Data Protection Bill [HL] Debate
Lord Ashton of Hyde (Non-affiliated - Excepted Hereditary)
Department for Digital, Culture, Media & Sport
(6 years, 9 months ago)
Lords Chamber
My Lords, I do not wish to detain the House. I thank the noble Baroness for raising the point; clarity is always important, as we have learned, and she is right to put her finger on it. However, the point made by the noble Lord, Lord Paddick, is correct.
We run the risk in this Bill of pouring fuel on an already raging fire: the more we try to focus on children as a group, the more we demonise and make difficult the Bill’s attempts—through an amendment we all supported on Report—to raise our sights and find a way of expressing how all people are dealt with in terms of internet access, with particular reference to those with developmental or other support needs to whom the word “child” could well be applied. But that does not mean that we want the more generic approach to fail because it did not mention vulnerable adults, the elderly who may be struggling with internet issues, those with special needs or others. These groups all need to be considered in the right way, and I am sure that, in time, “age appropriate” may not be the most appropriate way of dealing with it. It does get us to a particular point, however. It was a historic decision that we took on Report to do it this way, but we need to have an eye on the much wider case for a better understanding of under what conditions and with what impact those of us who wish to use the internet can do so safely and securely.
My Lords, I feel confident that I will be able to reassure the noble Baroness and other noble Lords who have spoken this afternoon.
Child online safety is an issue close to the heart of the noble Baroness, Lady Howe, and everyone in this House. It is right that children in the UK should be granted a robust data regime so that they can access online services in a way that meets their age and development needs. It was with this goal in mind that the Government, with a great deal of support from a number of Peers from all sides of the House, led by the noble Baroness, Lady Kidron, agreed and supported her amendment. It introduced a requirement on the Information Commissioner to prepare an age-appropriate design code. This amendment was the product of many hours of discussion and days of drafting and redrafting, and I am glad that it was accepted with no dissenting voices in this House. The code will contain guidance on standards of age-appropriate design for relevant online services which are likely to be accessed by children.
The aim of Amendment 4, as explained by the noble Baroness, is to add a definition to the age-appropriate design code to define “children” as those under the age of 18. We are determined to ensure that children of different ages are able to access online services in a way that is safe and takes into account their different needs. For that reason, we included in Clause 124(4) a requirement that the commissioner must have regard to the fact that children have different needs at different ages, and in Clause 124(4)(b) that the commissioner must have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. So I maintain that it is explicitly included in the Bill.
Article 1 of the United Nations Convention on the Rights of the Child defines children as,
“every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier”.
As such, the existing age-appropriate design code, which requires the commissioner to have regard to the convention, already addresses the point that the proposed amendment is making.
Article 2 of the convention obliges state parties to respect and ensure the rights in the convention to each child—all those under 18. By requiring the commissioner to have regard to the convention, Clause 124 ensures that in order to comply with the requirements for the code on age-appropriate design, children up to 18 would need to be considered. Therefore, the existing age-appropriate design code already ensures that the commissioner must have regard to the different needs and rights of children under the age of 18, and as a result this amendment is not necessary.
Not only is the amendment unnecessary, it is potentially unhelpful. One of the key features of the existing age-appropriate design code is that it recognises that children have different needs at different ages. The proposed amendment risks undermining this important point by presenting children as a homogenous group. The needs of a child aged 17 are very different from the needs of a child aged 10 and it is right that the requirements of the age-appropriate design code reflect that.
The noble Baroness asked—the noble Baroness, Lady Kidron, also alluded to this—whether the Bill is consistent in its approach to children. As I said, children are human beings under the age of 18. That is the consistent approach we are taking on this legislation. But the Bill works in tandem with the GDPR and we cannot amend the GDPR. Nor does the GDPR allow member states to come up with their own definitions, so we interpret the GDPR as adopting the definitions from the UN Convention on the Rights of the Child.
There are of course differences between young children and older children, and the provision needs to be age appropriate. A child who is 12 years old may consent to having their data processed in the offline world. Clause 201 ensures that is consistent in Scotland as well as England and Wales. A child who is 13 years old may consent to having their data processed online. That is provided by Clause 9. Any website or app maker providing services for children—meaning everyone under 18—will have the benefit of the code of practice on age-appropriate design provided by Clause 124. Of course, the law generally makes different provision for older children and for young children—for example, the age of sexual activity, marriage and serving in the Armed Forces.
There is a risk that the proposed amendment to the clause on age-appropriate design could also have serious unintended consequences. The Data Protection Bill contains numerous references to “children”. We cannot agree to an amendment that could have implications for issues elsewhere in the Bill.
Finally, it is worth emphasising that the existing wording of the age-appropriate design code is completely consistent with the wording of the general data protection regulation, which itself does not define children. I hope I have reassured the noble Baroness and as a result she feels able to withdraw her amendment at this late stage of the Bill.
My Lords, I turn now to an issue that is pertinent to us all: parliamentary privilege. I am sure that noble Lords will agree that it is paramount that both this House and the other place continue to be safeguarded in their processing of personal data in connection with parliamentary proceedings.
This issue was raised in previous debates by the noble and learned Lord, Lord Brown of Eaton-under-Heywood, to whom I am very grateful. Those debates influenced our thinking on how the Bill currently provides for parliamentary activity, and I am pleased to announce that the amendments in this group have been tabled to ensure that privileges under the current law will not disappear when we enter the new data protection framework.
I will start with Amendments 5 to 8. Amendments 5 to 7 restrict information, assessment and enforcement notices served by the commissioner from requiring a person to comply with the notice if compliance would involve infringing the privileges of either House of Parliament. Put simply, the commissioner’s notices are “switched off” where there would be an infringement of parliamentary privilege. Amendment 8 prevents the commissioner giving the House a penalty notice with respect to the processing of personal data by or on behalf of the House. These amendments have been tabled to ensure that parliamentary proceedings will not be impeded by the commissioner and that Parliament will maintain the freedom to do its work that it currently enjoys.
Amendments 9 to 13 relate to criminal liability and seek to prevent corporate officers of either House of Parliament being liable to prosecution as a data controller. This is the current position in the Data Protection Act 1998, and our amendments seek to clarify the Government’s intention to maintain the effect of Section 63A of the 1998 Act. The amendments also make equivalent provision for government departments and data controllers for the Royal Household. It should be noted, however, that these provisions do not prevent corporate officers being liable for their own conduct when acting as data controllers on behalf of either House, for government departments or for the Royal Household. This maintains the current position, and we believe that it is an important safeguard that allows full parliamentary privilege while balancing the rights of data subjects.
Amendments 14 and 15 revert to the current position under the Data Protection Act 1998 in relation to the processing that is necessary for the functions of the Houses of Parliament or for the administration of justice by removing the additional “substantial public interest” test. On reflection, we could not see how such processing would not be in the substantial public interest, so the test appeared redundant. On that basis, the Houses of Parliament will have to consider simply whether processing is necessary for the purposes of their functions, as is the position now.
Amendments 20 and 21 make a corresponding amendment to Schedule 8, where processing is necessary for the administration of justice under the provisions in Part 3 for law-enforcement processing, to maintain a consistent approach across the Bill.
Amendment 18 is to Schedule 2 and extends the exemptions from the GDPR relating to parliamentary privilege to include an exemption from article 34(1) and article 34(4) of the GDPR. Article 34 requires controllers to communicate a personal data breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of the subject. The amendment excludes this requirement from applying to parliamentary proceedings and also restricts the ability of the commissioner to oblige either House to comply with it.
I hope that the House will agree that these amendments, taken as a package, will ensure that there will be no chilling effect on the functions of Parliament and will restore the regime that applies under the Data Protection Act 1998. It has the approval of the House authorities. I beg to move.
My Lords, I strongly support this group of amendments, perhaps unsurprisingly given that they have now been brought forward in place of a series of broadly similar amendments which, as the Minister has mentioned, I tabled on Report. They achieve the same basic objective, which is to safeguard parliamentary privilege and thereby ensure that this House, along with the other place, can continue to go about its business and fulfil its vital constitutional role without inappropriate inhibitions and concerns with regard to the protection of data and privacy, which of course the Bill as a whole is rightly designed to protect.
As I made plain on Report, I was prompted to table the original amendments by and on behalf of the officials of both Houses, that is to say, the clerks and counsel, because of their concern about how, unamended as it then was, the Bill risked infringing parliamentary privilege in the various ways that the Minister has recounted. These concerns were raised and over recent months they have been discussed extensively between officials and the Bill team. Again I express my gratitude and pay tribute to the Bill team for its hugely constructive help and co-operation throughout. As now formulated, these amendments substantially and realistically meet the concerns of officials, and accordingly I welcome them.
I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.
Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.
My Lords, I am grateful for most of the comments. It is a pity that the noble Lord, Lord Stevenson, had to bring up the one bit that did not quite go through, but as he says, I am sure that we can rely on the other place.
My Lords, I am very pleased to be able to set out the Government’s reasoning in tabling this group of amendments in response to valid concerns from the insurance industry. There are three amendments in the group; one technical matter and two addressing processing for insurance purposes. Regarding Amendments 16 and 17, I am grateful to the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, for raising the challenges facing the insurance industry in previous stages of the Bill’s progress through the House and in discussions with me and my officials.
The Government recognise the fundamental importance of insurance products. They are vital to the public at large, who rely on insurance daily to protect them from financial loss due to an unfortunate emergency, accident or other unforeseen event. The industry is an important sector in the economy. On Report, we made clear our intention to propose an amendment addressing the noble Lords’ concerns at Third Reading. These amendments make good on that promise. Amendment 16 therefore replaces the three narrow conditions currently included in Schedule 1 with a single, more holistic condition permitting the processing of certain types of special category data where it is necessary for an insurance purpose.
There is a need to balance such processing with appropriate safeguards, and Amendment 16 provides these. First, as I have just said, processing must be necessary for a defined insurance purpose. For example, this condition will not be met if the organisation could achieve the purpose by some other reasonable means that did not require the processing of special categories of data, or if the processing was necessary only because the organisation has decided to operate its business in a particular way.
Secondly, processing must be necessary for reasons of substantial public interest. We consider that ensuring the availability of insurance at a reasonable cost to members of the public through risk-based pricing, the ability to detect and investigate fraudulent claims and the efficient administration and payment of insurance claims are matters of substantial public interest. Nevertheless, as this processing condition for insurance purposes is drawn more widely than those previously included in the Bill, we consider it reasonable to ask data controllers to consider whether, in respect of a particular processing activity they propose to undertake, it is necessary for a purpose that is in the substantial public interest.
Thirdly, the processing condition has been designed so that it affords additional safeguards to those data subjects who do not have rights or obligations in respect of the insurance contract or insured person. For example, a witness to an event giving rise to an insurance claim or a parent of a person seeking health insurance might fall into this category. Processing of data relating to these data subjects is permitted only if the data controller cannot reasonably be expected to obtain the consent of the data subject and they are not aware of the data subject withholding their consent.
Fourthly, data controllers relying on this new insurance condition will be required to have an appropriate policy document in place, as set out in Part 4 of Schedule 1 to the Bill.
Amendment 17 extends paragraph 13A so that the processing of criminal conviction and offences data is also permitted for an insurance purpose, which is clearly essential. Taken as a whole, we think that the processing condition set out in the new paragraph 13A provides the necessary balance between the rights of data subjects and the benefits that members of the public derive from the efficient and effective provision of insurance products.
Finally, Amendment 19 is a minor and technical matter. It merely deletes a reference to a provision elsewhere in the Bill that no longer exists. I am grateful to the helpful staff of the Public Bill Office who spotted this error when preparing the current print of the Bill last week. I am pleased that we have achieved what we agreed to do at the earlier stages of the Bill and I acknowledge the help of the Association of British Insurers and the Lloyd’s Market Association in reaching this solution. On that note, I beg to move.
My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.
If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.
The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.
The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.
My Lords, I am grateful to the noble Earl, Lord Kinnoull, and to the noble Lords, Lord Stevenson and Lord Clement-Jones. The noble Earl is absolutely right that there are various names for different insurance contracts, including reinsurance and retrocession, but they are all contracts of indemnity. The schedule absolutely covers all types of insurance, including reinsurance and retrocession contracts.
As for the clarificatory questions asked by the noble Lord, Lord Clement-Jones, they are very reasonable because this is not an easy part of the Bill to understand—even for people who have been looking at it for many weeks, as we have. First, he asked whether the provision permits processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management, and for insurance purposes. Technically speaking, paragraph 13A, introduced by Amendment 16, does not permit the processing of criminal convictions data because it exercises the derogation provided by article 9(2)(g) of the GDPR. Criminal convictions data is regulated by a separate article of the GDPR, article 10, but the noble Lord will be pleased to know that Amendment 17 extends paragraph 13A so that it also covers criminal convictions and offences data.
Secondly, as for the processing of special category data by insurance companies and related intermediaries such as reinsurers and brokers, which are important, as is managing claims, the noble Lord asked whether that will be regarded by the Government as purposes that are in the substantial public interest. The answer is that the Government have introduced paragraph 32A because they believe that the provision of core insurance products is in the substantial public interest. However, the world of insurance is an exciting and dynamic one—no, really it is—and controllers must be accountable for their own particular processing activities. I hope that answers his questions.
My Lords, in moving that the Bill do now pass, I shall say a few words about it. The Bill has been central to my life and the lives of a number of noble Lords for many weeks now. It was accepted right from the word go as a necessary Bill, and there was almost unanimity about the importance and necessity of getting it in place by next May, taking into account that it still has to go through the other place. I am very relieved to have got to this stage. Despite that unanimity, we have managed to deal with 692 amendments during the passage of the Bill, which is a very good indication of unanimity as far as I am concerned. I have to admit that of those 692, 255 were government amendments, but that is not necessarily a bad thing. The GDPR takes effect in May and many of the things that would have been put into secondary legislation have been dealt with in the Bill. I think most noble Lords would agree that that is a good precedent. Data protection is so pervasive that the previous Data Protection Act, passed 20 years ago in 1998, is referred to around 1,000 times in other legislation, so a lot of the amendments were to make sure that when we repeal that Act and this Bill becomes law it will be consistent with other legislation.
I am very appreciative of what we achieved and the way that we did it. One thing we managed to achieve was to accept a number of recommendations from your Lordships’ House, so we changed the way that universities, schools and colleges can process personal data in respect of alumni relations; we ensured that medical researchers can process necessary personal data they need without any chilling effect; we agreed that patient support groups can process health data; we ensured a fair balance between privacy and the right to freedom of expression when journalists process personal data; and we have talked about insurers today. The noble Baroness, Lady Kidron, one of the heroes of the Bill, helped us protect children online, which we all agreed with—in the end. We amended the way that some of the delegated powers in the Bill are effective and subject to the right parliamentary oversight.
I thank the Front Benches for their co-operation. This is meant to be the last Bill for the noble Lord, Lord Stevenson. I doubt that. Every time he says that, he comes back. He had a good team to help him: the noble Lords, Lord Kennedy and Lord Griffiths of Burry Port. It was the first Bill for the noble Lord, Lord Griffiths; if he can survive this, he can survive anything. I am sure we will see a lot of him in future. I thank the noble Lords, Lord Clement-Jones and Lord Paddick. I should have mentioned the noble Baroness, Lady Hamwee, and acknowledged her position on the privilege amendment. I must say that the way she withdrew her amendments one after the other on Report is a very good precedent for other legislation that might be coming before your Lordships’ House soon.
The Bill team has been mentioned several times, not only today but all through the passage of the Bill. The members of the team have been outstanding. They have worked incredibly hard. I should like to mention Andrew Elliot, the Bill manager, Harry Burt, who worked with him, Jagdeep Sidhu and, from the Home Office, Charles Goldie. They have all done a tremendous job and been great to work with.
Lastly, I have had a galaxy of talent to help me with large parts of the Bill. My noble friends Lady Williams, Lady Chisholm and Lord Young of Cookham and my noble and learned friend Lord Keen have made my life very easy and I am very grateful to them. I beg to move.
My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.
We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.
I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.
There is just a slight sting in the tail. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.
Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.
Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:
“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.
On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.