Data Protection Bill [HL] Debate
Baroness Chisholm of Owlpen (Non-affiliated - Life peer)
Department for Digital, Culture, Media & Sport
(7 years, 2 months ago)
Lords Chamber
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point which has not been lost on noble Lords; nor has it been lost on organisations, business groups and others. We are grateful for all the feedback we have received through responses to the Government’s call for views and on our statement of intent, and, most recently, on the drafting of the Bill itself. Hence this large group of technical amendments seek to polish various provisions of the Bill in response to that feedback. If I may, I will save noble Lords from the tedium of going through each amendment in turn—we would be here all night—and instead focus on the small number of substantive amendments in the group.
I begin with Amendment 51, which ensures that automatic renewal insurance products purchased before 25 May 2018 can continue to function. Automatic renewal products work on the principle that, if the insured person does not respond to the renewal notice, their insurance continues uninterrupted. Without the amendment this would not be possible for products such as motor insurance, which require processing of special categories of personal data and criminal convictions and offences data, potentially leaving individuals unwittingly uninsured.
Amendment 55 responds to a request from the Welsh Government to extend an exemption on passing information about a prisoner to an elected representative to Members of the Welsh Assembly. I am very happy to give effect to that request.
Amendment 56 ensures that existing court reporting—so important for ensuring open justice—can continue. Judgments may include personal data, so this amendment will allow the courts to continue with current reporting practices.
Paragraph 9 of Schedule 2 provides a limited exemption in respect of certain regulatory activities which could otherwise be obstructed by a sufficiently determined individual. Amendment 86 adds five additional regulatory activities to that list to allow relevant existing data processing activities to continue.
Amendment 87 extends the common-sense protection provided by paragraph 22 of Schedule 2 for confidential employment references, so that it also expressly covers confidential references given for voluntary work.
Amendments 90 and 186 ensure a consistent definition of “publish” and “publication” throughout the Bill.
I conclude my brief tour—it did not seem very brief to me—of these amendments with reference to the amendments to Schedule 6. As noble Lords will recall, in creating the applied GDPR Schedule 6 anglicises its language, so as to ensure that it makes sense in a UK context. This is a mechanical process involving, for example, replacing the term “member state” with “United Kingdom”. Amendments 112 to 114, 116 to 118 and 120 to 124 refine that process further.
The remaining amendments that I have failed to mention will dot the “i”s and cross the “t”s, as detailed in the letter from my noble friends Lord Ashton and Lady Williams when the amendments were tabled on 20 October. For these reasons, I beg to move Amendment 8 and ask the House to support the other government amendments in this group.
My Lords, I will be brief on this group but I have two points to make. One is a question in respect of Amendment 51, where I congratulate the insurance industry on its lobbying. Within proposed new paragraph 15A(1)(b) it says,
“if … the controller has taken reasonable steps to obtain the data subject’s consent”.
Can the Minister clarify, or give some sense of, what “reasonable” means in this context? It would help us to understand whether that means an email, which might go into spam and not be read. Would there be a letter or a phone call to try to obtain consent? What could we as citizens reasonably expect insurance companies to do to get our consent?
Assuming that we do not have a stand part debate on Clause 4, how are the Government getting on with thinking about simplifying the language of the Bill? The noble Baroness, Lady Lane-Fox, is temporarily not in her place, but she made some good points at Second Reading about simplification. Clause 4 is quite confusing to read. It is possible to understand it once you have read it a few times, but subsection (2) says, for example, that,
“the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR”.
That sort of sentence is quite difficult for most people to understand, and I will be interested to hear of the Government’s progress.
My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
Yes, it is the FCA. That would be the case.
The noble Lord, Lord Stevenson, talked about Amendment 8, the health amendment. It is to ensure that there is clarity for health professionals in Clause 183. The GDPR refers to health data being processed under the responsibility of a health professional whereas the Bill says,
“under the supervision of a health professional”,
to clarify that no intentional difference in the meaning is being conveyed. These amendments ensure that consistent language is used and so make it more understandable. I hope that has answered all noble Lords’ questions. Please come back to me if it has not.
My Lords, I have no interests whatever to declare in this debate.
Amendment 10, moved by my noble friend Lady Royall of Blaisdon and signed up to by the noble Lords, Lord Pannick and Lord Macdonald of River Glaven, raises the important issue of legitimate fundraising and alumni relations undertaken by schools, colleges and universities being at risk due to the changes being brought in by GDPR. My noble friend referred to various conditions and mentioned the lawfulness condition, specifically on the issue of consent.
As we have heard, GDPR sets a very high bar in requiring a positive opt in, and it is likely that existing consents will not reach the required standard. So educational institutions would have to take on the enormous task of rebuilding their databases from scratch to meet the condition, as my noble friend referred to.
The public interest condition does not really work, for various reasons. The legitimate-interest condition may provide a route for the justification of data processing for fundraising purposes but, as we have heard in this debate, there are issues here as well. To make that a realistic solution to this unintended consequence of the new regulations—I think we all agree that it is unintended—my noble friend is seeking to put in the Bill a subsection in Clause 6 that, for the purposes of GDPR, would make it clear that schools, colleges and universities are not public bodies.
I note that Clause 6(2) provides the Secretary of State with the power to designate those public bodies that are not regarded as public bodies for GDPR. I am not sure what the general attitude of the Minister is, although he seems to have indicated that he is broadly sympathetic, but if he is going to rely on subsection (2) then he is going to have to do a bit more. As I mentioned previously, when Governments tell us it will all be sorted out in regulations, that is often not the solution and things can take a very long time. I mention the Housing and Planning Act again.
This is not something that educational institutions can wait months or years for; it would cost them considerably in terms of their fundraising plans. I hope the Minister can deliver some positive news to my noble friend, who has raised an important issue. It is fair to say that if she pressed this or a similar amendment to a vote on Report, she would be likely to win the day because it is an issue that many noble Lords are very concerned about.
My Lords, I thank noble Lords for taking part in this debate. I always feel humbled when I realise how many chancellors, presidents and fellows of universities we have in this House. I think that is why our debates and discussions are always of such high quality, because that is what noble Lords bring to this House. I congratulate the noble Baroness, Lady Royall, on her appointment. I visited Somerville College a lot because my daughter went there; she had an extremely enjoyable time and loved her three years there.
Universities are classified as public authorities under the Freedom of Information Act, and the Bill extends that classification to data protection. We recognise that universities, as complex organisations with many varying functions and interests, also carry out other functions that may not count as “public tasks” under data protection law. The conundrum raised by the noble Baroness has also been raised with the Government by the universities. I thank them for their time and help in working with both the Government and the Information Commissioner to resolve the problem.
I fully appreciate that the intention of the amendment is to protect our schools, colleges and universities by allowing them to continue pursuing their interests outside of their public tasks. I reassure noble Lords that neither the Bill nor the GDPR puts that at risk. The Information Commissioner’s Office has confirmed that it will issue detailed guidance on this matter, including the processing of personal data for the purpose of maintaining alumni relations, in order to make this clear. Representatives of the higher education sector have also indicated to the Information Commissioner’s Office that they may wish to develop further sector-level guidance, and the Information Commissioner’s Office will assist with that.
However, we are very sympathetic to everything that noble Lords have said today. It is important that we should meet again, and I am happy to agree to a meeting between myself, my noble friend Lord Ashton and all interested Peers so that we can talk about this further, in order that when we come back on Report we will have something that perhaps everyone will wish to hear. I hope my clarification on this issue is sufficient for now, and that the noble Baroness will agree to withdraw her amendment.
The Minister mentioned guidance and said that these matters would be solved then. Can she give us an assurance that we will have the guidance before the Bill becomes law?
The guidance from the Information Commissioner’s Office is ongoing. I had better go and find out whether we will have it by the time this Bill becomes law, because I do not want to say something at the Dispatch Box that turns out to be wrong. I will have to get back to the noble Lord on that point.
My Lords, I am grateful to the Minister for her semi-positive answer. I have to say that if the guidance were available before the Bill became law, that would be quite extraordinary because it is not the norm, but it would be very welcome. I am grateful for her sympathy and understanding, and I realise that there has been a meeting between the university sector and the Information Commissioner’s Office, but personally I still feel the guidance is not enough. I am therefore grateful for the offer of a meeting to discuss this further. I thank everyone who has participated in this short debate. I particularly thank my noble friend Lady Kennedy of The Shaws for quite rightly pointing out that this is a matter of importance for schools, universities and colleges up and down the land, not just the “elite”, as it were—everyone is going to suffer.
With the reassurance from the Minister that we can have a meeting to discuss this further, I beg leave to withdraw the amendment.