Data Protection Bill [HL] Debate
Full Debate: Read Full DebateViscount Hailsham
Main Page: Viscount Hailsham (Conservative - Life peer)Department Debates - View all Viscount Hailsham's debates with the Department for Digital, Culture, Media & Sport
(6 years, 10 months ago)
Lords ChamberMy Lords, the Government introduced quite late in the proceedings in Committee a group of amendments that set up a parallel system under which data processing undertaken by government departments could be considered to be governed. Our Amendment 176 attempts to ask some questions, and in that sense it is a probing amendment. It probably does not work as it stands, on reflection, but it raises important points. Because the Government introduced the amendments so late in the day, I feel justified in asking for a response to some of our questions around them. The scrutiny that we could have given to the amendments did not take place, and I am grateful to the noble Lord, Lord Clement-Jones, for adding his name to the amendment and look forward to his comments later.
The main purpose of the amendment is to get on record from the Secretary of State a set of answers to questions. To be clear, we are talking about the framework for data processing by government to which the original amendments apply, and to which our amendment refers, covering all data held by any public body, including the NHS. It is both outside the ICO’s jurisdiction and under the direct control of Ministers. The courts are bound by the framework, as are tribunals, and a special case exists only for international law. I am not quite sure how that works, so maybe we can get some answers on that. There may well be updates, but if there are changes, they will be applied retrospectively. It is quite a significant package in terms of powers. I understand that there may be nothing wrong with that if everything else is working. In a sense, if one wants efficient government and effectiveness, one is asking for such things to be in place. I am not criticising that.
There are questions. First, on the name, why is it a framework and not a code of practice? Codes of practice are defined in the Bill and have considerable consequences as a result. There is a standard for developing them and a process under which they take place. There are regulatory arrangements and the involvement of Parliament, but that does not apply to the framework. In other words, the Government’s own data does not go through the processes that apply to other data.
Why do the Government’s proposals exempt public sector processing from normal data protection law? Surely if the concern is about making sure that a subject’s data is always looked after properly, and data controllers, whoever they are, are doing it in accordance with the procedures set out at length by the Bill, in the GDPR and in the derived legislation that will take place—if we leave—under Brexit, all we are getting is a way of keeping people out of any consideration regarding the data that is held by government. Citizens’ data should really belong to citizens and we should not have a situation where it is looked after by Ministers on behalf of Ministers and there is no external view.
One could make a strong case—I am not necessarily doing that, but others have—that the Secretary of State has the power to create their own framework for the data protection of their own data and their own department. They can ignore completely what the Information Commissioner may say about that framework—she has no locus in that. The framework can be brought to Parliament but it is a negative procedure, not an affirmative one, so it is very difficult to scrutinise. We can vote against it; we can certainly discuss it if we see it in time, but it will not be at the same level of scrutiny as perhaps applies to other matters. Barriers can be raised, and the ICO’s enforcement mechanisms can be fettered, extended or changed.
I am sure that the Minister will have good answers to that and I am in no sense trying to attack the basic principle. I just wonder whether there is not a case here for Caesar’s wife—excuse the old-fashioned language, but it is a quotation, not a reference. Caesar’s wife was always required to be above suspicion, above any other public person in Rome of the day. I say that with detailed knowledge having just been to the RSC’s performances of the Cicero plays, as I think I already mentioned. Sorry if I am boring people.
Nevertheless, it raises in one’s mind the issues of standards and propriety in public life in a forceful way. Blood was more common then than it might be today, but the issue is right. If you are in a public position and a public responsibility is placed on you, you must not only be above reproach, you must be seen to be above reproach. I am not sure that the government amendments satisfy that. I beg to move.
My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.
Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.
My Lords, I hear what the noble Viscount said about the amendment, but the problem is that even the affirmative resolution procedure is not necessarily a good way to test the framework. The noble Lord, Lord Stevenson, was unusually kind about the Government’s framework. As he said, the Secretary of State can produce a framework that applies data protection to his own department; ignore what the Information Commissioner says about the framework; lay his own framework for Parliament through the negative procedure—I take the noble Viscount’s point about the affirmative procedure—which means it is very unlikely to get much scrutiny; and raise barriers against the ICO’s enforcement mechanism. He can then, as part and parcel of the framework, extend or introduce frameworks to include any other public sector body. Frankly, the Secretary of State can pretty much do what he or she wants. We should not be saying that the framework is essentially like a statutory code of practice; it is a very different animal.
This is our first debate on the architecture that the Government have imposed. In Committee the Minister produced a whole raft of amendments introducing the framework and we did not have a chance to scrutinise it properly. The Information Commissioner is not very happy with this architecture either. That is utterly clear. It is not just opposition parties or organisations such as medConfidential that are unhappy. The ICO has stated:
“The Commissioner understands the needs for government departments and public bodies to be clear about the legal basis for undertaking the functions and this is particularly true when processing personal data. However the provisions as drafted appear to go beyond this limited ambition and create different risks that must also be considered. She has made clear her concerns to government and these are set out below”.
I should very much like to hear what sort of dialogue the Government have had with the ICO because, frankly, at the moment they seem to be overriding any powers or involvement that she has in this framework. I am afraid that I am raising the temperature slightly at this time of night, but the framework for government data protection is not in fact data protection at all.