Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Home Office
(6 years, 11 months ago)
Lords ChamberMy Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.
Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.
I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?
Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.
On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.
With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.
My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.
The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.
Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.
If Amendment 108F is agreed to, I cannot call Amendment 109 due to pre-emption.
My Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
I thank the Minister for that response. I am sure that the narrow point about the regulations can be dealt with by correspondence, so I will not press it today. I beg leave to withdraw the amendment.