All 10 Lord Kennedy of Southwark contributions to the Data Protection Act 2018

Read Bill Ministerial Extracts

Tue 10th Oct 2017
Data Protection Bill [HL]
Lords Chamber

2nd reading (Hansard - continued): House of Lords
Mon 13th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 3rd sitting (Hansard): House of Lords
Mon 13th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 3rd sitting (Hansard - continued): House of Lords
Wed 15th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 4th sitting (Hansard): House of Lords
Mon 20th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 5th sitting (Hansard): House of Lords
Wed 22nd Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 6th sitting (Hansard): House of Lords
Mon 11th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 1st sitting: House of Lords
Mon 11th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report stage (Hansard - continued): House of Lords
Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard): House of Lords
Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard - continued): House of Lords

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
2nd reading (Hansard - continued): House of Lords
Tuesday 10th October 2017

(6 years, 5 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab)
- Hansard - -

My Lords, we welcome the Bill generally and support the main principles, but that is not to say that we do not have issues that we intend to raise during the passage of the Bill where we believe that improvements could be made. We will certainly test the Government’s assertion that the Bill will ensure that we can be confident that our data is safe as we make the transition into a future digital world.

My noble friend Lord Knight of Weymouth highlighted some of the challenges that we face in the use of data, the consent that we give and how we can have greater control—or, in fact, any control at all—as data and the use of data grow exponentially. In his contribution, the noble Lord, Lord Marlesford, highlighted the complexity of these matters. That is the problem—the constant growth in complexity and our ability to understand the changes as they run away with themselves. We are aware that there will be a number of government amendments to the Bill. When we see those, we will be able to take a view on them. But the fact that we can expect such a large number at this early stage of the Bill makes one wonder how prepared the Government are for this new challenge.

The broad aim of the Bill is to update the UK’s data protection regime in accordance with the new rules, as agreed at European level. It is important as we prepare to leave the European Union that we have strong, robust laws on data protection that ensure that we have up-to-date legislation that is on a par with the best in the world to protect individuals, businesses and the UK as a whole and to play our part in ensuring that the UK remains a place where it is difficult for criminals to operate. As the noble Lord, Lord Jay, said in his contribution covering the report of the European Union Home Affairs Sub-Committee, the amount of cross-border data flows to the UK cannot be overstated, with services accounting for 44% of the UK’s total global exports and three-quarters of the UK’s cross-border data flows being with other EU countries. The UK must remain a place where people and organisations all over the world want to do business and a place that has safety and robust protection at its heart.

The noble Baroness, Lady Lane-Fox of Soho, made important points about the need for the UK to be the best and safest place in the world to trade online. Her contribution to debates in your Lordships’ House to make the Bill the best it can be will be of vital importance as the Bill makes progress. The noble Baroness is right that a lot of education is needed to prepare the public and business for the changes.

The concerns of business must be taken into account. When the noble Baroness, Lady Williams of Trafford, responds to the debate, I hope she will refer to the concerns expressed by small businesses. In particular, will she explain what plans the Government have to ensure that small businesses are aware of the changes and the action that they need to take? These are the sorts of businesses that are the backbone of the country. They are not able to employ expensive lawyers or have compliance departments to advise them on the action that needs to be taken. We need a targeted awareness campaign from the Government and the regulator and small-business-friendly support and guidance rolled out in good time so that the necessary changes can be made. I fully understand the concerns that businesses have in this regard and the Government must respond to those positively.

The Bill implements the general data protection regulation—GDPR—standards across all general data processing and the Opposition support that. As we have heard in the debate, the UK will need to satisfy the European Commission that our legislative framework ensures an adequate level of protection. The Commission will need to be satisfied on a wide variety of issues to give a positive advocacy decision, and when we leave the European Union we will still have to satisfy the high adequacy standards to ensure that we can trade with the European Union and the world. Those too are matters that we will test in Committee.

Important principles of lawfulness in obtaining data and the consent of individuals to their data being held are set out in the Bill. My noble friend Lady Jay of Paddington made important points about how to achieve a better-educated public about the use of their data, the media and online literacy, and the risks to them of the abuse of their data.

The additional GDPR rights which strengthen and add to an individual’s rights, as set out in the Data Protection Act 1998, are a positive step forward. We have all seen examples of people’s data being held unlawfully and the measures in this Bill should help in that respect. There is also the issue of data held about all of us that is confidential, such as medical and health data, and ensuring that it is processed in a confidential way is something we would all support, alongside the proper use of health data to combat disease and improve healthcare through proper research. A number of noble Lords have made reference to that, and certainly nothing should be done which would endanger research that saves lives.

The right to be forgotten is an important concept, particularly where the consent was given as a child, although we will want to probe why the right of erasure of personal data is restricted to 18 years and above, particularly when the consent may have been given when the individual was 13 years of age. Cyberbullying is a dreadful experience for anyone and it is important that we are very clear during the passage of the legislation on how people are able to protect themselves from this abuse. The Bill will formalise the age at which a child can consent to the processing of data at 13 years in the UK, which is the lowest possible age in the EU. The right reverend Prelate the Bishop of Chelmsford referred to this point in his contribution and I agree with him about the need for further consultation with parents and the public, a point also made by the noble Baroness, Lady Howe.

The noble Baroness, Lady Kidron, made an excellent contribution and she is right to say that children are no match for a number of the very powerful tech companies. I too read carefully the briefings from the Children’s Society and YoungMinds on this matter. All the major online platforms have a minimum user age of 13, although the vast majority of young people—some 73% according to the survey—have their first social media account before they are 13. This is an issue that will rightly get a lot of attention from noble Lords. On reading the briefing note I could see the point being made that setting the age at 16 could have an adverse effect in tackling grooming, sexual exploitation and abuse. If we wanted to go down the route of increasing the age when someone can consent to the use of their personal data, we must at the same time make significant changes to the grooming and sexual offences legislation, again a point made by the noble Baroness, Lady Howe, in her remarks. It would be wrong to make this change in isolation because it actually risks making the online world more dangerous for young people.

In responding to the debate, will the noble Baroness, Lady Williams of Trafford, set out how the Government decided that 13 was the appropriate age of consent for children to access social media and does she believe, as I do, that the social media companies need to do much more to protect children when they are online? What consultation did the Government undertake before deciding that 13 years was the correct age, a question put by many noble Lords in the debate?

There are also the important issues of protecting vulnerable people in general, not only children but the elderly as well. As my noble friend Lord Stevenson of Balmacara said, the Government have an opportunity to allow independent organisations acting in the public interest to bring collective redress actions or super-complaints for breaches in data protection rules. They have not done so, and this may be an error on their part as the super-complaint system works well in other fields. It would enable an effective system of redress for consumers to be put in place. It could also be contended that just having such a system in place would have a positive effect in terms of organisations making sure that they are compliant and not tempted to cut corners, and generally make for a stronger framework.

The Opposition support the approach of transposing the law enforcement directive into UK law through this Bill. It is important that we have consistent standards across specific law enforcement activities. In the briefing, the Information Commissioner raised the issue of overview and scope as detailed in Clause 41. It would be helpful, when responding to the debate, if the Minister could provide further clarification in respect of the policy intention behind the restriction on individuals being able to approach the Information Commissioner to exercise their rights.

The processing of personal data by the intelligence services is of the utmost importance. Keeping their citizens safe is the number one priority of the Government. We need to ensure that our intelligence services have the right tools and are able to work within modern international standards, including the required safeguards, so that existing, new and emerging threats to the safety and security of the country are met. These are fine lines and it is important that we get them right.

The point made by a number of noble Lords, including the noble Lord, Lord Jay, and the noble Baroness, Lady Ludford, that our position as a third country on leaving the EU may leave us subject to meeting a higher threshold is a matter for concern. I hope the noble Baroness, Lady Williams, will respond to that specific point when she replies to the debate.

The Information Commissioner having an independent authority responsible for regulating the GDPR—which will also act as the supervisory authority in respect of the law enforcement provisions as set out in Part 3 of the Bill—is welcome, as is the designation of the commissioner as the authority under Convention 108. I welcome the proposal to consult the commissioner on legislation and other measures that relate to data processing. The commissioner has an important international role and I fully support her playing a role in the various EU bodies she engages with, up until the point when we leave the EU. We must also be satisfied in this House that we have sufficiently robust procedures in place so that we will work closely with our EU partners after we have left the EU. Failure to do so could have serious repercussions for the UK as a whole, our businesses and our citizens. Data flows in and out of the UK are a complex matter and the regulator needs authority when dealing with others beyond the UK. That is something we will have to test carefully as the Bill passes through your Lordships’ House.

The clauses of the Bill in respect of enforcement are generally to be welcomed. It is important that the commissioner retains the power to ensure data is properly protected. I agree very much with the noble Lord, Lord McNally, about the importance of ensuring that the Information Commissioner remains adequately funded. It is right that those powers are used proportionally in relation to the specific matters at hand, using, where appropriate, non-criminal enforcement, financial penalties and, where necessary, criminal prosecution. As I said, we need a proper programme of information to ensure that small businesses in particular are ready for the changes and new responsibilities they will take on.

One of the issues we have to address is the challenge that technology brings and how our legislation will remain fit for purpose and accepted by other competent authorities outside our jurisdiction—particularly by the European Union after we leave it.

In conclusion, this in an important Bill. As the Opposition, we can support its general direction, but we have concerns about the robustness of what is proposed. We will seek to probe, challenge and amend the Bill to ensure that it really does give us the legalisation the UK needs to protect its citizens’ data and its lawful use.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Committee: 3rd sitting (Hansard): House of Lords
Monday 13th November 2017

(6 years, 4 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Moved by
53: Schedule 1, page 118, line 19, leave out first “substantial”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab)
- Hansard - -

My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.

Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.

Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.

Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.

I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.

I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.

Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?

Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.

Baroness Hamwee Portrait Baroness Hamwee (LD)
- Hansard - - - Excerpts

My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.

The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?

The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.

I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

No, it is not the first time because this is the position that exists under the Data Protection Act 1998.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.

I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.

I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.

Amendment 53 withdrawn.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Committee: 3rd sitting (Hansard - continued): House of Lords
Monday 13th November 2017

(6 years, 4 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Lucas Portrait Lord Lucas
- Hansard - - - Excerpts

My Lords, I thoroughly support this amendment. I really hope that the Home Office has noticed that the Bill is starting in this House and that therefore this is a paragraph we can kill—and should, as we did in 1983. If the Home Office needs something more, it should make a case for it and we should listen, but to have a blanket provision such as this is very destructive of data collection as a whole. To take again the example of the NPD, the fact that data is passed from the NPD to the Home Office has made the bits of data that are being passed totally corrupt: one can no longer rely on that data because so many schools, not unnaturally, are unwilling to shop their parents and drop their parents into what can be extremely difficult circumstances. You destroy the purpose of the data that you pollute in this way; you make it unreliable. I suspect that you also undermine the research exemption: if data is actually being collected to give to the Home Office, how can you claim that it is for research? You start to undermine the Bill in all sorts of insidious ways by having such a broad and unjustified paragraph— unjustified in the sense that no one has made a justification for it. I really hope that the Home Office will think again.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab (Co-op))
- Hansard - -

My Lords, first, I welcome the noble Baroness, Lady Williams of Trafford, back to the Committee. Every time I get to the Bill I speak either to her or to the noble Lord, Lord Bourne of Aberystwyth, so I am glad we are back again in Committee.

Amendment 80, moved by the noble Lord, Lord Clement-Jones, would delete paragraph 4 from Part 1 of Schedule 2 to the Bill, as we have heard. I have added my name to the amendment, as have the noble Lord, Lord Paddick, and the noble Baroness, Lady Jones of Moulsecoomb. The amendment deletes the whole paragraph which exempts personal data from the GDPR provisions as they relate, first, to the maintenance of effective immigration control and, secondly, to the investigation or detection of activities that would undermine the maintenance of effective immigration control. I want to be very clear that the intention of this amendment is to enable the Government to explain to us why they think the paragraph is necessary. As we have heard, it is very wide ranging and has been rejected in the past, so I hope the Minister can explain why it is so important that this paragraph gets through in the Bill. The noble Lord, Lord Clement-Jones, raised important points about the broad potential risks to data subjects’ rights, as did the noble Baroness, Lady Hamwee, and my noble friend Lady Jones of Moulsecoomb.

I certainly want an effective immigration service and policy, along with proper immigration controls. Having said that, I am not happy with many aspects of the policies being pursued by the Government with respect to immigration. They are ones that I do not support and they have damaged our reputation as a generous country that has been respected around the world. Unfortunately, that is not the only area where the Government have damaged our reputation. I should like the noble Baroness to explain very carefully why she believes that there is a need for this provision and where it differs from what is already in force. As we have heard, under other provisions the Government have what they need in terms of ensuring that these matters are dealt with properly. The exemptions certainly appear to be wide ranging and I want to be convinced that they are absolutely necessary. As I said, there are provisions in other Acts that the Government can rely on. At this stage, I await the response of the noble Baroness.

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Committee: 4th sitting (Hansard): House of Lords
Wednesday 15th November 2017

(6 years, 4 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Moved by
93A: Schedule 3, page 140, line 16, leave out “or another individual”
--- Later in debate ---
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - -

My Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.

Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.

I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?

Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.

On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.

With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen (Con)
- Hansard - - - Excerpts

My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.

The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.

Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.

--- Later in debate ---
Amendment 95A would amend paragraph 8(1)(k) by removing the ability of the Secretary of State or the Department of Health in Northern Ireland to designate voluntary organisations which can carry out social services functions similar to those carried out by a local authority. Amendment 95B would amend paragraph 8(1)(m) by removing the reference to NHS bodies that exercise functions similar to those carried out by the local authority. However, I stress that none of these provisions is new and that they were imported from paragraph 1 of the schedule to the Data Protection (Subject Access Modification) (Social Work) Order 2000. Given current trends in health and social care delivery, we believe that they are still necessary requirements and can see no benefit in their removal. I urge the noble Lord to withdraw his amendment.
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for that full response to this group of amendments. As I said, they were only probing amendments to get the response that we have received from the Minister this afternoon, just so that we could see what is behind the Government’s proposals. I accept that in large part they are carried forward from existing legislation and I am therefore happy to withdraw my amendment.

Amendment 93A withdrawn.
--- Later in debate ---
Moved by
124A: Clause 24, page 14, line 40, at end insert “where the provision is likely to prejudice the combat effectiveness of the armed forces.”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

Amendment 124A, in my name and that of my noble friend Lord Stevenson of Balmacara, would amend Clause 24, which concerns national security and defence exemptions. Comparing the Bill to the 1998 Act, it appears to us that what is proposed is of a much wider scope. I would like to hear a justification from the noble Baroness, Lady Williams of Trafford, as to why we need this wider definition. If it is the noble Baroness’s contention that this is not the case, will she tell the Committee why the Government have not merely taken the words directly from the 1998 Act?

Amendment 124N does the same thing in respect of Clause 26. Amendments 124K and 148J are the same and seek to put into the Bill matters raised by the Constitution Committee. These amendments require the Secretary of State to,

“specify in regulations the grounds of appeal for proceedings under subsection (3)”.

This seems to me perfectly reasonable, giving much-needed clarity, so I hope that the noble Baroness can accept my amendments in this regard, or at least agree to reflect on them before Report. I feel that the clause as presently worded is too vague, and that cannot be a good thing when dealing with these serious matters. The amendments also require that these regulations be subject to scrutiny by both Houses of Parliament through the affirmative resolution procedure, which is an important further layer of parliamentary scrutiny.

The final amendment in my name in this group is another probing amendment. It would delete the measures which limit the power of the Information Commissioner to satisfy themselves that the obligations under Part 4 are being observed. In addition, there are amendments in the group in the names of the noble Baroness, Lady Hamwee, and the noble Lords, Lord Clement-Jones and Lord Paddick. I look forward to them explaining those further to the Committee during the debate. I beg to move.

--- Later in debate ---
Baroness Hamwee Portrait Baroness Hamwee
- Hansard - - - Excerpts

My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.

I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.

Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.

I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.

Amendment 124A withdrawn.
--- Later in debate ---
The last of the group is a converse argument—I am probing of course. Behaviour, location and movement may be relevant to crime prevention and detection, but are performance at work, reliability and so on relevant? Not obviously so to me. I beg to move.
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.

Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.

I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.

I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.

Lord Young of Cookham Portrait Lord Young of Cookham (Con)
- Hansard - - - Excerpts

The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.

I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.

As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.

The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.

The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.

The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.

Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.

Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.

The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.

In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.

I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.

--- Later in debate ---
Baroness Hamwee Portrait Baroness Hamwee
- Hansard - - - Excerpts

My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.

We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.

Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this is a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.

Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”— this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.

On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?

Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.

Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.

Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.

Baroness Williams of Trafford Portrait Baroness Williams of Trafford
- Hansard - - - Excerpts

I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).

I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.

Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.

Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.

In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.

I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Committee: 5th sitting (Hansard): House of Lords
Monday 20th November 2017

(6 years, 4 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Moved by
163ZC: Clause 142, page 79, line 2, at end insert—
“( ) Within three months of this Act coming into force, the Commissioner must specify in guidance what constitutes “other failures” under subsection (8).”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.

Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.

Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.

The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,

“as the Secretary of State considers necessary”.

We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.

As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.

However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.

As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.

I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.

As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.

Amendment 163ZC withdrawn.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Committee: 6th sitting (Hansard): House of Lords
Wednesday 22nd November 2017

(6 years, 4 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Moved by
170J: Clause 163, page 92, line 24, at end insert—
“( ) In this section, a request made by a data subject under subsection (1)(a) includes, but is not limited to, requests about reviews written by a third party about workers.”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - -

My Lords, Amendment 170J, which stands in my name and that of my noble friend Lord Stevenson of Balmacara, seeks to address an issue that I am not convinced is sufficiently covered in the Bill as it stands.

Freelance workers or self-employed people—whatever you want to call them—offering a range of services and seeking work through various platforms, have sprung up in recent years. In many cases, their customers are able to rate them and the work they have done. However, these individuals often find that they cannot take that rating information with them if they move on to another platform. The reviews are written by third parties, who rate the quality of the work, and understandably it is very valuable to the trades- persons if they can carry those reviews forward with them.

This is a very strange situation. Various companies often maintain that they do not have employees and that they are merely acting as a platform, a noticeboard or a portal where people can find tradespersons. However, those tradespersons then find that it is not very easy to take information about them with them when they move on. This is intended as an enabling amendment to put on the face of the Bill that data subjects have the right to take with them the information written about them by third parties when they move on to another platform.

At this stage, this is obviously a probing amendment but I am keen to hear what the noble Lord has to say about this issue. It is important for the people concerned—if you have done a good job, you want to take recognition of that with you. I look forward to the noble Lord’s response.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.

This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.

The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.

It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.

I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.

Amendment 170J withdrawn.
--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.

Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.

All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.

The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?

The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.

I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - - - Excerpts

My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Report: 1st sitting: House of Lords
Monday 11th December 2017

(6 years, 3 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - - - Excerpts

My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.

Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.

Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - -

My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.

There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.

I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.

I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.

The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Report stage (Hansard - continued): House of Lords
Monday 11th December 2017

(6 years, 3 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - - - Excerpts

My Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.

I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.

The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.

The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.

I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.

I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:

“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.


That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:

“We regard this is an insufficient and unconvincing explanation for such an important power”.


I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - -

My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.

I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.

In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.

As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.

On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.

--- Later in debate ---
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - - - Excerpts

My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:

“Insurance and data concerning health of relatives of insured person”,


and:

“Third party data processing insurance policies and insurance on the life of another”,


with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.

The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.

As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.

--- Later in debate ---
Moved by
27: Schedule 1, page 121, line 27, at end insert “and any additional activities determined to be appropriate by the Electoral Commission”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.

I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.

Baroness Hamwee Portrait Baroness Hamwee
- Hansard - - - Excerpts

My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.

I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.

We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.

Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.

Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.

As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.

I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.

I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.

Amendment 27 withdrawn.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Report: 2nd sitting (Hansard): House of Lords
Wednesday 13th December 2017

(6 years, 3 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.

I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.

The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - - - Excerpts

Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.

Baroness Williams of Trafford Portrait Baroness Williams of Trafford
- Hansard - - - Excerpts

My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.

Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.

The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,

“important objectives of general public interest”.

The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.

The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.

Data Protection Bill [HL]

Lord Kennedy of Southwark Excerpts
Report: 2nd sitting (Hansard - continued): House of Lords
Wednesday 13th December 2017

(6 years, 3 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Moved by
78A: After Clause 18, insert the following new Clause—
“Duty to notify of data protection breaches due to ransomware attacks
(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.(2) In this section,“ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and“police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.

Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.

I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.

We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.

The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - -

It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.

Amendment 78A withdrawn