Data Protection and Digital Information (No. 2) Bill Debate

Full Debate: Read Full Debate
Department: Department for Science, Innovation & Technology

Data Protection and Digital Information (No. 2) Bill

Jane Hunt Excerpts
2nd reading
Monday 17th April 2023

(1 year, 7 months ago)

Commons Chamber
Read Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Julia Lopez Portrait Julia Lopez
- Hansard - - - Excerpts

The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable. I know that concern about the independence of the regulator has been raised as we have been working up these proposals, but I wish to assure the House that we do not believe those concerns to be justified or legitimate. The Bill actually has the strong support of the current Information Commissioner, John Edwards.

The Bill will also put in place the foundations for data intermediaries, which are organisations that can help us to benefit from our data. In effect, we will be able to share less sensitive data about ourselves with businesses while securing greater benefits. As I say, one of the examples of this is open banking. Another way in which the Bill will help people to take back control of their data is by making it easier and more secure for people to prove things about themselves once, electronically, without having to dig out stacks of physical documents such as passports, bills, statements and birth certificates and then having to provide lots of copies of those documents to different organisations. Digital verification services already exist, but we want consumers to be able to identify trustworthy providers by creating a set of standards around them.

The Bill is designed not just to boost businesses, support scientists and deliver consumer benefits; it also contains measures to keep people healthy and safe. It will improve the way in which the NHS and adult social care organise data to deliver crucial health services. It will let the police get on with their jobs by allowing them to spend more time on the beat rather than on pointless paperwork. We believe that this will save up to 1.5 million hours of police time each year—

Julia Lopez Portrait Julia Lopez
- Hansard - - - Excerpts

I know that my hon. Friend has been passionate on this point, and we are looking actively into her proposals.

We are also updating the outdated system of registering births and deaths based on paper processes from the 19th century.

Data has become absolutely critical for keeping us healthy, for keeping us safe and for growing an economy with innovative businesses, providing jobs for generations to come. Britain is at its best when its businesses and scientists are at theirs. Right now, our rules risk holding them back, but this Bill will change that because it was co-designed with those businesses and scientists and with the help of consumer groups. Simpler, easier, clearer regulation gives the people using data to improve our lives the certainty they need to get on with their jobs. It maintains high standards for protecting people’s privacy while seeking to maintain our adequacy with the EU. Overall, this legislation will make data more useful for more people and more usable by businesses, and it will enable greater innovation by scientists. I commend the Bill to the House.

--- Later in debate ---
Jane Hunt Portrait Jane Hunt (Loughborough) (Con)
- View Speech - Hansard - -

This Bill provides us with yet another opportunity to ensure that our legal and regulatory frameworks are tailored to our needs and specifications, now that we are free from the confines of EU law. It is crucial that we have a data rights regime that maintains the high data protection standards that the public expect, but it must do so in a way that is not overly burdensome to businesses and public services, and does not stifle innovation, growth and productivity. The Bill will go a long way to achieving that, but I would like to focus on one small aspect of it.

Announcing the First Reading of the Bill, the Secretary of State stated that it would improve

“the efficiency of data protection for law enforcement and national security partners encouraging better use of personal data where appropriate to help protect the public. It provides agencies with clarity on their obligations, boosting the confidence of the public on how their data is being used.”—[Official Report, 8 March 2023; Vol. 729, c. 20WS.]

That is a positive step forward for national security, but we are missing a crucial opportunity to introduce further reforms that will reduce administrative burdens on police forces across the UK.

I recently met members of the Leicestershire Police Federation, who informed me of the association’s concerns regarding part 3 of the Data Protection Act 2018. Specifically, the Police Federation is concerned about how the requirements of part 3 interact with the Crown Prosecution Service’s “Director’s Guidance on Charging”, which obliged the police to provide more information to the CPS pre-charge. That information includes unused material, digitally recovered material and third-party material, all of which must be redacted in accordance with the Data Protection Act.

Combined, the guidance’s requirements and the provisions of the Act represent a huge amount of administrative work for police officers, who would have to spend hours making the necessary redactions. Furthermore, much of that work may never be used by the CPS if no charge is brought, or the defendant pleads guilty before trial. Nationally, around 25% of cases submitted to the CPS result in no charge. This desk-based work would remove police officers from the frontline.

Picture the scene of an incident. Say that 10 police officers attend, all turning on their body cameras as they arrive. They deal with different aspects of the incident; they talk to a variety of people and take statements, standing in different positions that result in different backgrounds to the video footage and different side-conversations being captured. The lead officer then spends hours, if not days, redacting all the written data and video footage generated by all the officers, only for the redacted data to be sent to a perfectly trusted source, the CPS, which will not necessarily take the case forward.

The data protection Bill is meant to update and simplify the data protection framework used by bodies in the UK. The Bill refers to the work of the police in national security situations, but it should also cover their day-to-day work as a professional body. They should be able to share their data with the CPS, another professional body. Both have a legitimate interest in accessing and sharing the data collected. My hon. Friend the Minister for Data and Digital Infrastructure will know that this is an issue, as I have already raised it with her. I am very grateful for her considered response, and for the Government’s commitment to looking into this matter further, including in the context of this Bill, and at whether the Police Federation’s idea of a data bubble between the police service and the CPS is a workable solution.

I look forward to working with the Government on the issue. It is vital that we do what we can to ease the administrative burden on police officers, so that we can free up thousands of policing hours every year and get police back to the frontline, where they can support communities and tackle crime. Speaking of easing burdens, may I also take this opportunity to wish my hon. Friend the Minister the very best with the arrival that is expected in, I suspect, the none-too-distant future?

Data Protection and Digital Information (No. 2) Bill (First sitting) Debate

Full Debate: Read Full Debate

Data Protection and Digital Information (No. 2) Bill (First sitting)

Jane Hunt Excerpts
Committee stage
Wednesday 10th May 2023

(1 year, 6 months ago)

Public Bill Committees
Read Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Amendment Paper: Public Bill Committee Amendments as at 10 May 2023 - (10 May 2023)
None Portrait The Chair
- Hansard -

We are now sitting in public again and the proceedings are being broadcast. Before we hear from the witnesses, do any Members wish to make a declaration of interest in connection with the Bill?

Jane Hunt Portrait Jane Hunt (Loughborough) (Con)
- Hansard - -

I am not sure whether this is a declaration of interest, so I will mention it just in case. I have had a meeting with Leicestershire Police Federation and I am interested in an amendment that it would like tabled.

Data Protection and Digital Information (No. 2) Bill (Eighth sitting) Debate

Full Debate: Read Full Debate

Data Protection and Digital Information (No. 2) Bill (Eighth sitting)

Jane Hunt Excerpts
Committee stage
Tuesday 23rd May 2023

(1 year, 6 months ago)

Public Bill Committees
Read Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Amendment Paper: Public Bill Committee Amendments as at 23 May 2023 - (23 May 2023)
None Portrait The Chair
- Hansard -

We now come to the big moment for the hon. Member for Loughborough. Weeks of anticipation are now at an end. I call her to move new clause 16.

New Clause 16

Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision

‘(1) The 2018 Act is amended in accordance with subsection (2).

(2) In the 2018 Act, after section 40 insert—

40A Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision

(1) This section applies to a set of processing operations consisting of the preparation of a case-file by the police service for submission to the Crown Prosecution Service for a charging decision, the making of a charging decision by the Crown Prosecution Service, and the return of the case-file by the Crown Prosecution Service to the police service after a charging decision has been made.

(2) The police service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in preparing a case-file for submission to the Crown Prosecution Service for a charging decision.

(3) The Crown Prosecution Service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in making a charging decision on a case-file submitted for that purpose by the police service.

(4) If the Crown Prosecution Service decides that a charge will not be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(5) If the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must return the case-file to the police service and take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(6) Where the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service and returns the case-file to the police service under subsection (5), the police service must comply with the first data protection principle and the third data protection principle in relation to any subsequent processing of the data contained in the case-file.

(7) For the purposes of this section—

(a) The police service means—

(i) constabulary maintained by virtue of an enactment, or

(ii) subject to section 126 of the Criminal Justice and Public Order Act 1994 (prison staff not to be regarded as in police service), any other service whose members have the powers or privileges of a constable.

(b) The preparation of, or preparing, a case-file by the police service for submission to the Crown Prosecution Service for a charging decision includes the submission of the file.

(c) A case-file includes all information obtained by the police service for the purpose of preparing a case-file for submission to the Crown Prosecution Service for a charging decision.”’ —(Jane Hunt.)

This new clause adjusts Section 40 of the Data Protection Act 2018 to exempt the police service and the Crown Prosecution Service from the first and third data protection principles contained within the 2018 Act so that they can share unredacted data with one another when making a charging decision.

Brought up, and read the First time.

Jane Hunt Portrait Jane Hunt (Loughborough) (Con)
- Hansard - -

I beg to move, That the clause be read a Second time.

It is a pleasure to speak before you today, Mr Hollobone, and to move my new clause. I recently met members of the Leicestershire Police Federation, who informed me of its concerns regarding part 3 of the Data Protection Act 2018, which imposes unnecessary and burdensome redaction obligations on the police and taking them away from the frontline. I thank the Police Federation for providing me with the information I am going to discuss and for drafting the new clause I have tabled.

Part 3 of the 2018 Act implemented the law enforcement directive and made provision for data processing by competent authorities, including police forces and the Crown Prosecution Service, for “law enforcement purposes”.

Although recital (4) to the law enforcement directive emphasised that the

“free flow of personal data between competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences…should be facilitated while ensuring a high level of protection of personal data,”

part 3 of the 2018 Act contains no provision at all to facilitate the free flow of personal data between the police and the CPS. Instead, it imposes burdensome obligations on the police, requiring them to redact personal data from information transferred to the CPS. Those obligations are only delaying and obstructing the expeditious progress of the criminal justice system and were not even mandated by the law enforcement directive.

The problem has arisen due to chapter 2 of part 3 of the 2018 Act, which sets out six data protection principles that, as I have mentioned, apply to data processing by competent authorities for law enforcement purposes. Section 35(1) states:

“The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.”

Section 35(2) states:

“The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—

(a) the data subject has given consent to the processing for that purpose, or

(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.”

The Police Federation has said that it is very unlikely that section 35(2)(a) will apply in this context. It has also said that, in the case of section 35(2)(b), the test of whether the processing is “necessary” is exacting, requiring a competent authority to apply its mind to the proportionality of processing specific items of personal data for the particular law enforcement purpose in question. Under sections 35(3) to (5), where the processing is “sensitive processing”, an even more rigorous test applies, requiring among other things that the processing is “strictly necessary” for the law enforcement purpose in question. Section 37 goes on to state:

“The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.”

For the purposes of the 2018 Act, the CPS and each police force are separate competent authorities and separate data controllers. Therefore, as set out in section 34(3), the CPS and each police force must comply with the data protection principles. A transfer of information by a police force to the CPS amounts to the processing of personal data.

The tests of “necessary” and “strictly necessary” under the first data protection principle and the third data protection principle require a competent authority to identify and consider each and every item of personal data contained within information that it is intending to process, and to consider whether it is necessary for that item of personal data to be processed in the manner intended.

The Police Federation has explained that, when the police prepare a case file for submission to the CPS for a charging decision, the practical effect is that they have to spend huge amounts of time and resources on doing so. They go through the information that has been gathered by investigating officers in order to identify every single item of personal data contained in that information; decide whether it is necessary—or, in many cases, strictly necessary—for the CPS to consider each item of personal data when making its charging decision; and redact every item of personal data that does not meet that test.

--- Later in debate ---
John Whittingdale Portrait Sir John Whittingdale
- Hansard - - - Excerpts

I thank my hon. Friend the Member for Loughborough, who has been assiduous in pursuing her point and has set out very clearly the purpose of her new clause. We share her wish to reduce unnecessary burdens on the police as much as possible. The new clause seeks to achieve that in relation to the preparation by police officers of pre-charge files, which is an issue that the National Police Chiefs’ Council has raised with the Home Office, as I think she knows.

This is a serious matter for our police forces, which estimate that about four hours is spent redacting a typical case file. They argue that reducing that burden would enable officers to spend more time on frontline policing. We completely understand the frustration that many officers feel about having to spend a huge amount of time on what they see as unnecessary redaction. I can assure my hon. Friend that the Home Office is working with partners in the criminal justice system to find ways of safely reducing the redaction burden while maintaining public trust. It is important that we give them the time to do so.

We need to resolve the issue through an evidence-based solution that will ensure that the right amount of redaction is done at the right point in the process, so as to reduce any delays while maintaining victim and witness confidence in the process. I assure my hon. Friend that her point is very well taken on board and the Government are looking at how we can achieve her objective as quickly as possible, but I hope she will accept that, at this point, it would be sensible to withdraw her new clause.

Jane Hunt Portrait Jane Hunt
- Hansard - -

I thank the Minister greatly for what he has said, and for the time and effort that is being put in by several Departments to draw attention to the issue and bring it to a conclusion. I am happy that some progress has been made and, although I reserve my right to bring back the new clause at a later date, I beg to ask leave to withdraw the motion.

Clause, by leave, withdrawn.

None Portrait The Chair
- Hansard -

Hon. Members will be disappointed to hear that we have reached the final Question that I must put to the Committee.

Question proposed, That the Chair do report the Bill, as amended, to the House.

Data Protection and Digital Information Bill

Jane Hunt Excerpts
Finally, it occurs to me that the power being introduced could be used to establish benefit eligibility for people who do not currently claim benefits. We know, for example, that a large number of people do not claim pension credit, but are eligible for it. A lot of the information about whether they are entitled to pension credit is already held in the public sector, and in local councils in particular. If it were possible to check whether people had less than the threshold savings level, that could help in establishing eligibility for pension credit automatically. Can the Minister tell us whether that is intended with this proposal?
Jane Hunt Portrait Jane Hunt (Loughborough) (Con)
- View Speech - Hansard - -

I rise to speak to new clause 1 in my name and that of other colleagues. Earlier this year, I met with members of Leicestershire Police Federation, who raised concerns about elements of the Data Protection Act 2018 that were imposing unnecessary and burdensome redaction obligations on police forces. I thank the national Police Federation for its tireless campaigning on this issue, particularly Ben Hudson of Suffolk police, and I thank my hon. Friend the Member for Waveney (Peter Aldous) for all he has done in this area. I thank them for much of the information I will share today.

As I explained in Committee, part 3 of the 2018 Act implemented the law enforcement directive and made provision for data processing by competent authorities, including police forces and the Crown Prosecution Service, for law enforcement purposes. Paragraph (4) of the enforcement directive emphasised that the

“free flow of personal data between competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences…should be facilitated while ensuring a high level of protection of personal data.”

However, part 3 of the 2018 Act contains no provision at all to facilitate the free flow of personal data between the police and the CPS. Instead, it imposes burdensome obligations on the police, requiring them to redact personal data from information transferred to the CPS. Those obligations are only delaying and obstructing the expeditious progress of the criminal justice system and were not even mandated by the law enforcement directive.

The problem has arisen due to chapter 2 of part 3 of the 2018 Act, which sets out six data protection principles that apply to data processing by competent authorities for law enforcement purposes. Section 35(1) states:

“The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.”

Section 35(2) states:

“The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—

(a) the data subject has given consent to the processing for that purpose, or

(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

The Police Federation has said that it is unlikely that section 35(2)(a) will apply in this context. It has also said that in the case of 35(2)(b), the test of whether the processing is “necessary” is exacting, requiring a competent authority to apply its mind to the proportionality of processing specific items of personal data for the particular law enforcement purpose in question.

Under sections 35(3) to 35(5), where the processing is “sensitive processing”, an even more rigorous test applies, requiring among other things that the processing is

“strictly necessary for the law enforcement purpose”

in question. Section 37 states:

“The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.”

For the purposes of the 2018 Act, the Crown Prosecution Service and each police force are separate competent authorities and separate data controllers. Therefore, as set out in section 34(3), the CPS and each police force must comply with the data protection principles. A transfer of information by a police force to the CPS amounts to the processing of personal data.

The tests of “necessary” and “strictly necessary” under the first and third data protection principles require a competent authority to identify and consider each and every item of personal data contained within the information that it is intended to process and to consider whether it is necessary for that item of personal data to be processed in the manner intended. The impact of this is that when preparing a case file for a charging decision from the CPS, the police must spend huge amounts of time and resources analysing information that has been gathered by investigating officers in order to identify every item of personal data. They then have to decide whether it is necessary or, in many cases strictly necessary, for the CPS to consider each item of personal data when making its charging decision, and to redact every item of personal data that does not meet that test.

The National Police Chiefs’ Council and the CPS have produced detailed guidance on this redaction process. It emphasises that the 2018 Act is a legal requirement and that the police and the CPS do not have any special relationship that negates the need to redact and protect personal information. The combination of the requirements of the guidance and of the Act represent a huge amount of administrative work for police officers, resulting in hours of preparing appropriate redactions. Furthermore, such work is inevitably carried out by relatively junior officers who have no particular expertise in data protection, and much of it may never be used by the CPS if the matter is not charged or if the defendant pleads guilty before trial. Nationally, about 25% of cases that are submitted to the CPS are not charged. A significant proportion of that time and money could be saved if the redaction of personal data by the police occurred after, rather than before, a charging decision has been made by the CPS.

The burden that this is placing on police forces was highlighted in the 2022 “Annual Review of Disclosure” by the Attorney General’s Office, which heard evidence from police that

“redaction of material for disclosure is placing a significant pressure on resources”.

It also found that one police force had invested £1 million in a disclosure specialist team solely to deal with redaction. In its report on policing priorities, the Home Affairs Committee stated:

“The National Police Chiefs’ Council and the College of Policing said this ‘labour-intensive’ process ‘ties up police resources for a protected period of time’, meaning investigations take longer, and possibly adds to the likelihood of victims withdrawing their support for a case. The College noted that the problem has become worse as digital devices such as phones and laptops have developed ever greater storage capacity, meaning there is more data for the police to process and redact. Disparities in digital capabilities across the 43 local forces also exacerbate the problem.”

The report went on to say:

“Lengthy and inefficient redaction processes and protracted investigations are neither effective nor fair on either victims or suspects. The handling of case files needs to comply with data protection laws. However, ensuring that the requirements are proportionate and that forces have the digital capacity to meet such requirements efficiently is an urgent issue that needs addressing. More needs to be done to pilot solutions and get the balance right.”

Furthermore, the Police Federation and the National Police Chiefs’ Council estimate that the cost nationally of the redaction exercise is over £5.6 million per annum. There is no disputing that there is a clear issue here, and I welcome that this has been acknowledged by Ministers I have been engaging with, including the Minister for Crime, Policing and Fire, my right hon. Friend the Member for Croydon South (Chris Philp); the former Home Secretary, my right hon. and learned Friend the Member for Fareham (Suella Braverman); and the Minister for Data and Digital Infrastructure, the right hon. Member for Maldon (Sir John Whittingdale). Only last week, the latter emphasised to me the Government’s support for reform.

Indeed, the autumn statement last week highlighted the Government’s commitment to boosting public sector productivity by running an ambitious public sector productivity programme with all Departments to reimagine the way public services are delivered. The focus of that will be on

“reducing the amount of time our key frontline workers, including police, doctors, and nurses, spend on administrative tasks”.

That is to ensure that they can spend more time delivering for the public. Arguably, the current process of data redaction is the biggest unnecessary administrative task keeping police officers away from the frontline, so reform needs to be implemented urgently.

My new clause lays out a blueprint for that reform and would insert a proposed new section into the 2018 Act to exempt the police service and the CPS from complying with the first data protection principle—except in so far as that principle requires processing to be fair—or with the third data protection principle when preparing a case file for submission to the CPS for a charging decision, thereby facilitating the free flow of personal data between the police and the CPS. If the CPS decided to charge, the case file would be returned to the police to carry out the redaction exercise before there was any risk of the file being disclosed to any person or body other than the CPS. In the 25% of cases in which the CPS decides not to charge, the unredacted file would simply be deleted by the CPS.

My new clause would have no obvious disadvantages, as the security of the personal data would not be compromised and the necessary redactions would still be undertaken once a charging decision had been made. Furthermore, providing material unredacted to the CPS pre-charge would not impact the timeliness of the process in any way, as the police would still be providing the same material to the CPS as they would have done previously, just unredacted.

I know from my conversations with Ministers that there are a few questions from a number of sources about whether legislative change is the best way to tackle the issues surrounding redaction. To that, the Police Federation has said that

“the hope is that the CPS will set out, within their charging advice, what material they intend to rely upon and, therefore, only the required material will have to be redacted by the police. This would be done in line with the maximum time of service set out within the ‘Better case management handbook Jan 23’, which states that service is required no less than five days before the hearing. So we must accept that there may be a slight delay in the CPS being able to serve their case on the defence at the point of charge. But the time in which it will take police forces to apply for a charging decision to the CPS will be far quicker without the need for redact. Thus, stopping defendants being on bail or under ‘released under investigation’ status for as long as they currently are and victims of crime waiting less time for charging decisions.”

In addition, the Police Federation has highlighted that while auto-redaction software will help to mitigate the current issues, it will not recover all policing capacity in respect of redaction. Officers will still need to review the item to consider what auto-redaction parameters need applying, otherwise police could risk ending up with mass over-redaction, and having to check to ensure nothing has been missed. The real benefit for auto-redaction software will come post-charge, especially if the CPS states exactly what material it intends to use or disclose.

I also appreciate that the Government feel they cannot support my amendment because of three technical legal points, and I would like to summarise the Police Federation’s response to this, based on advice from its leading counsel who are experienced in the field of data protection and privacy.

The Government’s first objection is that there are provisions in the 2018 Act, other than the first and third data protection principles, that

“in effect require the material concerned to be reviewed and redacted”.

The two examples given by the Home Office were the sixth data protection principle and section 44. The sixth data protection principle—data security—does not require case files to be redacted. The same standard of

“appropriate technical or organisational measures”

is required whether case files are redacted before or after the CPS has made a charging decision. The Police Federation’s leading counsel has pointed out that section 44(4) of the Act already contains potentially relevant restrictions on a data subject’s rights. Those restrictions during an investigation would be consistent with an amendment providing for the police to redact any given case file only after the CPS has decided to charge.