Data Protection Bill [HL] Debate
Full Debate: Read Full DebateLord Ashton of Hyde
Main Page: Lord Ashton of Hyde (Non-affiliated - Excepted Hereditary)Department Debates - View all Lord Ashton of Hyde's debates with the Department for Digital, Culture, Media & Sport
(6 years, 11 months ago)
Lords ChamberMy Lords, the last time I cleared a room like this, it was a very bad film indeed.
Amendment 103A is connected to Amendments 103B, 103C, 124A, 124B and 125A, and I move it with the support of my noble friend Lord Stevenson and the noble Lords, Lord Clement-Jones and Lord Holmes. In a well-run world, this group of amendments should not really need to be moved or pressed. They are designed purely to ensure that we have the data commissioner—and the office of that commissioner—that we need. Frankly, they are the natural consequence of all the debates that have occurred during the passage of the data protection legislation.
There can be no more important role over the next few years than that of the Data Commissioner. The organisation she is being asked to regulate is the largest in the world. A quite extraordinary statistic is that the four largest companies—Google, Amazon, Facebook and Apple—have between them a larger market capitalisation than the FTSE 100. That is the scale of the businesses we are asking the Data Commissioner to regulate. At the same time, under the Bill at present the resources available to her are wholly inadequate to that task. We went through a similar operation 15 years ago with Ofcom, and out of that, and through the collective wisdom of this House, we were able to ensure that Ofcom had the resources to become what is genuinely the gold standard of any media and telecoms industry regulator in the world. That is an achievement of this House of which we should be very proud. The purpose of these amendments is to achieve exactly the same for our ICO—something we can be proud of and that can do the job given to it.
During the passage of the Bill, we have loaded the ICO with significant new and additional responsibilities. The idea that we might have an underfunded and underresourced regulator that is not adequate to the task we are giving it is unthinkable. The purpose of these amendments is to prevent that. I could go on at some length, but I think the mood of the House is that it wishes to move on, so I shall listen to the Minister’s response. I beg to move.
My Lords, it might be for the convenience of the House if I speak now as I have some information which may help the noble Lord, Lord Puttnam, and other noble Lords who have put their names to these amendments.
As I have repeatedly said during the debates on the Bill, the Government are committed to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in this Bill, so I agree with pretty well everything the noble Lord said. That is why we legislated for a new, GDPR-compliant charging regime in the Digital Economy Act, which we will turn to in the next group, but it is also why the commissioner needs to be able to recruit and retain expert staff.
I am therefore very pleased to announce that the Government have today granted the Information Commissioner’s Office pay flexibility up to 2020-21 so that it can review its pay and grading structure. The commissioner will have the independence to determine the levels of pay necessary for the ICO to maintain the expertise it needs to fulfil its new and revised functions as a supervisory authority, subject to the standard public spending principles. I am also pleased to say that the Information Commissioner has agreed these arrangements. She said:
“I welcome the positive response to my business case for pay flexibility at the ICO. I am confident that this will allow me to prepare the ICO for its critical role under the new data protection regime ensuring that the UK has a strong and expert regulator in an area recognised for its importance to the digital economy and society as a whole”.
This flexibility underscores the UK’s commitment to an independent and effective data protection regulator, and I think goes a long way in responding to the points raised by the noble Lord’s amendments. We all want an efficient, well-resourced ICO, so I am very pleased that this agreement has been reached. I should have said at the outset that I am very grateful to the noble Lord for coming to talk to me about it. I am glad to say he was pushing at an open door.
I thank the noble Lord, who has been extraordinarily generous with his time. He and his officials could not have been more helpful in reaching what I regard as a perfectly satisfactory conclusion. My only wish is that we have a regulator that can do the job required of it and tackle the abuses along the way confidently and competently. I am extraordinarily grateful for this outcome. I am very happy to withdraw the amendment.
My Lords, the noble Lord, Lord Deben, said that a small number of people do everything in small communities. It sometimes feels like that here. I do not think that we need to say much more; all the issues have been raised and I am sure that when he responds, the Minister will answer some, if not all, of the questions. The underlying theme is that we do not want to spoil what is a very good Bill with desirable aims by failing to pick up all the areas that it needs to address, because there will be benefits from it, as we have heard. I think that the Government understand that, but they must not be in the position of willing the ends of policy without also willing the means.
My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.
While the Minister is responding on this issue—I was not allowed to move Amendment 87A because somebody shouted out “not moved” when it was in fact not moved by myself—could he include schools in his comments?
We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.
I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.
I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.
Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.
Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.
Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.
My Lords, can the Minister explain what the trigger is for the payment of the fees?
That is not what I meant. That is not a trigger; it is notification by the data controller.
If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
On that basis, I am happy to beg leave to withdraw my amendment.
My Lords, in earlier amendments I have tried to interest the Government in the idea of establishing what I loosely call a copyright of one’s personal data. Another possibility put forward in a different amendment is that one could think of data provided by individuals as matters that would be controlled by them through the role of a data controller. I am not trying to be in any sense critical of the Government’s response to this but I think I was ahead of my time—a nice place to be if you can—and I do not think the idea is quite ready to be turned into legislative form. I suspect that the solution lies in a data ethics commission, an idea that we will come to later in the agenda. Such a commission may be established by statute, either today or through some future legislative process, so that we can begin to think through these important issues. I was interested in a lot of what the noble Lord, Lord Mitchell, said in his introduction of the amendment because it has bearing on these issues.
I agree with the noble Lord, Lord Clement-Jones, that we are not quite there yet. However, worrying issues have been raised that need to be addressed, particularly in relation to data that is acquired, used and commercially exploited without necessarily being certain that we are getting value for money from it. The amendments are relatively mild in their exhortations to the Government, but they certainly point the way to further work that should be done and I support them.
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
My Lords, I thank all noble Lords for their contributions to this short debate. I also thank the Minister for agreeing to see me prior to the Recess and for his comments today. However, this is an issue of precision—and we need precision on the statute book. All that has been suggested to me, which is that it can be found elsewhere or will be looked at in the future, does not give the definitive answer we require. That is why I would like to test the opinion of the House.