Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Ashton of Hyde
Main Page: Lord Ashton of Hyde (Conservative - Excepted Hereditary)Department Debates - View all Lord Ashton of Hyde's debates with the Department for Digital, Culture, Media & Sport
(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Hamwee (LD)
My Lords, I am glad that the noble Lord, Lord Stevenson, has raised the question of the meaning of “broadly equivalent”. It encapsulates a difficulty I have found throughout the Bill: the language of the GDPR and of the law enforcement directive is more narrative and descriptive than language to which we are accustomed in UK legislation. Though one might say we should just apply a bit of common sense, that is not always the first thing to apply in interpreting UK legislation.
In this clause, there is another issue apart from the fact that “broadly equivalent” gives a lot of scope for variation. Although Clause 3 is an introduction to the part, if there are problems of interpretation later in Part 2, one might be tempted to go back to Clause 3 to find out what the part is about and be further misled or confused.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to noble Lords for their comments and the opportunity, I hope, to make things clearer. Amendment 5 seeks to make it clear that the applied GDPR does not apply to processing activities which fall outside the scope of EU law. Amendment 6 examines the differences between the GDPR and the applied GDPR. The applied GDPR exists to extend the GDPR standards for personal data processing to datasets outside the scope of EU law, which may be otherwise left unregulated. This is an essential extension because, first, we believe that all personal data should be protected, irrespective of EU legal competence; and, secondly, we need a complete data protection regulatory system to secure the future free flow of data.
Chapter 3 of Part 2 and Schedule 6 create the applied GDPR, which is close to, but not identical to, the GDPR. This is primarily because we have anglicised it as it sits within our domestic law, not European law. References to member states become references to the UK. As domestic regulation it is also outside the scope of the functions of the European Data Protection Board, so appropriate amendments are needed to reflect that. Otherwise the same general standards and exemptions apply to the applied GDPR as for the GDPR.
Lord Stevenson of Balmacara
Perhaps the Minister will respond to that because I, too, am troubled about the same point. If I am right, and I will read Hansard to make sure I am not misreading or mishearing what was said, the situation until such time as we leave through Brexit is covered by the GDPR. The extraterritorial—I cannot say it but you know what I am going to say—is still in place. Therefore, as suggested by the noble Lord, Lord Clement-Jones, a company operating out of a foreign country which was selling goods and services within the UK would have to have a representative, and that representative could be attached should there be a requirement to do so. It is strange that we are not doing that in the applied GDPR because, despite the great improvement that will come from better language, the issue is still the same. If there is someone that our laws cannot attack, there is obviously an issue. Perhaps the Minister would like to respond.
Lord Ashton of Hyde
Quite apart from the get-out that Clause 3 is only a signposting, I can confirm that we are not derogating from the GDPR. We intend to apply GDPR standards when we leave the EU, so we are not derogating from the GDPR on extraterritoriality.
Lord Stevenson of Balmacara
This concerns Amendment 115, which is to a substantial part of the Bill; it is not the issue raised by the amendment I introduced. We are talking about page 158, line 34. Perhaps it would be better if I requested a letter on this point so that—again, I cannot say the word—does not bog us down.
Lord Stevenson of Balmacara
Isn’t he so smooth? Unfortunately, I bet Hansard does not print that. However, extraterritoriality is important because it represents a diminution of the ability of those data subjects affected by actions taken by those bodies in terms of their future redress. It is important that we get that right and I would be grateful if the Minister could write to us on that.
I am satisfied with what the Minister said on Amendments 5 and 6. I am grateful and beg leave to withdraw the amendment.
Lord Kennedy of Southwark (Lab)
My Lords, I refer the Committee to my registered interests: I am on the board of two small charities in the London Borough of Southwark.
I recall from Second Reading the noble Lord, Lord Marlesford, who is not in his place today, talking about the effect of the legislation on small organisations—many others have made reference to it already. He referred to parish councils, which often employ just a part-time parish clerk. The noble Lord, Lord Arbuthnot of Edrom, spoke similarly about the effect on organisations. Both noble Lords had a point at Second Reading, as does the noble Baroness, Lady Neville-Rolfe, with her amendment today.
As we have heard, the amendment limits the scope of the Act to organisations employing more than five people and specifies for exemption organisations such as small businesses, charities and parish councils which meet the employment qualification of five employees or fewer. My noble friend Lord Knight of Weymouth made a valuable point about size and turnover—I think the noble Baroness accepted that in her intervention.
The amendment also makes the useful point that the exemption is not limited to these three specific groups but seeks to cast a wider net. I certainly want to hear from the Minister that community councils would be exempted, as well as the small not-for-profit sector and small co-operatives, which I am sure is the intention behind the amendment.
The amendment needs a detailed response, as we have to be clear on what the Government think is reasonable for such organisations to have to comply with and how the Government will make it as simple as possible and not pile additional burdens on them. I hope the Minister will not say that these organisations already have to comply with the 1998 Act and that this legislation is only a very small increase in what is required. We will require a lot more reassurance than that from the Minister.
Amendment 152, also in this group, would place a duty on the Information Commissioner to advise Parliament, government and other institutions and bodies on the likely consequences, economic or otherwise, for industry, charities and public authorities of measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data. The noble Baroness again makes a valid point and there is merit to placing this duty in the Bill.
If the Minister thinks that Clause 113, and specifically Clause 113(3)(b), is sufficient to provide the Information Commissioner with the power and the duty to do what is set out in the amendment, we need him carefully to set that out today for the benefit of your Lordships’ House.
Amendments 169—and Amendment 170, which would add “and charities” to it—raises some very important issues. It would place a duty on the Secretary of State to ensure that they or the Information Commissioner had a programme in place to ensure that information on the new duties that businesses and charities will be obliged to follow is publicly available. Again, these are very important and welcome amendments. Large businesses, large corporations and large charities will more than likely have the structures in place to ensure that they comply with any new requirements, but smaller organisations do not have compliance departments or lawyers on retainer to advise them. The Government have to get that message out to them. I particularly like subsection (2) of the new clause proposed by Amendment 169, which would require this information to be placed online and the Secretary of State to have regard to the creation of online training and testing to meet the requirements of the new Act. This group of amendments raises important matters on which I hope the Minister can give the Committee some reassurance.
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have raised the amendments and commented on them, because the Government recognise the concern behind them; namely, to protect the smallest organisations from the additional requirements established by this and future data protection legislation and to ensure that all UK businesses and organisations are properly supported through the transition.
I fully concur with my noble friend Lady Neville-Rolfe that supporting UK businesses of all sizes must be a priority. I can assure her that it is of the utmost importance both for the Government and for the Information Commissioner. However, I cannot agree with the proposal in Amendment 7 that those organisations with five or fewer employees be exempted from the requirements of the Act. We are talking in this Bill not just about businesses but about individual rights of data subjects. As my noble friend Lord Lucas mentioned, it is right that individuals enjoy the protections that will be afforded by this new regime regardless of the size of the organisation with which they are dealing. People should not be afforded a lesser degree of protection simply because they have chosen to do business with, or indeed to voluntarily support, a small organisation. After all, the fact that an organisation employs few staff does not mean that a breach of data protection law will cause a correspondingly small amount of distress. Many of the most cutting-edge financial technology firms begin life in someone’s back bedroom, but it does not make their customers’ transaction history any less worthy of protection.
Amendment 7 is unlikely to have the intended effect because the GDPR does not permit such an exemption. As an area in which our ongoing relationship with the European Union will be of the utmost importance, I do not consider that such an amendment would be in the best interests of British businesses.
However, I understand my noble friend’s concerns that the smallest organisations may be the least well equipped to deal with the changes introduced by this regime. I was therefore pleased to learn recently—the noble Lord, Lord Clement-Jones, mentioned this—that the Information Commissioner has announced the establishment of a dedicated telephone advice service for small and micro businesses to support them in implementation. The noble Lord also mentioned that the threshold was 250 employees, which represents quite a large organisation by today’s terms, with small businesses, especially in the tech field, growing up all over the place.
In respect of Amendment 152, I fully concur with my noble friend about the importance of monitoring the consequences of the Act for businesses and other organisations. I reassure her that there is already, quite rightly, a broad obligation on government to assess and report on the impact of all legislation that regulates business under the Small Business, Enterprise and Employment Act 2015. In addition, the Information Commissioner will be required to advise Parliament, government and other bodies on both legislative and administrative measures relating to the new Act and to provide opinions on any issue relating to the protection of personal data. My noble friend Lady Neville-Rolfe also asked about the impact on business. I confirm that the Government will publish a further assessment of the impact of the Bill on business very shortly.
With regard to Amendment 169, it is worth reiterating that the Information Commissioner has already provided general guidance, which is available online to all businesses, to help them understand their obligations. The commissioner is continuing to develop this guidance and has a programme in place for publication. I cannot go through it all but, in addition to the guidance the ICO has already published, it expects to develop this further between now and May into a fully comprehensive guide to the GDPR, including summaries and checklists, as well as more detailed content focused on key areas. This will also be available online from early next year. Later this year, the Information Commissioner will publish draft guidance on children’s data; on accountability, including documentation; on legitimate interests, including examples addressing universities maintaining alumni relationships; and draft guidance on security of processing, including joint work on high-level security principles. It will also provide sector-specific guidance. The Government are working with the Information Commissioner to identify appropriate areas and to work with sectors to deliver more guidance.
In respect of timing, I completely agree with my noble friend that it is desirable that up-to-date guidance about the new regime is available to businesses as soon as possible. As I have just set out, that is precisely what the commissioner is already attempting. But I fear that it may not be feasible, as the amendment requires, for final information to be published at least six months before the commencement of the provisions in the Act, not least because changes to the Bill may affect that guidance.
In respect of Amendment 170, I share the sentiment of the noble Lord, Lord Clement-Jones, in wishing to ensure that charities are provided with guidance to help them understand their obligations. I reassure him that the general guidance that the Information Commissioner has already published is designed to assist all organisations through the transition.
The noble Lord, Lord Knight, asked how the role of the Information Commissioner will develop and be resourced. My noble friend Lady Williams said at Second Reading that the Government take the adequate resourcing of the Information Commissioner very seriously and have provided for an appropriate charging regime in Part 5 of the Bill. I assure the noble Lord that we are aware that there are problems with the Information Commissioner at the moment and we are looking at that. But, possibly for the reasons that he mentioned, I am not able to make any binding commitments tonight. But I accept that there is an issue there. We are looking at it.
I assure noble Lords that the Government share the concerns raised in these amendments and are particularly pleased that the Information Commissioner is actively taking steps to provide dedicated support for small and micro enterprises, including the telephone service I mentioned earlier. With that in mind, I hope my noble friend feels able to withdraw her amendment.
Lord Kennedy of Southwark
The Minister mentioned guidance a few times and said that it might not be ready in time. I was reminded of our debates—which he was not involved in—on the Housing and Planning Bill. We were told about guidance and regulations, and well over a year later we have seen next to nothing. This is such an important issue that we need to hear a little more from the Minister. I and many other noble Lords mentioned parish councils. I do not think he mentioned those. For example, I know the Deeping St James Parish Council in Lincolnshire very well. It employs only a part-time clerk. I think the noble Lord, Lord Marlesford, made a similar point about parish councils at Second Reading. Perhaps the Minister could say something about that.
Lord Ashton of Hyde
Yes, I think my noble friend mentioned the parish council of the noble Lord, Lord Marlesford, in her reply. I make the point again that individuals’ data rights have to be protected. Just because parish councils are small organisations does not mean that they should not take that seriously—and I am sure they do. With regard to the practicalities of how they cope with their duties, apart from the fact that the Information Commissioner is providing guidance specifically for small organisations, the parish clerk—who already often works for more than one parish council so they can share the cost—is in a good position to deal with the duties under the Bill and will be able to take the guidance relating specifically to small businesses and organisations from the Information Commissioner.
I admit that I did not follow the Housing and Planning Bill too closely. But I mentioned a lot of the guidance that will be available before the end of the year. The Information Commissioner is very aware of the need to produce this quickly. In addition, of course, she is actively involved in outlining the European guidance on which a lot of member states’ guidance will be based. Therefore, she is helping to set the tone on which her future guidance will be based.
Lord Kennedy of Southwark
That is fine as far it goes. The point I am making is that we have heard guidance mentioned two or three times, in relation to two or three different organisations. I know that the Minister was not involved but we heard the same comments about guidance and regulations from the Government Front Bench when we were dealing with the Housing and Planning Bill. I hope we are not having déjà vu here. We hear these things are coming forward. These things are very important. I accept entirely that people’s data are important—of course they are—but, equally, getting this guidance right is important, as is organisations being able to have the information so that they ensure that they comply with the law. I hope the Minister can take back how important this is. He said it will all be after Report, at the end of the year. The Bill will have long left this House and we will be saying, “Where is this guidance then? You promised it and nothing has arrived”. It really is not good enough for the individual data subject or for business or for anyone else involved.
Lord Ashton of Hyde
I agree with the noble Lord that, if nothing did arrive, it would not be good enough.
Baroness Neville-Rolfe
My Lords, I was slightly disappointed when all my amendments were grouped, but bringing them together has led to an extremely useful and productive debate. I am very grateful to noble Lords right across the Committee for their support. I am also grateful to the Minister for saying that he will let us have a compliance cost assessment, which I will read with the detail and vigour that it merits, and for some of the other points he made.
I am a little disappointed about how we achieve some de minimis relief for the smaller organisations in these various sectors, including the ones mentioned by the noble Lord, Lord Kennedy, as well as on guidance—I am not sure we are quite there. We need to think a little further. I gave the Minister an example of the difficulties that the data analytics sector had had on consent. It would be good if he could look at that point and perhaps arrange for a meeting so that we could talk further. I will look in Hansard at the progress we have made in this very constructive discussion and possibly come back on Report on one or two points. I beg leave to withdraw the amendment.
Lord Patel (CB)
My Lords, I speak to Amendments 11 and 13, in the name of the noble Lord, Lord Clement-Jones, and Amendment 154, in the name of the noble Lord, Lord Stevenson of Balmacara, and to which I have added my name in support.
When I first read the amendments tabled by the noble Lord, Lord Clement-Jones, I was concerned because I thought them quite restrictive. Now that he has spoken to them, I can see that he intended them to be wider, so I apologise to him that I did not have the opportunity to speak with him beforehand, so that I would have had that clarification. None the less, having said that, I am concerned that the amendment would restrict the interpretation of,
“a task carried out in the public interest”,
and a narrow list is set out in Clause 7(a) to (d). That is a major concern for universities and other institutions involved in research.
It is absolutely important that universities and other public bodies that carry out research functions are able to use,
“task carried out in the public interest”,
as a legal basis for processing personal data. Restricting this clause to apply only to those functions listed in paragraphs (a) to (d) would instantly make all processing of personal data carried out for research purposes with a university illegal. That is unless it could meet the stringent requirements of GDPR-compliant consent, which I will speak to on an amendment in the group that follows.
None the less, providing further clarity through regulations would ensure that “public interest” was not used as a catch-all for public bodies, negating the incentive to restrict the definition in the Bill in the way proposed by this amendment. I have no doubt that we will have a discussion and that the amendment is not intended to be so restrictive. I look forward to the Minister’s summing up.
I support Amendment 154 in the name of the noble Lord, Lord Stevenson of Balmacara. However, under the GDPR, all users and controllers of data will need to be much clearer about the legal basis that they use to process personal data, and more explicit with data subjects about what is happening to data about them. However, this shift is also likely to generate a certain amount of confusion among researchers who process personal data as part of their studies.
An enormous amount of research using personal data is carried out by universities, which constitute public bodies. As it stands, the Bill defines “public interest” in quite a narrow way—and I shall come to that in more detail when I deal with a group of amendments in my name. But “public interest” is an underspecified notion that could be interpreted in many ways, in the absence of authoritative guidance—and it is that absence that the amendment under the name of the noble Lord, Lord Stevenson of Balmacara, deals with. Placing the requirement to produce codes of practice in the Bill will ensure that it is an undertaking that receives the urgent attention that it demands, and I support it for that reason.
Lord Ashton of Hyde
My Lords, this is a rather unusual occasion, in that normally noble Lords say that they are going to read very carefully what the Minister has said in Hansard. In this case, I am certainly going to have to read carefully what the noble Lord, Lord Clement-Jones, said, in Hansard. This is a complicated matter and I thought that I was following it and then thought that I did not—and then I thought that I did again. I shall set out what I think should be the answer to his remarks, but when we have both read Hansard we may have to get together again before Report on this matter.
I am glad that we have this opportunity to set out the approach taken in the Bill to processing that is in the public interests and the substantial public interests. Both terms are not new; they appeared before 1998, as the noble Lord, Lord Stevenson, said, in the 1995 data protection directive, in the same sense as they are used in the GDPR and the Bill. That is to say, “substantial public interest” is one of the bases for the processing of special categories of personal data, and this is a stricter test than the public interest test that applies in connection with the processing of all categories of personal data. The noble Lord, Lord Clement-Jones, was wrong to suggest that the list provided in the 1998 Act in relation to public interest was genuinely exhaustive, I think. As he said himself, the effect of paragraph 5(d) of Schedule 2 was to make that list non-exhaustive.
In keeping with the approach taken under the 1998 Act, the Government have not limited the public interest general processing condition. The list in Clause 7 is therefore non-exhaustive. This is intentional, and enables organisations which undertake legitimate public interest tasks to continue to process general data. Noble Lords may recall that the Government committed after Second Reading to update the Explanatory Notes to provide reassurance that Clause 7 should be interpreted broadly. Universities, museums and many other organisations carrying out important work for the benefit of society all rely on this processing condition. For much the same reason, “public interest” has not historically been defined in statute, recognising that the public interest will change over time and according to the circumstances of each situation. This flexibility is important, and I would not wish to start down the slippery slope of attempting to define it further.
The Government have, however, chosen to set out in Part 2 of Schedule 1 an exhaustive list of types of processing which they consider constitute, or could constitute, processing in the substantial public interest. That reflects the increased risks for data subjects when their sensitive personal data is processed. Again, this approach replicates that taken in the 1998 Act. Where the Government consider that processing meeting a condition in that part will sometimes, but not necessarily, meet the substantial public interest test, a sub-condition to that effect is included. This ensures that the exemption remains targeted on those processing activities in the substantial public interest. A similar approach was taken in secondary legislation made under the 1998 Act. The Government intend to keep Part 2 of Schedule 1 under review, and have proposed a regulation-making power in Clause 9 that would allow Schedule 1 to be updated or refined in a timelier manner than would be the case if primary legislation were required. We will of course return to that issue in a later group.
Amendment 15 seeks to make clear that the public interest test referred to in Clause 7 is not restricted by the substantial public interest test referred to in Part 2 of Schedule 1. Having described the purposes of both these elements of the Bill, I hope that noble Lords can see that these are two separate tests. The different wording used would mean that these would be interpreted as different tests, and there is no need to amend the Bill to clarify that further.
Amendment 154 would require the Information Commissioner to develop a code of practice in relation to the processing of personal data in the public interest and substantial public interest. As we have already touched on, the Information Commissioner is developing relevant guidance to support the implementation of the new data protection framework. Should there later prove a need to formalise this guidance as a code of practice, Clause 124 provides the Secretary of State with the power to direct the Information Commissioner to make such a code. There is no need to make further provision.
I hope that that explanation satisfies noble Lords for tonight, and I urge the noble Lord to withdraw his amendment. However, in this complicated matter, I am certainly prepared to meet noble Lords to discuss this further, if they so require.
Lord Clement-Jones
My Lords, I thank the Minister for that very helpful exposition. I shall return the compliment and read his contribution in Hansard with great care. I apologise to the noble Lord, Lord Kennedy, if the Bill has already had a befuddling influence on me. It comes from looking along the Labour Benches too much in profile.
With this amendment, I feel somewhat caught between the noble Lord, Lord Patel, and a very hard place. Clearly, he wants flexibility in a public interest test, and I can well understand that. But there are issues to which we shall need to return. The idea of a specific code seems the way forward; the way forward is not by granting overmighty powers to the Government to change the definitions according to the circumstances. I think that that was the phrase that the Minister used—they wish to have that flexibility so that the public interest test could be varied according to circumstances. If there is a power to change, it has to be pretty circumscribed. Obviously, we will come back to that in a later group. In the meantime, I beg leave to withdraw the amendment.