(11 months, 2 weeks ago)
Commons ChamberI am very happy to join the hon. Lady in calling for that. I recently met my ministerial colleague at the Department for Work and Pensions to discuss what more we can do to ensure that benefit claimants are aware of the possibility of going on to social tariffs.
I am afraid that I cannot say any more about the detail of the proposed merger, other than that we have well-established and robust processes in place for the consideration of both the impact on competition in the market and any possible national security concerns. I am confident that those processes will be followed, if necessary, in this case.
With the leave of the House, I call Liam Byrne to wind up.
(12 months ago)
Commons ChamberWith the leave of the House, I call the Minister to wind up the debate.
I thank all hon. Members who have contributed to the debate. I believe that these matters are important, if sometimes very complicated and technical. My hon. Friend the Member for Yeovil (Mr Fysh) was absolutely right to stress how fundamentally important they are, and they will become more so.
I also thank the shadow Minister for identifying the areas where we are in agreement. We had a good Committee stage with his colleague, the hon. Member for Barnsley East (Stephanie Peacock), where we agreed on the overall objectives of the Bill. It is welcome that the shadow Minister has supported us, particularly on the amendment that we moved this afternoon on the powers of the Information Commissioner’s Office, the provisions relating to digital verification services, and smart data. There were, however, some areas on which we will not agree.
Let me begin by addressing the main amendments that the hon. Gentleman has moved. Amendment 1 relates to high-risk processing. It is the case that one of the main aims of the Bill is to remove some of the UK GDPR’s unnecessary compliance burdens. That is why organisations will be required to designate only senior responsible individuals to carry out risk assessments and keep records of processing when their activities pose high risks to individuals. The amendments that the hon. Gentleman is proposing would reintroduce a prescriptive list of high-risk processing activities drawn from article 35 of the UK GDPR. We find that some of the language in article 35 is unclear and confusing, which is partly why we removed it in the first place. We think organisations should have the ability to make a judgment of risk based on the specific nature, scale and context of their own processing activities. We do not need to provide prescriptive examples of high-risk processing in the legislation, because any list could quickly become out of date. Instead, to help data controllers, clause 18 of the Bill requires the ICO to produce a document with examples of what the commissioner considers to be high-risk processing.
I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future. But I am happy to take the hon. Gentleman up on his request on behalf of my hon. Friend the Minister for Disabled People, Health and Work, with whom he has already engaged. I am sure that the right hon. Member for East Ham will want to examine the issue further in the Work and Pensions Committee, which he chairs. It will undoubtedly also be subject to further discussions in the other place. We are certainly open to further discussion.
The right hon. Member for East Ham also raised the question of commencement. I can tell him that the test and learn phase will begin in 2025, with a steady roll-out to full-scale delivery by 2030. I am sure that he will want to examine these matters further.
The amendment tabled by my right hon. Friend the Member for Haltemprice and Howden (Mr Davis) focuses on digital exclusion. The Bill provides for the use of secure and inclusive digital identities across the economy. It does not force businesses or individuals to use them. Individual choice is integral to our approach. As the Bill makes clear, digital verification services can be provided only at the request of the individual. Where people want to use a digital verification service, the Government are committed to ensuring that available products and services are secure and privacy-focused. That is to be achieved through the high standards set out in the trust framework.
The trust framework also outlines how services can improve inclusion, and requires services to publish an annual inclusion monitoring report. There are businesses that operate only in the digital sphere, such as some online banks and energy companies, as I think has been acknowledged. We feel that to oblige them to offer manual document checking would place obligations on businesses that go beyond the Government’s commitment to do only what is necessary to enable the digital market to grow.
On amendment 224 from the Scottish National party, solely automated decision making that produces legal or similarly significant effects on individuals was not entirely prohibited previously under the UK’s data protection legal framework. The rules governing article 22 are confusing and complex, so clause 12 clarifies and simplifies the rules related to solely automated decision making, and will reduce barriers to responsible data use, help to drive innovation, and maintain high standards of data protection. The reforms do not water down any of the protections to data subjects offered under the broader UK data protection regime—that is, UK GDPR and the Data Protection Act 2018.
On the other amendment tabled by the SNP, amendment 229, effective independent oversight of surveillance camera systems is crucial to public trust. The oversight framework is complex and confusing for the police and public because of substantial duplication between the surveillance camera commissioner functions and the code, which covers police and local authorities in England and Wales only, and the ICO and data protection legislation. The Bill addresses that, following public consultation, through abolishing the surveillance camera commissioner and code.
The amendment tabled by the hon. Member for Glasgow North would negate that by retaining the code and transferring the surveillance camera commissioner functions to the investigatory powers commissioner. It would also blur the lines between overt and covert surveillance, which the investigatory powers commissioner oversees. Those two types of surveillance have distinct legislation and oversight, mainly because covert surveillance is generally considered to be significantly more intrusive.
On amendment 222, it is important to be clear that the ability to refuse or charge a reasonable fee for a request already exists, and clause 8 does not place new restrictions on reasonable requests from data subjects. The Government believe that it is proportionate to allow controllers to refuse or charge a reasonable fee for vexatious or excessive requests, and a clearer provision enables controllers to focus time and resources on responding to reasonable requests instead.
Amendments 278 and 279, tabled by my hon. Friend the Member for Yeovil, would remove the new lawful ground of recognised legitimate interests, which the Bill will add to article 6 of UK GDPR. Amendment 230 accepts that there is merit in retaining the recognised legitimate interests list, but would make any additions to it subject to a super-affirmative parliamentary procedure. It is true that the Bill removes the need for non-public-sector organisations to do a detailed legitimate interests assessment in relation to a small number of processing activities. Those include activities relating for example to the safeguarding of children, crime prevention and responding to emergencies. We heard from stakeholders that the need to do an assessment and the fear of getting it wrong could sometimes delay or deter those important processing activities from taking place. Future Governments would not be able to add new activities to the list lightly; clause 5 of the Bill already makes it clear that the Secretary of State must carefully consider the rights and interests of people, and in particular the special protection needed for children, before adding anything new to the list. Any new regulations would also need to be approved via the affirmative resolution procedure.
My hon. Friend the Member for Yeovil has tabled a large number of other amendments, which are complicated in nature. I have written to him in some detail setting out the Government’s response to each of those, but if he wishes to pursue further any of the points contained therein I would be very happy to have further discussions with him.
I would like to comment on the amendments by several of my colleagues that I wish I was in a position to be able to support. In particular, my hon. Friend the Member for Loughborough (Jane Hunt) has been assiduous in pursuing her point both in the Bill Committee and in this debate. The problem she identifies is without question a very real one, and she set out in some detail how it is massively increasing the burden on the police, which clearly we would wish to reduce wherever possible.
I have had meetings with Home Office Ministers, as my hon. Friend has, and they absolutely identify that problem and share her wish. While we welcome her intent, the problem is that we do not think that her amendment as drafted would achieve her aims of removing the burden of redaction. To do so would require the amendment and exception of more principles than those identified in the amendment. Indeed, it would require the amendment of more laws than just the Data Protection Act 2018.
The Government are absolutely committed to reducing the burden on the police, but it is obviously important that, if we do so, we do it right, and that the solution works comprehensively. We are therefore actively working on ways to better address the issue, including through improved process, new technology, guidance and legislation. I am very happy to continue to work with her on achieving the aim that we all share and so too, I know, are colleagues in the Home Office.
With respect to the amendments tabled by my hon. Friend the Member for Weston-super-Mare (John Penrose), as I indicated, we absolutely share his enthusiasm for smart data and ensuring that the powers within the Bill are implemented in a timely manner, with interoperability at their core. While I agree that we can only fully realise the benefits of smart data schemes if they enable interoperability, different sectors will have different levels of existing digital infrastructure and capability. Thus, we could inadvertently hinder the success of future schemes if we mandated the use of one universal set of standards based, for instance, on those used in open banking.
The Government will ensure that interoperability is central to the development of smart data schemes. To support our thinking, we are working with industry and regulators in the Smart Data Council to identify the technical infrastructure that needs to be replicated. With regard to the timeline—or even the timeline for a timeline—that my hon. Friend asked for, I recognise that it is important to build investor, industry and consumer confidence by outlining the Government’s planned timeline.
My hon. Friend is right to highlight the Chancellor’s comments in the autumn statement, where we set out plans to kick-start the smart data big bang, and our ambition for using those powers across seven sectors. At this stage I am afraid I am not able to accept his amendment, but it is our intention to set out those plans in more detail in the coming months. I know the Under-Secretary of State for Business and Trade, my hon. Friend the Member for Thirsk and Malton (Kevin Hollinrake) and I will be happy to work with him to do so.
The aim of the amendment tabled by the hon. Member for Jarrow (Kate Osborne) was to clarify that, when special category data of employees such as health data is transferred between members of a group of undertakings for internal administrative purposes on grounds of legitimate interests, the conditions and safeguards outlined in schedule 1 of the Data Protection Act should apply to that processing. The Government agree with the sentiment of her amendment, but consider that it is unnecessary. The current legal framework already requires controllers to identify an exemption under article 9 of the UK GDPR if they are processing special category data. Those exemptions are supplemented by the conditions and safeguards outlined in schedule 1. Under those provisions, employers can process special category data where processing is necessary to comply with obligations under employment law. We do not therefore consider the amendment necessary.
Finally, I turn to new clause 45, tabled by my hon. Friend the Member for Aberconwy (Robin Millar). The Government are absolutely committed to improving the availability of comparable UK-wide data. He, too, has been assiduous in promoting that cause, and we are very happy to work with him. We are extremely supportive of the principle underlying his amendment. He is right to point out that people have the right to know the extent of Labour’s failings with the NHS in Wales, as he pointed out, and his new clause sends an important message on our commitment to better data. I can commit to working at pace with him and the UK Statistics Authority to look at ways in which we may be able to implement the intentions of his amendment and bring forward legislative changes following those discussions.
On that basis, I commend the Government amendments to the House.
Question put and agreed to.
New clause 6 accordingly read a Second time, and added to the Bill.
For the benefit of all Members, we are before the knife, so we will have to go through a sequence of procedures. It would help me, the Clerk and the Minister if we had a degree of silence. This will take a little time, and we need to be able to concentrate. Elected representative Candidate for election as an elected representative member of the House of Commons section 118A of the Representation of the People Act 1983 a member of the Senedd article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236) a member of the Scottish Parliament article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425) a member of the Northern Ireland Assembly section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599) an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely— (i) in England, a county council, a district council, a London borough council or a parish council; (ii) in Wales, a county council, a county borough council or a community council; section 118A of the Representation of the People Act 1983 an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000 section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009 section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) a mayor for the area of a combined county authority established under section 9 of the Levelling-up and Regeneration Act 2023 section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67) the Mayor of London or an elected member of the London Assembly section 118A of the Representation of the People Act 1983 an elected member of the Common Council of the City of London section 118A of the Representation of the People Act 1983 an elected member of the Council of the Isles of Scilly section 118A of the Representation of the People Act 1983 an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994 section 118A of the Representation of the People Act 1983 an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.)) section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 14 (N.I.)) (n)a police and crime commissioner article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917) Term Provision accredited conformity assessment body section 50(7) approved supplementary code section (Approval of a supplementary code)(6) designated supplementary code section (Designation of a supplementary code)(3) digital verification services section 48(2) the DVS register section 50(2) the DVS trust framework section 49(2)(a) the main code section 49(2)(b) recognised supplementary code section (List of recognised supplementary codes)(2) supplementary code section 49(2)(c) supplementary note section (Supplementary notes)(6)” “the data protection legislation section 236”.”
New Clause 48
Processing of personal data revealing political opinions
“(1) Schedule 1 to the Data Protection Act 2018 (special categories of personal data) is amended in accordance with subsections (2) to (5).
(2) After paragraph 21 insert—
‘Democratic engagement
21A (1) This condition is met where—
(a) the personal data processed is personal data revealing political opinions,
(b) the data subject is aged 14 or over, and
(c) the processing falls within sub-paragraph (2),
subject to the exceptions in sub-paragraphs (3) and (4).
(2) Processing falls within this sub-paragraph if—
(a) the processing—
(i) is carried out by an elected representative or a person acting with the authority of such a representative, and
(ii) is necessary for the purposes of discharging the elected representative’s functions or for the purposes of the elected representative’s democratic engagement activities,
(b) the processing—
(i) is carried out by a registered political party, and
(ii) is necessary for the purposes of the party’s election activities or democratic engagement activities,
(c) the processing—
(i) is carried out by a candidate for election as an elected representative or a person acting with the authority of such a candidate, and
(ii) is necessary for the purposes of the candidate’s campaign for election,
(d) the processing—
(i) is carried out by a permitted participant in relation to a referendum or a person acting with the authority of such a person, and
(ii) is necessary for the purposes of the permitted participant’s campaigning in connection with the referendum, or
(e) the processing—
(i) is carried out by an accredited campaigner in relation to a recall petition or a person acting with the authority of such a person, and
(ii) is necessary for the purposes of the accredited campaigner’s campaigning in connection with the recall petition.
(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(4) Processing does not meet the condition in sub-paragraph (1) if—
(a) an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b) the notice gave the controller a reasonable period in which to stop processing such data, and
(c) that period has ended.
(5) For the purposes of sub-paragraph (2)(a) and (b)—
(a) “democratic engagement activities” means activities whose purpose is to support or promote democratic engagement;
(b) “democratic engagement” means engagement by the public, a section of the public or a particular person with, or with an aspect of, an electoral system or other democratic process in the United Kingdom, either generally or in connection with a particular matter, whether by participating in the system or process or engaging with it in another way;
(c) examples of democratic engagement activities include activities whose purpose is—
(i) to promote the registration of individuals as electors;
(ii) to increase the number of electors participating in elections for elected representatives, referendums or processes for recall petitions in which they are entitled to participate;
(iii) to support an elected representative or registered political party in discharging functions, or carrying on other activities, described in sub-paragraph (2)(a) or (b);
(iv) to support a person to become a candidate for election as an elected representative;
(v) to support a campaign or campaigning referred to in sub-paragraph (2)(c), (d) or (e);
(vi) to raise funds to support activities whose purpose is described in sub-paragraphs (i) to (v);
(d) examples of activities that may be democratic engagement activities include—
(i) gathering opinions, whether by carrying out a survey or by other means;
(ii) communicating with electors.
(6) In this paragraph—
“accredited campaigner” has the meaning given in Part 5 of Schedule 3 to the Recall of MPs Act 2015;
“candidate” , in relation to election as an elected representative, has the meaning given by the provision listed in the relevant entry in the second column of the table in sub-paragraph (7);
“elected representative” means a person listed in the first column of the table in sub-paragraph (7) and see also sub-paragraphs (8) to (10);
“election activities” , in relation to a registered political party, means—
(a) campaigning in connection with an election for an elected representative, and
(b) activities whose purpose is to enhance the standing of the party, or of a candidate standing for election in its name, with electors;
“elector” means a person who is entitled to vote in an election for an elected representative or in a referendum;
“permitted participant” has the same meaning as in Part 7 of the Political Parties, Elections and Referendums Act 2000 (referendums) (see section 105 of that Act);
“recall petition” has the same meaning as in the Recall of MPs Act 2015 (see section 1(2) of that Act);
“referendum” means a referendum or other poll held on one or more questions specified in, or in accordance with, an enactment;
“registered political party” means a person or organisation included in a register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000;
“successful” , in relation to a recall petition, has the same meaning as in the Recall of MPs Act 2015 (see section 14 of that Act).
(7) This is the table referred to in the definitions of “candidate” and “elected representative” in sub-paragraph (6)—
(8) For the purposes of the definition of “elected representative” in sub-paragraph (6), a person who is—
(a) a member of the House of Commons immediately before Parliament is dissolved,
(b) a member of the Senedd immediately before Senedd Cymru is dissolved,
(c) a member of the Scottish Parliament immediately before that Parliament is dissolved, or
(d) a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,
is to be treated as if the person were such a member until the end of the period of 30 days beginning with the day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.
(9) For the purposes of the definition of “elected representative” in sub-paragraph (6), where a member of the House of Commons’s seat becomes vacant as a result of a successful recall petition, that person is to be treated as if they were a member of the House of Commons until the end of the period of 30 days beginning with the day after—
(a) the day on which the resulting by-election is held, or
(b) if earlier, the day on which the next general election in relation to Parliament is held.
(10) For the purposes of the definition of “elected representative” in sub-paragraph (6), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if the person were such a member until the end of the fourth day after the day on which those Wardmotes are held.’
(3) Omit paragraph 22 and the italic heading before it.
(4) In paragraph 23 (elected representatives responding to requests)—
(a) leave out sub-paragraphs (3) to (5), and
(b) at the end insert—
‘(6) In this paragraph, “elected representative” has the same meaning as in paragraph 21A.’
(5) In paragraph 24(3) (definition of ‘elected representative’), for ‘23’ substitute ‘21A’.
(6) In section 205(2) of the 2018 Act (general interpretation: periods of time), in paragraph (i), for ‘paragraph 23(4) and (5)’ substitute ‘paragraph 21A(8) to (10)’.”—(Sir John Whittingdale.)
This new Clause inserts into Schedule 1 to the Data Protection Act 2018 (conditions for processing of special categories of personal data) a condition relating to processing by elected representatives, registered political parties and others of information about an individual’s political opinions for the purposes of democratic engagement activities and campaigning.
Brought up, read the First and Second time, and added to the Bill.
New Clause 7
Searches in response to data subjects’ requests
“(1) In Article 15 of the UK GDPR (right of access by the data subject)—
(a) after paragraph 1 insert—
‘1A. Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.’, and
(b) in paragraph 3, after ‘processing’ insert ‘to which the data subject is entitled under paragraph 1’.
(2) The 2018 Act is amended in accordance with subsections (3) and (4).
(3) In section 45 (law enforcement processing: right of access by the data subject), after subsection (2) insert—
‘(2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.’
(4) In section 94 (intelligence services processing: right of access by the data subject), after subsection (2) insert—
‘(2ZA) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.’
(5) The amendments made by this section are to be treated as having come into force on 1 January 2024.”—(Sir John Whittingdale.)
This new clause confirms that, in responding to subject access requests, controllers are only required to undertake reasonable and proportionate searches for personal data and other information.
Brought up, read the First and Second time, and added to the Bill.
New Clause 8
Notices from the Information Commissioner
“(1) The 2018 Act is amended in accordance with subsections (2) and (3).
(2) Omit section 141 (notices from the Commissioner).
(3) After that section insert—
‘141A Notices from the Commissioner
(1) This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner.
(2) The notice may be given to the person by—
(a) delivering it by hand to a relevant individual,
(b) leaving it at the person’s proper address,
(c) sending it by post to the person at that address, or
(d) sending it by email to the person’s email address.
(3) A “relevant individual” means—
(a) in the case of a notice to an individual, that individual;
(b) in the case of a notice to a body corporate (other than a partnership), an officer of that body;
(c) in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business;
(d) in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body.
(4) For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is—
(a) in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address;
(b) in any other case, the address determined in accordance with subsection (5).
(5) The address is—
(a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office;
(b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office;
(c) in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person.
(6) A person’s email address is—
(a) an email address published for the time being by that person as an address for contacting that person, or
(b) if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person.
(7) A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.
(8) In this section “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body.
(9) This section does not limit other lawful means of giving a notice.’
(4) In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) (Commissioner’s enforcement powers), in paragraph 1(b), for ‘141’ substitute ‘141A’.”—(Sir John Whittingdale.)
This amendment adjusts the procedure by which notices can be given by the Information Commissioner under the Data Protection Act 2018. In particular, it enables the Information Commissioner to give notices by email without obtaining the consent of the recipient to use that mode of delivery.
Brought up, read the First and Second time, and added to the Bill.
New Clause 9
Court procedure in connection with subject access requests
“(1) The Data Protection Act 2018 is amended as follows.
(2) For the italic heading before section 180 substitute—
‘Jurisdiction and court procedure’.
(3) After section 180 insert—
‘180A Procedure in connection with subject access requests
(1) This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under—
(a) Article 15 of the UK GDPR (right of access by the data subject);
(b) Article 20 of the UK GDPR (right to data portability);
(c) section 45 of this Act (law enforcement processing: right of access by the data subject);
(d) section 94 of this Act (intelligence services processing: right of access by the data subject).
(2) The court may require the controller to make available for inspection by the court so much of the information as is available to the controller.
(3) But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise.
(4) Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.’”—(Sir John Whittingdale.)
This new clause makes provision about courts’ powers to require information to be provided to them, and to a data subject, when determining whether a data subject is entitled to information under certain provisions of the data protection legislation.
Brought up, read the First and Second time, and added to the Bill.
New Clause 10
Approval of a supplementary code
“(1) This section applies to a supplementary code whose content is for the time being determined by a person other than the Secretary of State.
(2) The Secretary of State must approve the supplementary code if—
(a) the code meets the conditions set out in the DVS trust framework (so far as relevant),
(b) an application for approval of the code is made which complies with any requirements imposed by a determination under section (Applications for approval and re-approval), and
(c) the applicant pays any fee required to be paid by a determination under section (Fees for approval, re-approval and continued approval)(1).
(3) The Secretary of State must notify an applicant in writing of the outcome of an application for approval.
(4) The Secretary of State may not otherwise approve a supplementary code.
(5) In this Part, an “approved supplementary code” means a supplementary code for the time being approved under this section.
(6) For when a code ceases (or may cease) to be approved under this section, see sections (Change to conditions for approval or designation), (Revision of a recognised supplementary code) and (Request for withdrawal of approval).”—(Sir John Whittingdale.)
This amendment sets out when a supplementary code of someone other than the Secretary of State must be approved by the Secretary of State.
Brought up, read the First and Second time, and added to the Bill.
New Clause 11
Designation of a supplementary code
“(1) This section applies to a supplementary code whose content is for the time being determined by the Secretary of State.
(2) If the Secretary of State determines that the supplementary code meets the conditions set out in the DVS trust framework (so far as relevant), the Secretary of State may designate the code as one which complies with the conditions.
(3) In this Part, a ‘designated supplementary code’ means a supplementary code for the time being designated under this section.
(4) For when a code ceases (or may cease) to be designated under this section, see sections (Change to conditions for approval or designation), (Revision of a recognised supplementary code) and (Removal of designation).”—(Sir John Whittingdale.)
This enables the Secretary of State to designate a supplementary code of the Secretary of State as one which complies with the conditions set out in the DVS trust framework.
Brought up, read the First and Second time, and added to the Bill.
New Clause 12
List of recognised supplementary codes
“(1) The Secretary of State must—
(a) maintain a list of recognised supplementary codes, and
(b) make the list publicly available.
(2) For the purposes of this Part, each of the following is a ‘recognised supplementary code’—
(a) an approved supplementary code, and
(b) a designated supplementary code.”—(Sir John Whittingdale.)
This amendment places the Secretary of State under a duty to publish, and keep up to date, a list of supplementary codes that are designated or approved.
Brought up, read the First and Second time, and added to the Bill.
New Clause 13
Change to conditions for approval or designation
“(1) This section applies if the Secretary of State revises the DVS trust framework so as to change the conditions which must be met for the approval or designation of a supplementary code.
(2) An approved supplementary code which is affected by the change ceases to be an approved supplementary code at the end of the relevant period unless an application for re-approval of the code is made within that period.
(3) Pending determination of an application for re-approval the supplementary code remains an approved supplementary code.
(4) Before the end of the relevant period the Secretary of State must—
(a) review each designated supplementary code which is affected by the change (if any), and
(b) determine whether it meets the conditions as changed.
(5) If, on a review under subsection (4), the Secretary of State determines that a designated supplementary code does not meet the conditions as changed, the code ceases to be a designated supplementary code at the end of the relevant period.
(6) A supplementary code is affected by a change if the change alters, or adds, a condition which is or would be relevant to the supplementary code when deciding whether to approve it under section (Approval of a supplementary code) or designate it under section (Designation of a supplementary code).
(7) In this section “the relevant period” means the period of 21 days beginning with the day on which the DVS trust framework containing the change referred to in subsection (1) comes into force.
(8) Section (Approval of a supplementary code) applies to re-approval of a supplementary code as it applies to approval of such a code.”—(Sir John Whittingdale.)
This amendment provides that when conditions for approval or designation are changed this requires re-approval of an approved supplementary code and, in the case of a designated supplementary code, a re-assessment of whether the code meets the revised conditions.
Brought up, read the First and Second time, and added to the Bill.
New Clause 14
Revision of a recognised supplementary code
“(1) If an approved supplementary code is revised—
(a) the code before and after the revision are treated as the same code for the purposes of this Part, and
(b) the code ceases to be an approved supplementary code unless subsection (2) or (4) applies.
(2) This subsection applies if the supplementary code, in its revised form, has been approved under section (Approval of a supplementary code).
(3) If subsection (2) applies the approved supplementary code, in its revised form, remains an approved supplementary code.
(4) This subsection applies for so long as—
(a) a decision is pending under section (Approval of a supplementary code) on an application for approval of the supplementary code in its revised form, and
(b) the revisions to the code have not taken effect.
(5) If subsection (4) applies the supplementary code, in its unrevised form, remains an approved supplementary code.
(6) The Secretary of State may revise a designated supplementary code only if the Secretary of State is satisfied that the code, in its revised form, meets the conditions set out in the DVS trust framework (so far as relevant).
(7) If a designated supplementary code is revised, the code before and after the revision are treated as the same code for the purposes of this Part.”—(Sir John Whittingdale.)
This amendment sets out the consequences where there are changes to a recognised supplementary code and, in particular, what needs to be done for the code to remain a recognised supplementary code.
Brought up, read the First and Second time, and added to the Bill.
New Clause 15
Applications for approval and re-approval
“(1) The Secretary of State may determine—
(a) the form of an application for approval or re-approval under section (Approval of a supplementary code),
(b) the information to be contained in or provided with the application,
(c) the documents to be provided with the application,
(d) the manner in which the application is to be submitted, and
(e) who may make the application.
(2) A determination may make different provision for different purposes.
(3) The Secretary of State must publish a determination.
(4) The Secretary of State may revise a determination.
(5) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)
This amendment enables the Secretary of State to determine the process for making a valid application for approval of a supplementary code.
Brought up, read the First and Second time, and added to the Bill.
New Clause 16
Fees for approval, re-approval and continued approval
“(1) The Secretary of State may determine that a person who applies for approval or re-approval of a supplementary code under section (Approval of a supplementary code) must pay a fee to the Secretary of State of an amount specified in the determination.
(2) A determination under subsection (1) may specify an amount which exceeds the administrative costs of determining the application for approval or re-approval.
(3) The Secretary of State may determine that a fee is payable to the Secretary of State, of an amount and at times specified in the determination, in connection with the continued approval of a supplementary code.
(4) A determination under subsection (3)—
(a) may specify an amount which exceeds the administrative costs associated with the continued approval of a supplementary code, and
(b) must specify, or describe, who must pay the fee.
(5) A fee payable under subsection (3) is recoverable summarily (or, in Scotland, recoverable) as a civil debt.
(6) A determination may make different provision for different purposes.
(7) The Secretary of State must publish a determination.
(8) The Secretary of State may revise a determination.
(9) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)
This amendment enables the Secretary of State to determine that a fee is payable for approval/re-approval/continued approval of a supplementary code and the amount of such a fee.
Brought up, read the First and Second time, and added to the Bill.
New Clause 17
Request for withdrawal of approval
“(1) The Secretary of State must withdraw approval of a supplementary code if—
(a) the Secretary of State receives a notice requesting the withdrawal of approval of the supplementary code, and
(b) the notice complies with any requirements imposed by a determination under subsection (3).
(2) Before the day on which the approval is withdrawn, the Secretary of State must inform the person who gave the notice of when it will be withdrawn.
(3) The Secretary of State may determine—
(a) the form of a notice,
(b) the information to be contained in or provided with the notice,
(c) the documents to be provided with the notice,
(d) the manner in which the notice is to be submitted,
(e) who may give the notice.
(4) A determination may make different provision for different purposes.
(5) The Secretary of State must publish a determination.
(6) The Secretary of State may revise a determination.
(7) If the Secretary of State revises a determination the Secretary of State must publish the determination as revised.”—(Sir John Whittingdale.)
This amendment enables a supplementary code to be “de-approved”, on request.
Brought up, read the First and Second time, and added to the Bill.
New Clause 18
Removal of designation
“(1) The Secretary of State may determine to remove the designation of a supplementary code.
(2) A determination must—
(a) be published, and
(b) specify when the designation is to be removed, which must be a time after the end of the period of 21 days beginning with the day on which the determination is published.”—(Sir John Whittingdale.)
This amendment enables the Secretary of State to determine that a designated supplementary code should cease to be designated.
Brought up, read the First and Second time, and added to the Bill.
New Clause 19
Registration of additional services
“(1) Subsection (2) applies if—
(a) a person is registered in the DVS register,
(b) the person applies for their entry in the register to be amended to record additional digital verification services that the person provides in accordance with the main code,
(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the main code,
(d) the application complies with any requirements imposed by a determination under section 51, and
(e) the person pays any fee required to be paid by a determination under section 52(1).
(2) The Secretary of State must amend the DVS register to record that the person is also registered in respect of the additional services referred to in subsection (1).
(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) it is required to be ignored by reason of provision included in the DVS trust framework under 49(10).”—(Sir John Whittingdale.)
This amendment provides for a person to apply to add services to their entry in the DVS register and requires the Secretary of State to amend the register to record that a person is registered in respect of the additional services.
Brought up, read the First and Second time, and added to the Bill.
New Clause 20
Supplementary notes
“(1) Subsection (2) applies if—
(a) a person holds a certificate from an accredited conformity assessment body certifying that digital verification services provided by the person are provided in accordance with a recognised supplementary code,
(b) the person applies for a note about one or more of the services to which the certificate relates to be included in the entry relating to that person in the DVS register,
(c) the application complies with any requirements imposed by a determination under section 51, and
(d) the person pays any fee required to be paid by a determination under section 52(1).
(2) The Secretary of State must include a note in the entry relating to the person in the DVS register recording that the person provides, in accordance with the recognised supplementary code referred to in subsection (1), the services in respect of which the person made the application referred to in that subsection.
(3) The Secretary of State may not otherwise include a note described in subsection (2) in the DVS register.
(4) For the purposes of subsection (1)(a), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) subsection (5) applies.
(5) This subsection applies if—
(a) the recognised supplementary code to which the certificate relates has been revised since the certificate was issued,
(b) the certificate was issued before the revision to the supplementary code took effect, and
(c) the supplementary code (as revised) provides—
(i) that certificates issued before the time the revision takes effect are required to be ignored, or
(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.
(6) In this Part, a note included in the DVS register in accordance with subsection (2) is referred to as a supplementary note.”—(Sir John Whittingdale.)
This amendment provides for a person to apply for a note to be included in the DVS register that they provide digital verification services in accordance with a recognised supplementary code.
Brought up, read the First and Second time, and added to the Bill.
New Clause 21
Addition of services to supplementary notes
“(1) Subsection (2) applies if—
(a) a person has a supplementary note included in the DVS register,
(b) the person applies for the note to be amended to record additional digital verification services that the person provides in accordance with a recognised supplementary code,
(c) the person holds a certificate from an accredited conformity assessment body certifying that the person provides the additional services in accordance with the recognised supplementary code referred to in paragraph (b),
(d) the application complies with any requirements imposed by a determination under section 51, and
(e) the person pays any fee required to be paid by a determination under section 52(1).
(2) The Secretary of State must amend the note to record that the person also provides the additional services referred to in subsection (1) in accordance with the recognised supplementary code referred to in that subsection.
(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) subsection (4) applies.
(4) This subsection applies if—
(a) the recognised supplementary code to which the certificate relates has been revised since the certificate was issued,
(b) the certificate was issued before the revision to the supplementary code took effect, and
(c) the supplementary code (as revised) provides—
(i) that certificates issued before the time the revision takes effect are required to be ignored, or
(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)
This amendment provides for a person to add services to their supplementary note in the DVS register and requires the Secretary of State to amend the note to record that a person is registered in respect of the additional services.
Brought up, read the First and Second time, and added to the Bill.
New Clause 22
Duty to remove services from the DVS register
“(1) Where a person is registered in the DVS register in respect of digital verification services, subsection (2) applies if the person—
(a) asks for the register to be amended so that the person is no longer registered in respect of one or more of those services,
(b) ceases to provide one or more of those services, or
(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of those services are provided in accordance with the main code.
(2) The Secretary of State must amend the register to record that the person is no longer registered in respect of (as the case may be)—
(a) the service or services mentioned in a request described in subsection (1)(a),
(b) the service or services which the person has ceased to provide, or
(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).
(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) it is required to be ignored by reason of provision included in the DVS trust framework under section 49(10).”—(Sir John Whittingdale.)
This amendment places the Secretary of State under a duty to amend the DVS register, in certain circumstances, to record that a person is no longer registered in respect of certain services.
Brought up, read the First and Second time, and added to the Bill.
New Clause 23
Duty to remove supplementary notes from the DVS register
“(1) The Secretary of State must remove a supplementary note included in the entry in the DVS register relating to a person if—
(a) the person asks for the note to be removed,
(b) the person ceases to provide all of the digital verification services to which the note relates,
(c) the person no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those digital verification services is provided in accordance with the supplementary code, or
(d) the person continues to hold a certificate described in paragraph (c) but the supplementary code is not a recognised supplementary code.
(2) For the purposes of subsection (1)(c) and (d), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) subsection (3) applies.
(3) This subsection applies if—
(a) the supplementary code to which the certificate relates has been revised since the certificate was issued,
(b) the certificate was issued before the revision to the supplementary code took effect, and
(c) the supplementary code (as revised) provides—
(i) that certificates issued before the time the revision takes effect are required to be ignored, or
(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)
This amendment sets out the circumstances in which the Secretary of State must remove a supplementary note from the DVS register.
Brought up, read the First and Second time, and added to the Bill.
New Clause 24
Duty to remove services from supplementary notes
“(1) Where a person has a supplementary note included in their entry in the DVS register in respect of digital verification services, subsection (2) applies if the person—
(a) asks for the register to be amended so that the note no longer records one or more of those services,
(b) ceases to provide one or more of the services recorded in the note, or
(c) no longer holds a certificate from an accredited conformity assessment body certifying that all of the services included in the note are provided in accordance with a supplementary code.
(2) The Secretary of State must amend the supplementary note so it no longer records (as the case maA24y be)—
(a) the service or services mentioned in a request described in subsection (1)(a),
(b) the service or services which the person has ceased to provide, or
(c) the service or services for which there is no longer a certificate as described in subsection (1)(c).
(3) For the purposes of subsection (1)(c), a certificate is to be ignored if—
(a) it has expired in accordance with its terms,
(b) it has been withdrawn by the body that issued it, or
(c) subsection (4) applies.
(4) This subsection applies if—
(a) the supplementary code to which the certificate relates has been revised since the certificate was issued,
(b) the certificate was issued before the revision to the supplementary code took effect, and
(c) the supplementary code (as revised) provides—
(i) that certificates issued before the time the revision takes effect are required to be ignored, or
(ii) that such certificates are to be ignored from a date, or from the end of a period, specified in the code and that date has passed or that period has elapsed.”—(Sir John Whittingdale.)
This amendment places the Secretary of State under a duty to amend a supplementary note on the DVS register relating to a person, in certain circumstances, to remove reference to certain services from the note.
Brought up, read the First and Second time, and added to the Bill.
New Clause 25
Index of defined terms for Part 2
“The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part of this Act.
—(Sir John Whittingdale.)
This amendment provides an index of terms which are defined in Part 2.
Brought up, read the First and Second time, and added to the Bill.
New Clause 26
Powers relating to verification of identity or status
“(1) In section 15 of the Immigration, Asylum and Nationality Act 2006 (penalty for employing a person subject to immigration control), after subsection (7) insert—
“(8) An order under subsection (3) containing provision described in subsection (7)(a), (b) or (c) may, in particular—
(a) specify a document generated by a DVS-registered person or a DVS-registered person of a specified description;
(b) specify a document which was provided to such a person in order to generate such a document;
(c) specify steps involving the use of services provided by such a person.
(9) In subsection (8), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).
(10) An order under subsection (3) which specifies a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).”
(2) In section 34 of the Immigration Act 2014 (requirements which may be prescribed for the purposes of provisions about occupying premises under a residential tenancy agreement)—
(a) in subsection (1)—
(i) in paragraph (a), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”,
(ii) in paragraph (b), after “occupiers” insert “, a DVS-registered person or a DVS-registered person of a prescribed description”, and
(iii) in paragraph (c), at the end insert “, including steps involving the use of services provided by a DVS-registered person or a DVS-registered person of a prescribed description”, and
(b) after that subsection insert—
“(1A) An order prescribing requirements for the purposes of this Chapter which contains provision described in subsection (1)(a) or (b) may, in particular—
(a) prescribe a document generated by a DVS-registered person or a DVS-registered person of a prescribed description;
(b) prescribe a document which was provided to such a person in order to generate such a document.
(1B) In subsections (1) and (1A), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).
(1C) An order prescribing requirements for the purposes of this Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).”
(3) In Schedule 6 to the Immigration Act 2016 (illegal working compliance orders etc), after paragraph 5 insert—
“Prescribed checks and documents
5A (1) Regulations under paragraph 5(6)(b) or (c) may, in particular—
(a) prescribe checks carried out using services provided by a DVS-registered person or a DVS-registered person of a prescribed description;
(b) prescribe documents generated by such a person;
(c) prescribe documents which were provided to such a person in order to generate such documents.
(2) In sub-paragraph (1), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data Protection and Digital Information Act 2024 (“the DVS register”).
(3) Regulations under paragraph 5(6)(b) or (c) which prescribe a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section (Supplementary notes) of the Data Protection and Digital Information Act 2024).””—(Sir John Whittingdale.)
This amendment contains amendments of powers to make subordinate legislation so they can be exercised so as to make provision by reference to persons registered in the DVS register established under Part 2 of the Bill.
Brought up, read the First and Second time, and added to the Bill.
New Clause 27
Interface bodies
“(1) This section is about the provision that regulations under section 66 or 68 may (among other things) contain about bodies with one or more of the following tasks—
(a) establishing a facility or service used, or capable of being used, for providing, publishing or otherwise processing customer data or business data or for taking action described in section 66(3) (an “interface”);
(b) setting standards (“interface standards”), or making other arrangements (“interface arrangements”), for use by other persons when establishing, maintaining or managing an interface;
(c) maintaining or managing an interface, interface standards or interface arrangements.
(2) Such bodies are referred to in this Part as “interface bodies”.
(3) The regulations may—
(a) require a data holder, an authorised person or a third party recipient to set up an interface body;
(b) make provision about the type of body to be set up.
(4) In relation to an interface body (whether or not it is required to be set up by regulations under section 66 or 68), the regulations may—
(a) make provision about the body’s composition and governance;
(b) make provision requiring a data holder, an authorised person or a third party recipient to provide, or arrange for, assistance for the body;
(c) impose other requirements relating to the body on a person required to set it up or to provide, or arrange for, assistance for the body;
(d) make provision requiring the body to carry on all or part of a task described in subsection (1);
(e) make provision requiring the body to do other things in connection with its interface, interface standards or interface arrangements;
(f) make provision about how the body carries out its functions (such as, for example, provision about the body’s objectives or matters to be taken into account by the body);
(g) confer powers on the body for the purpose of monitoring use of its interface, interface standards or interface arrangements (“monitoring powers”) (and see section 71 for provision about enforcement of requirements imposed in exercise of those powers);
(h) make provision for the body to arrange for its monitoring powers to be exercised by another person;
(i) make provision about the rights of persons affected by the exercise of the body’s functions under the regulations, including (among other things)—
(i) provision about the review of decisions made in exercise of those functions;
(ii) provision about appeals to a court or tribunal;
(j) make provision about complaints, including provision requiring the body to implement procedures for the handling of complaints;
(k) make provision enabling or requiring the body to publish, or provide to a specified person, specified documents or information relating to its interface, interface standards or interface arrangements;
(l) make provision enabling or requiring the body to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.
(5) The monitoring powers that may be conferred on an interface body include power to require the provision of documents or information (but such powers are subject to the restrictions in section 72 as well as any restrictions included in the regulations).
(6) Examples of facilities or services referred to in subsection (1) include dashboard services, other electronic communications services and application programming interfaces.
(7) In subsection (4)(b) and (c), the references to assistance include actual or contingent financial assistance (such as, for example, a grant, loan, guarantee or indemnity or buying a company’s share capital).”—(Sir John Whittingdale.)
This new clause enables regulations under Part 3 to make provision about bodies providing facilities or services used for providing, publishing or processing customer data or business data, or setting standards or making other arrangements in connection with such facilities or services.
Brought up, read the First and Second time, and added to the Bill.
New Clause 28
The FCA and financial services interfaces
“(1) The Treasury may by regulations make provision enabling or requiring the Financial Conduct Authority (“the FCA”) to make rules—
(a) requiring financial services providers described in the regulations to use a prescribed interface, or prescribed interface standards or interface arrangements, when providing or receiving customer data or business data which is required to be provided by or to the financial services provider by data regulations;
(b) requiring persons described in the regulations to use a prescribed interface, or prescribed interface standards or interface arrangements, when the person, in the course of a business, receives, from a financial services provider, customer data or business data which is required to be provided to the person by data regulations;
(c) imposing interface-related requirements on a description of person falling within subsection (2),
and such rules are referred to in this Part as “FCA interface rules”.
(2) The following persons fall within this subsection—
(a) an interface body linked to the financial services sector on which requirements are imposed by regulations made in reliance on section (Interface bodies);
(b) a person required by regulations made in reliance on section (Interface bodies) to set up an interface body linked to the financial services sector;
(c) a person who uses an interface, interface standards or interface arrangements linked to the financial services sector or who is required to do so by data regulations or rules made by virtue of regulations under subsection (1)(a) or (b).
(3) For the purposes of this section, requirements are interface-related if they relate to—
(a) the composition, governance or activities of an interface body linked to the financial services sector,
(b) an interface, interface standards or interface arrangements linked to the financial services sector, or
(c) the use of such an interface, such interface standards or such interface arrangements.
(4) For the purposes of this section—
(a) an interface body is linked to the financial services sector to the extent that its interface, interface standards or interface arrangements are linked to the financial service sector;
(b) interfaces, interface standards and interface arrangements are linked to the financial services sector to the extent that they are used, or intended to be used, by financial services providers (whether or not they are used, or intended to be used, by other persons).
(5) The Treasury may by regulations make provision enabling or requiring the FCA to impose requirements on a person to whom FCA interface rules apply (referred to in this Part as “FCA additional requirements”) where the FCA considers it appropriate to impose the requirement—
(a) in response to a failure, or likely failure, by the person to comply with an FCA interface rule or FCA additional requirement, or
(b) in order to advance a purpose which the FCA is required to advance when exercising functions conferred by regulations under this section (see section (The FCA and financial services interfaces: supplementary)(3)(a)).
(6) Regulations under subsection (5) may, for example, provide for the FCA to impose requirements by giving a notice or direction.
(7) The restrictions in section 72 apply in connection with FCA interface rules and FCA additional requirements as they apply in connection with regulations under this Part.
(8) In section 72 as so applied—
(a) the references in subsections (1)(b) and (8) to an enforcer include the FCA, and
(b) the references in subsections (3) and (4) to data regulations include FCA interface rules and FCA additional requirements.
(9) In this section—
“financial services provider” means a person providing financial services;
“prescribed” means prescribed in FCA interface rules.”—(Sir John Whittingdale.)
This new clause and new clause NC29 enable the Treasury, by regulations, to confer powers on the Financial Conduct Authority to impose requirements (by means of rules or otherwise) on interface bodies used by the financial services sector and on persons participating in, or using facilities and services provided by, such bodies.
Brought up, read the First and Second time, and added to the Bill.
New Clause 29
The FCA and financial services interfaces: supplementary
“(1) This section is about provision that regulations under section (The FCA and financial services interfaces) may or must (among other things) contain.
(2) The regulations—
(a) may enable or require the FCA to impose interface-related requirements that could be imposed by regulations made in reliance on section (Interface bodies)(4) or (5), but
(b) may not enable or require the FCA to require a person to set up an interface body.
(3) The regulations must—
(a) require the FCA, so far as is reasonably possible, to exercise functions conferred by the regulations in a manner which is compatible with, or which advances, one or more specified purposes;
(b) specify one or more matters to which the FCA must have regard when exercising functions conferred by the regulations;
(c) if they enable or require the FCA to make rules, make provision about the procedure for making rules, including provision requiring such consultation with persons likely to be affected by the rules or representatives of such persons as the FCA considers appropriate.
(4) The regulations may—
(a) require the FCA to carry out an analysis of the costs and benefits that will arise if proposed rules are made or proposed changes are made to rules and make provision about what the analysis must include;
(b) require the FCA to publish rules or changes to rules and to provide copies to specified persons;
(c) make provision about the effect of rules, including provision about circumstances in which rules are void and circumstances in which a person is not to be taken to have contravened a rule;
(d) make provision enabling or requiring the FCA to modify or waive rules as they apply to a particular case;
(e) make provision about the procedure for imposing FCA additional requirements;
(f) make provision enabling or requiring the FCA to produce guidance about how it proposes to exercise its functions under the regulations, to publish the guidance and to provide copies to specified persons.
(5) The regulations may enable or require the FCA to impose the following types of requirement on a person as FCA additional requirements—
(a) a requirement to review the person’s conduct;
(b) a requirement to take remedial action;
(c) a requirement to make redress for loss or damage suffered by others as a result of the person’s conduct.
(6) The regulations may enable or require the FCA to make rules requiring a person falling within section (The FCA and financial services interfaces)(2)(b) or (c) to pay fees to an interface body for the purpose of meeting expenses incurred, or to be incurred, by such a body in performing duties, or exercising powers, imposed or conferred by regulations under this Part or by rules made by virtue of regulations under section (The FCA and financial services interfaces).
(7) Regulations made in reliance on subsection (6)—
(a) may enable rules to provide for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;
(b) must require rules to provide for the amount of a fee to be—
(i) a prescribed amount or an amount determined in accordance with the rules, or
(ii) an amount not exceeding such an amount;
(c) may enable or require rules to provide for the amount, or maximum amount, of a fee to increase at specified times and by—
(i) a prescribed amount or an amount determined in accordance with the rules, or
(ii) an amount not exceeding such an amount;
(d) if they enable rules to enable a person to determine an amount, must require rules to require the person to publish information about the amount and how it is determined;
(e) may enable or require rules to make provision about—
(i) interest on any unpaid amounts;
(ii) the recovery of unpaid amounts.
(8) In this section—
“interface-related” has the meaning given in section (The FCA and financial services interfaces);
“prescribed” means prescribed in FCA interface rules.
(9) The reference in subsection (5)(c) to making redress includes—
(a) paying interest, and
(b) providing redress in the form of a remedy or relief which could not be awarded in legal proceedings.”—(Sir John Whittingdale.)
See the explanatory statement for new clause NC28.
Brought up, read the First and Second time, and added to the Bill.
New Clause 30
The FCA and financial services interfaces: penalties and levies
“(1) Subsections (2) and (3) are about the provision that regulations made by the Treasury under this Part providing for the FCA to enforce requirements under FCA interface rules may (among other things) contain in relation to financial penalties.
(2) The regulations may require or enable the FCA—
(a) to set the amount or maximum amount of, or of an increase in, a penalty imposed in respect of failure to comply with a requirement imposed by the FCA in exercise of a power conferred by regulations under section (The FCA and financial services interfaces) (whether imposed by means of FCA interface rules or an FCA additional requirement), or
(b) to set the method for determining such an amount.
(3) Regulations made in reliance on subsection (2)—
(a) must require the FCA to produce and publish a statement of its policy with respect to the amount of the penalties;
(b) may require the policy to include specified matters;
(c) may make provision about the procedure for producing the statement;
(d) may require copies of the statement to be provided to specified persons;
(e) may require the FCA to have regard to a statement published in accordance with the regulations.
(4) The Treasury may by regulations—
(a) impose, or provide for the FCA to impose, a levy on data holders, authorised persons or third party recipients for the purpose of meeting all or part of the expenses incurred, or to be incurred, during a period by the FCA, or by a person acting on the FCA’s behalf, in performing duties, or exercising powers, imposed or conferred on the FCA by regulations under section (The FCA and financial services interfaces), and
(b) make provision about how funds raised by means of the levy must or may be used.
(5) Regulations under subsection (4) may only provide for a levy in respect of expenses of the FCA to be imposed on persons that appear to the Treasury to be capable of being directly affected by the exercise of some or all of the functions conferred on the FCA by regulations under section (The FCA and financial services interfaces).
(6) Section 75(3) and (4) apply in relation to regulations under subsection (4) of this section as they apply in relation to regulations under section 75(1).”—(Sir John Whittingdale.)
This new clause enables the Treasury, by regulations, to confer power on the Financial Conduct Authority to set the amount of certain penalties. It also enables the Treasury to impose a levy in respect of expenses incurred by that Authority.
Brought up, read the First and Second time, and added to the Bill.
New Clause 31
Liability in damages
“(1) The Secretary of State or the Treasury may by regulations provide that a person listed in subsection (2) is not liable in damages for anything done or omitted to be done in the exercise of functions conferred by regulations under this Part.
(2) Those persons are—
(a) a public authority;
(b) a member, officer or member of staff of a public authority;
(c) a person who could be held vicariously liable for things done or omitted by a public authority.
(3) Regulations under this section may not—
(a) make provision removing liability for an act or omission which is shown to have been in bad faith, or
(b) make provision so as to prevent an award of damages made in respect of an act or omission on the ground that the act or omission was unlawful as a result of section 6(1) of the Human Rights Act 1998.”— (Sir John Whittingdale.)
This new clause enables regulations under Part 3 to provide that certain persons are not liable in damages when exercising functions under such regulations.
Brought up, read the First and Second time, and added to the Bill.
New Clause 32
Other data provision
“(1) This section is about cases in which subordinate legislation other than regulations under this Part contains provision described in section 66(1) to (3) or 68(1) to (2A) (“other data provision”).
(2) The regulation-making powers under this Part may be exercised so as to make, in connection with the other data provision, any provision that they could be exercised to make as part of, or in connection with, provision made under section 66(1) to (3) or 68(1) to (2A) that is equivalent to the other data provision.
(3) In this Part, references to “data regulations” include regulations made in reliance on subsection (2) to the extent that they make provision described in sections 66 to 70 or (Interface bodies).
(4) In this section, “subordinate legislation” has the same meaning as in the Interpretation Act 1978 (see section 21 of that Act).”—(Sir John Whittingdale.)
This new clause enables the regulation-making powers under Part 3 to be used to supplement existing subordinate legislation which requires customer data or business data to be provided to customers and others.
Brought up, read the First and Second time, and added to the Bill.
New Clause 33
Duty to notify the Commissioner of personal data breach: time periods
“(1) In regulation 5A of the PEC Regulations (personal data breach)—
(a) in paragraph (2), after “delay” insert “and, where feasible, not later than 72 hours after having become aware of it”, and
(b) after paragraph (3) insert—
“(3A) Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.”
(2) In Article 2 of Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (notification to the Information Commissioner)—
(a) in paragraph 2—
(i) in the first subparagraph, for the words from “no” to “feasible” substitute “without undue delay and, where feasible, not later than 72 hours after having becoming aware of it”, and
(ii) in the second subparagraph, after “shall” insert “, subject to paragraph 3,”, and
(b) for paragraph 3 substitute—
“3. To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.””—(Sir John Whittingdale.)
This adjusts the period within which the Information Commissioner must be notified of a personal data breach. It also inserts a duty (into the PEC Regulations) to give reasons for not notifying within 72 hours and adjusts the duty (in Commission Regulation (EU) No 611/2013) to provide accompanying information.
Brought up, read the First and Second time, and added to the Bill.
New Clause 34
Power to require information for social security purposes
“In Schedule (Power to require information for social security purposes)—
(a) Part 1 amends the Social Security Administration Act 1992 to make provision about a power for the Secretary of State to obtain information for social security purposes;
(b) Part 2 amends the Social Security Administration (Northern Ireland) Act 1992 to make provision about a power for the Department for Communities to obtain information for such purposes;
(c) Part 3 makes related amendments of the Proceeds of Crime Act 2002.”—(Sir John Whittingdale.)
This new clause introduces a new Schedule NS1 which amends social security legislation to make provision about a new power for the Secretary of State or, in Northern Ireland, the Department for Communities, to obtain information for social security purposes.
Brought up, read the First and Second time, and added to the Bill.
New Clause 35
Retention of information by providers of internet services in connection with death of child
“(1) The Online Safety Act 2023 is amended as follows.
(2) In section 100 (power to require information)—
(a) omit subsection (7);
(b) after subsection (8) insert—
“(8A) The power to give a notice conferred by subsection (1) does not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”
(3) In section 101 (information in connection with investigation into death of child)—
(a) before subsection (1) insert—
“(A1) Subsection (D1) applies if a senior coroner (in England and Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland) (“the investigating authority”)—
(a) notifies OFCOM that—
(i) they are conducting an investigation, or are due to conduct an investigation, in connection with the death of a child, and
(ii) they suspect that the child may have taken their own life, and
(b) provides OFCOM with the details in subsection (B1).
(B1) The details are—
(a) the name of the child who has died,
(b) the child’s date of birth,
(c) any email addresses used by the child (so far as the investigating authority knows), and
(d) if any regulated service has been brought to the attention of the investigating authority as being of interest in connection with the child’s death, the name of the service.
(C1) Where this subsection applies, OFCOM—
(a) must give a notice to the provider of a service within subsection (E1) requiring the provider to ensure the retention of information relating to the use of the service by the child who has died, and
(b) may give a notice to any other relevant person requiring the person to ensure the retention of information relating to the use of a service within subsection (E1) by that child.
(D1) The references in subsection (C1) to ensuring the retention of information relating to the child’s use of a service include taking all reasonable steps, without delay, to prevent the deletion of such information by the routine operation of systems or processes.
(E1) A service is within this subsection if it is—
(a) a regulated service of a kind described in regulations made by the Secretary of State, or
(b) a regulated service notified to OFCOM by the investigating authority as described in subsection (B1)(d).
(F1) A notice under subsection (C1) may require information described in that subsection to be retained only if it is information—
(a) of a kind which OFCOM have power to require under a notice under subsection (1) (see, in particular, subsection (2)(a) to (d)), or
(b) which a person might need to retain to enable the person to provide information in response to a notice under subsection (1) (if such a notice were given).
(G1) OFCOM must share with the investigating authority any information they receive in response to requirements mentioned in section 102(5A)(d) that are included in a notice under subsection (C1).”
(b) in subsection (3), for “power conferred by subsection (1) includes” substitute “powers conferred by this section include”;
(c) after subsection (5) insert—
“(5A) The powers to give a notice conferred by this section do not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).”
(4) In section 102 (information notices)—
(a) in subsection (1), for “101(1)” substitute “101(C1) or (1)”;
(b) in subsection (3)—
(i) after “information notice” insert “under section 100(1) or 101(1)”,
(ii) omit “and” at the end of paragraph (c), and
(iii) after paragraph (c) insert—
“(ca) specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals), and”;
(c) omit subsection (4);
(d) after subsection (5) insert—
“(5A) An information notice under section 101(C1) must—
(a) specify or describe the information to be retained,
(b) specify why OFCOM require the information to be retained,
(c) require the information to be retained for the period of one year beginning with the date of the notice,
(d) require the person to whom the notice is given—
(i) if the child to whom the notice relates used the service in question, to notify OFCOM by a specified date of steps taken to ensure the retention of information;
(ii) if the child did not use the service, or the person does not hold any information of the kind required, to notify OFCOM of that fact by a specified date, and
(e) contain information about the consequences of not complying with the notice.
(5B) If OFCOM give an information notice to a person under section 101(C1), they may, in response to information received from the investigating authority, extend the period for which the person is required to retain information by a maximum period of six months.
(5C) The power conferred by subsection (5B) is exercisable—
(a) by giving the person a notice varying the notice under section 101(C1) and stating the further period for which information must be retained and the reason for the extension;
(b) any number of times.”;
(e) after subsection (9) insert—
“(9A) OFCOM must cancel an information notice under section 101(C1) by notice to the person to whom it was given if advised by the investigating authority that the information in question no longer needs to be retained.”
(f) in subsection (10), after the definition of “information” insert—
““the investigating authority” has the same meaning as in section 101;”.
(5) In section 109 (offences in connection with information notices)—
(a) in subsection (2)(b), for “all reasonable steps” substitute “all of the steps that it was reasonable, and reasonably practicable, to take”;
(b) after subsection (6) insert—
“(6A) A person who is given an information notice under section 101(C1) commits an offence if—
(a) the person deletes or alters, or causes or permits the deletion or alteration of, any information required by the notice to be retained, and
(b) the person’s intention was to prevent the information being available, or (as the case may be) to prevent it being available in unaltered form, for the purposes of any official investigation into the death of the child to whom the notice relates.
(6B) For the purposes of subsection (6A) information has been deleted if it is irrecoverable (however that occurred).”
(6) In section 110 (senior managers’ liability: information offences)—
(a) after subsection (6) insert—
“(6A) An individual named as a senior manager of an entity commits an offence if—
(a) the entity commits an offence under section 109(6A) (deletion etc of information), and
(b) the individual has failed to take all reasonable steps to prevent that offence being committed.”;
(b) in subsection (7), for “or (6)” substitute “, (6) or (6A)”.
(7) In section 113 (penalties for information offences), in subsection (2)—
(a) for “(4) or (5)” substitute “(4), (5) or (6A)”;
(b) for “(5) or (6)” substitute “(5), (6) or (6A)”.
(8) In section 114 (co-operation and disclosure of information: overseas regulators), in subsection (7), omit the definition of “the data protection legislation”.
(9) In section 225 (Parliamentary procedure for regulations), in subsection (10), after paragraph (c) insert—
“(ca) regulations under section 101(E1)(a),”
(10) In section 236(1) (interpretation)—
(a) after the definition of “country” insert—
““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);”;
(b) in the definition of “information notice”, for “101(1)” substitute “101(C1) or (1)”.
(11) In section 237 (index of defined terms), after the entry for “CSEA content” insert—
—(Sir John Whittingdale.)
This new clause amends the Online Safety Act 2023 to enable OFCOM to give internet service providers a notice requiring them to retain information in connection with an investigation by a coroner (or, in Scotland, procurator fiscal) into the death of a child suspected to have taken their own life. The new clause also creates related offences.
Brought up, read the First and Second time, and added to the Bill.
New Clause 36
Retention of biometric data and recordable offences
“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (10).
(2) In section 18A(3) (retention of material: general), after “recordable offence” insert “or recordable-equivalent offence”.
(3) Section 18E (supplementary provision) is amended in accordance with subsections (4) to (10).
(4) In subsection (1), after the definition of “recordable offence” insert—
““recordable-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a recordable offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted);”.
(5) In subsection (3), in the words before paragraph (a), after “offence” insert “in England and Wales or Northern Ireland”.
(6) After subsection (5) insert—
“(5A) For the purposes of section 18A, a person is to be treated as having been convicted of an offence in a country or territory outside England and Wales and Northern Ireland if, in respect of such an offence, a court exercising jurisdiction under the law of that country or territory has made a finding equivalent to—
(a) a finding that the person is not guilty by reason of insanity, or
(b) a finding that the person is under a disability and did the act charged against the person in respect of the offence.”
(7) In subsection (6)(a)—
(a) after “convicted” insert “—
(i) ‘”, and
(b) after “offence,” insert “or
(ii) in a country or territory outside England and Wales and Northern Ireland, of a recordable-equivalent offence,”.
(8) In subsection (6)(b)—
(a) omit “of a recordable offence”, and
(b) for “a recordable offence, other than a qualifying offence” substitute “an offence, other than a qualifying offence or qualifying-equivalent offence”.
(9) In subsection (7), for “subsection (6)” substitute “this section”.
(10) After subsection (7) insert—
“(7A) In subsection (6), “qualifying-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a qualifying offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted).”
(11) The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—
(a) on or after the commencement day, or
(b) in the period of 3 years ending immediately before the commencement day.
(12) Subsection (13) of this section applies where—
(a) at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day,
(b) at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, and
(c) at the pre-commencement time, the law enforcement authority could have retained the material under section 18A of the Counter-Terrorism Act 2008, as it has effect taking account of the amendments made by subsections (2) to (10) of this section, if those amendments had been in force.
(13) Where this subsection applies—
(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but
(b) the material may not be used in evidence against the person to whom the material relates—
(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or
(ii) in criminal proceedings in any other country or territory.
(14) In this section—
“the commencement day” means the day on which this Act is passed;
“law enforcement authority” has the meaning given by section 18E(1) of the Counter-Terrorism Act 2008;
“section 18 material” has the meaning given by section 18(2) of that Act.
(15) For the purposes of this section, proceedings in relation to an offence are instituted—
(a) in England and Wales, when they are instituted for the purposes of Part 1 of the Prosecution of Offences Act 1985 (see section 15(2) of that Act);
(b) in Northern Ireland, when they are instituted for the purposes of Part 2 of the Justice (Northern Ireland) Act 2002 (see section 44(1) and (2) of that Act);
(c) in Scotland, when they are instituted for the purposes of Part 3 of the Proceeds of Crime Act 2002 (see section 151(1) and (2) of that Act).”—(Sir John Whittingdale.)
This new clause enables a law enforcement authority to retain fingerprints and DNA profiles where a person has been convicted of an offence equivalent to a recordable offence in a jurisdiction outside England and Wales and Northern Ireland.
Brought up, read the First and Second time, and added to the Bill.
New Clause 37
Retention of pseudonymised biometric data
“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (6).
(2) Section 18A (retention of material: general) is amended in accordance with subsections (3) to (5).
(3) In subsection (1), for “subsection (5)” substitute “subsections (4) to (9)”.
(4) In subsection (4)(a), after “relates” insert “(a “pseudonymised form”)”.
(5) After subsection (6) insert—
“(7) Section 18 material which is not a DNA sample may be retained indefinitely by a law enforcement authority if—
(a) the authority obtains or acquires the material directly or indirectly from an overseas law enforcement authority,
(b) the authority obtains or acquires the material in a form which includes information which identifies the person to whom the material relates,
(c) as soon as reasonably practicable after obtaining or acquiring the material, the authority takes the steps necessary for it to hold the material in a pseudonymised form, and
(d) having taken those steps, the law enforcement authority continues to hold the material in a pseudonymised form.
(8) In a case where section 18 material is being retained by a law enforcement authority under subsection (7), if—
(a) the law enforcement authority ceases to hold the material in a pseudonymised form, and
(b) the material relates to a person who has no previous convictions or only one exempt conviction,
the material may be retained by the law enforcement authority until the end of the retention period specified in subsection (9).
(9) The retention period is the period of 3 years beginning with the date on which the law enforcement authority first ceases to hold the material in a pseudonymised form.”
(6) In section 18E(1) (supplementary provision)—
(a) in the definition of “law enforcement authority”, for paragraph (d) substitute—
“(d) an overseas law enforcement authority;”, and
(b) after that definition insert—
““overseas law enforcement authority” means a person formed or existing under the law of a country or territory outside the United Kingdom so far as exercising functions which—
(a) correspond to those of a police force, or
(b) otherwise involve the investigation or prosecution of offences;”.
(7) The amendments made by this section apply only in connection with the retention of section 18 material that is or was obtained or acquired by a law enforcement authority—
(a) on or after the commencement day, or
(b) in the period of 3 years ending immediately before the commencement day.
(8) Subsections (9) to (12) of this section apply where, at the beginning of the commencement day, a law enforcement authority has section 18 material which it obtained or acquired in the period of 3 years ending immediately before the commencement day.
(9) Where the law enforcement authority holds the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) and (d) of the Counter-Terrorism Act 2008 as having—
(a) taken the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material, and
(b) continued to hold the material in a pseudonymised form until the commencement day.
(10) Where the law enforcement authority does not hold the material in a pseudonymised form at the beginning of the commencement day, the authority is to be treated for the purposes of section 18A(7)(c) of the Counter-Terrorism Act 2008 as taking the steps necessary for it to hold the material in a pseudonymised form as soon as reasonably practicable after obtaining or acquiring the material if it takes those steps on, or as soon as reasonably practicable after, the commencement day.
(11) Subsection (12) of this section applies where, at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material but—
(a) at the pre-commencement time, the law enforcement authority could have retained the material under section 18A(7) to (9) of the Counter-Terrorism Act 2008 (as inserted by this section) if those provisions had been in force, or
(b) on or after the commencement day, the law enforcement authority may retain the material under those provisions by virtue of subsection (9) or (10) of this section.
(12) Where this subsection applies—
(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but
(b) the material may not be used in evidence against the person to whom the material relates—
(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or
(ii) in criminal proceedings in any other country or territory.
(13) In this section—
“the commencement day” , “law enforcement authority” and “section 18 material” have the meaning given in section (Retention of biometric data and recordable offences)(14);
“instituted” , in relation to proceedings, has the meaning given in section (Retention of biometric data and recordable offences)(15);
“in a pseudonymised form” has the meaning given by section 18A(4) and (10) of the Counter-Terrorism Act 2008 (as amended or inserted by this section).”—(Sir John Whittingdale.)
This new clause enables a law enforcement authority to retain fingerprints and DNA profiles where, as soon as reasonably practicable after acquiring or obtaining them, the authority takes the steps necessary for it to hold the material in a form which does not include information which identifies the person to whom the material relates.
Brought up, read the First and Second time, and added to the Bill.
New Clause 38
Retention of biometric data from INTERPOL
“(1) Part 1 of the Counter-Terrorism Act 2008 (powers to gather and share information) is amended in accordance with subsections (2) to (4).
(2) In section 18(4) (destruction of national security material not subject to existing statutory restrictions), after “18A” insert “, 18AA”.
(3) After section 18A insert—
“18AA Retention of material from INTERPOL
(1) This section applies to section 18 material which is not a DNA sample where the law enforcement authority obtained or acquired the material as part of a request for assistance, or a notification of a threat, sent to the United Kingdom via INTERPOL’s systems.
(2) The law enforcement authority may retain the material until the National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn.
(3) If the law enforcement authority is the National Central Bureau, it may retain the material until it becomes aware that the request or notification has been cancelled or withdrawn.
(4) In this section—
“INTERPOL” means the organisation called the International Criminal Police Organization - INTERPOL;
“the National Central Bureau” means the body appointed for the time being in accordance with INTERPOL’s constitution to serve as the United Kingdom’s National Central Bureau.
(5) The reference in subsection (1) to material obtained or acquired as part of a request or notification includes material obtained or acquired as part of a communication, sent to the United Kingdom via INTERPOL’s systems, correcting, updating or otherwise supplementing the request or notification.
18AB Retention of material from INTERPOL: supplementary
(1) The Secretary of State may by regulations amend section 18AA to make such changes as the Secretary of State considers appropriate in consequence of—
(a) changes to the name of the organisation which, when section 18AA was enacted, was called the International Criminal Police Organization - INTERPOL (“the organisation”),
(b) changes to arrangements made by the organisation which involve fingerprints or DNA profiles being provided to members of the organisation (whether changes to existing arrangements or changes putting in place new arrangements), or
(c) changes to the organisation’s arrangements for liaison between the organisation and its members or between its members.
(2) Regulations under this section are subject to affirmative resolution procedure.”
(4) In section 18BA(5)(a) (retention of further fingerprints), after “18A” insert “, 18AA”.
(5) Section 18AA of the Counter-Terrorism Act 2008 applies in relation to section 18 material obtained or acquired by a law enforcement authority before the commencement day (as well as material obtained or acquired on or after that day), except where the law enforcement authority was informed, or became aware, as described in subsection (2) or (3) of that section before the commencement day.
(6) Subsection (7) of this section applies where—
(a) at the beginning of the commencement day, a law enforcement authority has section 18 material,
(b) at a time before the commencement day (a “pre-commencement time”), the law enforcement authority was required by section 18(4) of the Counter-Terrorism Act 2008 to destroy the material, but
(c) at the pre-commencement time, the law enforcement authority could have retained the material under section 18AA of that Act (as inserted by this section) if it had been in force.
(7) Where this subsection applies—
(a) the law enforcement authority is to be treated as not having been required to destroy the material at the pre-commencement time, but
(b) the material may not be used in evidence against the person to whom the material relates—
(i) in criminal proceedings in England and Wales, Northern Ireland or Scotland in relation to an offence where those proceedings, or other criminal proceedings in relation to the person and the offence, were instituted before the commencement day, or
(ii) in criminal proceedings in any other country or territory.
(8) In this section—
“the commencement day” , “law enforcement authority” and “section 18 material” have the meaning given in section (Retention of biometric data and recordable offences)(14);
“instituted” , in relation to proceedings, has the meaning given in section (Retention of biometric data and recordable offences)(15).”—(Sir John Whittingdale.)
This new clause enables fingerprints and DNA profiles obtained as part of a request for assistance, or notification of a threat, from INTERPOL and held for national security purposes by a law enforcement authority to be retained until the authority is informed that the request or notification has been withdrawn or cancelled.
Brought up, read the First and Second time, and added to the Bill.
New Clause 39
National Underground Asset Register
“(1) After section 106 of the New Roads and Street Works Act 1991 insert—
“Part 3A
National Underground Asset Register: England and Wales
The register
106A National Underground Asset Register
(1) The Secretary of State must keep a register of information relating to apparatus in streets in England and Wales.
(2) The register is to be known as the National Underground Asset Register (and is referred to in this Act as “NUAR”).
(3) NUAR must be kept in such form and manner as may be prescribed.
(4) The Secretary of State must make arrangements so as to enable any person who is required, by a provision of Part 3, to enter information into NUAR to have access to NUAR for that purpose.
(5) Regulations under subsection (3) are subject to the negative procedure.
106B Access to information kept in NUAR
(1) The Secretary of State may by regulations make provision in connection with making information kept in NUAR available—
(a) under a licence, or
(b) without a licence.
(2) The regulations may (among other things)—
(a) make provision about which information, or descriptions of information, may be made available;
(b) make provision about the descriptions of person to whom information may be made available;
(c) make provision for information to be made available subject to exceptions;
(d) make provision requiring or authorising the Secretary of State to adapt, modify or obscure information before making it available;
(e) make provision authorising all information kept in NUAR to be made available to prescribed descriptions of person under prescribed conditions;
(f) make provision about the purposes for which information may be made available;
(g) make provision about the form and manner in which information may be made available.
(3) The regulations may make provision about licences under which information kept in NUAR is made available, including—
(a) provision about the form of a licence;
(b) provision about the terms and conditions of a licence;
(c) provision for information to be made available under a licence for free or for a fee;
(d) provision about the amount of the fees, including provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged;
(e) provision about how funds raised by means of fees must or may be used, including provision for funds to be paid to persons who are required, by a provision of Part 3, to enter information into NUAR.
(4) Except as otherwise prescribed and subject to section 106G, processing of information by the Secretary of State in exercise of functions conferred by or under section 106A or this section does not breach—
(a) any obligation of confidence owed by the Secretary of State, or
(b) any other restriction on the processing of information (however imposed).
(5) Regulations under this section are subject to the affirmative procedure.
Requirements for undertakers to pay fees and provide information
106C Fees payable by undertakers in relation to NUAR
(1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under this Part.
(2) The regulations may—
(a) specify the amounts of the fees, or the maximum amounts of the fees, or
(b) provide for the amounts of the fees, or the maximum amounts of the fees, to be determined in accordance with the regulations.
(3) In making the regulations the Secretary of State must seek to secure that, so far as possible and taking one year with another, the income from fees matches the expenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under this Part (including expenses not directly connected with the keeping of NUAR).
(4) Except where the regulations specify the amounts of the fees—
(a) the amounts of the fees must be specified by the Secretary of State in a statement, and
(b) the Secretary of State must—
(i) publish the statement, and
(ii) lay it before Parliament.
(5) Regulations under subsection (1) may make provision about—
(a) when a fee is to be paid;
(b) the manner in which a fee is to be paid;
(c) the payment of discounted fees;
(d) exceptions to requirements to pay fees;
(e) the refund of all or part of a fee which has been paid.
(6) Before making regulations under subsection (1) the Secretary of State must consult—
(a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and
(b) such other persons as the Secretary of State considers appropriate.
(7) Subject to the following provisions of this section regulations under subsection (1) are subject to the affirmative procedure.
(8) Regulations under subsection (1) that only make provision of a kind mentioned in subsection (2) are subject to the negative procedure.
(9) But the first regulations under subsection (1) that make provision of a kind mentioned in subsection (2) are subject to the affirmative procedure.
106D Providing information for purposes of regulations under section 106C
(1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—
(a) assisting the Secretary of State in determining the provision that it is appropriate for regulations under section 106C(1) or a statement under section 106C(4) to make;
(b) assisting the Secretary of State in determining whether it is appropriate to make changes to such provision.
(2) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes—
(a) ascertaining whether a fee is payable by a person under regulations under section 106C(1);
(b) working out the amount of a fee payable by a person.
(3) Regulations under subsection (1) or (2) may require an undertaker to notify the Secretary of State of any changes to information previously provided under the regulations.
(4) Regulations under subsection (1) or (2) may make provision about—
(a) when information is to be provided (which may be at prescribed intervals);
(b) the form and manner in which information is to be provided;
(c) exceptions to requirements to provide information.
(5) Regulations under subsection (1) or (2) are subject to the negative procedure.
Monetary penalties
106E Monetary penalties
Schedule 5A makes provision about the imposition of penalties in connection with requirements imposed by regulations under sections 106C(1) and 106D(1) and (2).
Exercise of functions by third party
106F Arrangements for third party to exercise functions
(1) The Secretary of State may make arrangements for a prescribed person to exercise a relevant function of the Secretary of State.
(2) More than one person may be prescribed.
(3) Arrangements under this section may—
(a) provide for the Secretary of State to make payments to the person, and
(b) make provision as to the circumstances in which any such payments are to be repaid to the Secretary of State.
(4) In the case of the exercise of a function by a person authorised by arrangements under this section to exercise that function, any reference in this Part or in regulations under this Part to the Secretary of State in connection with that function is to be read as a reference to that person.
(5) Arrangements under this section do not prevent the Secretary of State from exercising a function to which the arrangements relate.
(6) Except as otherwise prescribed and subject to section 106G, the disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this section or exercise of functions to which such arrangements relate does not breach—
(a) any obligation of confidence owed by the person making the disclosure, or
(b) any other restriction on the disclosure of information (however imposed).
(7) Regulations under this section are subject to the affirmative procedure.
(8) In this section “relevant function” means any function of the Secretary of State conferred by or under this Part (including the function of charging or recovering fees under section 106C) other than—
(a) a power to make regulations, or
(b) a function under section 106C(4) (specifying of fees etc).
Data protection
106G Data protection
(1) A duty or power to process information that is imposed or conferred by or under this Part does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account).
(2) In this section—
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);
“personal data” has the same meaning as in that Act (see section 3(2) of that Act).
Supplementary provisions
106H Regulations under this Part
(1) In this Part “prescribed” means prescribed by regulations made by the Secretary of State.
(2) Regulations under this Part may make—
(a) different provision for different purposes;
(b) supplementary and incidental provision.
(3) Regulations under this Part are to be made by statutory instrument.
(4) Before making regulations under this Part the Secretary of State must consult the Welsh Ministers.
(5) Where regulations under this Part are subject to “the affirmative procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament.
(6) Where regulations under this Part are subject to “the negative procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.
(7) Any provision that may be made in regulations under this Part subject to the negative procedure may be made in regulations subject to the affirmative procedure.
106I Interpretation
(1) In this Part the following terms have the same meaning as in Part 3—
“apparatus” (see sections 89(3) and 105(1));
“in” (in a context referring to apparatus in a street) (see section 105(1));
“street” (see section 48(1) and (2));
“undertaker” (in relation to apparatus or in a context referring to having apparatus in a street) (see sections 48(5) and 89(4)).
(2) In this Part “processing” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act) and “process” is to be read accordingly.”
(2) In section 167 of the New Roads and Street Works Act 1991 (Crown application)—
(a) after subsection (4) insert—
“(4A) The provisions of Part 3A of this Act (National Underground Asset Register: England and Wales) bind the Crown.”;
(b) in subsection (5), for “(4)” substitute “(4) or (4A)”.
(3) Schedule (National Underground Asset Register: monetary penalties) to this Act inserts Schedule 5A into the New Roads and Street Works Act 1991 (monetary penalties).”—(Sir John Whittingdale.)
This amendment inserts Part 3A into the New Roads and Street Works Act 1991 which requires, and makes provision in connection with, the keeping of a register of information relating to apparatus in streets (to be called the National Underground Asset Register).
Brought up, read the First and Second time, and added to the Bill.
New Clause 40
Information in relation to apparatus
“(1) The New Roads and Street Works Act 1991 is amended in accordance with subsections (2) to (6).
(2) For the italic heading before section 79 (records of location of apparatus) substitute “Duties in relation to recording and sharing of information about apparatus”.
(3) In section 79—
(a) for the heading substitute “Information in relation to apparatus”;
(b) in subsection (1), for paragraph (c) substitute—
“(c) being informed of its location under section 80(2),”;
(c) after subsection (1A) (as inserted by section 46(2) of the Traffic Management Act 2004) insert—
“(1B) An undertaker must, except in such cases as may be prescribed, record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after—
(a) placing the item in the street or altering its position,
(b) inspecting, maintaining, adjusting, repairing, altering or renewing the item,
(c) locating the item in the street in the course of executing any other works, or
(d) receiving any such information in relation to the item under section 80(2).”
(d) omit subsection (3);
(e) in subsection (3A) (as inserted by section 46(4) of the Traffic Management Act 2004)—
(i) for “to (3)” substitute “and (2A)”;
(ii) for “subsection (1)” substitute “this section”;
(f) after subsection (3A) insert—
“(3B) Before the end of the initial upload period an undertaker must enter into NUAR—
(a) all information that is included in the undertaker’s records under subsection (1) on the archive upload date, and
(b) any other information of a prescribed description that is held by the undertaker on that date.
(3C) Where an undertaker records information as required by subsection (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR.
(3D) The duty under subsection (3C) does not apply in relation to information recorded or updated before the archive upload date.
(3E) A duty under subsection (3B) or (3C) does not apply in such cases as may be prescribed.
(3F) Information must be entered into NUAR under subsection (3B) or (3C) in such form and manner as may be prescribed.”
(g) in subsection (4)(a), omit “not exceeding level 5 on the standard scale”;
(h) after subsection (6) insert—
“(7) For the purposes of subsection (3B) the Secretary of State must by regulations—
(a) specify a date as “the archive upload date”, and
(b) specify a period beginning with that date as the “initial upload period”.
(8) For the meaning of “NUAR”, see section 106A.”
(4) For section 80 (duty to inform undertakers of location of apparatus) substitute—
“80 Duties to report missing or incorrect information in relation to apparatus
(1) Subsection (2) applies where a person executing works of any description in a street finds an item of apparatus belonging to an undertaker in relation to which prescribed information—
(a) is not entered in NUAR, or
(b) is entered in NUAR but is incorrect.
(2) The person must take such steps as are reasonably practicable to inform the undertaker to whom the item belongs of the missing or incorrect information.
(3) Where a person executing works of any description in a street finds an item of apparatus which does not belong to the person and is unable, after taking such steps as are reasonably practicable, to ascertain to whom the item belongs, the person must—
(a) if the person is an undertaker, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item;
(b) in any other case, inform the street authority of that information.
(4) Subsections (2) and (3) have effect subject to such exceptions as may be prescribed.
(5) A person who fails to comply with subsection (2) or (3) commits an offence.
(6) A person who commits an offence under subsection (5) is liable on summary conviction to a fine not exceeding level 4 on the standard scale.
(7) Before making regulations under this section the Secretary of State must consult—
(a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and
(b) such other persons as the Secretary of State considers appropriate.
(8) For the meaning of “NUAR”, see section 106A.”
(5) Before section 81 (duty to maintain apparatus) insert—
“Other duties and liabilities of undertakers in relation to apparatus”.
(6) In section 104 (regulations), after subsection (1) insert—
“(1A) Before making regulations under section 79 or 80 the Secretary of State must consult the Welsh Ministers.
(1B) Regulations under this Part may make supplementary or incidental provision.”
(7) In consequence of the provision made by subsection (4), omit section 47 of the Traffic Management Act 2004.”—(Sir John Whittingdale.)
This amendment amends the New Roads and Street Works Act 1991 so as to impose new duties on undertakers to keep records of, and share information relating to, apparatus in streets; and makes amendments consequential on those changes.
Brought up, read the First and Second time, and added to the Bill.
New Clause 41
Pre-commencement consultation
“A requirement to consult under a provision inserted into the New Roads and Street Works Act 1991 by section (National Underground Asset Register) or (Information in relation to apparatus) may be satisfied by consultation before, as well as consultation after, the provision inserting that provision comes into force.”—(Sir John Whittingdale.)
This amendment provides that a requirement that the Secretary of State consult under a provision inserted into the New Roads and Street Works Act 1991 by the new clauses inserted by Amendments NC39 and NC40 may be satisfied by consultation undertaken before or after the provision inserting that provision comes into force.
Brought up, read the First and Second time, and added to the Bill.
New Clause 42
Transfer of certain functions to Secretary of State
“(1) The powers to make regulations under section 79(1) and (2) of the New Roads and Street Works Act 1991, so far as exercisable in relation to Wales, are transferred to the Secretary of State.
(2) The power to make regulations under section 79(1A) of that Act (as inserted by section 46(2) A42of the Traffic Management Act 2004), so far as exercisable in relation to Wales, is transferred to the Secretary of State.
(3) The Street Works (Records) (England) Regulations 2002 (S.I. 2002/3217) have effect as if the reference to England in regulation 1(2) were a reference to England and Wales.
(4) The Street Works (Records) (Wales) Regulations 2005 (S.I. 2005/1812) are revoked.”—(Sir John Whittingdale.)
This amendment provides that certain powers to make regulations under section 79 of the New Roads and Street Works Act 1991, so far as exercisable in relation to Wales, are transferred from the Welsh Ministers to the Secretary of State; and makes provision in relation to regulations already made under those powers.
Brought up, read the First and Second time, and added to the Bill.
Clause 5
Lawfulness of processing
Amendment proposed: 11, page 7, line 12, at end insert—
““internal administrative purposes”, in relation to special category data, means the conditions set out for lawful processing in paragraph 1 of Schedule 1 of the Data Protection Act 2018.”—(Kate Osborne.)
This amendment clarifies that the processing of special category data in employment must follow established principles for reasonable processing, as defined by paragraph 1 of Schedule 1 of the Data Protection Act 2018.
Question put, That the amendment be made.
I beg to move, That the Bill be now read the Third time.
This Bill will deliver tangible benefits to British consumers and businesses alike, which would not have been possible if Britain had still been a member of the European Union. It delivers a more flexible and less burdensome data protection regime that maintains high standards of privacy protection while promoting growth and boosting innovation. It does so with the support of the Information Commissioner, and without jeopardising the UK’s European Union data adequacy.
I would like to thank all Members who contributed during the passage of the Bill, and all those who have helped get it right. I now commend it to the House on its onward passage to the other place.