Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 1 to 28.

1: Clause 3, page 2, line 25, leave out “personal data” and insert “information”
--- Later in debate ---
28: Clause 50, page 30, line 17, leave out “21 days” and insert “1 month”
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

My Lords, with the leave of the House, I beg to move that this House do agree with the Commons in their Amendments 1 to 28. I will speak also to the other amendments in this group.

It is my pleasure to be able to open Lords Consideration of Commons amendments to the Data Protection Bill this afternoon. As we discussed at length when the Bill first passed through your Lordships’ House, this is a detailed and often quite technical Bill, intended to make our data protection laws fit for the digital age. It went through a period of review and revision under your Lordships’ supervision, and it has since been refined further in the other place. It now falls on us to review, and I hope agree, those refinements. I am very grateful to my noble and learned friend Lord Keen and my noble friend Lady Williams for helping me with some of these key areas today.

In setting out the reasoning behind the Commons amendments today, I will focus my remarks on the substantive changes made rather than the technical tweaks, of which there are many. This first group of amendments addresses the Commons amendments to Parts 1 and 2. I shall start with the subject of parish councils, a cause previously championed by my noble friend Lord Marlesford, and I declare an interest in that my wife is a parish councillor.

Parish and community councils are not exempt from the new law. Nonetheless, by describing parish and community councils as “public authorities”, the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement—for example, by exploring options for parish councils to share a data protection officer.

However, since the Bill left your Lordships’ House, we have concluded that as parish and community councils process very little personal data and often have few staff and small budgets, the burden that they will face may be disproportionate in some instances. I am therefore pleased to say that Commons Amendments 8, 9, and 10 would take these councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected.

Since the introduction of this Bill, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. I remember especially the contributions from the noble Lord, Lord Kennedy, and others on this subject, and I have met him to discuss these issues. I am grateful for his time and commitment.

As I have said before, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data. Having considered the matter further since then, the Government have concluded that it would be prudent to make provision in the Bill, to provide greater clarity to those operating in this space. Helpfully, Clause 8 already provides high-level examples of processing activities which the Government consider could be undertaken on the grounds of public interest.

As a consequence of the importance that the Government attach to the matter, Commons Amendment 12 would add,

“an activity that supports or promotes democratic engagement”,

to that list. This term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of democracy. That could include activities such as communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveying and opinion gathering, and fundraising to support such activities. We will ensure that the Explanatory Notes include such examples to assist the interpretation of what this provision means in practice.

However, any processing of personal data in connection with these activities would have to be necessary for the purpose and have a legal basis. That is why we can be clear that firms like Cambridge Analytica will not be able to claim public interest irrespective of whether Amendment 12 is agreed today. The amendment does not seek to create partisan advantage for any one side or to create new exemptions from the data protection legislation; it is intended to provide greater clarity and allow legitimate political activity to continue. The amendment is also technology neutral, given that in a short time we have moved from physical post to email, text, Twitter, Facebook, WhatsApp and Snapchat, and no doubt other means that I do not know about.

--- Later in debate ---
Lord Ashton of Hyde

My Lords, I am grateful to the noble Lords, Lord Clement-Jones and Lord Kennedy, for their positive remarks. There are a lot of amendments so, as I said before, I will try to concentrate on the substantive ones. There are a lot of consequential amendments, which make sure that the substantive amendments go through so that the Bill makes sense. I note that, having considered 692 amendments in your Lordships’ House, we are now considering a further 286; 978 amendments later, we should be in a better place.

Motion agreed.
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 29.

29: Clause 51, page 31, line 2, leave out from first “the” to end of line 3 and insert “restriction imposed by the controller was lawful;”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 30 to 50.

30: Clause 51, page 31, line 11, leave out from first “the” to end of line 12 and insert “restriction imposed by the controller was lawful;”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House agrees with the Commons in their Amendments 51 and 52.

51: Clause 119, page 65, line 29, at end insert—
“( ) Paragraphs (b) and (c) of section 3(14) do not apply to references in this section to personal data, the processing of personal data, a controller or a processor.”
52: Clause 120, page 66, line 21, at end insert—
“( ) Section 3(14)(b) does not apply to references to personal data and the processing of personal data in this section.”
Lord Ashton of Hyde

My Lords, this group of Commons amendments relates primarily to the enforcement powers available to the Information Commissioner. This is one area where, after the Bill originally left your Lordships’ House, events have influenced the Government’s thinking.

The Information Commissioner’s investigation into Cambridge Analytica is unprecedented in both its scale and its complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998, and the parliamentarians who scrutinised it, could envisage.

While recognising that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in light of the commissioner’s recent experience. Following extensive conversations with the commissioner and others, we concluded that such provision was indeed desirable. The amendments made in the other place would strengthen the commissioner’s ability to enforce the law while ensuring that she operates within a clear and accountable structure. I want to give five examples in particular.

First, Commons Amendment 64 would allow the commissioner to require any person who might have knowledge of suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or data processor. This could be important where, for example, a former employee had information about the organisation’s processing activities or if an organisation had gone into administration.

Secondly, Commons Amendment 70 would allow the commissioner to apply to the court for an order to force compliance where a person failed to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will now find themselves at risk of being in contempt of court if they do not comply.

Thirdly, Commons Amendments 67 and 87 would allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days the current law provides for. Amendment 79 would allow the commissioner in certain circumstances to issue an assessment notice that can have immediate effect. The amendments would allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities promptly and effectively. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.

Fourthly, Commons Amendment 81 criminalises the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence which has been identified as being relevant to the commissioner’s investigation.

Finally, we have also taken this opportunity to modernise the commissioner’s powers. Storing files on an office PC is rapidly becoming a thing of the past. Commons Amendment 210 would enable the commissioner to apply for a warrant to access material which can be viewed via computers on the premises but which is actually held elsewhere, such as in the cloud.

--- Later in debate ---
Lord Pannick (CB)

Building on the point about the limited time for scrutiny here, can the Minister also explain whether there is a protection for the sources of journalism, with no obligation to disclose sources? Is there a protection for legal professional privilege and matters of that sort?

Lord Ashton of Hyde

I am grateful for the contributions made by noble Lords. The first thing to acknowledge is that these amendments were made at a reasonably late stage in the Bill but not a very late stage, in the sense that it was in the second House. We considered the Bill first and the second House amended the Information Commissioner’s powers, so we are now looking at them again. However, I can confirm to the noble Lord, Lord Stevenson, that the Information Commissioner was involved in these powers. That is not to say that, in the course of those discussions, she did not put up some powers that she might like to have but, in discussion with the Government, we settled on some powers that she was content with. I can confirm that she is content with this suite of powers; in fact, she has written to the Minister for Digital confirming as such.

The noble Lord, Lord Clement-Jones, mentioned a dawn raid and asked whether we can do that and, further, whether these powers are on all fours with the Competition and Markets Authority and Ofcom. By and large the powers are on all fours but, as the noble Lord, Lord Stevenson, said, they are not exactly the same. They were modelled on them but they are slightly different, given the different roles and functions that regulators have. As for a dawn raid, the Information Commissioner has the power to ask for a warrant to be issued without notice if the judge is satisfied that giving the controller advance notice would not be appropriate. As I say, we looked closely at the powers of the CMA and Ofcom and modelled them as closely as possible.

The noble Lord, Lord Pannick, asked about protection for journalists’ sources. I can confirm that, yes, the new ICO powers continue to respect the need to protect journalistic sources and legal professional privilege.

The noble Lord, Lord Stevenson, also talked about the Information Commissioner’s resources. As he knows, we have increased the fees and made a commitment in the past that we will make sure that the Information Commissioner has the resources available to do her job properly. We understand the issues that that involves. We need the Information Commissioner to do a proper job and to be able to do so, not least because of the Brexit negotiations and the data adequacy requirements that we will want to continue for electronic commerce.

I think I have dealt with the points raised and, on that basis, I thank noble Lords for their support for these powers.

Motion on Amendments 51 and 52 agreed.
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 53.

53: Clause 121, leave out Clause 121
Lord Ashton of Hyde

My Lords, Commons Amendments 53 and 207 would remove from the Bill matters inserted by the noble Lord, Lord Mitchell, with the intention of protecting value in certain personal data held by the state. I am grateful to the noble Lord for again taking the time to come to see me to discuss further the intention of his original amendments to the Bill. He has been very helpful and we are in full agreement that this is an important matter. Our meeting also gave me the opportunity to explain the Government’s plans to address the issues that he raised going forward.

In this new digital information age, big data is changing the world we live in. One of the key reasons for updating our data protection laws was to ensure that the law is fit for this new age, where an ever increasing amount of personal data is being processed. We have remained conscious throughout the drafting of the Bill of the need to protect individuals’ data while also ensuring that the new law does not stifle innovation in the way that we use personal data. The Government recognise that novel ways of processing personal data could bring great technological, economic and societal benefits to the UK.

Longitudinal health and care data, in particular, has the power to fundamentally transform our lives in truly positive ways. The Government are taking a considered approach to the policy in this area in order to ensure that we get this right and fully realise the potential benefits of using health data, while ensuring that individual privacy is respected. We want to examine how we can maximise the value of the data for the benefit of the NHS and those who use and pay for it.

While we are entirely sympathetic to the aim of the noble Lord’s amendments, Commons Amendments 53 and 207 would reverse them because we firmly believe they do not help us achieve the outcome we are all seeking. A statutory code of practice risks stifling innovation, placing public authorities in a straitjacket. In an area where the thinking is still developing and the rate of technological advancement is increasing, flexibility is essential.

Moreover, maintaining a register of “data of national significance” is likely to raise a number of security concerns. The NHS has been the victim of cyberattacks and we do not want to produce a road map to assist those who want to harm us. The Information Commissioner’s Office has also stated, quite rightly,

“that even establishing and maintaining a register would still require the Commissioner to make decisions in an area where she is not best placed to advise”,

because her core function is to protect information rights.

While not developing a code and a register, the Government are none the less taking active steps to ensure we grip the issue that the noble Lord raises. We are working to connect to make the most of the distributed data that exists in the health service, identifying three to five local exemplars of integrated digital health and care records and using these to develop digital innovation hubs to support the use of data for research purposes, including in partnership with industry.

The Department of Health and Social Care is working to explore how to maximise the benefits of health and care data for patients and taxpayers. This includes exploring the different approaches taken by a range of bodies and lessons to be learned from local experiences of working with the private sector. It will look specifically at how best to capture value from products developed using NHS data.

Although Commons Amendments 53 and 207 may appear disappointing to the noble Lord, I can reassure the House that they are made with the best intentions, and that the Government are making every effort to address the concern in the right way. I beg to move.

Amendment 53A (as an amendment to the Motion on Amendment 53)

Moved by
--- Later in debate ---
Lord Ashton of Hyde

My Lords, I feel a lot of sympathy for the noble Lord, Lord Mitchell, and commend what he is trying to do. I think that I shall be able to reassure the noble Lord, Lord Clement-Jones, that we are not as far apart as he might think. The noble Lord, Lord Mitchell, raised with great enthusiasm the point that we should ensure as a country that we use our rich resources wisely. We share his excitement about the huge potential of big data to improve health and care. We acknowledge that, if we leverage these data to their full potential, that will have huge positive impact in improving care, giving people greater control, enabling the system to plan better and target support and treatments to those who can benefit, and it will transform our already world-leading life sciences industry.

Nevertheless, in the judgment not just of the DCMS but also the Department of Health and Social Care—I know that the noble Lord has been speaking to my noble friend Lord O’Shaughnessy on this subject—Amendment 53B risks undermining the work already being done in this space. NHS England, the Department of Health and Social Care and the Office for Life Sciences are already undertaking a programme of work that looks seriously at the public benefits that can be derived from NHS data. They are committed to working with representatives of the public and industry to explore how to maximise the benefits of health and care data for patients and taxpayers. In doing so, it is vital that service users and patients are involved every step of the way. They will accept and support the use of their health data only if they understand how and why their information is being used and how everyone will benefit. We must take the public with us on this journey, rather than imposing a code now.

My noble friend Lord O’Shaughnessy and his ministerial colleagues at the Department of Health and Social Care have made a written commitment to keeping the noble Lord, Lord Mitchell, involved in future discussions about this work. He will make a valuable contribution with his expertise in this matter, ensuring that we maximise the value in these datasets.

I want to answer straightaway and head-on the point about why the Government should not consider that we extract the full value of the taxpayers’ data. Of course, it is absolutely right that public sector bodies should be aware of the value of the data that they hold, but that value can be extracted in many ways, not solely through monetary means. For example, sharing health data with other companies that analyse that data may lead to a deeper understanding of diseases and potentially even to new cures. That is why we want to take some time to explore this important issue fully and try to find the most appropriate solution, should one be needed, rather than tying ourselves to one approach now. That was raised in the other place when this issue was discussed by amendments from people who are very concerned about how health data are being treated. As I said before, we have to be very careful, particularly when talking about health data, how we use datasets when people have given their information on the basis that it is anonymous and is extremely sensitive.

The noble Lord, Lord Freyberg, rightly broadened the issue a bit from just health data. He asked how much data we are commercialising, at home and abroad, and to whom. He suggested that bodies other than central government should take charge of a process for measuring and tracking these flows of significant data. The noble Lord, Lord Clement-Jones, mentioned the Centre for Data Ethics and Innovation. A body exactly such as that can, in this very fast-moving area, consider the balance between the need to protect an individual’s anonymity and the sensitivity of their data, and that data’s monetary value and use for things such as curing disease.

The noble Baroness, Lady Jones, made some interesting remarks about how information would be abused by the Government and the broad powers we have taken in the Bill. I remind her that the GDPR, which takes effect directly on 25 May, is exactly about protecting data subjects’ rights. For example, it allows data subjects the rights of rectification and erasure. The point about subject access rights is to allow individuals to have more protection than they currently do. The Bill brings some of those rights and extends them into areas which are not even covered by EU competence. I do not agree with the noble Baroness that we are abusing the powers.

Lord Framlingham (Con)

I apologise for interrupting the Minister. I have not been in the House long, so have not heard the whole debate, but I was listening to a programme about this subject at lunchtime today. The impression was clearly given that lives were being put at risk because of oversensitivity about the sharing of data. Perhaps the Minister will get his advisers to check what was said on that programme and see how much sense it made.

Lord Ashton of Hyde

I will find out what was said. We should deal with what the GDPR calls special categories of data very sensitively. We should take data on health, sexual orientation, ethnicity and things like that very seriously. That is what the GDPR does and we will continue to do it under the Bill.

Finally, I return to the Commons amendments. I am afraid we still cannot support Amendments 53A and 53B as, at the moment, we believe that they are fundamentally the wrong solution. However, I hope that the productive discussions, to which the noble Lord, Lord Mitchell, referred, along with what I have said today, have convinced the noble Lord that our vision is aligned and that he finds sufficient reassurance in these words, and the written assurances that he has had from my noble friend Lord O’Shaughnessy, to be able to withdraw his amendment.

Lord Mitchell

I thank the noble Lord for his very helpful comments. I also thank my noble friend Lord Freyberg, who has been with me all the way on this and given me huge support, and the noble Baroness, Lady Jones, for her comments. On the Front Benches, the noble Lord, Lord Clement-Jones, has always been a supporter and, at this particular point, the noble Lord, Lord Stevenson, has guided me through the intricacies of ping-pong, which I was not aware of.

I have heard what the Minister has said, and have received a letter from the noble Lord, Lord O’Shaughnessy. It is the end of the football season. We are now in extra time; we are still at a draw and could be facing penalty shoot-outs, but I am going to decline that. I beg leave to withdraw the amendment.

--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 54.

54: Clause 124, page 68, line 24, leave out “with the day on which” and insert “when”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 56 to 61.

56: Clause 125, page 69, line 2, leave out “or 124” and insert “, 124 or (Data protection and journalism code)”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 62.

62: Clause 142, leave out Clause 142
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 63 to 114.

63: Clause 143, page 77, line 37, after “notice”)” insert “— (a) ”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 115.

115: Clause 183, page 105, line 42, leave out “80” and insert “80(1)”
Lord Ashton of Hyde

My Lords, the main amendments in this group relate to the representation of data subjects by not-for-profit bodies. Last time we discussed this matter, the question before us was whether those bodies should have to seek the mandate—that is, the consent—of data subjects before pursuing claims on their behalf.

As I said then,

“the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of”—

Clause 183—

“as it is currently drafted. The Government are fully prepared to look again at the issue”,

of representation without prior mandate in the context of that review.

“We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions”.—[Official Report, 10/1/18; col. 287.]


Commons Amendments 122 and 123 duly deliver on that promise, while Commons Amendment 121 allows the Secretary of State to make regulations to ensure that, where a not-for-profit seeks to represent a large number of data subjects in court proceedings, it can file one claim and not hundreds.

I am grateful to the noble Baroness, Lady Kidron, for her continued engagement on this subject. She and I are in total agreement that children merit specific protection in relation to their personal data, and that the review should look accordingly at the specific barriers young people face in exercising their rights. Therefore, Commons Amendment 122 makes provision for that in subsections (4), (5) and (6) of the proposed new clause. Of course, as some noble Lords have mentioned previously, such provision is not to the exclusion of other vulnerable groups in our society, and the Government fully expect that review to consider their position, too.

Commons Amendment 126 would allow Her Majesty’s Revenue & Customs to share contact detail information with the Ministry of Defence to ensure that the Ministry of Defence is better able to locate and contact members of the ex-regular reserve. The amendment does not alter the liability for ex-regular reserves, nor does it affect the rules regarding the call-out or recall of ex-regular reserves; it is simply about being better able to contact them. The security of the United Kingdom is the primary responsibility of government. Commons Amendment 126 offers us the opportunity to strengthen that security.

Finally, Commons Amendment 282 would insert a schedule making transitional, transitory and saving provision in connection with the coming into force of the Bill, including provision about subject access requests, the Information Commissioner’s enforcement powers and national security certificates. This comprehensive new schedule, running to some 19 pages, is designed to ensure a seamless shift between the 1998 Act and the new data protection law we are scrutinising today. I beg to move.

Baroness Kidron (CB)

I thank the Government for listening, the Bill team, the Secretary of State and the Minister, Margot James. The point is that rights are only as good as one’s ability to enact them, so I really welcome the review and I thank all concerned for the very great care and detail with which they have laid it out in the Bill.

--- Later in debate ---
Lord Ashton of Hyde

My Lords, I am very grateful for the contribution of all noble Lords on this, especially the noble Baroness, Lady Kidron. It is very nice to be in her good books.

The noble Lord, Lord Clement-Jones, talked about the age-appropriate design code and when the Information Commissioner will get going. As he rightly said, the Bill has not come into force yet; nevertheless, we understand that the Information Commissioner is already setting the wheels in motion for a comprehensive age-appropriate design code and will launch a call for evidence imminently. During that process she will be seeking evidence and views on the content of the code in line with the points raised in the debate in this House and elsewhere. So I confirm what he suggested was the case; indeed, work is already being done.

The noble Lord, Lord Stevenson, mentioned the focus of the code. In mentioning vulnerable people I was trying to bring him back to some of the points I think he made: I did not want anyone to get the impression that we were concentrating just on children—albeit they are very important—and their particular rights under the code. It will include vulnerable people, but also the way that it operates in general. Although children rightly have a special mention, we are also concerned with people who may have particular problems and may be vulnerable. I think this should exactly satisfy some of the things the noble Lord mentioned in previous debates.

As for the Ministry of Defence, it does try to keep in touch. In fact, it is a duty of an ex-regular reservist to keep the MoD in touch with their whereabouts. Some 49%, I believe, do not do so: we want to use this information to keep in touch with the reserve for the security of the country and that is why we are doing this. I also point out that there are protections: the commissioners of the Inland Revenue have to give permission before information is disclosed to anyone else or elsewhere.

Motion on Amendment 115 agreed.
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 116 to 152.

116: Clause 183, page 105, line 44, leave out “certain rights” and insert “the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy)”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 153.

153: Schedule 1, page 123, line 21, at beginning insert “Except as otherwise provided,”
Lord Ashton of Hyde

My Lords, this group of amendments covers issues that will be familiar to many noble Lords, as it primarily addresses concerns and issues raised in this House last autumn. The Government have remained committed to listening and to improving the Bill. I owe thanks to many noble Lords who brought these issues to our attention.

Commons Amendment 155 would help businesses and other organisations ensure that their boardrooms and senior management levels are truly representative of the workforces they manage and the communities they serve. In November 2016, Sir John Parker published a report which showed that while 14% of the population identified as black, Asian or minority ethnic, only 1.5% of directors in FTSE 100 boardrooms are UK citizens from a minority background. More than half of the FTSE 100 boards are exclusively white. While significant progress has been made in recent years to improve the gender balance in the boardrooms of such companies, the severe underrepresentation of people from minority backgrounds needs to be addressed.

Sir John’s report included a series of recommendations to improve racial and ethnic diversity in the boardroom. He encouraged companies to make better use of executive search firms to identify potential candidates and invite them to be interviewed for managerial vacancies. This amendment would therefore add a new processing condition to Schedule 1 to allow organisations to process personal data about potential candidates’ racial or ethnic origin in identifying suitable candidates for potential managerial positions.

Previously when we discussed the Bill in this House, Thomson Reuters provided a very helpful briefing note setting out how it compiles reports on persons suspected of terrorism, bribery, money laundering, modern slavery and other illegal activities. It then shares this information with the banks to help them avoid engaging with such people and allow them to comply with their regulatory obligations and other internationally recognised guidelines. In response to support for the proposal on all sides, the Government committed to work with Thomson Reuters to bring forward amendments at a later stage of the Bill’s passage. Commons Amendment 158 is the culmination of this work.

I am also pleased to introduce Commons Amendment 160, which would provide for processing by patient support groups, a concern well put by my noble friend Lady Neville-Jones. She spoke movingly on behalf of the patient support group Unique, which manages a register of patients suffering from very rare and sometimes life-limiting chromosomal disorders. Amendment 160 would add a new processing condition to Schedule 1 to provide Unique and groups like it with the legal certainty required for their vital work to continue. I am most grateful to her for her advocacy.

Commons Amendments 162 and 163 relate to data processing for safeguarding purposes. These amendments respond to one tabled on the same issue by the noble Lord, Lord Stevenson, on Report in December. In response to that amendment, I made it clear that the Government were sympathetic to the points raised. These amendments would ensure that sensitive data could be processed without consent in certain circumstances for legitimate safeguarding activities which are in the substantial public interest. The unfortunate reality is that there still exists a great deal of uncertainty under current law about which personal data can be processed for safeguarding purposes. This has resulted, for example, in some organisations withholding information from the police and other law enforcement agencies for fear of breaching data protection law. With these amendments, the Government intend to address this uncertainty by providing relevant organisations with a specific processing condition for processing the most sensitive personal data for safeguarding purposes.

Similarly, a number of other amendments in this group would extend necessary exemptions to certain regulators to ensure that data subjects cannot use data protection laws to undermine their regulatory work. Commons Amendment 178 would provide the Comptroller and Auditor-General of the United Kingdom, and his counterpart in each of the devolved nations, with an exemption from certain provisions of the GDPR where these would be likely to prejudice his statutory functions. Likewise, Amendment 179 would provide an exemption for the Bank of England from the listed GDPR provisions where these could inhibit its ability to exercise its functions. Amendment 183 would provide an exemption for the Scottish Information Commissioner, who regulates freedom of information rather than data protection. Amendment 185 would protect the work of the Financial Conduct Authority and the Prudential Regulation Authority. Amendment 186 would extend the exemptions in Schedule 2 to the Charity Commission’s functions under the Charities Acts of 1992, 2006 and 2011.

The remaining amendments in this group would address more technical issues, ensuring consistency across the Bill. I beg to move.

Baroness Neville-Jones (Con)

My Lords, I thank my noble friend the Minister for the Government having carried these provisions in the Commons. More importantly, the patient support groups for which I spoke are very gratified because they regard these amendments as absolutely vital to their ability to carry on their important work. If I might say so, it is a very satisfactory outcome.

--- Later in debate ---
Lord Ashton of Hyde

My Lords, I am grateful for all those comments. It is nice that in the last group I will handle on it—touch wood—I leave the Bill in a glow of good will. I am particularly pleased that I can agree with the noble Lord, Lord McNally, and that we have been able to respond to some of the concerns and points raised in this House. In many ways, the Bill has been an object lesson of discussion on a very technical Bill. We have made progress. I certainly acknowledge and am very grateful for the support and co-operation I have had from both opposition Front Benches.

Lord McNally

As a little footnote, which might give encouragement to others, I first raised the Thomson Reuters matter because it sponsored a conference at the Guildhall well over a year ago about the coming of the GDPR. I went along to find out about it. I and the other Benches raised this from that. It has now ended up in the Bill. It is an encouragement to companies that sometimes think that legislation is a mysterious place that, by taking a little bit of effort to put the case and extend it, they can have real influence.

Lord Ashton of Hyde

I am grateful to the noble Lord. That brings me nicely to the point made by the noble Lord, Lord Pannick, about arbitrators. The noble Lords, Lord Clement-Jones and Lord Stevenson, mentioned the importance of arbitration to the economy of this country. I am only too well aware of it from my background in insurance. London has a very well-respected legal system, but the arbitration system is linked to that. We certainly would not wish in any way to hinder it. Contrary to what the noble Lord, Lord McNally, did, the people who brought this up seemed to do so at the last minute. I slightly wonder how they managed to miss this trick, if it is so obvious, for the two years that the GDPR has been in place, let alone—

Lord Pannick

Could I suggest to the noble Lord that they were too busy arbitrating?

Lord Ashton of Hyde

They should have hired a lawyer. The point is that it is a perfectly valid point. We have sought to replicate in the Bill, as far as possible, the existing provisions relating to legal professional privilege. We had several discussions about that in the 1998 Act, including the relevant exemptions to rights and obligations for personal data. I cannot help but notice that the Arbitration and Mediation Service, given that we are trying to replicate as far as possible existing provisions, appears to have been operating without undue burden for the last 20 years, but I am certainly prepared to undertake to the noble Lord, Lord Pannick, that we will look at that with a view to making sure that this is not a serious problem. We certainly have not been able to do it in time. I can confirm to him that, if there is a problem, the Bill contains regulation-making powers to address this concern. The only thing I can say on that is that, quite rightly, those regulations would have to come before both Houses of Parliament. If there is a concern he will be able to address it later.

The noble Lord, Lord Stevenson, is quite correct that we talked about me making a statement or addressing concerns about the individual application of the GDPR and the Bill to Peers. I assumed I would do so if it was necessary and if the subject came up, which, luckily, it has not. Just to be clear, it is not just that Peers and other citizens of this country are suffering under the GDPR, although they might have obligations that they were not aware of before and, I agree, certain extra ones because the GDPR has direct effect; it also greatly increases individual subject rights. It makes sure that individuals’ personal data, in particular sensitive personal data, is better protected in law and by a regulator, who, thanks to your Lordships’ agreement, has real power to make sure that the data regime is obeyed. I believe that the House authorities have issued a statement to all Peers. Of course, my department is there to address this. The first avenue that Peers should use for the individual circumstances is the House authorities.

Baroness Neville-Rolfe (Con)

Can I press my noble friend a little further on the issue of what individual Peers and Members of Parliament should do? There was an earlier discussion on whether some arrangements might be made so that data protection rules can be followed but the burden would not be unreasonable. I also take this opportunity to thank my noble friend for these many amendments which are grouped together, on diversity through to financial services. It has been a model of good working.

Lord Ashton of Hyde

I am grateful for that. When my noble friend spoke of pushing me further, I am not completely clear what she wants me to do. It is not right for me to opine on individual cases. I think we are talking about Peers in their roles as Peers. Each individual Peer has to discuss that in the light of their individual circumstances. All I would say is that if noble Lords are dealing with special categories of data and personal data, they will have to be aware of the obligations put on them by the Bill and the GDPR. The House authorities are there to advise, as is the Information Commissioner. They will have to do so. In my case, for example, I do not anticipate that in what I do as a Peer, as opposed to a Minister, I would have to pay a fee as a controller, if that helps.

Motion agreed.
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 154 to 173.

154: Schedule 1, page 124, line 24, leave out from “subject” to end of line 25
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendment 175.

175: Schedule 2, page 137, line 11, at end insert “and, subject to sub-paragraph (2)(vii) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)”
--- Later in debate ---
Moved by
Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 176 to 282.

176: Schedule 2, page 138, line 15, at end insert—
“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”