reinforced by my noble friend Lady Ludford, if the Bill results in a refusal to allow not-for-profit bodies to exercise Articles 77 to 79 to pursue data protection infringements on their own accord, we will have to challenge that, but perhaps the Minister can clarify whether that is the case.

As my noble friend Lady Ludford also mentioned, along with the noble Baroness, Lady Jay of Paddington, various provisions to allow Ministers to alter the application of the GDPR by regulation is something that we need much further scrutiny of, albeit that Ministers’ hands are likely to be tied by the requirement to comply with changing EU law after Brexit—de facto even if not de jure. Could it be—perhaps the Minister can help us here—that the purpose of these powers, put into secondary legislation, is to enable the UK to keep pace with changes in EU law after Brexit?

Although we welcome the ability of individuals to challenge important wholly automated decisions, requiring human intervention at the request of the data subject, research shows that the application of algorithms and artificial intelligence, even in machine learning of language, can result in unfair discrimination. Even when human decision-making is informed by automated processes, safeguards still need to be in place to ensure fairness, such as transparency around what the automated processes involve. While decisions around personal finance, such as credit scoring and the assessment of insurance risk, are important, in the United States the application of algorithms in the criminal justice arena has resulted in unfair discrimination that has even more serious consequences for individuals. Even if such automated processes are yet to apply to the UK criminal justice system, the Bill must safeguard against future developments that may have unintended negative consequences.

As other noble Lords have said, we have concerns about the creation of a criminal offence of re-identification of individuals. As the noble Lord, Lord Arbuthnot of Edrom, said, criminalising re-identification could allow businesses to relax the methods that they use to try to anonymise data on the basis that people will not try to re-identify individuals because it is a criminal offence.

Despite what is contained in this Bill, we have serious concerns that there are likely to be delays to being granted data adequacy status by the European Commission when we leave the EU. That means that there would not be a seamless continuation of data exchange with the EU 27 after Brexit. We also have serious concerns, as does the Information Commissioner, that there are likely to be objections to being granted data adequacy status because of the bulk collection of data allowed for under the Investigatory Powers Act, as the noble Lord, Lord Stevenson of Balmacara, said in his opening remarks. We also intend to revisit the issue of the requirement under international human rights law, and upheld by the European Court of Human Rights in 2007, that as soon as notification can be made without prejudicing the purpose of surveillance after its termination, information should be provided to the persons concerned.

As the noble Baroness, Lady Lane-Fox, mentioned, it is essential that the Information Commissioner is provided with adequate resources. My understanding is that there has been a considerable loss of staff in recent times, not least because commercial organisations want to recruit knowledgeable staff to help them with the implementation of GDPR, plus the 1% cap on public sector pay has diminished the number of people working for the Information Commissioner. It is absolutely essential that she has the resources she needs, bearing in mind the additional responsibilities that will be placed upon her.

The age of consent will clearly be an interesting topic for discussion. What we are talking about here is at what age young people should be allowed to sign up to Facebook or other social media. Most of us would acknowledge that children have a greater knowledge and are more computer literate than their parents and grandparents. As one of the surveys mentioned this evening showed, it would be very easy for young people to circumvent rules around the age of consent as set in legislation. For example, any teenager would know how to make the internet believe that they were in the United States when they were physically in the United Kingdom, and therefore they would have to comply only with any age of consent set in America. While I understand the burning desire for people to protect children and ensure that they are not exploited through social media, one has to live in the real world and look for solutions that are actually going to work: for example, educating young people on how to avoid being groomed online and the dangers of social media, and informing parents about how they can keep an eye on their children’s activities, rather than trying to set an unrealistic target for the age at which someone could sign up.

Finally, the noble Lord, Lord Mitchell, talked about the data privately stored on iPhones, which was informative. Last week, I was rather shocked when, in California, I went to a gym that was rather busy. I looked on Google Maps, which very helpfully informed me when the busiest times were in that particular gym on that particular day. I found that very useful, but I found it very frightening that it also told me that I had been at that gym three hours before.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab) - Hansard

My Lords, we welcome the Bill generally and support the main principles, but that is not to say that we do not have issues that we intend to raise during the passage of the Bill where we believe that improvements could be made. We will certainly test the Government’s assertion that the Bill will ensure that we can be confident that our data is safe as we make the transition into a future digital world.

My noble friend Lord Knight of Weymouth highlighted some of the challenges that we face in the use of data, the consent that we give and how we can have greater control—or, in fact, any control at all—as data and the use of data grow exponentially. In his contribution, the noble Lord, Lord Marlesford, highlighted the complexity of these matters. That is the problem—the constant growth in complexity and our ability to understand the changes as they run away with themselves. We are aware that there will be a number of government amendments to the Bill. When we see those, we will be able to take a view on them. But the fact that we can expect such a large number at this early stage of the Bill makes one wonder how prepared the Government are for this new challenge.

The broad aim of the Bill is to update the UK’s data protection regime in accordance with the new rules, as agreed at European level. It is important as we prepare to leave the European Union that we have strong, robust laws on data protection that ensure that we have up-to-date legislation that is on a par with the best in the world to protect individuals, businesses and the UK as a whole and to play our part in ensuring that the UK remains a place where it is difficult for criminals to operate. As the noble Lord, Lord Jay, said in his contribution covering the report of the European Union Home Affairs Sub-Committee, the amount of cross-border data flows to the UK cannot be overstated, with services accounting for 44% of the UK’s total global exports and three-quarters of the UK’s cross-border data flows being with other EU countries. The UK must remain a place where people and organisations all over the world want to do business and a place that has safety and robust protection at its heart.

The noble Baroness, Lady Lane-Fox of Soho, made important points about the need for the UK to be the best and safest place in the world to trade online. Her contribution to debates in your Lordships’ House to make the Bill the best it can be will be of vital importance as the Bill makes progress. The noble Baroness is right that a lot of education is needed to prepare the public and business for the changes.

The concerns of business must be taken into account. When the noble Baroness, Lady Williams of Trafford, responds to the debate, I hope she will refer to the concerns expressed by small businesses. In particular, will she explain what plans the Government have to ensure that small businesses are aware of the changes and the action that they need to take? These are the sorts of businesses that are the backbone of the country. They are not able to employ expensive lawyers or have compliance departments to advise them on the action that needs to be taken. We need a targeted awareness campaign from the Government and the regulator and small-business-friendly support and guidance rolled out in good time so that the necessary changes can be made. I fully understand the concerns that businesses have in this regard and the Government must respond to those positively.

The Bill implements the general data protection regulation—GDPR—standards across all general data processing and the Opposition support that. As we have heard in the debate, the UK will need to satisfy the European Commission that our legislative framework ensures an adequate level of protection. The Commission will need to be satisfied on a wide variety of issues to give a positive advocacy decision, and when we leave the European Union we will still have to satisfy the high adequacy standards to ensure that we can trade with the European Union and the world. Those too are matters that we will test in Committee.

Important principles of lawfulness in obtaining data and the consent of individuals to their data being held are set out in the Bill. My noble friend Lady Jay of Paddington made important points about how to achieve a better-educated public about the use of their data, the media and online literacy, and the risks to them of the abuse of their data.

The additional GDPR rights which strengthen and add to an individual’s rights, as set out in the Data Protection Act 1998, are a positive step forward. We have all seen examples of people’s data being held unlawfully and the measures in this Bill should help in that respect. There is also the issue of data held about all of us that is confidential, such as medical and health data, and ensuring that it is processed in a confidential way is something we would all support, alongside the proper use of health data to combat disease and improve healthcare through proper research. A number of noble Lords have made reference to that, and certainly nothing should be done which would endanger research that saves lives.

The right to be forgotten is an important concept, particularly where the consent was given as a child, although we will want to probe why the right of erasure of personal data is restricted to 18 years and above, particularly when the consent may have been given when the individual was 13 years of age. Cyberbullying is a dreadful experience for anyone and it is important that we are very clear during the passage of the legislation on how people are able to protect themselves from this abuse. The Bill will formalise the age at which a child can consent to the processing of data at 13 years in the UK, which is the lowest possible age in the EU. The right reverend Prelate the Bishop of Chelmsford referred to this point in his contribution and I agree with him about the need for further consultation with parents and the public, a point also made by the noble Baroness, Lady Howe.

The noble Baroness, Lady Kidron, made an excellent contribution and she is right to say that children are no match for a number of the very powerful tech companies. I too read carefully the briefings from the Children’s Society and YoungMinds on this matter. All the major online platforms have a minimum user age of 13, although the vast majority of young people—some 73% according to the survey—have their first social media account before they are 13. This is an issue that will rightly get a lot of attention from noble Lords. On reading the briefing note I could see the point being made that setting the age at 16 could have an adverse effect in tackling grooming, sexual exploitation and abuse. If we wanted to go down the route of increasing the age when someone can consent to the use of their personal data, we must at the same time make significant changes to the grooming and sexual offences legislation, again a point made by the noble Baroness, Lady Howe, in her remarks. It would be wrong to make this change in isolation because it actually risks making the online world more dangerous for young people.

In responding to the debate, will the noble Baroness, Lady Williams of Trafford, set out how the Government decided that 13 was the appropriate age of consent for children to access social media and does she believe, as I do, that the social media companies need to do much more to protect children when they are online? What consultation did the Government undertake before deciding that 13 years was the correct age, a question put by many noble Lords in the debate?

There are also the important issues of protecting vulnerable people in general, not only children but the elderly as well. As my noble friend Lord Stevenson of Balmacara said, the Government have an opportunity to allow independent organisations acting in the public interest to bring collective redress actions or super-complaints for breaches in data protection rules. They have not done so, and this may be an error on their part as the super-complaint system works well in other fields. It would enable an effective system of redress for consumers to be put in place. It could also be contended that just having such a system in place would have a positive effect in terms of organisations making sure that they are compliant and not tempted to cut corners, and generally make for a stronger framework.

The Opposition support the approach of transposing the law enforcement directive into UK law through this Bill. It is important that we have consistent standards across specific law enforcement activities. In the briefing, the Information Commissioner raised the issue of overview and scope as detailed in Clause 41. It would be helpful, when responding to the debate, if the Minister could provide further clarification in respect of the policy intention behind the restriction on individuals being able to approach the Information Commissioner to exercise their rights.

The processing of personal data by the intelligence services is of the utmost importance. Keeping their citizens safe is the number one priority of the Government. We need to ensure that our intelligence services have the right tools and are able to work within modern international standards, including the required safeguards, so that existing, new and emerging threats to the safety and security of the country are met. These are fine lines and it is important that we get them right.

The point made by a number of noble Lords, including the noble Lord, Lord Jay, and the noble Baroness, Lady Ludford, that our position as a third country on leaving the EU may leave us subject to meeting a higher threshold is a matter for concern. I hope the noble Baroness, Lady Williams, will respond to that specific point when she replies to the debate.

The Information Commissioner having an independent authority responsible for regulating the GDPR—which will also act as the supervisory authority in respect of the law enforcement provisions as set out in Part 3 of the Bill—is welcome, as is the designation of the commissioner as the authority under Convention 108. I welcome the proposal to consult the commissioner on legislation and other measures that relate to data processing. The commissioner has an important international role and I fully support her playing a role in the various EU bodies she engages with, up until the point when we leave the EU. We must also be satisfied in this House that we have sufficiently robust procedures in place so that we will work closely with our EU partners after we have left the EU. Failure to do so could have serious repercussions for the UK as a whole, our businesses and our citizens. Data flows in and out of the UK are a complex matter and the regulator needs authority when dealing with others beyond the UK. That is something we will have to test carefully as the Bill passes through your Lordships’ House.

The clauses of the Bill in respect of enforcement are generally to be welcomed. It is important that the commissioner retains the power to ensure data is properly protected. I agree very much with the noble Lord, Lord McNally, about the importance of ensuring that the Information Commissioner remains adequately funded. It is right that those powers are used proportionally in relation to the specific matters at hand, using, where appropriate, non-criminal enforcement, financial penalties and, where necessary, criminal prosecution. As I said, we need a proper programme of information to ensure that small businesses in particular are ready for the changes and new responsibilities they will take on.

One of the issues we have to address is the challenge that technology brings and how our legislation will remain fit for purpose and accepted by other competent authorities outside our jurisdiction—particularly by the European Union after we leave it.

In conclusion, this in an important Bill. As the Opposition, we can support its general direction, but we have concerns about the robustness of what is proposed. We will seek to probe, challenge and amend the Bill to ensure that it really does give us the legalisation the UK needs to protect its citizens’ data and its lawful use.

Baroness Williams of Trafford Portrait The Minister of State, Home Office (Baroness Williams of Trafford) (Con) - Hansard

My Lords, this has been a lengthy but excellent debate. I very much welcome the broad support from across the House for the Bill’s objectives; namely, that we have a data protection framework that is fit for the digital age, supports the needs of businesses, law enforcement agencies and other public sector bodies, and—as the noble Lord, Lord Kennedy, said—safeguards the rights of individuals in the use of their personal data.

In bringing the Bill before your Lordships’ House at this time, it is fortunate that we have the benefit of two recent and very pertinent reports from the Communications Committee and the European Union Committee. Today’s debate is all the better for the insightful contributions we have heard from a number of members of those committees, namely the noble Lord, Lord Jay, the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, the right reverend Prelate the Bishop of Chelmsford and my noble friend Lady Neville-Rolfe.

In its report Growing Up with the Internet, the Communications Committee noted with approval the enhanced rights that the GDPR would confer on children, including the right to be forgotten, and asked for those rights to be enshrined in UK law as a minimum standard. I am pleased to say the Bill does just that. The European Union Committee supported the Government’s objective to maintain the unhindered and uninterrupted flow of data with other member states following the UK’s exit from the EU. Understandably, the committee pressed the Government to provide further details of how that outcome will be achieved.

With the provisions in the Bill, the UK starts from an unprecedented point of alignment with the EU in terms of the legal framework underpinning the exchange and protection of personal data. In August, the Government set out options for the model for protecting and exchanging personal data. That model would allow free flows of data to continue between the EU and the UK and provide for ongoing regulatory co-operation and certainty for businesses, public authorities and individuals. Such an approach is made possible by the strong foundations laid by the provisions in the Bill.

In other contributions to this debate, we have had the benefit of a wide range of experiences, including from noble Lords who are able to draw on distinguished careers in business, education, policing or the Security Service. In doing so, noble Lords raised a number of issues. I will try to respond to as many of those as I can in the time available, but if there are specific points, as I am sure there will be, that I cannot do justice to now, both my noble friend Lord Ashton and I will of course follow up this debate with a letter. 

A number of noble Lords, including the noble Lord, Lord Kennedy, the noble Baroness, Lady Lane-Fox, and my noble friend Lady Neville-Rolfe, asked whether the Bill was too complex. It was suggested that data controllers would struggle to understand the obligations placed on them and data subjects to understand and access their rights. As the noble Lord, Lord Paddick, said, the Bill is necessarily so, because it provides a complete data protection framework for all personal data. Most data controllers will need to understand only the scheme for general data, allowing them to focus just on Part 2. As now, the Information Commissioner will continue to provide guidance tailored to data controllers and data subjects to help them understand the obligations placed on them and exercise their rights respectively. Indeed, she has already published a number of relevant guidance documents, including—the noble Lord, Lord Kennedy, will be interested to know this—a guide called Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now. It sounds like my type of publication.

Other noble Lords rightly questioned what they saw as unnecessary costs on businesses. My noble friends Lord Arbuthnot and Lady Neville-Rolfe and the noble Lord, Lord Kennedy, expressed concern that the Bill would impose a new layer of unnecessary regulation on businesses—for example, in requiring them to respond to subject access requests. Businesses are currently required to adhere to the Data Protection Act, which makes similar provision. The step up to the new standards should not be a disproportionate burden. Indeed, embracing good cybersecurity and data protection practices will help businesses to win new customers both in the UK and abroad.

A number of noble Lords, including the noble Lord, Lord Jay, asked how the Government would ensure that businesses and criminal justice agencies could continue, uninterrupted, to share data with other member states following the UK’s exit from the EU. The Government published a “future partnership” paper on data protection in August setting out the UK’s position on how to ensure the continued protection and exchange of personal data between the UK and the EU. That drew on the recommendations of the very helpful and timely report of the European Union Committee, to which the noble Lord referred. For example, as set out in the position paper, the Government believe that it would be in our shared interest to agree early to recognise each other’s data protection frameworks as the basis for continued flow of data between the EU and the UK from the point of exit until such time as new and more permanent arrangements came into force. While the final arrangements governing data flows are a matter for the negotiations—I regret that I cannot give a fuller update at this time—I hope that the paper goes some way towards assuring noble Lords of the importance that the Government attach to this issue.

The noble Baroness, Lady Kidron, queried the status of Article 8 of the European Charter of Fundamental Rights, which states:

“Everyone has the right to the protection of personal data concerning him or her”.

The Bill will ensure that the UK continues to provide a world-class standard of data protection both before and after we leave the European Union.

Several noble Lords, including the noble Lord, Lord Paddick, in welcoming the Bill asked whether the Information Commissioner would have the resource she needs to help businesses and others prepare for the GDPR and LED and to ensure that the new legislation is properly enforced, especially once compulsory notification has ended. The Government are committed to ensuring that the Information Commissioner is adequately resourced to fulfil both her current functions under the Data Protection Act 1998 and her new ones. Noble Lords will note that the Bill replicates relevant provisions of the Digital Economy Act 2017, which ensures that the Information Commissioner’s functions in relation to data protection continue to be funded through charges on data controllers. An initial proposal on what those changes might look like is currently being consulted upon. The resulting regulations will rightly be subject to parliamentary scrutiny in due course.

Almost every noble Lord spoke in one way or another about protecting children online, particularly the noble Baroness, Lady Kidron, and the right reverend Prelate the Bishop of Chelmsford, who referred to the Select Committee on Communications report Growing Up with the Internet. The focus of that report was on addressing concerns about the risk to children from the internet. The Government believe that Britain should be the safest place in the world to go online and we are determined to make that a reality. I am happy to confirm that the Government will publish an internet safety strategy Green Paper imminently. This will be an important step forward in tackling this crucial issue. Among other things, the Green Paper will set out plans for an online code of practice that we want to see all social media companies sign up to, and a plan to ensure that every child is taught the skills they need to be safe online.

The other point that was brought up widely, including by the noble Lord, Lord Kennedy, was whether it was appropriate for 13 year-olds to be able to hand over their personal data to social media companies without parental consent. We heard alternative perspectives from my noble friend Lord Arbuthnot and the noble Baroness, Lady Lane-Fox. Addressing the same clause, the right reverend Prelate the Bishop of Chelmsford questioned the extent to which the Government had consulted on this important issue. The noble Baroness, Lady Howe, and the noble Lord, Lord Kennedy, made a similar point. In answer to their specific questions, 170 organisations and numerous individuals responded to the Government’s call for views, published in April, which addressed this issue directly. The Government’s position reflects the responses received. Importantly, it recognises the fundamental role that the internet already plays in the lives of teenagers. While we need to educate children on the risks and to work with internet companies to keep them safe, online platforms and communities provide children and young people with an enormous educational and social resource, as the noble Baroness, Lady Lane-Fox, pointed out. It is not an easy balance to strike, but I am convinced that, in selecting 13, the Government has made the right choice and one fully compatible with the UN Convention on the Rights of the Child, to which the noble Lord, Lord Stevenson, referred.

The noble Baronesses, Lady Jay and Lady Hamwee, stressed the importance of adequate understanding of digital issues, particularly among children. Improving digital skills is a priority of the Government’s digital strategy, published earlier this year. As noble Lords will be aware, the Digital Economy Act created a new statutory entitlement to digitals skills training, which is certainly an important piece of the puzzle. As I have already said, the Government will publish a comprehensive Green Paper on internet safety imminently which will explore further how to develop children’s digital literacy and provide support for parents and carers.

The noble Baroness, Lady Ludford, and the noble Lord, Lord Paddick, I think it was, asked about the Government choosing not to exercise the derogation in article 80 of the GDPR to allow not-for-profit organisations to take action on behalf of data subjects without their consent. This is a very important point. It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.

The noble Baroness, Lady Manningham-Buller, the noble Lords, Lord Kennedy and Lord Patel, and my noble friend Lady Neville-Jones all expressed concern about the effect that safeguards provided in the Bill might have on certain types of long-term medical research, such as clinical trials and interventional research. My noble friend pointed out that such research can lead to measures or decisions being taken about individuals but it might not be possible to seek their consent in every case. The noble Lord, Lord Patel, raised a number of related issues, including the extent of Clause 7. I assure noble Lords that the Government recognise the importance of these issues. I would be very happy to meet noble Lords and noble Baronesses to discuss them further.

The noble Baroness, Lady Ludford, and the noble Lord, Lord Patel, noted that the Bill is not going to be used to place the National Data Guardian for Health and Social Care on a statutory footing. I assure them that the Government are committed to giving the National Data Guardian statutory force. A Bill to this end was introduced in the House of Commons on 5 September by my honourable friend Peter Bone MP, and the Government look forward to working with him and parliamentary colleagues over the coming months.

My noble friend Lord Arbuthnot and others questioned the breadth of delegated powers provided for in Clause 15, which allows the Secretary of State to use regulations to permit organisations to process personal data in a wider range of circumstances where needed to comply with a legal obligation, to perform a task in the public interest or in the exercise of official authority. Given how quickly technology evolves and the use of data can change, there may be occasions when it is necessary to act relatively quickly to provide organisations with a legal basis for a particular processing operation. The Government believe that the use of regulations, rightly subject to the affirmative procedure, is entirely appropriate to achieve that. But we will of course consider very carefully any recommendations made on this or any other regulation-making power in the Bill by the Delegated Powers and Regulatory Reform Committee, and I look forward to seeing its report in due course.

The noble Viscount, Lord Colville, queried the role of the Information Commissioner in relation to special purposes processing, including in relation to journalism. In keeping with the approach taken in the 1998 Act, the Bill provides for broad exemptions when data is being processed for journalism, where the controller reasonably believes that publication is in the public interest. I reassure noble Lords that the Information Commissioner’s powers, as set out in Clause 164, are tightly focused on compliance with these requirements and not on media conduct more generally. There is a right of appeal to ensure that the commissioner’s determination can be challenged. This is an established process which the Bill simply builds upon.

The noble Lord, Lord Black, questioned the power given to the Information Commissioner to assist a party or prospective party in special purposes proceedings. In this sense, “special purposes” refers to journalistic, literary, artistic or academic purposes. The clause in question, Clause 165, replicates the existing provision in Section 53 of the 1998 Act. It simply reflects the potential public importance of a misuse of the otherwise vital exemptions granted to those processing personal data for special purposes. In practice, I am not aware of the commissioner having provided such assistance but the safeguard is rightly there.

The noble Lord, Lord Janvrin, spoke eloquently about the potential impact of the Bill on museums and archives. The Government agree about the importance of this public function. It is important to note that the Data Protection Act 1998 made no express provision relating to the processing of personal data for archiving purposes. In contrast, the Bill recognises that archives may need to process sensitive personal data, and there is a specific condition to allow for this. The Bill also provides archives with specific exemptions from certain rights of data subjects, such as rights to access and rectify data, where this would prevent them fulfilling their purposes.

The noble Lord, Lord Knight, queried the safeguards in place to prevent the mining of corporate databases for other, perhaps quite distinct, purposes, and the noble Lord, Lord Mitchell, made a similar point. I can reassure them that any use of personal data must comply with the relevant legal requirements. This would include compliance with the necessary data protection principles, including purpose limitation. These principles will be backed by tough new rules on transparency and consent that will ensure that once personal data is obtained for one purpose it cannot generally be used for other purposes without the data subject’s consent.

My noble friend Lord Marlesford raised the desirability of a central system of unique identifying numbers. The Bill will ensure that personal data is collected only for a specific purpose, that it is processed only where there is a legal basis for so doing and that it is always used proportionately. It is not clear to me that setting out to identify everybody in the same way in every context, with all records held centrally, is compatible with these principles. Rather, this Government believe that identity policy is context-specific, that people should be asked to provide only what is necessary, and that only those with a specific need to access data should be able to do so. The Bill is consistent with that vision.

I look forward to exploring all the issues that we have discussed as we move to the next stage. As the Information Commissioner said in her briefing paper, it is vital that the Bill reaches the statute book, and I look forward to working with noble Lords to achieve that as expeditiously as possible. Noble Lords will rightly want to probe the detailed provisions in the Bill and subject them to proper scrutiny, as noble Lords always do, but I am pleased that we can approach this task on the basis of a shared vision; namely, that of a world-leading Data Protection Bill that is good for business, good for the law enforcement community and good for the citizen. I commend the Bill to the House.