Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateBaroness Jones of Whitchurch
Main Page: Baroness Jones of Whitchurch (Labour - Life peer)Department Debates - View all Baroness Jones of Whitchurch's debates with the Department for Science, Innovation & Technology
(8 months ago)
Grand CommitteeMy Lords, I listened carefully to the explanation given by the noble Lord, Lord Clement-Jones, for his stand part notice on Clause 44. I will have to read Hansard, as I may have missed something, but I am not sure I am convinced by his arguments against Clause 44 standing part. He described his stand part notice as “innocuous”, but I am concerned that if the clause were removed it would have a slightly wider implication than that.
We feel that there are some advantages to how Clause 44 is currently worded. As it stands, it simply makes it clear that data subjects have to use the internal processes to make complaints to controllers first, and then the controller has the obligation to respond without undue delay. Although this could place an extra burden on businesses to manage and reply to complaints in a timely manner, I would have thought that this was a positive step to be welcomed. It would require controllers to have clear processes in place for handling complaints; I hope that that in itself would be an incentive against their conducting the kind of unlawful processing that prompts complaints in the first place. This seems the best practice, which would apply anyway in most organisations and complaint and arbitration systems, including, perhaps, ombudsmen, which I know the noble Lord knows more about than I do these days. There should be a requirement to use the internal processes first.
The clause makes it clear that the data subject has a right to complain directly to the controller and it makes clear that the controller has an obligation to respond. Clause 45 then goes on to make a different point, which is that the commissioner has a right to refuse to act on certain complaints. We touched on this in an earlier debate. Clearly, to be in line with Clause 44, the controller would have to have finished handling the case within the allotted time. We agree with that process. However, an alternative reason for the commissioner to refuse is when the complaint is “vexatious or excessive”. We have rehearsed our arguments about the interpretation of those words in previous debates on the application of subject access requests. I do not intend to repeat them here, but our concern about that wording rightly remains. What is important here is that the ICO should not be able to reject complaints simply because the complainant is distressed or angry. It is helpful that the clause states that in these circumstances,
“the Commissioner must inform the complainant”
of the reasons it is considered vexatious or excessive. It is also helpful that the clause states that this
“does not prevent the complainant from making it a complaint again”,
presumably in a way more compliant with the rules. Unlike the noble Lord, Lord Clement Jones—as I said, I will look at what he said in more detail—on balance, we are content with the wording as it stands.
On a slightly different tack, we have added our name to Amendment 154, in the name of the noble Lord, Lord Clement-Jones, and we support Amendment 287 on a similar subject. This touches on a similar principle to our previous debate on the right of data communities to raise data-breach complaints on behalf of individuals. In these amendments, we are proposing that there should be a collective right for organisations to raise data-breach complaints for individuals or groups of individuals who do not necessarily feel sufficiently empowered or confident to raise the complaints on their own behalf. There are many reasons why this reticence might occur, not least that the individuals may feel that making a complaint would put their employment on the line or that they would suffer discrimination at work in the future. We therefore believe that these amendments are important to widen people’s access to work with others to raise these complaints.
Since these amendments were tabled, we have received the letter from the Minister that addresses our earlier debate on data communities. I am pleased to see the general support for data intermediaries that he set out in his letter. We argue that a data community is a separate distinct collective body, which is different from the wider concept of data intermediaries. This seems to be an area in which the ICO could take a lead in clarifying rights and set standards. Our Amendment 154 would therefore set a deadline for the ICO to do that work and for those rights to be enacted.
The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, made a good case for broadening these rights in the Bill and, on that basis, I hope the Minister will agree to follow this up, and follow up his letter so that we can make further progress on this issue.
The noble Lord, Lord Clement-Jones, has tabled a number of amendments that modify the courts and tribunals functions. I was hoping that when I stood here and listened to him, I would understand a bit more about the issues. I hope he will forgive me for not responding in detail to these arguments. I do not feel that I know enough about the legal background to the concerns but he seems to have made a clear case in clarifying whether the courts or tribunals should have jurisdiction in data protection issues.
On that basis, I hope that the Minister will also provide some clarification on these issues and I look forward to his response.
My Lords, I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for tabling these amendments to Clauses 44 and 45, which would reform the framework for data protection complaints to the Information Commissioner.
The noble Lord, Lord Clement-Jones, has given notice of his intention to oppose Clause 44 standing part of the Bill. That would remove new provisions from the Bill that have been carefully designed to provide a more direct route to resolution for data subjects’ complaints. I should stress that these measures do not limit rights for data subjects to bring complaints forward, but instead provide a more direct route to resolution with the relevant data controller. The measures formalise current best practice, requiring the complainant to approach the relevant data controller, where appropriate, to attempt to resolve the issue prior to regulatory involvement.
The Bill creates a requirement for data controllers to facilitate the making of complaints and look into what may have gone wrong. This should, in most cases, result in a much quicker resolution of data protection-related complaints. The provisions will also have the impact of enabling the Information Commissioner to redeploy resources away from handling premature complaints where such complaints may be dealt with more effectively, in the first instance, by controllers and towards value-added regulatory activity, supporting businesses to use data lawfully and in innovative ways.
The noble Lord’s Amendment 153 seeks, in effect, to expand the scope of the Information Commissioner’s duty to investigate complaints under Section 165 of the Data Protection Act. However, that Section of the Act already provides robust redress routes, requiring the commissioner to take appropriate steps to respond to complaints and offer an outcome or conclude an investigation within a specified period.
The noble Lord raised the enforcement of the UK’s data protection framework. I can provide more context on the ICO’s approach, although noble Lords will be aware that it is enforced independently of government by the ICO; it would of course be inappropriate for me to comment on how the ICO exercises its enforcement powers. The ICO aims to be fair, proportionate and effective, focusing on areas with the highest risk and most harm, but this does not mean that it will enforce every case that crosses its books.
The Government have introduced a new requirement on the ICO—Clause 43—to publish an annual report on how it has exercised its enforcement powers, the number and nature of investigations, the enforcement powers used, how long investigations took and the outcome of the investigations that ended in that period. This will provide greater transparency and accountability in the ICO’s exercise of its enforcement powers. For these reasons, I am not able to accept these amendments.
I also thank the noble Baroness and the noble Lord for their Amendments 154 and 287 concerning Section 190 of the Data Protection Act. These amendments would require the Secretary of State to legislate to give effect to Article 80(2) of the UK GDPR to enable relevant non-profit organisations to make claims against data controllers for alleged data breaches on behalf of data subjects, without those data subjects having requested or agreeing to the claim being brought. Currently, such non-profit organisations can already pursue such actions on behalf of individuals who have granted them specific authorisation, as outlined in Article 80(1).
In 2021, following consultation, the Government concluded that there was insufficient evidence to justify implementing Article 80(2) to allow non-profit organisations to bring data protection claims without the authorisation of the people affected. The Government’s response to the consultation noted that the regulator can and does investigate complaints raised by civil society groups, even when they are not made on behalf of named individuals. The ICO’s investigations into the use of live facial recognition technology at King’s Cross station and in some supermarkets in southern England are examples of this.
I also thank the noble Baroness, Lady Kidron, for raising her concerns about the protection of children throughout the debate—indeed, throughout all the days in Committee. The existing regime already allows civil society groups to make complaints to the ICO about data-processing activities that affect children and vulnerable people. The ICO has a range of powers to investigate systemic data breaches under the current framework and is already capable of forcing data controllers to take decisive action to address non-compliance. We are strengthening its powers in this Bill. I note that only a few member states of the EU have allowed non-governmental organisations to launch actions without a mandate, in line with the possibility provided by the GDPR.
I turn now to Amendments 154A, 154B—
My Lords, we now move on to Part 2 of the Bill, which concerns the provision of digital verification services. In moving Amendment 177, I will also speak to the amendments through to Amendment 195; apart from one, all of them are in my name and have the support of the noble Lord, Lord Clement-Jones, for which I am grateful.
I have no doubt that its contribution to the letter will be equally enjoyable. However, for all the reasons I set out above, I am not able to accept these amendments and respectfully encourage the noble Baroness and noble Lords not to press them.
My Lords, I suppose I am meant to say that I thank the Minister for his response, but I cannot say that it was particularly optimistic or satisfying. On my amendments, the Minister said he would be responding to the DPRRC in due course, and obviously I am interested to see that response, but as the noble Lord, Lord Clement-Jones, said, the committee could not have been clearer and I thought made a very compelling case for why there should be some parliamentary oversight of this main code and, indeed, the fees arrangements.
I understand that it is a fast-moving sector, but the sort of things that the Delegated Powers Committee was talking about was that the main code should have some fundamental principles, some user rights and so on. We are not trying to spell out every sort of service that is going to be provided—as the Minister said, it is a fast-moving sector—but people need to have some trust in it and they need to know what this verification service is going to be about. Just saying that there is going to be a code, on such an important area, and that the Secretary of State will write it, is simply not acceptable in terms of basic parliamentary democracy. If it cannot be done through an affirmative procedure, the Government need to come up with another way to make sure that there is appropriate parliamentary input into what is being proposed here.
On the subject of the fees, the Delegated Powers Committee and our amendment was saying only that there should be a negative SI. I thought that was perfectly reasonable on its part and I am sorry that the Minister is not even prepared to accept that perfectly suggestion. All in all, I thought that the response on that element was very disappointing.
The response was equally disappointing on the whole issue that the noble Lords, Lord Kamall and Lord Vaux, raised about the right not to have to use the digital verification schemes but to do things on a non-digital basis. The arguments are well made about the numbers of people who are digitally excluded. I was in the debate that the noble Lord referred to, and I cannot remember the statistics now, but something like 17% of the population do not have proper digital access, so we are excluding a large number of people from a whole range of services. It could be applying for jobs, accessing bank accounts or applying to pay the rent for your son’s flat or whatever. We are creating a two-tier system here, for those who are involved and those who are on the margins who cannot use a lot of the services. I would have hoped that the Government would have been much more engaged in trying to find ways through that and providing some guarantees to people.
We know that we are taking a big leap, with so many different services going online. There is a lot of suspicion about how these services are going to work and people do not trust that computers are always as accurate as we would like them to be, so they would like to feel that there is another way of doing it if it all goes wrong. It worries me that the Minister is not able to give that commitment.
I have to say that I am rather concerned by what the Minister said about the private sector—in effect, that it can already have a requirement to have digital only. Surely, in this brave new world we are going towards, we do not want a digital-only service; this goes back to the point about a whole range of people being excluded. What is wrong with saying, even to people who collect people’s bank account details to pay their son’s rent, “There is an alternative way of doing this as well as you providing all the information digitally”? I am very worried about where all this is going, including who will be part of it and who will not. If the noble Lords, Lord Kamall and Lord Vaux, wish to pursue this at a later point, I would be sympathetic to their arguments.
On identity theft, the noble Lord, Lord Clement-Jones, made a compelling case. The briefing that he read out from the Metropolitan Police said that your data is one of your most valuable assets, which is absolutely right. He also rightly made the point that this is linked to organised crime. It does not happen by accident; some major people are farming our details and using them for all sorts of nefarious activities. There is a need to tighten up the regulation and laws on this. The Minister read out where he thinks this is already dealt with under existing legislation but we will all want to scrutinise that and see whether that really is the case. There are lots of examples of where the police have not been able to help people and do not know what their rights are, so we just need to know exactly what advice has been given to the police.
I feel that the Minister could have done more on this whole group to assure us that we are not moving towards a two-tier world. I will withdraw my amendment, obviously, but I have a feeling that we will come back to this issue; it may be something that we can talk to the Minister about before we get to Report.
My Lords, it has been a pleasure to listen to noble Lords’ speeches in this debate. We are all very much on the same page and have very much the same considerations in mind. Both the protection of biometric data itself and also the means by which we regulate its use and have oversight over how it is used have been mentioned by everyone. We may have slightly different paths to making sure we have that protection and oversight, but we all have the same intentions.
The noble Lord, Lord Holmes, pointed to the considerable attractions of, in a sense, starting afresh, but I have chosen a rather different path. I think it was the noble Lord, Lord Vaux, who mentioned Fraser Sampson, the former Biometrics and Surveillance Camera Commissioner. I must admit that I have very high regard for the work he did, and also for the work of such people as Professor Peter Fussey of Essex University. Of course, a number of noble Lords have mentioned the work of CRISP in all this, which kept us very well briefed on the consequence of these clauses.
No one has yet spoken to the stand part notices on Clauses 130 to 132; I will come on to those on Clauses 147 to 149 shortly. The Bill would drastically change the way UK law enforcement agencies can handle biometric personal data. Clauses 130 to 132 would allow for data received from overseas law enforcement agencies to be stored in a pseudonymised, traceable format indefinitely.
For instance, Clause 130 would allow UK law enforcement agencies to hold biometric data received from overseas law enforcement agencies in a pseudonymised format. In cases where the authority ceases to hold the material pseudonymously and the individual has no previous convictions or only one exempt conviction, the data may be retained in a non-pseudonymous format for up to three years. Therefore, the general rule is indefinite retention with continuous pseudonymisation, except for a specific circumstance where non-pseudonymised retention is permitted for a fixed period. I forgive noble Lords if they have to read Hansard to make total sense of that.
This is a major change in the way personal data can be handled. Permitting storage of pseudonymised or non-pseudonymised data will facilitate a vast biometric database that can be traced back to individuals. Although this does not apply to data linked to offences committed in the UK, it sets a concerning precedent for reshaping how law enforcement agencies hold data in a traceable and identifiable way. It seems that there is nothing to stop a law enforcement agency pseudonymising data just to reattach the identifying information, which they would be permitted to hold for three years.
The clauses do not explicitly define the steps that must be taken to achieve pseudonymisation. This leaves a broad scope for interpretation and variation in practice. The only requirement is that the data be pseudonymised
“as soon as reasonably practicable”,
which is a totally subjective threshold. The collective impact of these clauses, which were a late addition to the Bill on Report in the Commons, is deeply concerning. We believe that these powers should be withdrawn to prevent a dangerous precedent being set for police retention of vast amounts of traceable biometric data.
The stand part notices on Clauses 147 to 149 have been spoken to extremely cogently by the noble Lord, Lord Vaux, the noble Viscount, Lord Stansgate, and the noble Baroness, Lady Harding. I will not repeat a great deal of what they said but what the noble Baroness, Lady Harding, said about the Human Fertilisation and Embryology Authority really struck a chord with me. When we had our Select Committee on Artificial Intelligence, we looked at models for regulation and how to gain public trust for new technologies and concepts. The report that Baroness Warnock did into fertilisation and embryology was an absolute classic and an example of how to gain public trust. As the noble Baroness, Lady Harding, said, it has stood the test of time. As far as I am concerned, gaining that kind of trust is the goal for all of us.
What we are doing here risks precisely the reverse by abolishing the office of the Biometrics and Surveillance Camera Commissioner. This was set up under the Protection of Freedoms Act 2012, which required a surveillance camera commissioner to be appointed and a surveillance camera code of practice to be published. Other functions of the Biometrics and Surveillance Camera Commissioner are in essence both judicial and non-judicial. They include developing and encouraging compliance with the surveillance camera code of practice; raising standards for surveillance camera developers, suppliers and users; public engagement; building legitimacy; reporting annually to Parliament via the Home Secretary; convening expertise to support these functions; and reviewing all national security determinations and other powers by which the police can retain biometric data. The Bill proposes to erase all but one—I stress that—of these activities.
The noble Lord, Lord Vaux, quoted CRISP. I will not repeat the quotes he gave but its report, which the noble Viscount, Lord Stansgate, also cited, warns that
“plans to abolish and not replace existing safeguards in this crucial area will leave the UK without proper oversight just when advances in artificial intelligence (AI) and other technologies mean they are needed more than ever”.
The Bill’s reduction of surveillance-related considerations to data protection compares unfavourably to regulatory approaches in other jurisdictions. Many have started from data protection and extended it to cover the wider rights-based implications of surveillance. Here, the Bill proposes a move in precisely the opposite direction. I am afraid this is yet another example of the Bill going entirely in the wrong direction.
My Lords, I thank all noble Lords who have contributed to what has been an excellent debate on this issue. We have all been united in raising our concerns about whether the offices of the biometrics commissioner and the surveillance camera commissioner should be abolished. We all feel the need for more independent oversight, not less, as is being proposed here.
As we know, the original plan was for the work of the biometrics commissioner to be transferred to the Information Commissioner, but when he raised concerns that this would result in the work receiving less attention, it was decided to transfer it to the Investigatory Powers Commissioner instead. Meanwhile, the office of the surveillance camera commissioner is abolished on the basis that these responsibilities are already covered elsewhere. However, like other noble Lords, we remain concerned that the transfer of this increasingly important work from both commissioners will mean that it does not retain the same level of expertise and resources as it enjoys under the current regime.
These changes have caused some alarm among civic society groups such as the Ada Lovelace Institute and the Centre for Research into Information Surveillance and Privacy, to which noble Lords have referred. They argue that we are experiencing a huge expansion in the reach of surveillance and biometric technology. The data being captured, whether faces, fingerprints, walking style, voice or the shape of the human body, are uniquely personal and part of our individual identity. The data being captured can enhance public safety but can also raise critical ethical concerns around privacy, free expression, bias and discrimination. As the noble Lord, Lord Vaux, said, we need a careful balance of those issues between protection and privacy.
The noble Baroness, Lady Harding, quite rightly said that there is increasing public mistrust in the use of these techniques, and that is why there is an urgent need to take people on the journey. The example the noble Baroness gave was vivid. We need a robust legal framework to underpin the use of these techniques, whether it is by the police, the wider public sector or private institutions. As it stands, the changes in the Bill do not achieve that reassurance, and we have a lot of lessons to learn.
Rather than strengthening the current powers to respond to the huge growth and reach of surveillance techniques, the Bill essentially waters down the protections. Transferring the powers from the BSCC to the new Information Commissioner brings the issue down to data protection when the issues of intrusion and the misuse of biometrics and surveillance are much wider than that. Meanwhile, the impact of Al will herald a growth of new techniques such as facial emotional appraisal and video manipulation, leading to such things as deep fakes. All these techniques threaten to undermine our sense of self and our control of our own personal privacy.
The amendment in the name of the noble Lord, Lord Holmes, takes up the suggestion, also made by the Ada Lovelace Institute, to establish a biometrics office within the ICO, overseen by three experienced commissioners. The functions would provide general oversight of biometric techniques, keep a register of biometric users and set up a process for considering complaints. Importantly, it would require all entities processing biometric data to register with the ICO prior to any use.
We believe that these amendments are a really helpful contribution to the discussion. They would place the oversight of biometric techniques in a more effective setting where the full impacts of these techniques can be properly monitored, measured and reported on. We would need more details of the types of work to be undertaken by these commissioners, and the cost implications but, in principle, we support these amendments because they seem to be an answer to our concerns. We thank the noble Lord for tabling them and very much hope the Minister will give the proposals serious consideration.
I am sorry, but I am wondering whether the Minister is going to say any more on the amendment in the name of the noble Lord, Lord Holmes. Can I be clear? The Minister said that the ICO is the best place to oversee these issues, but the noble Lord’s amendment recognises that; it just says that there should be a dedicated biometrics unit with specialists, et cetera, underneath it. I am looking towards the noble Lord—yes, he is nodding in agreement. I do not know that the Minister dismissed that idea, but I think that this would be a good compromise in terms of assuaging our concerns on this issue.
I apologise if I have misunderstood. It sounds like it would be a unit within the ICO responsible for that matter. Let me take that away if I have misunderstood—I understood it to be a separate organisation altogether.
The Government deem Amendment 238 unnecessary, as using biometric data to categorise or make inferences about people, whether using algorithms or otherwise, is already subject to the general data protection principles and the high data protection standards of the UK’s data protection framework as personal data. In line with ICO guidance, where the processing of biometric data is intended to make an inference linked to one of the special categories of data—for example, race or ethnic origin—or the biometric data is processed for the intention of treating someone differently on the basis of inferred information linked to one of the special categories of data, organisations should treat this as special category data. These protections ensure that this data, which is not used for identification purposes, is sufficiently protected.
Similarly, Amendment 286 intends to widen the scope of the Forensic Information Databases Service—FINDS—strategy board beyond oversight of biometrics databases for the purpose of identification to include “classification” purposes as well. The FINDS strategy board currently provides oversight of the national DNA database and the national fingerprint database. The Bill puts oversight of the fingerprint database on the same statutory footing as that of the DNA database and provides the flexibility to add oversight of new biometric databases, where appropriate, to provide more consistent oversight in future. The delegated power could be used in the medium term to expand the scope of the board to include a national custody image database, but no decisions have yet been taken. Of course, this will be kept under review, and other biometric databases could be added to the board’s remit in future should these be created and should this be appropriate. For the reasons I have set out, I hope that the noble Baroness, Lady Jones of Whitchurch, will therefore agree not to move Amendments 238 and 286.
Responses to the data reform public consultation in 2021 supported the simplification of the complex oversight framework for police use of biometrics and surveillance cameras. Clauses 147 and 148 of the Bill reflect that by abolishing the Biometrics and Surveillance Camera Commissioner’s roles while transferring the commissioner’s casework functions to the Investigatory Powers Commissioner’s Office.
Noble Lords referred to the CRISP report, which was commissioned by Fraser Sampson—the previous commissioner—and directly contradicts the outcome of the public consultation on data reform in 2021, including on the simplification of the oversight of biometrics and surveillance cameras. The Government took account of all the responses, including from the former commissioner, in developing the policies set out in the DPDI Bill.
There will not be a gap in the oversight of surveillance as it will remain within the statutory regulatory remit of other organisations, such as the Information Commissioner’s Office, the Equality and Human Rights Commission, the Forensic Science Regulator and the Forensic Information Databases Service strategy board.