Data (Use and Access) Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Business and Trade
Baroness Morgan of Cotes
Main Page: Baroness Morgan of Cotes (Non-affiliated - Life peer)Department Debates - View all Baroness Morgan of Cotes's debates with the Department for Business and Trade
Data (Use and Access) Bill [HL]
Baroness Morgan of Cotes ExcerptsMonday 16th December 2024
(2 months, 2 weeks ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-III(a) Amendments for Grand Committee (Supplementary to the Third Marshalled List) - (13 Dec 2024)
Lord Clement-Jones (LD)
My Lords, a key aspect of data protection rests in how it restricts the use of personal data once it has been collected. The public need confidence that their data will be used for the reasons they had shared it and not further used in ways that breach their legitimate expectations—or they will become suspicious as regards providing their data. The underlying theme that we heard on the previous group was the danger of losing public trust, which very much applies in the area of law enforcement and national security.
However, Schedules 4 and 5 would remove the requirement to consider the legitimate expectations of the individuals whose data is being processed, or the impact that this would have on their rights, for the purposes of national security, crime detection and prevention, safeguarding or answering to a request by a public authority. Data used for the purposes listed in these schedules would not need to undergo either a balancing test under Article 6.1(f) or a compatibility test under Article 6.4 of the UK GDPR. The combined effect of these provisions would be to authorise almost unconditional data sharing for law enforcement and other public security purposes while, at the same time, reducing accountability and traceability over how the police use the information being shared with them.
As with the previous DPDI Bill, Clauses 87 to 89 of this Bill grant the Home Secretary and police powers to view and use people’s personal data through the use of national security certificates and designation notices, which are substantially the same as Clauses 28 to 30 of the previous DPDI Bill. This risks further eroding trust in law enforcement authorities. Accountability for access to data for law enforcement purposes should not be lowered, and data sharing should be underpinned by a robust test to ensure that individuals’ rights and expectations are not disproportionately impacted. It is a bafflement as to why the Government are so slavishly following their predecessor and believe that these new and unaccountable powers are necessary.
By opposing that Clause 81 stand part, I seek to retain the requirement for police forces to record the reason they are accessing data from a police database. The public need more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them. Just recently, the Met Police admitted that they investigated more than 100 staff over the inappropriate accessing of information in relation to Sarah Everard. This shows that the police can and do act to access information inappropriately, and there may well be less prominent cases where police abuse their power by accessing information without worry for the consequences.
Regarding Amendments 126, 128 and 129, Rights and Security International has repeatedly argued that the Bill would violate the UK’s obligations under the European Convention on Human Rights. On Amendment 126, the requirements in the EU law enforcement directive for logging are, principally, to capture in all cases the justification for personal data being examined, copied, amended or disclosed when it is processed for a law enforcement process—the objective is clearly to ensure that data is processed only for a legitimate purpose—and, secondarily, to identify when, how and by whom the data has been accessed or disclosed. This ensures that individual accountability is captured and recorded.
Law enforcement systems in use in the UK typically capture some of the latter information in logs, but very rarely do they capture the former. Nor, I am informed, do many commodity IT solutions on the market capture why data was accessed or amended by default. For this reason, a long period of time was allowed under the law enforcement directive to modify legacy systems installed before May 2016, which, in the UK, included services such as the police national computer and the police national database, along with many others at a force level. This transitional relief extended to 6 May 2023, but UK law enforcement did not, in general, make the required changes. Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem.
In early April 2023, the Data Protection Act 2018 (Transitional Provision) Regulations 2023 were laid before Parliament. These regulations had the effect of unilaterally extending the transitional relief period under the law enforcement directive for the UK from May 2023 to May 2026. The Government now wish to strike the requirement to capture the justification for any access to data completely, on the basis that this would free up to 1.5 million hours a year of valuable police time for our officers so that they can focus on tackling crime on our streets, rather than being bogged down by administration, and that this would save approximately £42.8 million per year in taxpayers’ money.
This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy. The application of effective control over access to data is very much a live issue in policing, and changing the logging requirement in this way does nothing to improve police data management. Rather, it excuses and perpetuates bad practice. Nor does it increase public confidence.
Clause 87(7) introduces new Section 78A into the Act. This lays down a number of exemptions and exclusions from Part 3 of that Act when the processing is deemed to be in the interests of national security. These exemptions are wide ranging, and include the ability to suspend or ignore principles 2 through 6 in Part 3, and thus run directly contrary to the provisions and expectations of the EU law enforcement directive. Ignoring those principles in itself also negates many of the controls and clauses in Part 3 in its entirety. As a result, they will almost certainly result in the immediate loss of EU law-enforcement adequacy.
I welcome the ministerial letter from the noble Lord, Lord Hanson of Flint, to the noble Lord, Lord Anderson, of 6 November, but was he really saying that all the national security exemption clause does is bring the 2018 Act into conformity with the GDPR? I very much hope that the Minister will set out for the record whether that is really the case and whether it is really necessary to safeguard national security. Although it is, of course, appropriate and necessary for the UK to protect its national security interests, it is imperative that balance remains to protect the rights of a data subject. These proposals do not, as far as we can see, strike that balance.
Clause 88 introduces the ability of law enforcement, competent authorities and intelligence agencies to act as joint controllers in some circumstances. If Clause 88 and associated clauses go forward to become law, they will almost certainly again result in withdrawal of UK law enforcement adequacy and will quite likely impact on the TCA itself.
Amendment 127 is designed to bring attention to the fact that there are systemic issues with UK law enforcement’s new use of hyperscaler cloud service providers to process personal data. These issues stem from the fact that service providers’ standard contracts and terms of service fail to meet the requirements of Part 3 of the UK’s Data Protection Act 2018 and the EU law enforcement directive. UK law enforcement agencies are subject to stringent data protection laws, including Part 3 of the DPA and the GDPR. These laws dictate how personal data, including that of victims, witnesses, suspects and offenders, can be processed. Part 3 specifically addresses data transfers to third countries, with a presumption against such transfers unless strictly necessary. This contrasts with UK GDPR, which allows routine overseas data transfer with appropriate safeguards.
Cloud service providers routinely process data outside the UK and lack the necessary contractual guarantees and legal undertakings required by Part 3 of the DPA. As a result, their use for law enforcement data processing is, on the face of it, not lawful. This non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss. The sheer volume of data processed by law enforcement, particularly body-worn video footage, exacerbates the financial risk. If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually. The Government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR and the DPA.
The current effect of Section 73(4)(b) of the Data Protection Act is to restrict transfers for competent authorities who may have a legitimate operating need, and should possess the internal capability to assess that need, from making transfers to recipients who are not relevant authorities or international organisations and that cloud service provider. This amendment is designed to probe what impact removal of this restriction would have and whether it would enable them to do so where such a transfer is justified and necessary. I beg to move.
Baroness Morgan of Cotes (Non-Afl)
My Lords, I will speak to Amendment 124. I am sorry that I was not able to speak on this issue at Second Reading. I am grateful to the noble and learned Lord, Lord Thomas of Cwmgiedd, for his support, and I am sorry that he has not been able to stay, due to a prior engagement.
Eagle-eyed Ministers and the Opposition Front Bench will recognise that this was originally tabled as an amendment to the Data Protection and Digital Information (No. 2) Bill. It is still supported by the Police Federation. I am grateful to the former Member of Parliament for Loughborough for originally raising this with me, and I thank the Police Federation for its assistance in briefing us in preparing this draft clause. The Police Federation understands that the Home Secretary is supportive of the objective of this amendment, so I shall listen with great interest to what the Minister has to say.
This is a discrete amendment designed to address an extremely burdensome and potentially unnecessary redaction exercise, in relation to a situation where the police are preparing a case file for submission to the Crown Prosecution Service for a charging decision. Given that this issue was talked about in the prior Bill, I do not intend to go into huge amounts of detail because we rehearsed the arguments there, but I hope very much that with the new Government there might be a willingness to entertain this as a change in the law.
Data (Use and Access) Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Baroness Morgan of Cotes
Main Page: Baroness Morgan of Cotes (Non-affiliated - Life peer)Department Debates - View all Baroness Morgan of Cotes's debates with the Department for Science, Innovation & Technology
Data (Use and Access) Bill [HL]
Baroness Morgan of Cotes ExcerptsTuesday 28th January 2025
(1 month ago)
Lords ChamberRead Full debate Data (Use and Access) Bill [HL] 2024-26 Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 57-II Second marshalled list for Report - (24 Jan 2025)
Lord Sandhurst (Con)
My Lords, I will be brief. I congratulate my noble friend Lady Owen on these three splendid amendments. She has done a tremendous service to the criminal law and the women of this country—and young men, who I understand are abused in this way too. It is really important. I shall not add anything to the speeches that have been made, other than to say that I endorse everything said by the noble Lords, Lord Browne of Ladyton and Lord Pannick, and the noble Baroness, Lady Kidron. We must act now, and we must have a Bill that is complete at Third Reading and which includes everything that the noble Baroness has asked for; there cannot be any excuse for quibbling about solicitation. We have to act now, it has got to be done and I am sure the criminal courts will endorse and adopt it. This is a terrible mischief that causes great harm, and we would be doing a great disservice if we did not act on it.
Baroness Morgan of Cotes (Non-Afl)
My Lords, I will speak briefly on this group. Like other noble Lords, I congratulate the noble Baroness, Lady Owen, on her tenacity. As the noble Baroness, Lady Kidron, said, she has learned the lessons of how to change the law in this House very early on—it takes the rest of us quite a while to catch up. I am very grateful that the Government Front Bench have listened, and it demonstrates the value of this House.
The noble Baroness has outlined why her version of the amendment is right: in victims not having to prove the intent of those who have created or solicited the creation of the image, and also the importance of that solicitation. She is in a difficult position tonight. It is a difficult choice to have to make. I fully appreciate that this is part of the Government’s overall commitment to halve violence against women and girls, I think in the course of this Parliament, and that is extremely noble. But we debated this on 13 December, when we debated the noble Baroness’s Private Member’s Bill; we are now at the end of January and, for everything that is welcome in what the Minister said, he also said that he is unable to give the assurance that the amendment will be tabled at Third Reading. He wants the noble Baroness, Lady Owen, to accept that, if she does not see the amendment then, it will appear in the Commons. I have no reason to think that that will not be the case, but, of course, if it does not appear at Third Reading, and if the noble Baroness does not put down her amendment at Third Reading and push it to a vote, then she is very reliant on it coming back in the Commons.
The broader point that I want to make is that, although we are all committed to ending violence against women and girls and next month we will see the Online Safety Act guidance on that very issue being published by Ofcom, the lesson from the Online Safety Act is that—and it was a Government of which I was a supporter and at the time I was taking the Whip—it took the Government an awfully long time to catch up to the fact that there was a group of Members of this House who just wanted the right thing to be done. The Government took far too long. If the Government had actually been engaging by drafting their own amendment to capture the points made by the noble Baroness between 13 December and today, we would have an amendment that we could all unite around and be even more congratulatory to both the noble Baroness and the Government Front Bench in having tackled these images. As it is, we are in a deeply unsatisfactory place. While I am sure that the noble Lord, Lord Pannick, is right that, perhaps, we should not have a vote tonight, the noble Baroness is taking that on an enormous amount of trust.
Therefore, I say to Government Ministers that, when we come to tackle these issues of violence against women and girls in the rest of this Parliament, it should not matter where the proposals come from; if they are right, if they reflect the reality of women’s and girls’ experiences online or offline, then I would hope that Ministers would listen and that the Opposition would obviously help support and secure those changes. As the online world develops, and as technology gets faster and faster, we need to be nimble in this Parliament in addressing those images. If the noble Baroness pushes Amendment 69 to a vote, I would support it tonight. We will all listen very carefully—no pressure—to what the Minister says, and we shall be guided by the noble Baroness and her decisions as we reach the conclusion of this debate.