Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)
Department Debates - View all Baroness Hamwee's debates with the Home Office
(7 years, 1 month ago)
Lords Chamber
My Lords, I, too, thank the Minister for his careful introduction of the Bill, and the organisations and individuals who have briefed us, including the individual who wrote, “It does your head in”. I was glad to hear the assurance that the Bill may—I hope I have this right—with repeated readings come close to comprehension.
At later stages, I hope to focus on Parts 3 and 4 of the Bill, but this evening I make some points about young people and the age of consent. I have to say—I may be out of step with other noble Lords—that I am not entirely convinced that the age of 16 would provide more effective protection than 13. I was struck by the recent launch of a report by the Children’s Commissioner for England. The report contains a jargon-busting guide,
“to give kids more power in digital world”.
The commissioner’s launch paper remarked:
“For children, there is no difference between online and offline life. To them, it’s just life … You wouldn’t drop a 12-year-old in the middle of a big city and expect them to fend for themselves. The same should be true online”.
The jargon-busting guide is intended to help children and teachers negotiate and understand what they are signing up to when they use Facebook, Instagram, YouTube, Snapchat, WhatsApp and so on. It uses simplified terms and conditions—it is acknowledged that it is not a legal document but is designed to be an accessible and child-friendly tool to help children understand their digital rights and make informed choices.
Noble Lords will have received a briefing from the Carnegie UK Trust on digital skills. Among other things, it reminds us that so many young people—I think actually that should be “so many people”—are unaware that “delete” does not actually mean “delete”.
I do not think that achieving the age of 14, 15 or 16 would address this. The route of information and education is much more important than a diktat in legislation. I suspect that we could be in danger of being unrealistic about what life is like for children and young people these days. We should not ignore public opinion but, quite honestly, times have changed. We will debate both the age threshold and age verification, which is clearly inseparable from this, during the course of the Bill.
Like other noble Lords, I am concerned about public trust and confidence in the system. At the moment there is a need for guidance on preparation for the new regime. I visited a charity last week and asked about the availability and accessibility of advice. The immediate, almost knee-jerk response was, “It’s pretty dire”—followed by comments that most of what is available is about fundraising and that there is a particular lack of advice on how to deal with data relating to children. The comment was made, too, that the legislation is tougher on charities than on the private sector. I have not pinned down whether that is the case, but I do not disbelieve it. The Federation of Small Businesses has made similar points about support for small businesses.
On confidence and trust, my view is that the use of algorithms undermines confidence. This is not an algorithm but perhaps an analogy: we have been made aware recently—“reminded” would be a better term—of the requirement on banks to check the immigration status of account holders. I took part recently in a panel discussion on immigration. The participants’ names were Gambaccini, Siddiq, Qureshi and Hamwee. With those names, although we are all British citizens, I should think that we are pretty suspect. Algorithms will be used by the policing and intelligence communities, among others. My specific question is: have the Government considered independent oversight of this?
My confidence in the system is also not helped by the fact that the data protection principles applied to law enforcement do not include transparency. I am prepared to be told that this is because of the detail of the GDPR, but I find it difficult to understand why there is not transparency subject to some qualifications, given that transparency is within the principles applying in the case of the intelligence services.
“User notification” is another way of talking about transparency and is a significant human rights issue in the context of the right not only to privacy but to effective remedy and a fair trial. I am sure that we will question some of the exemptions and seek more specificity during the course of the Bill.
We are of course accustomed to greater restrictions—or “protections”, depending on your point of view—where national security is concerned, but that does not mean that no information can be released, even if it is broad brush. I wonder whether there is a role for the Intelligence and Security Committee here—not that I would suggest that that would be a complete answer. Again, this is something we might want to explore.
Part of our job is to ensure that the Bill is as clear as possible. I was interested that the report of the committee of the noble Lord, Lord Jay, referred to “white space” and language. It quoted the Information Commissioner, who noted trigger terms such as “high-risk”, “large scale” and “systematic”. Her evidence was that until the new European Data Protection Board and the courts start interpreting the terms,
“it is not clear what the GDPR will look like in practice”.
I found that some of the language of the Bill raised questions in my mind. For instance—I am not asking for a response now; we can do this by way of an amendment later—the term “legitimate” is used in a couple of clauses. Is that wider than “legal”? What is the difference between “necessary” and “strictly necessary”? I do not think that I have ever come across “strictly necessary” in legislation. There are also judgment calls implicit in many of the provisions, including the “appropriate” level of security and processing that is “unwarranted”. By the by, I am intrigued by the airtime given to exams—and by the use of the term “exams”. Back in the day there would certainly have been an amendment to change it to “examinations”; I am not going to table that one.
Finally, I return to the committee report, which has not had as much attention as the Bill. That is a shame, but I am sure we will come back to it as source material. I noted the observation that, post Brexit, there is a risk that, in the Information Commissioner’s words, the UK could find itself,
“outside, pressing our faces on the glass … without influence”,
and yet having,
“adopted fulsomely the GDPR”.
That image could be applied more widely.
Do the Government accept the committee’s recommendation in paragraph 166 that they should start to address retaining UK influence by,
“seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board”?
My noble friend Lord McNally referred to running up the down escalator, and his alternatives to the Henry VIII clauses are well worth considering—I hope that that does not sound patronising.
This is one of those Bills that is like a forest in the points of principle that it raises. Some of us, I am afraid, will look closely at a lot of the twigs in that forest.
Data Protection Bill [HL] Debate
Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)
Department Debates - View all Baroness Hamwee's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords Chamber
I realise that, in rising to speak on this particular part of the Bill, I depart slightly from the purpose of the noble Lord, Lord Stevenson—but I thank him for raising the issue all the same.
Of course, we are dealing with the overview of the Bill. The noble Lord, Lord McNally, almost wrote my introduction. What has worried me for some considerable time, notwithstanding the Bill’s provisions that provide for data subject to error correction, is the manifest inclusion of data in the data processing function, which is broadly drawn—namely, the inclusion of information that is knowingly false or recklessly included in that process, and which can affect the life chances of individuals. We know of significant and high-profile circumstances in which false information has been included and has either affected a significant class of people or has seriously damaged the life prospects of individuals.
Given that the collection of data is part of the processing function, it seems to me that very little is being said about responsibility for those sorts of errors—in other words, the things that one could or should have realised were incorrect or where there was a disregard for the norms of checking information before it got into data systems. We heard at Second Reading how difficult it is to excise that information from the system once it has got in there and been round the virtual world of information technology.
Could the noble Lord, Lord Stevenson, or the Minister in replying, say whether there is anything apart from the Bill—I do not see it there at the moment—that enables there to be some sort of sanction, for want of a better word, against knowingly or recklessly including data that is false and which affects the life chances and prospects of individuals because it is capable of being identified with them and can be highly damaging? That is something that we may need to look at further down the line. If I am speaking in error, I shall stand corrected.
My Lords, I say to my noble friend Lord McNally that it is even worse having people say to you, “You’re a lawyer, you must understand this”, when too often you do not.
I have a question for the Minister. Am I right in thinking that the Charter of Fundamental Rights will apply to all member states after Brexit? Is it not the objective that we are on all fours with them as other users of data and, therefore, if there is no provision such as the ones that we have been debating contained in the Bill, how will that affect the adequacy arrangements?
My Lords, I want to say a couple of words about privacy. A very important basic point has been raised here. I am not going to argue with lawyers about whether this is the right way in which to do it, but the right to privacy is something about which people feel very strongly—and you will also find that the Open Rights Group and other people will be very vociferous and worry about it, as should all of us here. When we go out and do things on the internet, people can form some interesting conclusions just by what we chance to browse on out of interest, if they can record that and find it out. I became very aware of this, because I have been chairing a steering group that has been producing, along with the British Standards Institution, a publicly available specification, PAS 1296, on age verification. It is designed to help business and regulators to comply with Section 3 of the Digital Economy Act, which we passed just the other day, which is about protecting children online. The point is to put age verification at the front of every website that could be a problem. We want it to be anonymous, because it is not illegal for an adult to visit sites like that; if it was recorded for certain people in certain jobs, it could destroy their careers, so it must be anonymous. So a question arises about trying to put in the specification a right to privacy.
One thing that we have to be very careful about is not to interpret laws or regulations or tread on the toes of other standards. Therefore, when this Bill and the GDPR are passed, we must make sure that people processing any of that material ensure that any data is kept completely secure, or anonymised, or is anonymous in the first place. Websites, first of all, should not know the identity of a temporary visitor when they get verified—there are ways of doing that—so that there are rights to privacy. The thing about the right to privacy is that it is a right that you, the individual, should have. The GDPR and this Bill are about how you process data; in other words, it is about what you do with the data when you have it. The legislation builds in lots of safeguards, but there is nothing that says, when you decide what data to keep or whatever it is, that people should have a right to know that it will not be revealed to the general world.
The question is where we should put it in. People used to think that Article 8 of the European Convention on Human Rights covered them, but I realised just now that it covers only your relationship with Governments. What about your relationship with other corporates, other individuals or ordinary websites? It should cover everybody. So there is an issue here that we should think about. How do we protect ourselves as individuals, and is this the right place to do it? I think that this is probably the only place where we can put something in—but I leave that to the very bright lawyers such as the noble Lord, Lord Pannick, to think about.
Data Protection Bill [HL] Debate
(7 years ago)
Lords Chamber
My Lords, as this amendment involves data provided by local authorities, I should declare my interests as a councillor of the London Borough of Southwark and as a vice-president of the Local Government Association.
Amendment 53 in my name and that of my noble friend Lord Stevenson of Balmacara would delete the first occurrence of the word “substantial” from paragraph 17(2) of Schedule 1 and Amendment 54 would delete its second occurrence from the same provision.
Healthy-functioning political parties are a vital part of our democracy. Campaigners and campaigning have moved on a long way from the days of hand writing envelopes to encompass much more sophisticated methods of contacting voters using all available mechanisms.
Political parties and their members need clarity and certainty as to what they are required to do, what they are able to do and what they are not able to do, so that they act lawfully at all times and in all respects. We cannot leave parties, campaigners and party members with law that is grey and unclear, and with rules that mean that campaigners, in good faith, make wide interpretations that are then found to be incorrect, due largely to the required clarity not having been given to them in the first place by government and Parliament.
I am also very clear that political parties are volunteer armies, with people volunteering to campaign to get members of their party elected to various positions in Parliament and in local authorities and to run various campaigns.
I have a number of questions for the Minister. I do not necessarily expect to get answers today but I hope that when he responds he will agree to meet me along with other interested Peers on the matters I am raising. I know that the noble Lord, Lord Hayward, from the Minister’s Benches would certainly like to meet him, and I am sure that the noble Lord, Lord Tyler, would also wish to be involved in those discussions. I hope that the Minister will agree to that. I also think that it would be useful if any such meeting involved officials from the three parties to discuss how we can get this right; otherwise, there will be all sorts of problems for parties, party members and campaigners, and none of us wants that.
Therefore, my questions to the Minister are as follows—as I said, I shall be happy for him to write to me. Will he provide a list of the characteristics or activities that are required for a political party to conduct operations? Does he believe that the terms in relation to political activity in paragraph 17 of Schedule 1 definitively cover the required activities of UK political parties? Will he clarify what constitutes profiling with regard to the activities of political parties? What activities or operations with reference to paragraph 17(1)(c) of Schedule 1 would be considered necessary for a political party? Does he think that the procedure detailed in paragraph 17(3)(a), whereby a data subject can give written notice to require the data controller—in this case, a political party—to cease the processing of their data, is consistent with Section 13(3) of the RPA 1983, where parties hold and process data on the basis not of consent but of being supplied that data by a local authority via the electoral register? Given the regular transfer of registers to political parties, does the Minister think it is practical or enforceable for a party to cease processing the data, which will likely be resupplied by an authority?
Let me make the point this way: take elector A, who instructs the party to stop processing their data, and the party complies. But the party then gets given data from the local authority in the next round, and elector A’s information is included. As soon as the party processes that data, it will technically have infringed the law. This is very complicated and it would be useful if the Minister’s officials could meet people interested in this area and come back to us. Whatever we end up with following this process, it must be consistent and work, and it should not bring into conflict two different Acts of Parliament. I beg to move.
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debate. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR—and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
Data Protection Bill [HL] Debate
(7 years ago)
Lords Chamber
My Lords, I want to add a word in support of the points made by the noble Lord, Lord Pannick, particularly with reference to the concerns that some people have expressed about money being moved out of the very closely and properly regulated regime of English trust law to offshore organisations and jurisdictions which are less careful about how people’s money is handled.
I should declare an interest as Chief Justice of the Abu Dhabi Global Market Courts. I am not suggesting that this has anything to do with Abu Dhabi, but it has introduced me to an aspect of trust law with which I was not previously familiar, and it bears closely on the point made by the noble Lord, Lord Pannick. He referred to Jersey as one of the jurisdictions of concern. One aspect of its legislation which has come to my attention through my connection with Abu Dhabi is the Foundations (Jersey) Law 2009. This is a structure set up by statute under Jersey law which is matched with an equivalent statute in Guernsey. It creates a form of trust which is, as it were, a hybrid between a trust and a corporation with a number of aspects that are described very well in Sections 25 and 26 of the Jersey law.
One of the points about the foundation, which appears in Section 25, is that a,
“beneficiary under a foundation … has no interest in the foundation’s assets; and … is not owed by the foundation or by a person appointed under the regulations of the foundation a duty that is or is analogous to a fiduciary duty”.
So the beneficiary under that system is rather different from a beneficiary under our system, where undoubtedly they have an interest in the foundation’s assets. But also to the point is Section 26, which provides that foundations are,
“not obliged to provide information”.
That has its counterpart in the point made about the Data Protection Act in that jurisdiction. It says that except,
“as specifically required by or under this Law or by the charter or regulations of the foundation, a foundation is not required to provide any person … with any information about the foundation”.
It goes on to say in subsection (2) that the,
“information mentioned in paragraph (1) includes, in particular, information about … the administration of the foundation … the manner in which its assets are being administered … its assets; and … the way in which it is carrying out its objects”.
I do not wish in any way to criticise how the foundation laws are run in Guernsey or Jersey, but it is a pattern which, if repeated in less scrupulous jurisdictions, has obvious attractions. People move into a foundation and nobody knows what part of the foundation money they own, because they are not supposed to own any part of it, and the foundation is not obliged to disclose any information at all. There is a risk that those who are keen, for whatever reason—it could even be for matrimonial reasons—to conceal their assets could move them offshore from a trust such as we have in this country, closely regulated and subject to the ordinary rules, to one of these other bodies, which we would not wish to encourage. One has only to look at the Criminal Finances Act 2017 and some of the clauses in the Sanctions and Anti-Money Laundering Bill that is before the House to see that we are taking a completely opposite line to the foundations laws, because we are insisting that we should be provided with information about what organisations of this kind hold and, indeed, who holds what assets. We have not got as far as actually requiring trusts to do that but, certainly, anyone who puts his money into a company, in an attempt to conceal his assets within the company, will be forced eventually to have that information disclosed.
I add these points to suggest that the point that the noble Lord, Lord Pannick, made has a great deal of substance, which one can trace through the foundations law. I stress again that I am not criticising how this is administered in Jersey or Guernsey—that is not really the point. The point is that those who would wish to copy their systems are subject to less close scrutiny. I also emphasise that I am not suggesting that we in this country would want to adopt a foundations law; that would really be quite contrary to how our current legislation is proceeding. So there is an important issue here about protecting ourselves—and those who set up trusts here and administer them properly according to our rules and conventions—against a loss of business, which would be detrimental not only to those who run the businesses but to the whole ethic by which we practise our trust law.
I hope that the Minister and those advising him will look carefully at the Jersey and Guernsey examples, with a view not to criticism but to sensing the risk to which the noble Lord, Lord Pannick, drew our attention.
My Lords, Amendments 80A and 83A are in the names of the noble Baroness, Lady Neville-Rolfe, and the noble Lord, Lord Arbuthnot, and come from the Bar Council. In their unavoidable absence, I have again been asked to speak to the amendments. The Government have amendments also to paragraph 5 of Part 1 of Schedule 2—and no doubt we will be asked to agree them shortly. These amendments deal with other aspects of that paragraph and relate to legal professional privilege. The paragraph, as amended, refers to the disclosure of data but disclosure is only one of the acts of processing. The Bar Council is concerned that we need to deal with processing more widely so as not to disrupt the activities of the court and to protect privilege, which is something we have debated on many occasions and which we all agree is not only important but a fundamental right for persons and organisations.
My Lords, if the noble Lord scours the GDPR, he may find that the term “data” is used with a plural verb. I wondered whether to put down amendments to that, but I thought that that was pushing it a bit far.
My Lords, I support Amendment 79. I offer as an example the national pupil database, which the Department for Education makes available. It is very widely used, principally to help improve education. In my case, I use it to provide information to parents via the Good Schools Guide; in many other cases it is used as part of understanding what is going on in schools, suggesting where the roots of problems might lie, and how to make education in this country better. That does not fall under “scientific or historical” and is a good example of why that phrase needs widening.
My Lords, the Committee may realise that there are sometimes occasions when none of us quite prepare for amendments and others where more than one of us does, but, as my noble friend knows, I rarely pass over an opportunity to say how offensive the phrase “hostile environment” is. Data protection should be a force for good in dealing with the way our society is going.
My noble friend has reminded the Committee of the provisions of paragraph 4. Over the last few years the state has extended the mechanisms for immigration control very significantly to letting of property, employment, bank accounts, driving and so on. We may be told that the various departments have memoranda of understanding between themselves with the Home Office to deal with all this, but that is an inadequate way of dealing with them. I do not think I will be the only one in the Chamber to think that. Home Office errors are reported embarrassingly frequently. The exemption covers so many rights: rights held by data subjects to access rectification and erasure, and the right to know who is processing data and why, including when data is obtained from a third party.
Liberty, with its usual energy, has provided us with 13 pages of briefing on this amendment. I do not propose to read them all to the Committee. No doubt the Government have read them and are prepared to respond, but I reserve the right to do so on Report if necessary. It reminds us of the work, if we needed reminding, of Lord Avebury, who said that the equivalent, very similar provision with which he was dealing was,
“in danger of being oppressive, deeply worrying to the immigrant community living among us, and one which is in grave danger of infringing the provisions”—[Official Report, 21/7/1983; cols. 1274-75]—
of the European Convention on Human Rights. The Minister will be relieved that I have not yet succeeded in emulating my late, much-missed noble friend to the extent I would like—I never will, but I will continue to try. His words are even more pertinent now, extending beyond the immigrant community to families and employers, to give two examples.
Like my noble friend, I would be interested to know examples and justifications for how the exemption might be applied. Presumably it would facilitate sharing between public services used by an individual, government departments and the Home Office to check the individual’s entitlement. The Government have said that they want to make the immigration system as “digital, flexible and frictionless” as possible. Initially that seems admirable, until one delves into issues such as this. Liberty asks whether the provision extends to activities such as running a night shelter or a food bank, which might well benefit undocumented migrants. Providing shelter and providing food could be construed as activities which undermine “effective immigration control”—to quote the Bill. Would a school have to provide a person’s address without their knowledge and without their even having committed an immigration offence? Underlying all this, what effect could such a provision have on migrants’ willingness to engage with public services?
Other noble Lords will probably have received a briefing from the Migrants’ Rights Network. It is about a legal challenge which it is starting against the NHS’s data sharing, but it is relevant here. The director of Migrants’ Rights Network said:
“We are gravely concerned that immigration enforcement is creeping into our public services, especially the NHS. And therefore, it is important to challenge this data-sharing agreement which violates patient confidentiality, and discriminates against those who are non-British”.
The lawyer acting for Migrants’ Rights Network says in the press release what I have heard from many workers in the field: that the data-sharing arrangement,
“is leaving migrants too scared to access healthcare services they are entitled to, for fear their address and other public information may be passed onto the Home Office. This could have a particularly negative effect on children, pregnant women, people with disabilities and victims of trafficking and abuse”.
It could have a severe effect on public health as well—we will debate all this when we deal with NHS charges in the regret Motion on Thursday.
The data subject will not know that data are transferred to the Home Office for immigration control purposes. The exemption seems to apply to immigrants and those connected with them, and those suspected of having an immigration offence in contemplation, thus turning them into an inferior class of citizen. It allows, or perhaps requires, data controllers, including the Home Office and its various arms, processing information for immigration purposes to ignore the principles on which the use of data is founded under the GDPR and the Bill and protection is applied.
I think that your Lordships might gather that we are very unhappy with this provision. It needs more justification than I think is capable of being provided, although we will of course wait and see.
My Lords, the Minister, who is not in his place at the moment, said earlier that he could not understand what I meant by repressive measures, but paragraph 4 of the schedule is exactly what I meant and it is why this amendment would remove it.
The inclusion of an immigration control exemption in the Bill is a brazen violation of the data protection and privacy rights of migrants—both documented and undocumented—and of their families and communities in the name of immigration control. In effect, it removes all the Home Office’s data protection obligations as they relate to its activities to control immigration, as well as those of any other agency processing personal data for the same purpose or sharing data with another agency processing it for that purpose.
As the noble Baroness, Lady Hamwee, mentioned, it is not the first time that the Government have tried to limit data protection rights on immigration control grounds. In 1983, Clause 28 of the then Data Protection Bill had an identical aim, setting out broad exemptions to data subjects’ rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,
“a palpable fraud upon the public if … allowed to become law”,
because it allowed data acquired for one purpose to be processed for another; and here is another power grab by this Government.
Clause 28 was rightly removed from the 1983 Bill, but today we see it resurrected with even more breadth and even less definition of its objectives. No attempt whatever has been made to define the new objective: nowhere in the Bill or its Explanatory Notes are the notions of effective immigration control or the activities requiring its maintenance defined. I simply do not understand the colossal cheek this Government have to put something such as this into a Bill and then present it in this House—I can understand it going through the other place but certainly not here. It is virtually impossible to come up with an exhaustive list of all the activities that might be included under this, or of individuals who might be affected. The potential list, as, again, the noble Baroness, Lady Hamwee, pointed out, could go far beyond the immigrants themselves and could apply to almost anybody, including some in your Lordships’ House—at least, I hope that some in your Lordships’ House might be involved in shelters and food banks.
I urge the Government to think again. This is probably one of the really nasty bits that the Government have an option to take out, so I hope that they will listen to us.
My Lords, I thank all noble Lords who have taken part in the debate. There is clearly a lot of interest, as is evident from what has been said. I am also glad to be back opposite the noble Lord, Lord Kennedy of Southwark, as we have been on so many occasions, and I am sure we will be in the future. It is probably worth addressing some of the evident misunderstandings that have arisen around the purpose and the scope of this provision, and I hope to be able to persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.
The Government welcome the enhanced rights and protections for data subjects afforded by the GDPR and in negotiating, it was accepted by all parties that at times these rights needed to be qualified in the general public interest, whether that is to prevent and detect crime, safeguard legal professional privilege or journalists’ sources, or in this case maintain an effective system of immigration control. A number of articles of the GDPR therefore make express provision for such derogations, including article 23, which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary that we include in the Bill an express targeted exemption in the immigration context. The exemption would apply to the processing of personal data by immigration officers and the Secretary of State for the purposes of maintaining effective immigration control or the detection and investigation of activities which would undermine the system of immigration control. It would also apply to other public authorities required or authorised to share information with the Secretary of State for either of those purposes.
It is important that it is clear to the Committee what paragraph 4 of Schedule 2 does not do. It emphatically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. The opening words of paragraph 4 make it clear that only “the listed GDPR provisions” may be set aside. The listed GDPR provisions are those set out in paragraph 1 of Schedule 2. The provisions in question relate to various rights of data subjects as provided for in chapter 3 of the GDPR, such as the rights to information and to access to personal data, and to two of the data protection principles: those relating to fair and transparent processing and the purpose limitation. Except to that extent, all the data protection principles, including those relating to the lawfulness of processing, data minimisation, accuracy, storage limitation, and integrity and confidentiality will continue to apply. So too will all the obligations on data controllers and processors, all the safeguards around cross-border transfers and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here as it is open to any data subject affected by the provisions in paragraph 4 of Schedule 2 to lodge a complaint with the Information Commissioner, which the commissioner is then obliged to investigate.
Moreover, paragraph 4 does not give the Home Office carte blanche to invoke the permitted exceptions as a matter of routine. The Bill is clear: the exceptions may be applied only to the extent that the application of the rights of data subjects or the two relevant data protection principles,
“would be likely to prejudice … the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
This is a significant and important qualification. The noble Lord, Lord Clement-Jones, asked why we have not listed exactly what we mean by,
“the maintenance of effective immigration control”.
The maintenance of that control does not merely encompass physical immigration controls at points of entry but, more generally, the arrangements made in connection with a person’s entry into and stay within the United Kingdom. A system of effective immigration control depends on our ability to control the entry and stay of those who wish to come to our country; to identify those who should not be admitted; and to pursue enforcement action against those who are liable to removal for failure to comply with restrictions and conditions on their stay, or otherwise in the public interest.
To use the example of the right conferred by article 15 of the GDPR, each subject access request would need to be considered on its own merits. We could not, for example, and would not want to limit the information given to visa applicants as to how their personal data will be processed as part of that application. Rather, the restrictions would bite only where there is a real likelihood of prejudice to immigration controls in disclosing the information concerned. It is equally important to dispel one other myth. Some of the briefing I have seen on this provision suggests that it creates new information-sharing gateways. This is simply not the case. As I have indicated, Schedule 2 sets out certain exceptions from the GDPR; it does not in and of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it does mean that the data subject does not need to be notified if to do so would be prejudicial to the maintenance of effective immigration control.
It may assist the Committee if I explain the kind of information that it might be necessary to withhold from data subjects, and offer a couple of examples of the circumstances requested by the noble Baroness, Lady Hamwee, where to do so would be necessary to maintain the effectiveness of our immigration controls. The classes of information which the Home Office may need to withhold include a description of the data held, our data sources, the purposes for which the data was held, and details of the recipients to whom the data has been disclosed. There will be circumstances where the disclosure to data subjects of such information could afford them the opportunity to circumvent our immigration controls. Two examples will, I hope, help to illustrate where the disclosure of such information may have precisely the adverse effect.
First, in the case of a suspected overstayer, if we had to disclose in response to a subject access request what we are doing to track their whereabouts with a view to effecting administrative removal, it is clearly possible that they might then be able to evade enforcement action. A second example relates to circumstances where we seek to establish the legitimacy of a particular claim, such as an extension of leave to remain in the UK, and suspect that the claimant has provided false information to support that claim. In such a case, we may contact third parties to evidence the claim. If we are then obliged to inform the claimant that we are accessing records held by third parties, they may abscond and evade detection. Such procedures may then become common knowledge and further undermine our ability to maintain effective controls.
Immigration is, naturally, a very sensitive subject area and a topic of huge importance to the public, to the economic well-being of this country and to the social cohesion of our society. Being able to effectively control immigration is, therefore, in the words of the GDPR,
“an important objective of general public interest”.
As I have indicated, having a new data protection regime which seeks to give broader rights to data subjects is to be welcomed. But in an area as sensitive as the immigration system, we need to make appropriate use of the limited exemptions available to us so that we can continue to maintain effective control of that system in the wider public interest.
I hope that I have been able to satisfy noble Lords that this provision is necessary and proportionate. It is not the wholesale carve-out of subject access rights that some have suggested but a targeted provision wholly in line with the discretion afforded to member states by the GDPR, and it is vital to maintaining the integrity of the immigration system.
Having given this provision a good airing, I hope the noble Lord, Lord Clement-Jones, will feel happy to withdraw his amendment.
My Lords, there is a lot that demands careful reading and careful thought. I have three questions which I can raise now. First, in the examples which the Minister gave it struck us on these Benches that she was talking about things which are, in fact, criminal offences being dealt with under Part 3, which is the law enforcement part of the Bill.
Secondly, how is all this applied in practice? How does the controller know about the purposes? I am finding it quite difficult to envisage how this might work in real life. Thirdly, the Minister referred to the lawfulness of processing. I wonder whether this is not circular because paragraph 4, in disapplying listed provisions—by the way, I think those listed provisions include many which are very important indeed—makes it lawful, so I have a bit of a problem around that. Of course, I and others will carefully read what the Minister said, but I am sure we will want to return to this at the next stage.
My Lords, I felt entirely comfortable with my noble friend’s examples, but they do not fit with what the Home Office has been doing. What it has done with the national pupil database is not to ask targeted questions when it has a problem with an individual but to collect the whole lot so that it has the ability to trawl, look at, match and use the whole of the dataset. That is a much more dangerous thing because of the consequences it has for the integrity of the data and for the way in which the lawfulness of gathering it is questioned. It is that sort of practice that troubles me. I had not read this clause in the narrow way in which my noble friend described it. I will obviously go away and read it again carefully, but if she would add a letter to her noble friend’s letter enlarging on why this is a narrow provision and giving us comfort, that would be worth while for me.
Baroness Hamwee
(7 years ago)
Lords Chamber
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.
I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.
Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.
My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.
I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.
I shall speak to Amendment 124Q and to a number of amendments in this group. I start with a general point. The number of amendments that we have tabled to Part 3 in particular, but also to Part 4, might suggest considerable opposition to the Bill, but I reassure the Committee that that is not the case. We are on a probing mission generally. We have some serious objections but, in general, we support where the Bill is going.
The probing in many cases is because of the language used. It is about the different uses of language in EU and UK legislation, and how language is used when something is transposed, to use the term non-technically, into UK law. There are different traditions; laws develop in different ways. I might sum it up by saying that it is a matter of style, but the style may have an impact on the meaning. That is why we are using the fact that the Bill has started in this House, where we have a tradition of reading every word and questioning every other word, to get on the record some of the things that we have identified as being helped by explanation.
This group is about definitions. Amendment 124Q would limit “competent authorities”, as they are defined and listed, to the extent of their law enforcement functions. I mentioned just now staff who work at the Ministry of Defence but do not have jobs that come remotely close, in themselves, to defending the country, although they support those who do. It occurred to me that police forces similarly, even if it is above that kind of administrative level, deal with more than law enforcement, if there are still enough coppers around. Prevention work in schools is one example. Then there is dealing with internal human rights—I beg noble Lords’ pardon, I mean human resources—records. I use the acronym HR too often.
The parties to a collaboration agreement are not necessarily policing bodies or even public sector bodies, which fall within these provisions. Criticising my own amendment, I wondered if it would be confusing to have different regimes applying to different activities—the law enforcement ones on one hand and the others on the other—but there are similar distinctions elsewhere in the Bill.
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” does not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.
My Lords, this group of amendments is about data protection principles. Our Amendments 129G and 129H would add transparency to the requirements of lawfulness and fairness for processing. Here, the directive is again being reflected, but why, since transparency is a requirement in the case of the intelligence services? I confess that I found this counterintuitive. I might have expected the services to have an argument against transparency because of the very nature of what they do, but not so law enforcement—at least, not so much.
Amendment 129J enables me to ask, as I did at Second Reading, why some activities are “strictly necessary” and others merely “necessary”. This arises in several places and this is the first example, although for good measure my Amendment 133ZJ seeks to add “strictly” to another of these—I am not sure that it was my best choice, but there you go. The point is that “strictly” calls into question just how necessary something that does not attract the term is. This may be an example of adopting language used in other legislation and directives without it having been considered in the context of UK legislation.
The Minister used the example of our seeking in the first group of amendments on these parts to change a term used in current legislation. I take that point, because it opens up a question as to whether there is any distinction. The point I am making about terminology is not a million miles away from that.
Amendment 130A concerns the scope for the Secretary of State to amend Schedule 8 by regulations. That schedule sets out the conditions for “sensitive processing”—in other words, when that processing is permitted. Should the Secretary of State be able to add circumstances when it is permitted, or to vary the schedule, omitting items from the schedule by regulations would fulfil the objective of protecting the data subject. That is very different from “adding” or “varying”.
Amendment 133ZB deals with another instance of different legislative styles. In Clause 34(1), the law enforcement purpose must be “legitimate”—an interesting term when applied to law enforcement. I suggest as an alternative “authorised by law”, a term used later in the clause, in order to probe this. In not very technical language “legitimate” suggests something wider than legal. It has elements of logic and justification and might import the notion of balance. The term comes from not only the GDPR but the 1995 directive—so there is a history to this—and there are many examples of the accepted meaning of “legitimate” in EU law. However, I am concerned about how we interpret the term and apply it in the UK. Looking to the future, what will happen when we are cut adrift from the European Court of Justice? Presumably we will have to rely on the development of case law in the UK and the different UK jurisdictions. It is worth thinking about how this may be dealt with as we go forward.
On Amendment 133ZD, under Clause 36(3) a clear distinction needs to be made “where relevant”—the amendment would delete this—as far as possible between data relating to different categories of data subject. I do not see what “where relevant” means in this context. It begs the question of whether or not something is relevant and whether the provision is applicable.
Amendment 133ZE applies to Clause 36(4), which deals with what must be done—or, rather, not done—with inaccurate, incomplete or out-of-date data, which must not be “transmitted or made available”. That is the phrase used and my amendment probes the question of why the term “disclosed” is not used. There is a definition of “processing” in Clause 2, which includes,
“disclosure by transmission, dissemination or otherwise making available”.
In other words, “disclosed” would cover everything.
Amendment 133ZK relates to Clause 40, which deals with the controller having an appropriate policy document. Under that clause, the controller must make the document available to the Information Commissioner. Is it not a public document? Should it not be published? The amendment proposes that it should be. I beg to move.
My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation—affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.
My Lords, without wanting to appear ungrateful, I am very troubled by some of what we have heard about the incorporation of language used in the law enforcement directive and in the modernised 108. Simply to reflect that language, incorporate it into our primary legislation and cause confusion thereby does not seem to be a very good way to proceed. My questions about the difference between “strictly necessary” and “necessary” illustrate this well. To be told that “necessary” is a lower threshold than “strictly necessary”—which is certainly how I would read it—calls into question how necessary something which is necessary really is.
We will have to come back to this—it may be something that we can discuss outside the Chamber before Report. I wonder whether I should threaten to unleash my noble friend Lord Lester of Herne Hill—that might be enough to lead us to a resolution, but I have not consulted him yet. However, I am troubled, because we are in danger of doing a disservice to the application of these important provisions. For the moment, of course, I beg leave to withdraw the amendment.
My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.
We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.
Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.
Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”—this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.
On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?
Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I am happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
My Lords, the noble Lord, Lord Kennedy, need not have been apologetic: it is perfectly fair to make the point that he did not think the amendment was proportionate. I will not claim the credit for Amendment 133ZQ because it is not my drafting, but much more importantly, yes, fundamental rights should be interpreted by the UK courts, but on what basis? It really is a matter of “New readers start here” with that, and the same applies to “official inquiry”: the very fact that there is an Inquiries Act was in my mind in asking what an official inquiry is. It is all the same argument—the same discussion, would be a better way of putting it—as on earlier groups. I said then that I was troubled; I am troubled in this connection. I think I made it clear that I was not trying to reopen the question of the European Charter of Fundamental Rights now; there will be other occasions to do that. I beg leave to withdraw the amendment.
My Lords, we debated automated decision-making under Part 2 on Monday. Clause 48 provides for automated decision-making in the case of law enforcement. No doubt we will return to the issues raised on Monday in this connection, but for now, Clause 48(1) provides that a “qualifying significant decision” must be,
“required or authorised by law”.
This is perhaps a slightly frivolous probe, but may a controller take a decision that is not required or authorised by law? If it is not authorised, how is the data subject protected?
Amendment 135 refers to not engaging the rights of the data subject under the Human Rights Act. Again, we had a debate on this on Monday and it is a subject to which we may return. I simply ask: does the Minister have anything to add to what her noble friend Lord Ashton of Hyde had to say then? He told us that human rights are always engaged—indeed they are—and that the amendment therefore did not really work but that there are, as he said in col. 1871, “appropriate safeguards”. Are the Government satisfied that the balance between processing and protection is the right one? As I say, I am sure we will come back to this issue.
Amendment 135A is to Clause 48(2), which deals with decisions based solely on automated processing. Article 11 of the directive, which I believe is the basis for this, provides for automated processing, including profiling. Profiling is a defined term, so I merely want to check that there is no significance in omitting the reference to it. I doubt there is but the language is reproduced exactly elsewhere, so this is a simple check.
Clause 48(2)(a) provides that notification of a decision must be given “as soon as … practicable”. Amendment 135B would limit this to a maximum of 72 hours. I do not want to describe what is in the Bill as open-ended but I think the Minister would accept that it is less certain than it could be, which is a pity as the requirement under this clause to notify the right to ask for reconsideration is important. I note that at another point close to this, the data subject has an exact limit of 21 days. That may not be practicable for the data subject but perhaps the Minister can confirm whether that means within 21 days of actual receipt, not 21 days of delivery, as the means of serving that notification.
Amendment 136A would insert a new provision. We have been considering some form of independent oversight of automated decision-making. That would not be quite right because we have the commissioner, who is independent, but the amendment proposes more assistance and advice in this connection and the publication of reports on the subject.
Amendment 137 proposes a new clause. We debated a more elaborate amendment on the right to information about decisions based on algorithmic profiling on Monday. The proposed new clause would allow the data subject to obtain an understanding of the reasoning underlying the processes, when the results of it are applied to him. The wording might seem familiar to noble Lords, which would show that they have read on in the Bill. The amendment would reproduce in the law enforcement part a right that is included in Clause 96 in Part 4, which deals with the intelligence services. If they can do it, why not law enforcement? I was quite surprised that they could do it and were expected to provide the underlying reasoning, but that is a good thing. I am not arguing that this would be a silver bullet for all the issues around algorithms but it would be significant. Perhaps it would be courteous and appropriate to say I understand that as regards the intelligence services exemptions, the UK is proposing one of the most advanced explanation rights in the world—tick.
Amendment 144 raises the human rights point again, in the context of the intelligence services’ automated decision-making. Amendments 145 and 146 are to ask the Government to justify decisions based solely on automated processing which significantly affects the data subject when it relates to a contract. Clause 94(2)(c) refers to,
“considering whether to enter into a contract with the data subject”,
and,
“with a view to entering into … a contract”,
with them. There must be a fine distinction between those two provisions but they are dealt with differently. These are all in Part 4, on the intelligence services. Finally, Amendment 146A is to ask whether the commissioner should have a role in the process, because there is a bit more scope for people doing their own thing in this part of the Bill than under Part 3. I beg to move.
My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.
Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,
“right to object to automated-decision making”,
within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.
In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
My Lords, I am certainly happy with the latter. I simply observe that in other walks of life when people act jointly, each is often responsible for what the other does, but of course I beg leave to withdraw the amendment.
My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E sets out what advice would be included “to mitigate the risk” and would be a reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards. “Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.
My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people’s cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.
There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.
In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.
The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and, to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances—which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
My Lords, sensitive processing requires meeting at least one condition from the menu in Schedule 9 and one in Schedule 10. This could be achieved, for instance, because the processing is necessary to protect someone’s vital interests under Schedule 9, and for the same reason under Schedule 10 when consent cannot be given. I wondered whether the repetition amounted to there being only one condition to be met, rather than two or perhaps one and a half—hence Amendment 137R.
Amendment 138A is another amendment suggesting that the Secretary of State’s regulation-making power is too wide under the Bill. In our view, the Secretary of State should be able to add conditions—in other words, protections—but not vary or omit them. That is a thread that runs through the whole of the Bill.
Amendments 139A and 139B probe the condition in Schedule 9 that processing is necessary for the purposes of legitimate interests pursued by the controller or a third party to whom the data is disclosed. Again, “legitimate interest” made me pause. It is made lawful by Clause 84 because it meets one of the lawfulness conditions, so there is a circularity here. The schedule then applies a condition to the condition—it is not lawful if it prejudices rights and freedoms or legitimate interests of data subjects, or rather is unwarranted because of prejudice to the rights and freedoms or interests of the data subject. Does that allow for the risk of prejudice? It struck me as quite a clumsy phrase—“unwarranted … because of prejudice”. I realise that the person who drafted it—I do not want to say “draftsman”—must have had some very particular thoughts in mind.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for his comments on Amendment 138A and beg leave to withdraw the amendment.
My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
Data Protection Bill [HL] Debate
Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)
Department Debates - View all Baroness Hamwee's debates with the Department for Digital, Culture, Media & Sport
(7 years ago)
Lords Chamber
My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.
My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.
My Lords, I speak also to the other amendments in this group. All these amendments are suggested by the Bar Council and stand in my name and those of the noble Lord, Lord Arbuthnot of Edrom, and the noble Baroness, Lady Neville-Rolfe. All concern legal professional privilege, a subject which the Committee and the House have frequently debated. I know I do not need to stress its importance or remind noble Lords—but obviously, I am just about to—that the confidentiality and privilege are those of the client, not the lawyer.
The Bar Council comments that the powers of the commissioner to have access to the information and systems of data controllers should be limited where the data controller is a legal professional or anyone subject to the requirements of client confidentiality and legal professional privilege. It reminded us that there are exceptions in the 1998 Act which deal with this. Legal professional privilege cannot be waived by the lawyer but is subject to contractual or other legal restrictions. In the clauses in question, legal professional privilege seems to be overridden in circumstances where the commissioner considers that she needs to look at the data to perform her functions. Clause 128(1) refers to use or disclosure,
“only so far as necessary for carrying out those functions”—
that is, the commissioner’s functions. I suggest that this is inappropriate given the provisions elsewhere in the Bill which we now seek to amend.
Amendments 161A, 161B, 161C and 161D deal with confidential legal materials which it is proposed should be inserted and covered. These are defined in the last of these four amendments as “materials brought into being”, as distinct from documents which are communicated between an adviser and a client, and thus would be wider, and include materials brought into being,
“for the purpose of establishing, exercising or defending legal rights”,
which is wider than the Bill provides.
The Bill does not contain directions as to the purpose of the guidance on protection of privileged material. Amendment 161C would give a direction to the commissioner as to the purpose. Amendments 162A, 162B, 163ZA and 163ZB would again extend the protection. Clauses 138 and 141 are limited to documents that relate to data protection legislation. These amendments would widen the protection to all documents protected by legal professional privilege.
Clause 138(5) does not cover the right of self-incrimination of other persons, such as the client of a legal representative or a family member of a client, who would not be entitled to rely on privilege. Amendment 162C would widen the class of persons to others. Since the client may well be seeking advice or representation in relation to a matter which might incriminate him, the Bar Council asks us to point out that this is particularly important.
Amendment 163B reflects provisions in Clause 138, on information notices, and in Clause 141, on assessment notices, and extends the restrictions to enforcement notices. The clauses I have mentioned provide that a person is not required to give the commissioner privileged material—I beg your Lordships’ pardon; a bracket has been opened and I am seeking where it closes—in response to such a notice. As I say, this would extend that restriction to enforcement notices.
Finally, on Amendment 164B, professionals may be restricted in providing information to the commissioner in respect of their processing, because of privilege or an obligation of confidentiality, compliance with the Bar code of conduct, or rules or orders of the court. The Bar Council wishes the Committee to be aware that a barrister,
“may wish to disclose information in mitigation or explanation for a breach of the GDPR provisions, but be unable to do so because disclosure would place”,
counsel,
“in breach of professional conduct rules or other confidentiality obligations, or in breach of data protection obligations because it is not possible to obtain consent for”,
the processing.
Compliance with the profession’s rules might have the result of exposing a barrister to a higher penalty to be imposed by the commissioner as a result of that inability, which does not seem fair. The amendment would provide that circumstances of this kind may be taken into account by the commissioner when assessing the penalty by adding a paragraph to the mitigating circumstances in the list. As the Bar Council points out, none of these points would prevent the commissioner effectively carrying out her duties. Even if she were,
“prevented from seeing privileged and confidential material, this … would be a justified and necessary consequence of … proper weight being given to the citizen’s fundamental right to consult a lawyer and to maintain the confidentiality”.
However, if unamended, there could be a conflict between the legal regulators and the commissioner. I beg to move.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practise as a Chancery barrister long ago.
It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege, I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
(6 years, 11 months ago)
Lords Chamber
My Lords, this group of amendments in my name, prompted by House officials, covers a number of issues concerning parliamentary privilege. The Bill in its present form contains some exemptions to its application to Parliament, but these are considered rather too narrow in scope. The group relates to four areas which have been raised by officials—that is, counsel and clerks of both Houses—as giving rise to concerns about how the Bill as drafted risks infringing parliamentary privilege. These concerns have been discussed extensively with the Bill team and the Leader’s office at official level, and drawn to the attention of the Senior Deputy Speaker, who is of course chairman of the Committee for Privileges and Conduct of this House. I say at once that these discussions have been most helpful and constructive. I pay tribute to the Bill team for its co-operation throughout.
Happily, the Bill team is now, as I understand it and as I expect the Minister shortly to confirm, satisfied that amendments to the Bill in all four areas of concern are appropriate, so that those will be forthcoming before Third Reading in the new year. I recognise and accept that those amendments may not follow the precise wording suggested in the present proposals but, provided they address the substance of these various specific concerns, we shall obviously be disposed to accept them.
In these circumstances, and given that we shall obviously not divide the House at this stage, it is unnecessary to outline the detailed nature of each of these proposed amendments. It is, I hope, sufficient to indicate that they include, for example, meeting concerns lest the Information Commissioner take enforcement action against Members or the corporate officers of either House—here, the Clerk of the Parliaments—in respect of the processing of personal data in parliamentary proceedings. Such action could lead to very substantial administrative penalties amounting to millions of pounds. There are concerns, too, about the liability of both corporate officers to prosecution for certain specified offences for things done on behalf of the two Houses of Parliament. I hope that that is sufficient, and at this stage I beg to move Amendment 16 and ask that the eight other amendments be accepted.
My Lords, from these Benches I support the noble and learned Lord, who is absolutely the right person to pursue this matter. If I might simply add to what he said, it is important that we bear in mind that in the same way as legal professional privilege is the privilege of the client, these provisions would be for the benefit of the public, the running of good democracy, good scrutiny and holding the Government to account. It is not a personal benefit that is proposed here and I hope—I trust, because this is very important—that the Government can find a way through this. I look forward to hearing from them, as the noble and learned Lord said, early in the new year.
My Lords, I am grateful to the noble and learned Lord, Lord Brown, for raising these amendments and for the words of the noble Baroness, Lady Hamwee. His amendments address concerns about the interaction of the Bill with parliamentary privilege. I agree wholeheartedly with him that parliamentary privilege should continue to be safeguarded and maintained for future generations, as it has been for centuries past. As I said in Committee, the Government’s view is that the Bill contains adequate protections to ensure that this is the case. However, we recognise the concerns that, in some areas, these protections could be enhanced and clarified, and we will bring forward amendments at Third Reading to address some of the points that the noble and learned Lord has raised in his amendments.
With that in mind, I will now turn briefly to the amendments themselves, starting with Amendments 16, 17 and 185. The Government recognise the concerns raised in these amendments about the way the conditions for processing sensitive personal data apply in respect of parliamentary proceedings, and liability under Clause 193(5). I am happy to reassure noble Lords that the Government intend to bring forward amendments to address these points at Third Reading.
My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.
I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all, of the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
My Lords, I have put my name to this amendment. I stumbled on the omission of Members of this House during debate in Committee, when I asked what I thought was an innocent question. I was asked to appear on the BBC’s “Question Time” after the list of Peers of which I was one was announced but before I actually arrived here. It was a fairly difficult occasion, which I remembered when I was thinking about this issue at lunchtime today. When I referred, during the discussion, to Members of Parliament, Nicholas Ridley said, “You are a Member of Parliament”. We are all Members of Parliament. We happen to be Members of the House of Lords; those who are normally called MPs are Members of the House of Commons. I regard myself as being in a representative position, even though I am not elected.
I disagree with one comment of the noble and learned Lord, which was about the amount of casework that I do. I am so conscious of the problems of getting it wrong, particularly in the area of immigration, that I try not to do that work. However, it is notable how the number of requests to Peers to intervene in individual cases has grown over the last few years. I suppose that reflects the fact that MPs are taking on more and more of what a few years ago one might have called social work. There are not the same demarcation lines as perhaps there used to be.
The casework, among other things, informs our general response to policy issues and specific proposals put before us, so we cannot exclude ourselves from all this. Ten days or so ago, in response to a request to pursue a particular case, I made the point that the individual should approach her own MP. The answer came back, through an intermediary, “She’s an asylum seeker. She doesn’t have an MP. We’re looking for anyone who can help”.
In Committee, questions on this issue were asked round the House. I recall that the noble Lord, Lord Lucas, took up the point after I had asked a question. I am very grateful to the noble and learned Lord for pursuing this matter. I hope that the Minister will accept his suggestion that this should be considered further between now and Third Reading, and that it should be dealt with at this end. I hope that the Minister will this evening assure us that it will remain on the agenda and that we can return to it at the next stage of the Bill in this House.
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
I confess to being disappointed by the Minister’s response to this. I dealt with the fact that things have changed over the 15 years since the 2002 order. Of course there will continue to be circumstances in which it is possible to get, without inhibiting problems, the express consent of the person concerned. However, it will not always be possible, and to that extent it will inhibit the future ability of Members to discharge a function they have been discharging. Of course I will not divide the House at this stage; nevertheless, I urge the Government to reread the arguments and submissions that the noble Baroness and I have advanced today and see whether they cannot bring themselves to recognise that there is a substantial point here. Although there is a natural reluctance to treat us as elected Members, they should for this limited purpose do so; that is justified in the narrow circumstances in which this point arises.
Before the noble and learned Lord finishes, if the House permits me, I will raise something with the Minister. A number of individual cases are brought to us through other organisations, which may have the consent of the individuals. We would want to pursue a matter in the way the noble Lord, Lord Stevenson, just mentioned—I was not at Question Time today but I can imagine the kind of situation. It would add considerably to the difficulty of doing that if the consent obtained by the organisation was thought not to extend to a Peer taking up the matter. I do not know how we would deal with that. It would be a considerable barrier to our doing what I regard as our job.
I am grateful to the noble Baroness, who puts forward a dimension to the problem that she is much more alive to than I am. However, there it is. I urge the Minister to reread these speeches and, in the meantime, I have no option but to beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
(6 years, 11 months ago)
Lords Chamber
My Lords, I support Amendment 34 and will speak to Amendments 35, 93, 100, 101 and 102. I retabled these amendments because I think I did not make myself clear in Committee and some of the Ministers’ replies seemed confused. It was pacifying to be soothed in that way but I still have a problem. The noble Lord, Lord Ashton, said:
“All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis”.—[Official Report, 13/11/17; col. 1871.]
My point was that there is confusion between the gathering of evidence, the processing and decision-making. My amendments do nothing to inhibit automated data processing or seek to move us back to handwritten records. Automated data processing is unaffected by my amendments, which focus on decisions based on data, however the data is processed. Data could be gathered, processed and analysed completely automatically with no human involvement—a computer could even generate a recommended decision—but where human rights are engaged, the final decision must be made by a human being.
There was similar confusion in the replies of the noble Baroness, Lady Williams, in regard to law enforcement and intelligence service decisions. She said that,
“the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act”.—[Official Report, 15/11/17; col. 2073.]
Again, there is confusion between the processing, gathering of data and making the decision where human rights are engaged.
I repeat that my amendments allow for data to be processed automatically: they do not allow for a computer to make a decision contrary to someone’s human rights. Decision-makers can be supported by automated processing but the ultimate decisions must be made by a human being. We have to have this vital safeguard for human rights. After all the automated processing has been carried out, a human has to decide whether or not it is a reasonable decision to proceed. In this way we know where the decision lay and where the responsibility lies. No one can ever say, “We messed up your human rights. We interfered with your human rights and it is the computer’s fault”.
I am grateful to Liberty for drafting the amendments I have tabled and I hope that I have explained them fully and rather better than in Committee. I look forward to the Ministers’ replies. I feel strongly about this issue. These words have to be in the Bill so that it is absolutely clear that human rights are protected.
My Lords, I support my noble friend’s amendments. The points that he made apply almost entirely to Amendments 91, 92 and 94, which relate to later parts of the Bill, including particularly the phraseology “solely” and in Amendment 94 “solely” or “partially”.
I am pleased that the noble Baroness, Lady Jones, decided to retable her amendments. What she said can be summed up as, “Human rights, so human decision”. Human beings will ensure transparency and accountability in a way that machines simply do not. The Minister smiled when the noble Baroness said that she was not sure whether she was clear on the last occasion. I rather wish that I could ask her to give us the reassurances and concessions that that smile might have indicated, but I do not know.
These issues are extremely important. I was thinking about them over the weekend and, although it sounds patronising, the Government are entirely correct to ensure that human rights are engaged in these subjects. Given how central human rights are, they cannot be thought of as an occasional peripheral, particularly not as regards law enforcement and security issues. I have come full circle to thinking that the protection of human rights should be spelled out at the start of the Bill, which would take us back to our debate on Monday about an introductory clause covering the protection of a subject where the right is not absolute because of the criteria of necessity and proportionality. I think that that should be made clear in the Bill and it would put what the noble Baroness is seeking to achieve in her amendments in the right context. I support her in this.
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
My Lords, paragraph 4 of Schedule 2, which this amendment would delete, deals with the provisions of the GDPR—that is, protections—which do not apply to immigration control. Government Amendment 44 alters that by removing some of the protections from the list; in other words, the protections would continue to apply in relation to the rights to rectification and data portability.
So what protections will the data subject forgo? I suggest that they are almost all basic safeguards, including: that the processing of someone’s personal information must be lawful, fair and transparent; that data must be processed accurately and kept up to date; that it be held securely; that the person to whom the data relates is informed of the data being held, for how long it may be held and for what purpose it may be used; and that the person to whom the data relates may inspect it and request its erasure. I am not clear what use the right to rectification, which will be retained, would be without one being able to access the data being held so that one could identify the factual inaccuracies. The Information Commissioner’s Office says that this will mean that,
“the system lacks transparency and is fundamentally unfair”.
The list may appear innocuous because not every paragraph in the articles listed is in play, but what is left are things such as that this right,
“shall not adversely affect the rights and freedoms of others”;
the best part of each of the articles listed will no longer apply. This is not a limited or modest modification of the basic safeguards but a wholesale removal.
What is the purpose of this? The purpose is for,
“the maintenance of effective immigration control, or … the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the … provisions would be likely to prejudice”,
these matters. In other words, this is very far-reaching indeed.
My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.
Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.
The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,
“important objectives of general public interest”.
The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.
The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.
My Lords, the Minister is reading from her brief, but I do not think I made any of the statements it anticipated I would make.
I have been badly advised somewhere. Shall I just get on with what I was going to say?
I made clear in Committee that the exemption is not a blanket provision applying to a whole class of data subjects. It is important to note that Schedule 2 does not create a basis for processing personal data. The exemptions in that schedule operate as a shield allowing data controllers to resist the exercise or application of the data subjects’ rights as set out in chapter III of the GDPR. It is the assertion or application of those rights that triggers the exemptions in Schedule 2. Given this, it is simply not the case that the Home Office, or any other data controller, can invoke the immigration exemption or, for that matter, any other exemption as a default response to subject access requests by a group of persons. Instead, an individual decision must be taken as to whether to apply the exemption in circumstances where a data subject’s rights are engaged.
Moreover, before a right can be restricted, the controller must be satisfied that there would be a likelihood of prejudice to the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. Only if that test is satisfied will the controller be able to apply the restriction on the data subject’s rights. I should also stress that this restriction should be seen as a pause button and not something to be applied in perpetuity to the data subject. If circumstances change so that the test is no longer satisfied in a given case, then the restriction will have to be lifted.
Having said that, I recognise the concerns that were expressed in Committee about the breadth of the exemption, and government Amendments 43 and 44, as the noble Lord, Lord Kennedy, said, respond to those concerns. These amendments remove the right to rectification and the right to data portability from the list of data subjects’ rights that may be restricted. On further examination of the listed GDPR provisions in paragraph 1 of Schedule 2, we have concluded that the risk of any prejudicial impact on our ability to maintain effective immigration control that might arise from the exercise of the rights in articles 16 and 20 of the GDPR is likely to be low.
Having clarified both the purpose of this provision and the way it will operate, and having addressed the concerns about the extent of the exemption, I would ask the noble Baroness, Lady Hamwee, to withdraw her amendment and support the government amendments.
My Lords, I am obviously disappointed by both those speeches. I agree with the noble Lord, Lord Kennedy, that immigration control should be effective and fair, which is precisely what I was driving at. He referred to balance; I quoted article 23(1), which requires necessity and proportionality.
I thank the Minister for her answers and for her response to Liberty. She talked about taking this “case by case”, but is that not how we deal with all our immigration control? We do not apply wholesale visa bans; we are not Trump’s poodle. Data requests are made on a case-by-case, individual basis, but you need to know what data is held in order to make the request.
The Minister referred to a “pause button”. I am afraid that does not, to me, have the air of reality or really offer any assurance in the real world.
Amendment 44 does not respond to our concerns. As I commented, you cannot exercise the right of rectification unless you know what is said about you. I feel we are hardly even talking the same language, although it gives me no pleasure to say that. I think I must seek to test the opinion of the House.
Data Protection Bill [HL] Debate
(6 years, 11 months ago)
Lords Chamber
My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?
At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.