I thank the noble Lords, Lord Clement-Jones and Lord Stevenson, for their comments.
The noble Lord, Lord Clement-Jones, asked whether we will publish the results of the consultation. In response to interest from Peers and in the interests of transparency, they will be published shortly. Both noble Lords talked about the top tier. Indeed, as the noble Lord, Lord Stevenson, said, these regulations and the GDPR come into force on 25 May, so we are a bit short of time. The top tier has been raised significantly, and the amount has been set out to ensure appropriate funding for the ICO without leading to excessive surplus. However, I hear what the noble Lord, Lord Stevenson, said about large companies. It is important to remember that DCMS will review the income generated annually to ensure that it remains appropriate, so it can be checked.
The noble Lord, Lord Stevenson, also talked about large public authorities. It is important to remember that they hold a huge amount of sensitive data about members of the public; therefore they are subject to high levels of information risk. So we consider it appropriate that the regulation of these organisations is effectively subsidised; that means that they are paying a large sum, but the small and medium-sized businesses are not. It is important that they should not be unfairly charged. The new funding model is aimed at ensuring that the new charges are fair and reflect the risk of the organisations. The small and medium-sized businesses will not be paying any more than they have been, in real terms. It is the larger organisations that will be paying the most.
I may not have made the case clearly enough. We have not seen the figures but the last time we asked about this we were told that the proportion of very small registrants—micro-companies and individuals—is really small. As we learned when the Bill was in Committee, an awful lot of people and loads of small companies and organisations—including parish councils, of which much was made—will have to appoint data controllers to make sure that their systems are up and adequate. That is right, but the shock of having to pay on a regular basis will be substantial. I want to make it clear that going from 10% to 100% of people involved in this will be a major change in people’s thinking.
They have been paying up until now, but a very small amount.
Those that registered did pay, but very small numbers do. That is the point. I bet that no parish council has ever registered: every one will have to register. That is a big change.
I take the noble Lord’s point. However, more often than not they will be able to use somebody who is already on the parish council to do the work. They will not have to pay somebody extra to do it. We feel that this is the fairest way of doing it. Those with the least money are paying the least and those with the most money are paying the most. I think I have answered all the questions.
It is not so much whether they should be paying—we probably accept that they should, though how much is in question—it is the fact that they were not consulted. The consultation exercise did not reach that far and the Minister was going to try to give some information about why that could have been.
In 2015, the ICO used the BDRC, an independent market research company, to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the register of the Information Commissioner’s Office, including all top fee-payers and a random sample of lower ones. In 2017, data controllers who responded to this initial research formed the basis of the targeted consultation on the new charges last year. This comprised a representative sample of data controllers, including public authorities, small businesses and other large organisations.
I thank noble Lords for their contributions on this important matter. I believe that the funding regime proposed today represents the best way of ensuring that the ICO is appropriately resourced for its increased role, while still keeping regulatory costs and burdens low for small businesses. I assure the Committee that, while the exemptions from paying charges have not significantly changed at present, they will be comprehensively reviewed with a view to updating them later this year. I beg to move.
My Lords, I was not intending to speak on these regulations but I caught something my friend the noble Lord, Lord Clement-Jones, said and I thought I would respond to it. It was also mentioned by my noble friend Lord Griffiths in his response.
When we look at lottery matters, we should have regard to the fact that we are looking at a system under which the intention is to increase the amount of money paid out to good causes. We have adopted a model to do that which is not necessarily found in other parts of the world that have lotteries. I do not wish in any sense to emulate the length of time for which the noble Lord, Lord Clement-Jones, has presided over this brief in his party but when I came to debate it, a long time after he started, I wondered whether we should think harder about the percentages going out of the National Lottery system into the good causes. That was presumably not unrelated to the fact that money had to be found for the Olympics, so there was a lot of tension and a focus in that.
However, things have moved on and I felt that some of the figures being cited by the noble Lord, Lord Clement-Jones, were not exactly in line with the current state of knowledge on this. For instance, I understand that there is now a report from the National Audit Office indicating clearly that the money going to the Postcode Lottery does not deflect from people’s interest in the National Lottery and that the representations made on behalf of the Postcode Lottery—that it should be allowed to expand its prize money, which is the point he made—have been the subject of lengthy discussion and consideration in the department. I think there are still consultations going on.
The Minister may know that I have tabled a Question for Written Answer on this matter, to which I am sure she will want to speedily return to amplify what she says in response to this debate. If she wants to wait until then, I will be quite happy, but my point is that there is an ongoing debate to be had about the proportion of money that the public wish to see going to national causes, which means that our model needs to be robust and sustainable.
First, is it time to reflect on that? Secondly, is there room now for this in a society that has changed out of all recognition since the National Lottery was formed, and which has an interest in local events? Research exists now to show that the Postcode Lotteries which are done postcode by postcode in the full system, and which operate right across Europe successfully, may offer another approach to giving for good causes in that the committees set up under the Postcode Lottery seem to be locally focused. The giving is therefore not so much for the benefit of winning a big prize, because the prizes are more modest, but because there is more satisfaction in the direct channelling of money towards local causes. It may be appropriate for the Government to look at whether it is time to think again about these things so that we can get more sense, and, we hope, more money, into the system.
I thank all noble Lords who have taken part. As the noble Lord, Lord Griffiths, said, it might be a steep learning curve for him but it is an even steeper learning curve for me. It is marvellous to have so many experts here today. I am very much the old new girl on the block where this is concerned, so it is interesting to hear everything that the Committee has said.
The noble Lord, Lord Faulkner, talked about the deal with companies such as Lottoland. We feel that one problem is that this is a growing market, which is why it is so important to bring this SI in. As several noble Lords have mentioned, there is no doubt that it takes away from people taking part in the National Lottery, which then takes away from good causes and so on.
The noble Lord, Lord Clement-Jones, talked about society lotteries, as did the noble Lord, Lord Stevenson. Evidence shows that, to date, there has been no substitution between society lotteries and the National Lottery due to the very different prospects they offer the players who take part. We have been looking at the Digital, Culture, Media and Sport Select Committee’s recommendations on society lotteries and we will look closely at how we feel they are working, including on the top prize. We hope to provide a further update on that in due course.
The noble Lord, Lord Griffiths, talked about customer confusion. Again, we hope that this SI will sort this out. The ban certainly aims to reduce customer confusion by protecting those who wish to buy a EuroMillions lottery ticket online from ending up on a betting site.
It is always important to keep education in mind and find ways to improve it, making sure that people are betting on what they want to bet on and not on something else. It is not our intention to prevent operators offering bets on lotteries that do not form part of the National Lottery to consumers who genuinely wish to place legitimate bets on such a lottery. Betting on the National Lottery is already illegal and the point of this ban is to bring betting on all EuroMillions products in line with the rest of the National Lottery portfolio.
I think that has answered all the questions. I have a note that was handed to me; is it something I forgot? The National Lottery is a uniquely important part of British society. Each year, it raises around £1.6 billion for good causes and has raised a total of £37 billion—a pretty impressive sum—since it started in 1994, supporting important charity, heritage, arts and sports projects. From the charities I am involved in, I have found the National Lottery a great help on many occasions.
In bringing forward these regulations imposing a new licence condition, we are doing no more than extending the existing protection against betting on the National Lottery and taking action to remove consumer confusion in relation to bets on EuroMillions games. I commend the regulations to the House.
(7 years ago)
Lords ChamberMy Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
I thank all noble Lords who have spoken in this short debate, particularly the noble Earl, Lord Erroll, for the idea about agency, which is an important construct that we will need to keep an eye on. He is quite right about that. I thank the noble Baroness, Lady Kidron, for reminding me, correctly, that I had got a lot of information from the IEEE, whose work on this I have praised before. I reiterate that: it has done a great job in trying to think through some of the bigger issues involved in this area. I also take this opportunity to acknowledge the debt I owe an organisation called HATDeX, which has been working in this area and from which I got the original idea of a private personal data account.
I agree with the noble Lord, Lord Clement-Jones, that this is something that will come back to haunt us. Obviously, as long as the Minister is there with her beaming smile, we will be able to resist all blandishments to come at it, but I think it will come and bite us. It was not an arbitrary thought of mine that it might be something that the ICO would want to look at it. I know from talking to the ICO that it is interested in this as well. I think the Minister is saying that the proposal, as it is, stands outside the Bill framework, but that is because the Bill focuses on a particular area, and perhaps that is a pity. But if it is not the ICO, who is it? I hope it will be the data ethics commissioner that we hope to establish in the future. I beg leave to withdraw the amendment.
(7 years ago)
Lords ChamberBefore the Minister sits down, I put it to her that, in the considerations that will take place between now and the return in January, one thing that changes between 1998 and today in terms of the Act is something we have not looked at specifically, although it comes up in the Bill. It is the need to ring-fence the Information Commissioner from any involvement with Parliament or the Government. She is answerable to Parliament, but she should not be in that sense exposed to considerations that might adversely affect her. I hope that might be taken into account as well.
I agree with the noble Lord, and we will take that into account.
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
My Lords, Amendments 28 and 29 create a new processing condition for Members of this House. The Government’s view is that the provisions in paragraphs 19 and 21 of Schedule 1 are intended to reflect the unique and special nature of the relationship between an elected representative and their constituent.
Like the noble Baroness, Lady Hamwee, and the noble and learned Lord, Lord Brown, I am very aware of the important and valuable work that many noble Lords carry out on behalf of members of the public, advocating for their rights, taking up their cases with government departments and representing their interests in any number of scenarios. However, this relationship between a Peer and a member of the public is of a different nature and order from that conferred on an elected representative by their constituents. Elected representatives have particular rights and duties to act on behalf of the citizens they represent. The Government therefore consider it appropriate for them to be able to deal with urgent situations where they could not reasonably be expected to obtain consent; for example, in the case of an individual facing imminent deportation. There is no such need for Peers to be exempted from the provisions on consent. I stress again that nothing in the Bill or the GDPR prevents Peers undertaking casework if they first obtain the consent of the individual concerned.
I emphasise that these provisions are not new. The position under the 1998 Act is very similar and, in answer to the point made by the noble Lord, Lord Stevenson, it has not prevented Peers who are interested in undertaking casework doing so. Indeed, I have not found difficulty in this respect; I have just obtained consent first.
I hope I have reassured the noble and learned Lord that the Government understand the concerns raised, and that in this instance he will withdraw his amendment.
(7 years, 1 month ago)
Lords ChamberMy Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberMy Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
I thank the Minister for that response. I am sure that the narrow point about the regulations can be dealt with by correspondence, so I will not press it today. I beg leave to withdraw the amendment.
(7 years, 1 month ago)
Lords ChamberMy Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
(7 years, 1 month ago)
Lords ChamberMy Lords, Clause 12 deals primarily with credit reference agencies. It is not an area that I think we want to go through in complete detail, but in comparing the current version of the Bill with the provisions in the Data Protection Act 1998, in particular Section 39(2), we wondered whether the updating of that provision was entirely correct and thought it would be helpful to give the Minister a chance to respond to that point.
The question that underlies the suggestion that the clause should not stand part is whether Clause 12 constitutes a restriction on a data subject’s access rights. It can be read as a presumption that a data subject in this area is asking only about their financial standing, and not for other data that the credit reference agency might have. The provision therefore might be said to run contrary to the underpinning rationale behind the GDPR that data controllers should be transparent and that data subjects should not be put in the position of having to guess what data is held about them in order to ask for it.
I am sorry to have to refer again to a recital, but recital 63, which the Minister might be aware of, specifies that among other purposes, the right of access is to allow a data subject to be aware of the data held about them so as to be able to,
“verify … the lawfulness of the processing”
that is taking place. This is different from the wording in Clause 12, in that the trigger appears to be based on the quantity of data rather than the type of controller. There is also no presumption about the nature of the data that the data subject wants. I think I have said enough to suggest that there is possibly an issue behind this and I would be grateful if the Minister could respond to that point.
My Lords, as your Lordships know, before giving somebody credit, lenders such as banks, loan companies and shops want to be confident that the person can repay the money they lend. To help them do this, they may look at the information held by credit reference agencies.
Credit reference agencies give lenders a range of information about potential borrowers, which lenders use to make decisions about whether or not to offer a person credit. It is safe to say that the three main credit reference agencies in the UK—Equifax, Experian and Callcredit—are likely to hold certain information about most adults in the country. Most of the information held by the credit reference agencies relates to how a person has maintained their credit and their service and utility accounts. It also includes details of people’s previous addresses and information from public sources such as the electoral roll, public records including county court judgments, and bankruptcy and insolvency data.
The information held by the credit reference agencies is also used to verify the identity, age and residency of individuals, to identify and track fraud, to combat money laundering and to help recover payment of debts. Government bodies may also access this credit data to check that individuals are entitled to certain benefits and to recover unpaid taxes and similar debts. Credit reference agencies are licensed by the Financial Conduct Authority.
As noble Lords may be aware, anyone can write to a credit reference agency to request a copy of their credit reference file. Given the sheer volume of requests that such agencies receive, Section 9 of the Data Protection Act 1998 provides that a subject access request made under Section 7 of the Act will be taken to mean a request for information about the person’s financial standing, unless the person makes it clear that he or she is seeking different information. Very importantly, when responding to such a request, Section 9(3) of the 1998 Act requires the credit reference agencies to provide the person with details about how he or she can go about correcting any wrong information held by the agencies. The process for doing so is set out in Section 159 of the Consumer Credit Act 1974, and the 1998 Act makes reference to it. If personal information held about someone is incorrect or out of date, noble Lords will appreciate that it could lead to that person being unfairly refused credit.
Clause 12 of the Bill simply replicates the provisions in Section 9 of the DPA in relation to handling of subject access requests made under article 15 of the GDPR. If it were omitted without anything being put in its place, this could create uncertainty for consumer reference agencies about how they should respond to a subject access request. It would create uncertainty for data subjects, who would no longer be supplied with guidance on how to update details in their file that were wrong or misleading. As far as we are aware, these provisions have worked well over the last 20 years and we can see no reason why they should be omitted from the Bill.
On that basis, I respectfully invite the noble Lord to accept that Clause 12 should stand part of the Bill.
I am grateful to the Minister for her response. I think we agree that any impact on one’s credit standing is a major issue and that it is really important that we get this right. Although she did not specifically say so, I take it that all the big companies involved in this field were consulted before this measure was put forward. One notices, but does not make any comment, that Equifax is one of the companies concerned—and look what happened to it.
The message coming through is that the DPA 1998 provisions are being reproduced here: there is no intention to change them and people should not be concerned about this. On that basis, I will not object to Clause 12 standing part of the Bill.
(7 years, 2 months ago)
Lords ChamberMy Lords, I welcome this opportunity to set out the Government’s position on various delegated powers contained in the Bill, which have been the subject of recommendations by the Delegated Powers and Regulatory Reform Committee. The Government are very grateful to the committee for its usual thoroughness in examining the delegated powers in the Bill, but I should begin my remarks by saying that the committee’s report, which ran to some 20 pages, was published only on 24 October, so we are still considering its conclusions and recommendations. The range of views expressed in tonight’s debate will be further input into that process.
The current Data Protection Act has stood firm for almost 20 years. This one will be in danger of lasting barely two if we start striking out the delegated powers contained within it. As the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, said, such is the pace of change in this area that we need to keep up with what is going on. Furthermore, new forms of data processing not yet dreamed of will have been designed, developed and deployed even before the Bill reaches Royal Assent. It is essential that the law can keep up.
It is also worth reminding ourselves that the Government have taken the opportunity to include directly in the relevant schedules numerous provisions which had previously been included only in secondary legislation. The noble Lord, Lord Stevenson, has been extremely busy, and has taken the opportunity to table more than a dozen amendments to Schedule 1 alone. We will of course turn to those shortly.
That said, the Government recognise that there is tension between the need to provide for appropriate future-proofing of legislation, such as provided for in Clauses 9, 15, 33, 84 and 111, and the need to ensure proper parliamentary scrutiny of the resultant delegated powers. It follows that we are open to constructive suggestions as to how provisions in the Bill can be improved and, obviously, that includes its regulation-making powers.
I have listened with care and interest to the case put forward by my noble friend Lord Arbuthnot, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for the application of the super-affirmative procedure. I am also grateful to the noble Lord, Lord Whitty, for reminding us that data subjects, not just data controllers, have an interest in the proper application of these powers.
I am sure that noble Lords will agree that the amendments before us should be considered in the context of the broader recommendations of the Delegated Powers and Regulatory Reform Committee report. As I said earlier, the process of considering these issues is still ongoing, but I am more than confident that it will conclude in time for the Bill’s next stage.
Before I conclude, I think that the noble Lord, Lord Stevenson, asked what was meant by “legislative measure”. Clause 15(1)(b) uses the term “legislative measure” to reflect the wording used in Article 23 of the GDPR. Recital 41 makes clear that a legislative measure would include an Act or statutory instrument. I hope that that answers the question.
I therefore humbly invite the noble Lord to withdraw his amendment on the understanding that we will return to this important issue on Report.
I thank all noble Lords for their contributions; we have had a very good go at this, which has raised all the big issues. The Minister made a positive response, with a sideswipe at me for being too active on the amendment front; but that is what we do, and we expect Ministers to be able to deal with them without too much worry. We are enjoying this debate and will have lots of things to come back to on Report because of the interesting points being made.
However, on this issue, we are slightly narrower. The Government have got themselves into a bit of a hole here. I appreciate the wider context, and the point has been very well made. It seems to me that there are three options. They can tough it out and just say to the DPRRC that it has stepped too far from where they want to be and this is the only way forward. They can follow the DPRRC and find amendments that they can bring back on Report—I think the Minister was talking about Report; later than that would be too late. We are talking here about narrower powers to define down the areas within which discretion is operated. To follow the point made by the noble Baroness, Lady Neville-Jones, and the noble Lord, Lord Arbuthnot—I think this is my noble friend Lord Whitty’s concern and is shared widely around the House—the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation, or legislative measures, as we now call them.
The helpful suggestion, backed up by the noble Lord, Lord Clement-Jones—that we should have a super-affirmative measure when matters are almost of the status of requiring there to be primary legislation, but for which flexibility requires a lesser measure—seems to be the way forward. A very little research shows that “super-affirmative” has many meanings. That chosen by the noble Lord and the noble Baroness, Lady Neville-Jones, is one of about seven or eight. The Public Bill Office has published a table which noble Lords can pore over at leisure and find themselves completely confused at the end about the best route forward. I am sure the clerks will guide us as we go forward down that route. However, the best seems to be the one that provides for amendments to be made to the measure that is being considered before the vote. That is the sensibility which is being assembled around the Committee, and I hope that the Government will take it away and do it.
The noble Lord, Lord McNally, is right: there is a possibility here of a constitutional car crash. It is not restricted to this Bill, and no noble Lords who have spoken in this debate would want it to be taken, sui generis, to this Bill. It has to be taken more widely, because it is a much bigger issue. On the other hand, this provides an opportunity to go forward. In the meantime, I beg leave to withdraw the amendment.
(7 years, 2 months ago)
Lords ChamberMy Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
My Lords, I support the amendment in the names of the noble Lords, Lord Clement-Jones and Lord McNally. I will speak also to Amendments 3 and 9 in this group. This is a wide-ranging, rather stretching group covering a lot of detail, and I am sure the noble Baroness the Minister, who is making her first appearance on this Bill, will be able to cope with it with ease and will not have to resort to having meetings outside or anything; it will be a straight answer. I mean no disrespect to the noble Lord the Minister who spoke earlier.
Amendment 3 is a probing amendment. I make that absolutely clear, like the noble Lord, Lord Clement-Jones, did. It is about the rather disputed issue, as I understand it, of the status that many of the big tech companies that operate in the United Kingdom have in relation to the Act. Are they, as I think I have heard in other meetings, data controllers in the sense that the Bill sets out to achieve; in other words, are they responsible for all the elements that will be raised in the Bill and in the GDPR in relation to that issue? I am looking for a clear and straightforward answer on that, because it seems to me that there has been too much evasion and difficulty in pinning down some of the definitional points that this issue raises.
Having established that they are data controllers and that the material and data that they go through are subject to the Bill in its entirety—and, by implication, the GDPR—in which territory will this power exist? Obviously, that has relevance both pre and post Brexit. For instance, I asked the representatives of a large company who came in to brief us about their concerns about the Bill the very same question and received the answer that they regarded themselves as being European data controllers, which was a strange combination of thinking, and that they had selected, because it seemed appropriate at the time—again, I would be interested in having more information on that if it is available—that the Irish Information Commissioner would be responsible for any activities that were regulated under the Act and they would look to that body. Irrespective of whether or not that is true, and I suspect it is, that leads to a question about the role the Information Commissioner in the United Kingdom has in relation to companies which choose a European domicile and have a responsible information commissioner who is not in this country and therefore not subject to any regulatory or statutory provisions provided by this Parliament. There is no particular reason why this should be wrong. I am not in any sense making accusations that would arise from that, but it is important that we have on the record a very clear narrative on this point because it will raise a lot of questions if we do not.
Amendment 9 has already been referred to in the debate on Amendment 1, in relation to where the recitals that accompany the GDPR are going to end up. Reflecting on what was said by the Minister in that debate, I found that very helpful in answering the questions that Amendment 4A raised. Therefore, it poses another question about why the Government decided—well, they have no choice—to have an arrangement under which the GDPR comes into play, as required, on 25 May 2018. However, at that point the recitals will not be brought into effect. I understand that the recitals do not have statutory power in the GDPR, but it is quite clear, from reading around on this subject and hearing of cases already raised in relation to data processing, that they are helpful to those who have side issues arising from the GDPR. The recitals help them to understand what the legislation actually means and, without them, there may well be a problem, at the least, in getting a consistency of approach across the EU. It is therefore important that we should know where the recitals are going to end up. If they are not being brought in, to what extent can they be relied on and, if so, by whom?
My Lords, I am grateful to the noble Lords, Lord Clement-Jones and Lord McNally, for the opportunity to explain the meaning of data processing. As the noble Lord, Lord Clement-Jones, has explained, Amendment 2 would import words in relation to this term from Section 1(2) of the Data Protection Act. It might be helpful if I explain that the definition in Clause 2(4) of the Bill is taken directly from article 4(2) of the GDPR. Importantly—the noble Lord, Lord Clement-Jones, was right to mention this—the extent to which we can redefine or reinterpret it is therefore limited.
Having said that, the current definition of data processing already refers to,
“any operation or set of operations which is performed on personal data, or on sets of personal data”.
That is a very broad term. If somebody obtained, recorded, used or disclosed all or any part of the data relating to individuals, I have no doubt and am confident that it would be covered by the existing definition.
I go on to the amendments in the name of the noble Lord, Lord Stevenson, who I thank for his kind words about us being together at the Dispatch Box. I greatly look forward to it, too. As he explained, Amendment 3 aims to clarify that the processing of data includes processing undertaken by information society services, such as commercial websites. Article 4 of the GDPR and Clause 2 make it quite clear that the term processing applies to any automated and certain non-automated processing. There is no doubt that this would include information society services.
I am sorry to interrupt so aggressively and early in the Minister’s response, but a word was used that I did not understand and I therefore need to come back. In films, we often find that if you talk to an American film executive about whether a film is successful, compared with what happens if you talk to a British executive in a similar situation, they will use “quite” in completely different senses. Britain uses “quite” to mean, “That’s okay”. But if Americans say, “That film was quite successful”, it means, “Blimey—you really have hit the box office”. In which sense was the Minister using it?
I am using it in the English sense. The noble Lord interrupted me, but I wanted to go on to say that, because of this, we can see no reason to distinguish information society services from any other type of data controller or processor.
Additionally, the definition of controller in the GDPR requires a case-by-case analysis to determine who the controller is, but it is likely that social media companies are controllers. Although the person posting personal data online is a controller, social media companies control personal data: in the context of activities which involve collecting such data; in retrieving, recording and organising it for indexing purposes; in storing it on their services; and in disclosing and making it available to users in the form of lists of search results. The Information Commissioner has also published guidance on this matter suggesting that, if a social media site’s operator has a moderating role over the site’s contents, then it is likely to be a controller.
In respect of Amendment 9, the recitals to the GDPR do not have normative effect—they are more akin to Explanatory Notes—and there is no requirement for the UK to enshrine them in legislation. In some places in the Bill we have adopted some language in the recitals to aid with clarity. For example, in Clause 8 we borrow from the recitals to make it clear that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child. We will return to this later in Amendment 17 in another group. It is important to say that recitals do not contain substantive law, nor can they override the express language of a regulation. I hope my clarification on this issue is sufficient, and I urge the noble Lord to withdraw his amendment.