All 14 Lord Clement-Jones contributions to the Data Protection Act 2018

Read Bill Ministerial Extracts

Mon 30th Oct 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 1st sitting (Hansard): House of Lords
Mon 30th Oct 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 1st sitting (Hansard - continued): House of Lords
Mon 6th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 2nd sitting (Hansard - continued): House of Lords
Mon 13th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 3rd sitting (Hansard): House of Lords
Mon 13th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 3rd sitting (Hansard - continued): House of Lords
Mon 20th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 5th sitting (Hansard): House of Lords
Wed 22nd Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 6th sitting (Hansard): House of Lords
Mon 11th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 1st sitting: House of Lords
Mon 11th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report stage (Hansard - continued): House of Lords
Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard): House of Lords
Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard - continued): House of Lords
Wed 10th Jan 2018
Data Protection Bill [HL]
Lords Chamber

Report: 3rd sitting Hansard: House of Lords
Wed 10th Jan 2018
Data Protection Bill [HL]
Lords Chamber

Report: 3rd sitting (Hansard - continued): House of Lords
Wed 17th Jan 2018
Data Protection Bill [HL]
Lords Chamber

3rd reading (Hansard): House of Lords & Report: 2nd sitting (Hansard): House of Lords

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I remind the Committee that this is an intensely practical issue. We have managed to lure many of our learned noble Lords from their chambers today—so clearly it has been a fairly expensive afternoon. I am only a humble solicitor and I tend to focus on what is practical and necessary for those whom we advise. The fundamental basis of these amendments is the concern in many sectors—manufacturing, retail, health, information technology and financial services in particular—that the free flow of data between ourselves and the EU continues post Brexit with minimum disruption. With an increasingly digital economy, this is critical for international trade.

We have been briefed by techUK, TheCityUK, the ABI, our own Lords EU affairs sub-committee, and the UK Information Commissioner herself. They have persuasively argued that we need to ensure that our data protection legislation is ruled as adequate for the purposes of permitting cross-border data flow into and out of the EU post Brexit. The first question that arises is: will the Government, even before any transition period, start the process needed to obtain an adequacy decision from the EU before we arrive at the status of a third country for EU data adequacy purposes?

However, as the Committee has heard today, if an adequacy ruling is to be sought, a major obstacle has been erected by the Government themselves in the European Union (Withdrawal) Bill, which makes it clear that the European Charter of Fundamental Rights will not become part of UK law as part of the replication process. Many noble Lords have spoken of their fears about the interaction with Article 8 of the charter, yet this article, relating to the protection of personal data, underpins the GDPR. How will we secure adequacy without adhering to the charter? Will the Government separately state that they will adhere to Article 8? We are not trying today to confer “special status”, in the words of the noble Lord, Lord Faulks, on Article 8. The wording of the amendment reflects Article 8, but it is designed to create certainty, post Brexit, for the sectors of business which I mentioned earlier.

Let us not forget that the EU Select Committee heard from witnesses who highlighted the ongoing role of the European Court of Justice and the continued relevance of the Charter of Fundamental Rights in relation to adequacy decisions. The amendment is not frivolous: it is essential to underpin an adequacy decision by the EU post Brexit. Does the House really want to put that decision at risk? I am sure that it does not. Whether now or in the future, we need to pass this kind of amendment. I look forward to hearing what the Minister has to say, which will determine whether or not the House divides.

Lord Brown of Eaton-under-Heywood Portrait Lord Brown of Eaton-under-Heywood (CB)
- Hansard - - - Excerpts

My Lords, when I came into the Chamber, I had not the faintest intention of speaking in this debate. I do so, above all, for one reason: not because I am opposed to the amendment, although I am, very substantially, for the reasons given by the noble Lord, Lord Pannick. I do so because, in my experience, it is very unusual nowadays to vote at the outset of Committee stage on so fundamental a question as that raised by the amendment. It is surely yet more unusual—spectacularly so—to do so on a manuscript amendment filed this morning, which none of us has had sufficient time to deal with, on a very tricky area of the law, which so fundamentally alters the original amendment. As we have heard, that amendment was completely hopeless. The noble Lord, Lord Lester, described it as “constitutionally illiterate”. At least this one tries to introduce the concept of a balanced right which previously was missing.

It is true that I come from a different tradition where you do not vote on anything or decide anything unless you have heard the arguments. I rather gather that there may be a whipped vote on the other side, so the amendment is going to be voted on by noble Lords who have not heard the arguments of the noble Lords, Lord Pannick, Lord Faulks and Lord Lester, and who do not recognise the difficulties and the fundamental importance of this amendment. I seriously urge that it is not pressed to a Division today.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, that provokes me to add something. I am not entirely clear whether we are talking about something that is too narrow within the GDPR, or whether it is a lack of a suitably wide derogation on the part of the Government as part of the Bill. For all the reasons that the two noble Lords have mentioned, it seems extraordinary that the beneficial activities that they are discussing are not included as exemptions, whether explicitly or implicitly. It may be that the Minister can give us greater comfort on that, but I am not clear what is giving rise to the problems. As we heard in earlier groupings, I am a fan of having something more explicit, if anything, in the Bill, which is particular perhaps to medical research and other forms of research in that sort of area. But it is not clear whether that is going to be permissible under the GDPR or whether the Government can actually derogate from it in those circumstances.

Lord Patel Portrait Lord Patel
- Hansard - - - Excerpts

I shall respond to some of the points raised. First, on the research ethics committee, we established through legislation—and I remember the debates that we had—a national Research Ethics Committee to deal with all applications for biomedical research, but particularly research involving patient data and transfer of data. If I as a clinician want to do a trial, I have to apply to that committee with a full protocol as to what consent procedures and actual research there will be, and what will be the closing time of that consent. If I subsequently found the information that I had could lead to further research, or that the research that I had carried out had suddenly thrown up a next phase of research, I would have to go back to the committee and it would have to say, “Yes, that’s part of the original consent, which is satisfactory to progress with the further research”. It is a robust, nationally driven, independently chaired national ethics committee, apart from the local ethics committee that each trust will run. So the national ethics committee is the guardian.

Furthermore, there is a separate ethics committee for the 500,000 genomes project, run by the Wellcome Trust and other researchers; it is specifically for that project, for the consent issues that it obtains, the information given at the time when the subject gives the consent and how the data can be used in future. The genomes project aims to sequence all the 500,000 genomes, and to link that genome sequence data with the lifestyles that people had and diseases that they developed to identify the genes that we can subsequently use for future diagnosis and treatment—and to develop diagnostic tests that will provide early diagnosis of cancers, for instance. The future is in the diagnostic tests. Eventually we will find them for diseases which have not developed but which have a likelihood of developing. Those diagnostic tests will identify the early expression of a protein from a gene and then find a treatment to suppress that expression well before the diseases develop, rather than waiting until the cancer develops and then treating it.

All this is based on the data originally collected. At this stage, it is impossible to know where that research will lead—that is the history—apart from the clinical trials which are much more specific and you get consent for them. I realise that there is a limit to how much the text of the Bill can deviate from the GDPR, unless it is dealing with specific issues which the GDPR permits member states to provide derogations for. I realise that, post exit, the UK will need an adequacy agreement and some equivalent, neutral recognition of data protection regimes between the UK and the EU. We need that for the transfer of data. For instance, the noble Baroness, Lady Neville-Jones, has talked about extremely rare diseases, which require the exchange of data across many countries because their incidence is low and no one country could possibly have enough information on that group of patients.

The research exemption does not undermine agreement on Clause 7—which is what the noble Lord, Lord Clement-Jones, was leading up to when he asked about the ethics committee. The noble Baroness, Lady Neville-Rolfe, suggested that medical research should be possible through the research exemption, but that has to be wide enough yet not specific enough to encompass wider exemptions. I hope that the Minister will come up with that trick in an amendment which he might bring forward. It will not be restrictive, yet protect the patient’s personal interest.

There is a research exemption for processing specific categories of data, including health data. The legal basis for this is through article 9 of the GDPR, referred to in Part 1 of Schedule 1 to the Bill. However, all processing of personal data also needs an article 6 legal basis: research is not exempt from needing this. I am arguing today that research needs that exemption, defined in wide enough terms. For processing special categories, you need both an article 6 and an article 9 legal basis. We need to have provision for both in the Bill. One of the article 6 legal bases is consent and I have explained why this is not suitable for much research. The other feasible route for universities and other public bodies processing personal data for research is public interest. This is why it is so important to be clear on what processes can use this legal basis.

There was serious concern about the likely impact of the GDPR on research as it was being drafted. However, this was successfully resolved and it provides the necessary flexibility for the UK to create a data protection regime that is supportive of research in the public interest. The Government, and other UK organisations, worked hard to make sure that this was the case. The provision is there: it is now for the Government to act on it. It is also important to seek an adequacy agreement post Brexit: we will have to have one. It will be vital to consider the need to retain, post Brexit, cross-border transfers of data for research. I give the same example of rare diseases as the noble Baroness, Lady Neville-Jones, used. The Government have recognised the value of retaining a data protection regime consistent with the EU, but the research community would welcome knowing whether it will seek a status of adequacy as a third country or an equivalent agreement.

The plea I make is that unless we include a provision, and there are exemptions which can be written in the Bill in the format that is required, we will not be able to carry out much of the research. A question was asked about the life sciences industrial strategy. It is the key pillar of the Government’s industrial strategy Green Paper. It relies on data that the NHS collects and the data that the science community collects and marrying up the two to produce, and lead the world in, treatments and developing technologies. If we are not able to do this, the whole thing will be unworkable.

--- Later in debate ---
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, the Minister gave the impression that medical research of the type described by the noble Lord, Lord Patel, was encompassed, or allowable, by the GDPR. Can he give chapter and verse on where in the mixture of article 6 and article 9 that occurs? That would be extremely helpful. I understand that obviously the Minister was also agreeing to look further in case those articles did not cover the situation, but it would be good to know which articles he is referring to.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I re-emphasise to the noble Lord that we think these tasks are in the public interest. However, I understand his desire for even more clarity than that. It would be sensible if I wrote to him and to other noble Lords taking part in the debate. I want to make sure that I get the legal basis right rather than just doing it on the hoof, so I agree to write to him and to all noble Lords who have spoken tonight. Again, as I say, we will work towards what I hope will be a more acceptable solution for everyone. Fundamentally, we do not want to impede medical research that is for the public good.

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Scotland Office

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Lord Keen of Elie Portrait The Advocate-General for Scotland (Lord Keen of Elie) (Con)
- Hansard - - - Excerpts

My Lords, of course, we appreciate the contributions from all sides of the Committee on this issue, but let us be clear: this Bill is about data protection—it is not about press regulation. It is not about distinguishing between journalists, nor between the regulators they may or may not belong to.

The Government are committed to defending not only hard-won liberties but the operation of a free press. That is a fundamental principle of any liberal democracy. This Bill seeks to preserve the balance found in the 1998 Act, where journalists can process personal and special categories of personal data, but only when their processing is in the public interest and the substantial public interest respectively. The Bill also seeks to ensure that journalists are exempt from compliance with certain data protection requirements where to do so would undermine the operation of a free press, a key part of a strong and effective democracy where Governments are held to account and corruption and criminal behaviour can be challenged. No one seeks to condone the past misbehaviour of individual media organisations, nor to legitimise it.

Amendment 42 is moved by the noble Lord, Lord Stevenson. As we discussed last week in reference to Part 2 of Schedule 1, there is an exhaustive list of the types of processing which could be in the substantial public interest. When the Government consider that processing of a particular type will not always be in the substantial public interest, the Bill makes it a requirement that the data controller satisfies himself that any particular instance of processing is in the substantial public interest. Amendment 42 concerns the condition allowing journalists to process data in connection with unlawful acts and dishonesty, as dealt with in paragraph 10. The Bill, however, needs to balance freedom of expression with privacy and it may be that in some cases an act of dishonesty is not important enough and does not engage the substantial public interest to the extent that it justifies the processing of sensitive data by journalists. That is why the distinction is made.

To pick up on a point made by the noble Lord, Lord Stevenson, about continuity of arrangements in the 1998 Act, this processing condition is the same as that which currently appears under the existing Data Protection Act. It would appear that journalists have been dealing with that effectively and making the appropriate judgments for the last 20 years. I hope that that goes some way to explaining why we resist Amendment 42.

On Amendment 87B, I reassure the noble Lord that the specific inclusion of “photographic material” in paragraph 24(2)(a) of the schedule is unnecessary. This is because photographic material is likely to fall within one or more of the categories listed in that paragraph—for example, journalistic material or artistic material. We suggest that there is no requirement for express reference to photographic material. As for the point that was raised with the noble Lord by the NUJ, I think, about the use, the test is,

“with a view to publication”.

As long as that test is met, it does not necessarily follow that there must have been publication in order to legitimise the material in question. The position would, of course, be radically different if one had regard to one of the amendments moved by the noble Baroness, Lady Hollins.

Amendment 87E would remove the list of codes and guidelines in paragraph 24 of Schedule 2 that help controllers assess whether a publication would be in the public interest for data protection purposes and would replace it, as I understand it, with the term “appropriate codes”. I confess that I am a lawyer, to respond to a point made by the noble Lord, Lord McNally, or at least it is alleged that I am. That would certainly make it more difficult, as a matter for interpretation, for both publishers and the Information Commissioner to evaluate whether the publication of an individual’s personal data was in the public interest. Indeed, rather than the clarity of a list, one could instead be faced with years of potential litigation before an adequate body of case law was in place to establish what was appropriate. That is why we suggest it is appropriate that there should be a specific list, as reflected in the current legislation, the 1998 Act.

Amendments 88 and 89A concern the specific industry codes listed in the Bill. I start by saying that the codes currently listed in the Bill reflect those that are listed in the existing legislation. The editors’ code listed in the Bill—now enforced by IPSO rather than the Press Complaints Commission, I acknowledge —is one of these, and the Information Commissioner has already reflected this change in her current guidance on Section 32 of the existing Act. That follows from the Data Protection (Designated Codes of Practice) (No. 2) Order 2000, which set out the various codes of practice and included the editors’ code of practice. While there is a suggestion that the editors’ code of practice might change, in the light of any such change the Information Commissioner’s view and guidance as to the applicability of that code may also change. So it is not as if it is entirely without control.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

The Minister said that it could change, but the word IPSO is actually in the Bill, so I do not quite understand the point that the Minister has just made.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Committee: 3rd sitting (Hansard): House of Lords
Monday 13th November 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Fowler Portrait The Lord Speaker (Lord Fowler)
- Hansard - - - Excerpts

I should notify the Committee that if Amendment 45B is agreed, I cannot call Amendments 46 to 50A by reason of pre-emption.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, the noble Earl, Lord Kinnoull, has clearly and knowledgeably introduced the amendment, which I strongly support. He made clear through his case studies the Bill’s potential impact on the insurance industry, and I very much hope that the Minister has taken them to heart. Processing special category data, including health data, is fundamental to calculating levels of risk, as the noble Earl explained, and to underwriting most retail insurance products. Such data is also needed for the administration of insurance policies, particularly claims handling.

The insurance industry has made the convincing case that if the implementation of the Bill does not provide a workable basis for insurers to process that data, it will interrupt the provision to UK consumers of retail insurance products such as health, life and travel insurance, and especially products with health-related consumer benefits, such as enhanced annuities. The noble Earl mentioned a number of impacts, but estimates suggest that, in the motor market alone, if this issue is not resolved, it could impact on about 27 million policies and see premiums rise by about 3% to 5%.

There is a need to process criminal conviction data for the purposes of underwriting insurance in, for instance, the motor insurance market. Insurers need to process data to assess risk and set the prices and terms for mainstream products such as motor, health and travel insurance.

The key issue of concern is that new GDPR standards for consent for special category data, including health, such as the right to withdraw consent without experiencing detriment, are incompatible with the uninterrupted provision of these products. As the noble Earl, Lord Kinnoull, has clearly stated, there is scope for a UK derogation represented by these amendments, which would be in the public interest, to allow processing of criminal conviction and special category data when it is necessary for arranging, underwriting and administering insurance and reinsurance policies and insurance and reinsurance policy claims. I very much hope that the Minister will take those arguments on board.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, the noble Earl, Lord Kinnoull, has done us a great favour in introducing with great skill these amendments, which get to the heart of problems with some of the language used in the Bill. We are grateful to him for going through and picking out the choices that were before the Government and the way their particular choices seem to roll back some of the advances made in the insurance industry in recent years. I look forward to the Minister’s response.

Our probing Amendment 47 in this group is on a slightly higher level. It is not quite as detailed—nor was it intended to be—as the one moved by the noble Earl. We were hoping to raise a more general question, to which I hope the Minister will be able to respond. Our concern, which meets the concerns raised by the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, is where the Government want to get to on this. It must be true that insurance is one of the key problems facing many people in our country. It is the topic that will be discussed in the QSD in today’s dinner break as it bears heavily on financial inclusion issues. So many people in this country do not take out insurance, personal or otherwise, and suffer as a result. We have to be very careful as we take this forward as a social issue.

However, an open-ended derogation to allow those who wish to gather information to make a better insurance market surely also raises risks. If we are talking about highly personal profiling—we may not be because there are constraints in the noble Earl’s amendment—it would lead to a more efficient and cheaper insurance industry, but at what personal cost? For instance, if it is possible to pick up data from those who perhaps unadvisedly put on Facebook or Twitter how many times they get drunk—I am sure that is not unusual, particularly among the younger generation—information could be gathered for a profile that ought to be taken into account for their life, health or car insurance. I am not sure that we would be very happy with that.

Underlying our probing amendment is to ask the Minister to respond—it may be possible by letter rather than today—on protections the Government have in mind. What sort of stock points are there that we can rely on as we move forward in this area? As processing becomes more powerful and more data is available, pooled risks are beginning to look a little old-fashioned. The old traditional model under which insurance is gathered is that the more the pool is expanded, the risks are spread out more appropriately across everybody. The trouble is that the more we know, we will be including people who are perhaps more reckless and therefore skewing the pooling arrangements. We have to be careful about that.

There is obviously a social objective in having a more efficient and effective insurance market but this ought to be counterbalanced to make sure that those people who are vulnerable are not excluded or uninsurable as a result. The state could step in, obviously, and has done so, as we have been reminded already in our Committee discussions about the difficulty of getting insurance for those who build on flood plains. However that is not the point here. This is about general insurance across the range of current market opportunities being affected by the fact that we are not ensuring that the data gathered is both proportionate and correct in terms of what it provides for the individual data subjects concerned.

--- Later in debate ---
Lord Ashton of Hyde Portrait The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
- Hansard - - - Excerpts

My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.

The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.

Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.

Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.

These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.

Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.

I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I am sorry to interrupt. The Minister mentioned the guidance from the Information Commissioner. From what he said, I assume he knows that the insurance industry does not believe that the guidance is sufficient; it is inadequate for its purposes. Is he saying that a discussion is taking place on how that guidance might be changed to meet the purposes of the insurance industry? If it cannot be changed, will he therefore consider amendments on Report?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I am sorry to interrupt the Minister again but he is dealing with important concepts. Right at the beginning of his speech he said he did not think this could be covered by the substantial public interest test. Surely the continuance of insurance in all those different areas, not just for small businesses but for the consumer, and right across the board in the retail market, is of substantial public interest. I do not quite understand why it does not meet that test.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.

We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I am sure that the noble Earl, Lord Kinnoull, will come back at greater length on this. The issue that the Minister has outlined is difficult, partly because the Information Commissioner plays and will play such an important role in the interpretation of the Bill. When the Government consider the next steps and whether to table their own amendments or accept other amendments on Report, will they bring the Information Commissioner or her representative into the room? It seems that the guidance and the interaction of the guidance with the Bill—and, eventually, with the Act—will be of extreme importance.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.

--- Later in debate ---
Countess of Mar Portrait The Deputy Chairman of Committees (The Countess of Mar) (CB)
- Hansard - - - Excerpts

My Lords, if this amendment is agreed to, I cannot call Amendments 58 to 62 because of pre-emption.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I must say how delighted I am that on this occasion we had the noble Lord advocating his own amendment. I was nearly in the hot seat last week, but we have just avoided it. I was delighted at his powerful advocacy because of course the noble Lord is extraordinarily well informed on all matters to do with sport, and this goes to the heart of sport in terms of preventing cheats who prevent the rest of us enjoying what should be clean sport, however that may be defined. All I have to do is pick out one or two of the elements of what the noble Lord said in my supportive comments.

There is the fact that neither “doping” nor “sport” is defined in the Bill, as the noble Lord pointed out. There is no definition of the bodies to be covered by paragraph 21, which is extremely important. He also made an extraordinarily important point about UKAD. Naming UKAD in the Bill, as the amendment seeks to do, would add to its authority and allow it to carry out all the various functions that he outlined in his speech. If it is necessary to add other bodies, as he suggested, that should of course be considered.

The noble Lord’s reference to performance-enhancing substances, which again are mentioned in the amendment and included in the World Anti-Doping Code, ties the Bill together with that code and was very important as well. Finally, the point that he made about gender and the substances used in connection with gender change was bang up to the minute. That, too, must be covered by provisions such as this. So if the Minister is not already discussing these issues with the noble Lord, Lord Moynihan, I very much hope that he is about to and will certainly do so before Report.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, once again your Lordships’ House is very grateful to the noble Lord, Lord Moynihan, for raising this issue and, as the noble Lord, Lord Clement-Jones, said, for doing so in such a comprehensive way. It is in the context of the much wider range of issues that the noble Lord, Lord Moynihan, has been pursuing regarding how sport, gambling and fairness are issues that all need to be taken together. We have been supporting him on those issues, which need legislation behind them.

Noble Lords may not be aware that we have been slightly accused of taking our time over the Bill. I resist that entirely because we are doing exactly what we should be doing in your Lordships’ House: going through line-by-line scrutiny and making sure that the Bill is as good as it can be before it leaves this House. We saw the noble Lord, Lord Moynihan, at the very beginning of Committee and he then dashed off to Australia to do various things, no doubt not unrelated to sport. He has had time to come back and introduce these amendments—but, meanwhile, the noble Lord, Lord Clement-Jones, and I were debating who was going to pick the straw that would require us to introduce them. We were very lucky not to have to do so because they were introduced so well on this occasion.

Our amendment in this group is a probing amendment that picks up on some of the points already made. It raises the issue of why we are restricting this section of the Bill to “sport”—whatever that is. If we are concerned about performance enhancement, we have to look at other competitive arrangements where people gain an advantage because of a performance-enhancing activity such as taking drugs. For instance, in musical competitions, for which the prizes can be quite substantial, it is apparently possible to enhance one’s performance—perhaps in high trills on the violin or playing the piano more brilliantly—if you take performance-enhancing drugs. Is that not somehow seeking to subvert these arrangements? Since that is clearly not sport, is it not something that we ought to be thinking about having in the Bill as well? I say that because, although the narrow sections of the Bill that relate to sport are moving in the right direction, they do not go far enough. As a society, we are going to have to think more widely about this as we go forward.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Committee: 3rd sitting (Hansard - continued): House of Lords
Monday 13th November 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Moved by
79: Clause 14, page 8, line 23, leave out “scientific or historical”
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, this amendment arises from concerns about the narrowness of the derogations based on article 89 of the GDPR for research statistics and archiving expressed by a number of organisations, notably techUK. The argument is that there should be a derogation similar to Section 33 of the Data Protection Act 1998. That Act makes provision for exemptions for research and development where suitable safeguards are in place. The GDPR limits this to scientific and historical research, but member states are able to legislate for additional exemptions where safeguards are in place.

The organisation techUK and others believe that the Bill’s provision for scientific and historical research should be broadened, involving the same provisions as Section 33 of the Data Protection Act 1998, and that the definition of scientific and historical research needs clarification. For example, it is not clear whether it would include computer science engineering research. I very much hope that the Minister will be able to clarify that. I recognise that the amendment leads the line in this group but may not be followed in exactly the same way. I beg to move.

Lord Pannick Portrait Lord Pannick (CB)
- Hansard - - - Excerpts

My Lords, I shall speak to Amendment 86BA, in my name. It concerns the application of data protection principles in the context of the law of trusts. The law has long recognised that a trustee is not obliged to disclose to a beneficiary the trustee’s confidential reasons for exercising or not exercising a discretionary power. This is known as the Londonderry principle, named after a case decided by the Court of Appeal, reported in 1965, Chancery Division, page 9.1.8. The rationale of this principle was helpfully summarised by Mr Justice Briggs—recently elevated to the Supreme Court—in the case of Breakspear v Ackland, 2009, Chancery, page 32, at paragraph 54.

The principle is that the exercise by trustees of their discretionary powers is confidential. It is in the interests of the beneficiaries, because it enables the trustees to make discreet but thorough inquiries as to the competing claims for consideration for benefit. Mr Justice Briggs added that such confidentiality also advances the proper interests of the administration of trusts, because it reduces the scope for litigation about how trustees have exercised their discretion, and encourages suitable people to accept office as trustees, undeterred by a concern that their discretionary deliberations might be challenged by disappointed or hostile beneficiaries and that they will be subject to litigation in the courts.

There is, of course, a public interest here, which is protected by the inherent jurisdiction of the court to supervise and, where appropriate, intervene in the administration of trusts, as the noble and learned Lord, Lord Walker of Gestingthorpe, stated for the Judicial Committee of the Privy Council in Schmidt v Rosewood Trust Ltd, 2003, 2 AC 709.

The problem is that, as presently drafted, the Bill would confer a right on beneficiaries to see information about themselves unless a specific exemption is included. A recent Court of Appeal judgment in Dawson-Damer v Taylor Wessing, 2017, EWCA Civ 74, drew attention to the general applicability of data protection law in this context unless a specific exemption is enacted.

My understanding, which is indirect—I declare an interest as a barrister, but this is not an area in which I normally practise—is that in other jurisdictions such as Jersey, the data protection legislation contains a statutory restriction on the rights of a data subject to make a subject access request where that would intrude on the trustees’ confidentiality under the Londonderry principle. Indeed, I am told that those who practise in this area are very concerned that offshore trustees and offshore professionals who provide trust services are already actively encouraging the transfer of trust business away from this jurisdiction because of the data protection rights which apply here, and which will apply under the Bill.

The irony is that the data protection law is driving trust business towards less transparent offshore jurisdictions and away from the better regulated English trust management businesses. I have received persuasive representations on this subject from the Trust Law Committee, a group of leading academics and practitioners, and I acknowledge the considerable assistance I have received on this matter from Simon Taube QC and James MacDougald.

This is plainly a very technical matter, but it is one of real public interest. I hope that the Minister will be able to consider this issue favourably before Report.

--- Later in debate ---
I hope I have given sufficient explanations in response to the amendments in this group and persuaded noble Lords that there are good reasons why the exemptions are required. In the light of the comments I have made, I invite the noble Lord to withdraw his amendment.
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I thank the Minister for that tour de force. This group is an extraordinary collection of different aspects such as research trusts and professional privilege. He even shed light on some opaque amendments to opaque parts of the Bill in dealing with Amendments 86A, 86B and 86C. The noble Lord, Lord Griffiths, was manful in his description of what his amendments were designed to do. I lost the plot fairly early on.

I thank the Minister particularly for his approach to the research aspect. However, we are back again to the recitals. I would be grateful if he could give us chapter and verse on which recitals he is relying on. He said that without the provisions of the Bill that we find unsatisfactory, research would be crippled. There is a view that he is relying on some fair stretching of the correct interpretation of the words “scientific” and “historical”, especially if it is to cover the kinds of things that the noble Lord, Lord Lucas, has been talking about. Many others are concerned about other forms of research, such as cyber research. There are so many other aspects. TechUK does not take up cudgels unless it is convinced that there is an underlying problem. This brings us back, again, to the question of recitals not being part of the Bill—

Lord Lucas Portrait Lord Lucas
- Hansard - - - Excerpts

I support the noble Lord on this. Coming back to his earlier example, if you were told a sandwich was solely made of vegetable, the Minister is saying that that means it has not got much meat in it. This is Brussels language. I do not think it is the way in which our courts will interpret these words when we have sole control of them. If, as I am delighted to learn, we are going to implement our 2017 manifesto in its better bits, including Brexit, this is something we will have to face up to. This appears to be another occasion where “scientific” does not bear the weight the Bill is trying to put on it. It is not scientific research which is happening with the NPD. It is research, but it is not scientific.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I agree with that. Again we are relying on the interpretation in whichever recital the Minister has in his briefing. It would be useful to have a letter from him on that score and a description of how it is going to be binding. How is that interpretation which he is praying in aid in the recitals going to be binding in future on our courts? The recitals are not part of the Bill. We probably talked about this on the first day.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

This was included in the letter I was sent today. I am afraid the noble Lord has not got it. The noble Lord, Lord Kennedy, helpfully withdrew his amendment before I was able to say anything the other night but the EU withdrawal Bill will convert the full text of direct EU instruments into UK law. This includes recitals, which will retain their status as an interpretive aid.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, we will see if the EU withdrawal Bill gets passed, but that is a matter for another day.

I thank the Minister for his remarks. There are many aspects of his reply which Members around the House will wish to unpick.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

Perhaps I may pursue this for a second. It is late in the evening and I am not moving fast enough in my brain, but the recitals have been discussed time and again and it is great that we are now getting a narrow understanding of where they go. I thought we were transposing the GDPR, after 20 May and after Brexit, through Schedule 6. However, Schedule 6 does not mention the recitals, so if the Minister can explain how this magic translation will happen I will be very grateful.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

I knew I was slow. We are moving to applied GDPR; that is correct. The applied GDPR, as I read it in the book—that great wonderful dossier that I have forgotten to table; I am sure the box can supply it when we need it—does not contain the recitals.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, just to heap Pelion on Ossa, I assume that until 29 March the recitals are not part of UK law.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

They will be part of UK law, because the withdrawal Bill will convert the full text into UK law. There will of course be a difference between the recitals and the articles; it will be like a statutory instrument, where the Explanatory Memorandum is part of the text of the instrument.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

Will that take place after 29 March 2019?

Lord Pannick Portrait Lord Pannick
- Hansard - - - Excerpts

May I add to this fascinating debate? Does this not illustrate one of the problems of the withdrawal Bill—that in many areas, of which this is one, there will be two potentially conflicting sources of English law? There will be this Act, on data protection, and the direct implementation through the EU withdrawal Bill on the same subject. The two may conflict because this Act will not contain the recitals.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, all I can say is that I do not know how the legal profession will cope in the circumstances.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

One thing we can all be certain of is that the legal profession will cope.

--- Later in debate ---
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I beg leave to withdraw the amendment.

Amendment 79 withdrawn.
--- Later in debate ---
Moved by
80: Schedule 2, page 125, line 41, leave out paragraph 4
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

The Minister will be delighted to hear that I will speak only briefly to this amendment, because I do not want to steal my noble friend Lady Hamwee’s thunder. This amendment would remove exemption to data subjects’ rights where personal data is being processed for the maintenance of effective immigration control or for the investigation or detection of activities that would undermine it. The amendment would remove paragraph 4 of Schedule 2 in its entirety. There is no attempt to define this new objective; nowhere in the Bill or its Explanatory Notes are notions of effective immigration control, or the activities requiring its maintenance, defined.

The immigration exemption is new in the Bill; there was no direct equivalent under the Data Protection Act 1998. This is the broad and wide-ranging exemption that is open to abuse. The exemption should be removed altogether, as there are other exemptions in the Bill that the immigration authorities can, and should, seek to rely on for the processing of personal data in accordance with their statutory duties and functions. The current provision, under the heading “Immigration”, removes all rights from a data subject that the Home Office wishes it did not have. Such removals are not restricted to those who have been found guilty of immigration offences, but apply to every data subject, including Home Office clerical errors. It is exactly those errors that data protection regulates.

In particular, there is a concern that the application of the effective immigration control exemption will become an administrative device to disadvantage data subjects using the immigration appeals process. Since the exemption has nothing to do with crime, national security, public safety or the protection of sources, such a prospect appears a distinct possibility without a rational explanation. The immigration authorities should be able to justify the inclusion of this exemption on the basis of hard evidence. The Home Office should be able to provide examples of subject access requests where personal data were released to the detriment of the public interest.

This is not the first time the Government have attempted to limit data protection rights on immigration control grounds. Clause 28 of the Data Protection Bill 1983 had an identical aim, setting out broad exemptions to data subject rights on grounds of crime, national security and immigration control. The Data Protection Committee, then chaired by Sir Norman Lindop, said that the clause would be,

“a palpable fraud upon the public if … allowed to become law”,

because it allowed data acquired for one purpose to be processed for another. In the House of Lords, my late and much-missed noble friend Lord Avebury mounted a robust and ultimately successful opposition to Clause 28 in 1983. He raised concerns almost synonymous with those we raise today. His objections and those of several Members of the House have the same resonance now as they did then. I beg to move.

--- Later in debate ---
Baroness Williams of Trafford Portrait Baroness Williams of Trafford
- Hansard - - - Excerpts

I thank my noble friend for that. In the meantime, I think my words should be reread, particularly my point about it not being a wholesale carve-out but quite a narrow exemption. I will write to noble Lords. I thought I might home in on one question that the noble Baroness, Lady Hamwee, asked about relying on this in the investigation, detection and prevention of crime. Of course, that is not always the correct and proportionate response to persons who are in the UK without lawful authority and may not be the correct remedy. I will write to noble Lords, and I hope that the noble Lord will feel happy to withdraw the amendment.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I thank the Minister. For a Home Office Minister she has a wonderful ability to create a sense of reassurance, which is quite dangerous. I am afraid that for all her well-chosen words, these Benches are not convinced. In particular, I noticed that she started off by saying, “This is only a very limited measure; it does not set aside everything”. But paragraph 1 sets aside nine particular aspects, all of which are pretty important. This provision is not a pussycat; it is very important.

I thank all those who spoke, including the noble Baroness, Lady Jones, and the noble Lord, Lord Lucas. I thought the support from the noble Lord, Lord Kennedy, for this amendment—I called him the right name this time—was rather more equivocal, and I hope he has not been persuaded by the noble Baroness’s siren song this evening. This is a classic example of the Home Office dusting off and taking off the shelf a provision which it has been dying to put on the statute book for years. The other rather telling point is that the noble Baroness said there is express provision for such derogation in the GDPR. But that is no reason to adopt it—just because it is possible, it is not necessarily desirable. But no, they say, let us adopt a nice derogation of this kind when it is actually not necessary.

As my noble friend pointed out, the Minister has not actually adduced any example which was not covered by existing exemptions, for instance, criminal offences. We will read with great care what the Minister has said, but I do not think that the “Why now?” question has really been answered this evening. In the meantime, I beg leave to withdraw the amendment.

Amendment 80 withdrawn.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Committee: 5th sitting (Hansard): House of Lords
Monday 20th November 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.

The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.

The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing were transparent, and that the purposes of data processing were communicated to data subjects.

Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.

I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.

Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.

Lord Puttnam Portrait Lord Puttnam (Lab)
- Hansard - - - Excerpts

My Lords, I support this amendment and identify myself totally with the remarks of the noble Lord, Lord Clement-Jones. I am trying to be practical, and I am possibly even pushing at an open door here. I have a facsimile of the 1931 Highway Code. The introduction by the then Minister says:

“By Section 45 of the Road Traffic Act, 1930, the Minister of Transport is directed to prepare a code of directions for the guidance of road users … During the passage of the Act through Parliament, the opinion was expressed almost universally … that much more could be done to ensure safety by the instruction and education of all road users as to their duties and obligations to one another and to the community as a whole”.


Those last few words are very important. This must be, in a sense, a citizens’ charter for users—a constantly updated notion—of the digital environment to be sure of their rights and of their rights of appeal against misuse. This is exactly where the Government have a duty of care to protect people from things they do not know about as we move into a very difficult, almost unknown digital environment. That was the thinking behind the 1931 Highway Code, and we could do a lot worse than do something similar. That is probably enough for now, but I will undoubtedly return to this on Report.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.

The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.

However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.

Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.

The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.

This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.

There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.

The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Committee: 6th sitting (Hansard): House of Lords
Wednesday 22nd November 2017

(7 years ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.

Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.

The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.

Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,

“must set standards by which a data controller is required to anonymise personal data”.

There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.

The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.

At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.

The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.

There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.

There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.

This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.

Baroness Neville-Rolfe Portrait Baroness Neville-Rolfe
- Hansard - - - Excerpts

I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.

The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.

The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.

I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.

I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.

--- Later in debate ---
Lord Ashton of Hyde Portrait The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
- Hansard - - - Excerpts

My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.

Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.

As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.

It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.

I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.

Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.

Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.

Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

That may have been the original intention, but perhaps it was never put properly into effect.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.

Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.

Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.

It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.

I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.

--- Later in debate ---
Moved by
183A: Clause 172, page 97, line 44, after “in” insert “or associated with”
--- Later in debate ---
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,

“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.


The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

My Lords, I think that must be a record.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.

This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.

There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.

Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.

It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I thank the Minister. She will not need to spend very long reading my contribution in Hansard, as she will appreciate, but I pledge to read what she had to say. The interplay with the Access to Medical Reports Act may be of some importance in this, but on both sides we may need to reflect a little further. The case being made is that, because the NHS is making more information available about the use of patient records, it may be appropriate to change the legislation, which, as the Minister said, may have been fit for purpose for a period of time but now, in the light of new circumstances, may need changing. Indeed, it may not be “hypothetical” any more, to use her word. I will reflect on what the Minister said, but if there is scope for further improvement of the clause, I hope that it might be considered at a future stage. In the meantime, I beg leave to withdraw the amendment.

Amendment 183A withdrawn.
--- Later in debate ---
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,

“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.

I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

It is not a new style.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.

I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.

Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.

The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.

The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.

However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.

I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.

The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.

I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.

Baroness Jones of Moulsecoomb Portrait Baroness Jones of Moulsecoomb (GP)
- Hansard - - - Excerpts

My Lords, I support Amendment 184. As the noble Lord, Lord Stevenson, said, the GDPR does allow not-for-profit organisations to lodge complaints about suspected breaches of data protection without needing the authorisation of the individuals concerned. I really do not understand why this has been taken out; it is such an important piece of legislation that gives teeth to data protection. Most people do not have the time or the inclination to lodge complaints against data controllers. So many organisations are now holding data about us that it is ridiculous to suggest that individuals can become data detectives responsible for finding out who holds data on them and trying to work out whether that data is being processed in accordance with data protection rules.

I went through the hassle of getting my own subject access request from the Met police. It took a lot of form filling and cost me £10, which was absolutely not money well spent because the file, when I got it, was so redacted. I did ask for my money back but was not given it. That shows me that most of us will not know that data about us is being held—so the amendment is extremely valid.

Despite my opposition to some provisions in the Bill, I accept that it is very important. However, it is equally important that we get it right and that we do not have all these derogations which mean that it has less authority and power. Personally, I think that the amendment strengthens the data protection regime without any hassle for consumers. I hope that the Government will include it in the next iteration of the Bill.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.

With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.

Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.

Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.

More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?

We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.

I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.

To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.

--- Later in debate ---
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - - - Excerpts

My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?

The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.

I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.

--- Later in debate ---
188A: Schedule 18, leave out Schedule 18 and insert the following new Schedule—
“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)
1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)
2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)
5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)
9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)
14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)
17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)
18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)
19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)
21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)
22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)
23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)
24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)
25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)
26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)
27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)
33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)
34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)
44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)
45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)
49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)
53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)
57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)
58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)
65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)
66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)
69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)
72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)
73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)
76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)
77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)
78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)
81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)
82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)
83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)
84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)
85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)
86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)
87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)
90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)
93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)
96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)
105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)
109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)
110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)
111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)
114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)
115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)
116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)
117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)
118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)
119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)
120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)
123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)
125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)
126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)
127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)
128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))
131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)
132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)
136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)
140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)
141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))
144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)
145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)
147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)
148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)
149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)
150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)
151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)
152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))
153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)
158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)
159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))
167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))
168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)
171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)
172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)
173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)
176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)
186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act
187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)
192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)
201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)
203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule
205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, looking at the amendments and new Schedule 18 is rather like looking for a needle in a haystack, but I hope that the Minister received some notice of what I was going to raise. If not, as ever, I hope that he will helpfully write to me. In paragraph 42 of new Schedule 18, there is a reference to an amendment to Section 77 of the Freedom of Information Act. It deletes any reference to,

“section 7 of the Data Protection Act 1998”.

That is a deletion of a summary offence, which is rather baffling to many of us. It is about not keeping records. Many of us thought that, since there have been very few or no prosecutions under that section of the Freedom of Information Act, the answer would perhaps have been to ratchet up the penalty. At the moment, it is only a summary offence. Therefore, there is a six-month time limit, and it is difficult to get the information to hand in that period. If it was made a more serious offence, it would be rather more straightforward to prosecute in those circumstances. The Government, however, seem to have swept this off the statute book, buried in new Schedule 18. I hope that the Minister when he writes will elucidate clearly and perhaps say that in another part of the forest a criminal offence still lurks.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report: 1st sitting: House of Lords
Monday 11th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Smith of Finsbury Portrait Lord Smith of Finsbury (Non-Afl)
- Hansard - - - Excerpts

My Lords, I remind the House of my interest as master of Pembroke College, Cambridge. I give a warm welcome to Amendments 3, 4 and 5, and I am grateful that Ministers have listened to the concerns of universities and colleges and very helpfully addressed them in these amendments. I know I speak also for the noble Baroness, Lady Royall, in this respect.

The two most important issues that have been of concern to universities and colleges have been, first, maintaining good relationships with alumni and the way in which that can lead to successful fundraising for universities and, secondly, the need constantly to improve what we do in outreach work to schools and the widening of participation from the broadest base of potential students to draw them into the best of our universities. In both these respects, relying on legitimate interests, as we do at the moment, is going to be extremely helpful. I very much hope that that is the Government’s understanding of the purpose and effect of the amendments.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.

Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.

Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - - - Excerpts

My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.

There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.

I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.

I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.

The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

No, can it sometimes be in the public interest?

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

I think that gets more rather than less muddling, but I think I see where the noble Lord is coming from.

The amendment should relate to and rely either on article 6(1)(e) or (f). That should solve any possibility raised by the noble Lord.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report stage (Hansard - continued): House of Lords
Monday 11th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
On Amendment 10 in the name of the noble Lord, Lord Clement-Jones, I shall listen with interest to what he and other noble Lords have to say before responding. For now, noble Lords will be relieved to hear me say that I beg to move.
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.

I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.

The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.

The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.

I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.

I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:

“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.


That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:

“We regard this is an insufficient and unconvincing explanation for such an important power”.


I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark (Lab Co-op)
- Hansard - - - Excerpts

My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.

I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.

In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.

As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.

On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

With the greatest respect, the point I was making was whether the right to vary was not omission by the backdoor. Perhaps I was not clear enough.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen
- Hansard - - - Excerpts

No, we do not believe it is omission by the backdoor.

--- Later in debate ---
The other amendment would ask the ICO to prepare insurance-specific guidance and in doing so to consult. In its September response to the consultation on consent, the ICO noted the differing worries of various sectors but said that it did not intend to give any sector-specific guidance. The amendment asks them to do so. Given that the sectors named by the ICO included health and social care, education and charities as well as insurance, it is right that Parliament should ask its Information Commissioner to be as helpful as possible to all sectors. The case for that has grown strongly in the many days of debate that we have had on the Bill, and again today and tonight. I therefore ask the Minister to confirm that these issues will be brought back at Third Reading.
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - - - Excerpts

My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.

--- Later in debate ---
Baroness Neville-Jones Portrait Baroness Neville-Jones (Con)
- Hansard - - - Excerpts

My Lords, I introduced the same amendment in Committee and do not intend to repeat what I said then. I am glad to say that, since I put down that amendment, there has been a very helpful meeting between DCMS officials, the Genetic Alliance UK and Unique. I very much hope that that meeting will form the basis of a solution on which we can build for Third Reading. I thank my noble friend the Minister for his personal contribution to the progress that we have made.

My understanding is that at that meeting it was accepted that an amendment would have to be brought forward to ensure the legality of the work of patient support groups. My understanding also is that the Government would prefer to do this by their own amendment, and I am certainly very happy to accept that. I also hope that it will be possible to agree such an amendment before Third Reading.

My noble friend has said that he is concerned about defining the scope of the amendment. I certainly accept that that is a legitimate issue. The family of patient support groups is quite large, but I accept that it is right to prevent any amendment becoming a loophole for evasion of the Bill’s provisions. I am conscious of that issue. However, the purpose of the amendment is not controversial and I am happy to look to finding words and drafting that will both safeguard the points that we want to make and provide the right scope for the amendment. It would be highly desirable to be able to deal with this matter in our House.

I hope and trust that my noble friend will be able to confirm that he shares my understanding of the point that we have now reached and that he will be able to give me an assurance at least of best endeavours to present a government amendment at Third Reading. I might say that Genetic Alliance and other patient support groups stand ready to help in any way that they can to meet this deadline.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I will speak briefly to support the noble Baroness, Lady Neville-Jones, in her amendment. Clearly, this is of great importance to patient groups. I very much hope that the Minister will carry on the good work and come back at Third Reading with something substantive for the benefit of patient organisations that collect vital health information from their members, so that they will not be required to destroy or anonymise data. Without amendment, the Data Protection Bill has the potential to seriously damage the work of these patient support groups and hinder the work of certain public agencies, too, such as Public Health England and NICE—so I very much support the noble Baroness.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report: 2nd sitting (Hansard): House of Lords
Wednesday 13th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, the Government must be quaking in their shoes whenever a Back-Bencher offers to come to their help. I looked across at the Dispatch Box when I heard the noble Lord, Lord Moynihan, make that offer and I saw a definite quiver come over the Minister’s face. Clearly, we are in for something rather interesting. We were entertained by the noble Viscount, Lord Falkland, with his worries about the BHA, but he said he thought that it is really quite simple at the end of the day—we need to keep the money out and sort out the betting influences that are affecting all our sports. He is absolutely right. The public have come to the end of their tether and it is time that we got this sorted: we have to keep sport clean and eliminate cheating. The data is key to this, as the noble Lord, Lord Moynihan, said.

We expect a great deal of our athletes in terms of their whereabouts and their strict liability, so we have to make sure that the systems under which they operate are fair, properly organised and regulated. In short, we have such high stakes in this that we have to be sure that we up our game—I am sorry about the puns. We should be clearer than we are at the moment about who has responsibility for what and how it is operated, and that is what this amendment is about. DCMS needs a stronger NDPB, in the form of UKAD or a successor body, and there needs to be an authority exercised with care and consideration as to how the rules will apply and to whom they apply. All these definitional points, all the concern about where it goes, are tied up in that set of constructs, which is what this amendment deals with. I think it is very powerful.

If noble Lords look back at the way in which a state was able to influence the way that the drug-testing system operated in the winter Olympic Games in Russia, they will understand how this thing has got to a new level of concern. We must have appropriate safeguards and ways of operating in place to insulate those who are trying to do the right thing from the charge that they are involved too closely. The public will stand for no less. I recommend this amendment very strongly and we will support it should it be necessary to take it to a vote. I hope that that will not be necessary, because as the noble Lord, Lord Moynihan, said, this is an area of such importance that the right thing to do would surely be for the Government to accept this amendment today and bring it back at Third Reading with a proper wording and proper consideration that will reassure any who still doubt it. In the interim, we will support it if necessary.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, as ever the noble Lord, Lord Moynihan, made his case extremely well. We on these Benches share his objectives and, indeed, most of the objectives of the noble Lord, Lord Stevenson, around clean sport, particularly putting UKAD on a statutory footing and having a proper framework around the powers in the Bill.

I know that the noble Lord, Lord Moynihan, feels that these need a proper definition and control. However, despite the noble Lord’s best efforts this amendment is not the finished article. Sadly, there are still discussions taking place. Noble Lords have had a great deal of material from governing bodies, including the England and Wales Cricket Board, the Rugby Football Union, the British Horseracing Authority and the Sport and Recreation Alliance, which by itself represents some 320 organisations.

Further discussions need to take place so that we get to an agreed position. I feel very uncomfortable at this point. All those governing bodies may be speaking with different voices, as the noble Lord, Lord Moynihan, suggests, and he has entered discussion with them in good faith, but other voices have come to us saying that they are not yet able to accept what he has put forward. There is still work to be done. I very much hope that the Minister will take on board the fact that many of us around the House, particularly on these Benches, want those conversations to continue and an agreed amendment to be brought forth at Third Reading.

--- Later in debate ---
Moved by
34: Clause 13, page 7, line 20, at end insert “or a group sharing a protected characteristic, within the meaning of the Equality Act 2010, to which the data subject belongs”
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I will speak also to a number of other amendments to Clause 13 in this group. I regret that the rules of drafting on Report mean that I was not able to produce a consolidated clause; it is rather bitty in the way it is presented in the amendments, but I very much hope that the Minister will be able to interpret the bits as eventually forming a perfectly-formed whole and a much preferable alternative Clause 13. In addition to those amendments I will speak to Amendment 41, which constitutes a new clause after Clause 13.

Clause 13 concerns the prohibition and exemptions around significant solely automated decisions. However, it can be confusing. There are three grounds on which such decisions are permitted under the GDPR: to enter or to perform a contract, to give explicit consent or to be authorised under UK law. Clause 13 concerns only the safeguards for the last category. Therefore, our amended version of Clause 13 has the following important four aims.

First, it clarifies that an individual’s ability to claim that a decision had a significant effect on them—a prerequisite for triggering any of the protections that the GDPR has to offer relating to automated decision-making—can be grounded in a significant effect on a protected group under the Equality Act 2010. The Equality Act is a strong piece of legislation, but it contains no information rights for individuals to investigate suspicions of machine bias or illegal discrimination. Given that the Information Commissioner will already be overloaded with work, given the changes accompanying the GDPR and the speed of technological development, this is a simple and crucial check and balance that will strengthen enforcement of not just data protection but many UK laws.

Secondly, the amendments further clarify that in order to claim that a decision was not solely automated—and therefore benefiting from none of this clause’s protections—there must be “meaningful human input”. The Minister argued in Committee that this is,

“precisely the meaning that that phrase already has”.—[Official Report, 13/11/17; col. 1869.]

Unfortunately, we have reason for concern because, in respect of identical wording in the 1995 data protection directive, German courts, for instance, have previously read “solely” in a restricted, narrow sense. Therefore, having such clarification in the Bill would ensure that the Minister’s understanding of the protection afforded to data subjects is the protection they will receive. This clarification is in line with the article 29 working party guidance—I recognise that the Minister corresponded with me on the subject of article 29 guidance—but it takes us closer to an adequacy agreement if one is sought upon leaving the EU.

Thirdly, the Explanatory Notes in paragraph 115 promise a safeguard that is not found in any of the articles of the GDPR, nor the safeguards laid out by the Government: a right to,

“an explanation of the decision reached after an assessment”.

The cause of this is that its position is in a non-binding recital, and there is a contradiction between the recitals and the main text. This is easily rectified for the decisions authorised by law, as the purpose of Clause 13 is to specify safeguards for these particularly impactful and largely public sector decisions.

It is included as well to indicate—in a very similar way to a recent French law on exactly the same issue—what such an explanation should provide to be useful. These explanations are possible even with black box algorithms. I have tabled an additional simple amendment to include this safeguard explicitly for automated decisions authorised by consent or contract, not just those authorised by law.

--- Later in debate ---
The drafters of the GDPR, LED and Convention 108 were sensitive to the need to apply appropriate safeguards around the use of automated decision-making. The GDPR and the Bill give effect to such safeguards. In particular, data subjects must be notified of decisions and may request that the decision be reconsidered. Given this and the other safeguards provided in the Bill, including the monitoring and enforcement role of the Information Commissioner, I am satisfied that the Bill already makes adequate and proportionate provision and I therefore invite noble Lords not to press their amendments.
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I thank the Minister for that helpful unpacking of the amendments. I hope that the ICO will read her speech because, in essence, it has helpfully brought together a series of glosses on automated decision-making and the rights of the data subject. My amendments tried to bring together those rights specifically on the face of the Bill. The fact that the Minister had to unpack them from quite a number of articles and recitals demonstrates just how opaque is the GDPR for many of us, including those of us who have spent many weeks in the salt mines—it is no less opaque than when we started. Her response was extremely helpful. I hope that some sort of explanatory memorandum produced by the ICO might help because many of us around the House are trying to future-proof the Data Protection Bill so that we do not have to keep coming back and invoking Clause 15, Clause 9 and so on—whatever our differences may be about Henry VIII powers. We want to come to some conclusions while the Bill is going through and really understand what the rights of the data subject are in the face of increasing use of algorithms and so on.

There are just a couple of areas in which I should push, in particular the article 29 working group guidance on “meaningful”. None of us really knows what the status of the article 29 working group will be. Will we have a 29 March 2019 working group? Does everything change after that or not? If we are relying on that kind of interpretation, we need to have a pretty clear idea and a pretty good statement from the Government that it will continue after Brexit.

Where I am still unpersuaded and thought the argument was not really as good as it could have been was over my Amendment 41, on recital 71. Children are not adequately drawn into the legislation or protected from automated decision-making—that was the reason for proposing that additional clause.

I will withdraw my amendment, but I will read very carefully what the Minister has had to say. I am sure we will have many more happy hours corresponding in this area, because it will provide grist to the mill for quite a number of observers who are extremely interested in the consequences of artificial intelligence and the data it uses. I beg leave to withdraw the amendment.

Amendment 34 withdrawn.
--- Later in debate ---
Baroness Kidron Portrait Baroness Kidron (CB)
- Hansard - - - Excerpts

I, too, support the amendment. I raised this issue at Second Reading and pointed to the work of the ethics committee of the IEEE, which has done a lot of work on this. This is not as blue sky as the noble Lord suggested; this is indeed the direction of travel.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I am inspired by the last two speeches to add some words here. This is a very imaginative amendment. There is a great debate about ownership or control of one’s personal data, and this may be an elegant solution to some of that in future, although I suspect that the noble Lord, Lord Stevenson, may be right in his prediction about the Government’s response at this stage. Again, it is a bit of future-proofing that we really should think about.

If the Government do not like this, how do they think portability will work? If portability is to be a substantive right that can be taken advantage of under the GDPR, this is a very good way to make sure that data can then be inserted into a vehicle as a result of it having been sought in a portable way. This could be a very imaginative way to give teeth to the right of portability. I shall be extremely interested to hear how, otherwise, the Government think it will take effect.

Baroness Chisholm of Owlpen Portrait Baroness Chisholm of Owlpen (Con)
- Hansard - - - Excerpts

My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.

The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.

By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.

Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.

Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.

I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.

--- Later in debate ---
Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - - - Excerpts

My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.

I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.

The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?

Lord Kennedy of Southwark Portrait Lord Kennedy of Southwark
- Hansard - - - Excerpts

I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report: 2nd sitting (Hansard - continued): House of Lords
Wednesday 13th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I am very keen to support this extremely useful amendment from the noble Lord, Lord Stevenson. If I had £5 for every mention of a recital in Committee and on Report, I would have the price of an extremely good Christmas dinner for me and quite a few of my friends. Only today, the noble Baroness, Lady Williams, prayed in aid a recital in an earlier rather useful debate on Clause 13. We really need to know what the status of these recitals is both pre and post Brexit. Is it that of an immediate aid to interpretation or an integral part of the law, or is it more like that of a Pepper v Hart statement, to be used only when the meaning is not clear in the Bill or the GDPR, or where there is ambiguity? Or do these recitals impose certain obligations, as I think has been implied on a number of occasions by Ministers?

At this time of night I cannot remember whether it was in Alice in Wonderland or Through the Looking Glass that a phrase was used along the lines of, “Words mean what I say they mean”. I rather feel that recitals are prayed in aid at every possible opportunity when it is convenient to do so without specifying exactly what their status is. We will need to establish that very clearly by the time we come to the end of the Bill.

Baroness Hamwee Portrait Baroness Hamwee (LD)
- Hansard - - - Excerpts

At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.

At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

Ad infinitum!

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

Sorry, I should have said “ad infinitum”—that is perfectly correct.

The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.

I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.

Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.

More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.

There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.

The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.

I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report: 3rd sitting Hansard: House of Lords
Wednesday 10th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Baroness Neville-Rolfe Portrait Baroness Neville-Rolfe (Con)
- Hansard - - - Excerpts

My Lords, we have had something of a break, so perhaps I should remind the House what lies behind my Amendments 106, 125 and 127. It is the wish to reduce, as far as possible, the burden that the GDPR and the Bill will place especially on small entities—notably, small businesses, small charities and parish councils. I might add that it behoves us to stand back from time to time and recognise the burdens we all too often impose on people and businesses. This is very often for good reasons, but it can seem overwhelming for those at the receiving end, and it is important to minimise the burden where we can legitimately do so.

I also place on record my thanks to the Minister for a helpful meeting about my concerns. Against this background, Amendment 106 would place a duty on the Information Commissioner to support such small entities in meeting their obligations under the GDPR and the Bill. It gives examples of how this should be done, including compliance advice and zero or discounted fees. This is important both practically and as a manifestation of how the state expects the commissioner to approach her duties. We should always remember that data protection will sound forbidding to some small organisations.

Furthermore, parish councils are fearful that they could face new costs of up to £20 million in total on one reasonable interpretation of the present text. They have been advised that an existing officer of a council could not act as a DPO because they are not independent. My noble friend Lord Marlesford mentioned this issue at Questions in December but, happily, I believe the Government take a different view, and it would be helpful to hear that on the record from my noble friend.

On the same lines, Amendment 125 would require the Secretary of State to consider fixing charges levied on small entities by the commissioner at a discounted or zero level. We need to find a way to avoid the imposition of significant costs for small entities into the future as cost recovery escalates in the administration of data protection.

Amendment 127 goes a little further. It would require the commissioner to have regard to economic factors in conducting her business. This is a fundamental point. The commissioner’s remit contains elements which are similar to those of a judge and focuses predominantly on individual rights and protections. But the analogy is imperfect. Judges must go where justice takes them. The commissioner’s role is different in important respects, and economic factors ought to hold a high place in her consideration. This is important for UK competitiveness and for continued growth and innovation, which is also of benefit to business, citizens and data science—and, indeed, UK plc.

The amendment seeks to ensure that the commissioner concentrates on this economic angle by reference to the commissioner’s annual report. The noble Lord, Lord Stevenson, may remember that we introduced a special reporting requirement into intellectual property legislation which helped to ensure the right culture in that increasingly important area.

I should add that I am grateful to my noble friend Lord Arbuthnot and to the noble Lord, Lord Stevenson, for their involvement, and I am hopeful that the Minister will be able to meet the concerns I have outlined in my three amendments in a sympathetic and practical way.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:

“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.


That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.

I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.

Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - - - Excerpts

I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.

I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.

I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.

Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.

Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.

Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, can the Minister explain what the trigger is for the payment of the fees?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

A charge will need to be paid if you are the data controller.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

That is not what I meant. That is not a trigger; it is notification by the data controller.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

But that is very close to registration, my Lords.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.

I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.

My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.

--- Later in debate ---
Lord Mitchell Portrait Lord Mitchell (CB)
- Hansard - - - Excerpts

My Lords, I will also speak to Amendment 108. The points I am addressing were glossed over in Committee, and I now wish to expand on this important issue.

Data is the new oil. This has been said many times in your Lordships’ House, but as each day passes it becomes more true. Without stretching the analogy too far, in our country big data is about to become the 21st-century equivalent of North Sea oil. Because big data has such value, it will come as no surprise to see big tech companies swarming all over it. They have to because it is their lifeline. Many of our public bodies, particularly the NHS, are custodians of massive amounts of data, which big tech is eager to get its hands on. But we as legislators who act for the public good also have a responsibility to ensure that the public are protected and that, simply put, our treasure is not taken from us without clear authority or appropriate recompense. The data the public bodies hold belongs to us all. It is ours—our communal property—and we must tread carefully.

I will make one point as strongly as I can. I am a product of the data revolution; I have been professionally involved in the digital industry for over 50 years. For 40 of those I was an IT serial entrepreneur. This industry has been good to me; I fully understand that the tech sector needs light regulation. I know that at its best the digital revolution is a force for good but, equally, I know the dangers it poses, so I am trying to be cautious in what I propose. We stand at a crossroads. Computing power has reached astronomical capabilities, software is increasingly complex and artificial intelligence is now making dramatic inroads. Plus, we see the exponential availability of digital data. All these have contributed to the creation and brilliance of algorithms. The one thing we know for certain is that these exciting developments will keep on growing at exponential rates. In medicine, for example, new tools are being developed that are already enhancing diagnostic and treatment capabilities that could benefit all manner of healthcare, in particular our ageing population.

I welcome these developments, as I am sure we all do, many of which have come from our own private sector, and we should rejoice at this example of British expertise. However, at the same time we need to strike a balance between the ambitions of 21st century businesses and the responsibility of government to steward assets and resources of national significance so that the proceeds of technological developments benefit us all. My two amendments seek to codify how valuable, publicly controlled personal data is shared with big tech companies, and to ensure that financial returns, combined with wider social, economic and environmental benefits, are optimised.

I can best demonstrate the scale of this issue if I refer to the NHS. Ever since its formation in 1948—maybe they were kept even before that—the NHS has kept records of tens of millions of patients, literally from cradle to grave. These records are either in written form, or increasingly in digital format, but the magnitude of the collected data is huge. Very few countries can match the length and depth of the health records that the NHS is trusted to retain on behalf of the general public. Such data is called longitudinal data and, when it is bundled together, has great commercial value.

At Second Reading I gave the example of a company called DeepMind, which is a British subsidiary of Google. I visited DeepMind, which is an impressive organisation based here in London. It has purchased access to millions of anonymised data records from institutions such as the Royal Free and Moorfields Eye Hospital. It does not buy this data outright—it does not have to. It simply buys access. Such access enables it and companies like it to use very powerful computers and very sophisticated software to process millions of records with the help of artificial intelligence and machine learning.

This synthesising of data using AI capabilities is designed to produce algorithms, and it is these algorithms that become the product that companies such as DeepMind are able to monetise. They do this by selling the algorithms and their consulting services to the likes of pharmaceutical companies and healthcare providers and even back to the NHS itself. It is a global business and very profitable. At the Royal Free, these algorithms are being used to detect the early onset of kidney disease. At Moorfields Eye Hospital, also here in London, spectacular advances have occurred in similarly detecting potential optical problems.

This is data processing used for the benefit and enhancement of all mankind and we should welcome it. However, I am concerned that this precious and unique data is being offered to big tech companies by our public bodies in the absence of clear and consistent guidelines and without asking how best to obtain value for money in the broadest sense of the term.

Having dealt with big tech companies for most of my life, I know that they are staffed with exceptionally clever people and are no slouches at driving hard bargains. Unlike our NHS, they are not consumed with the day-to-day preoccupation of trying to balance their current budgets; with hundreds of billions of dollars in the bank, they can afford to play the long game, and it is easy to see who holds the aces in any negotiation. Put simply, I wish to protect our public bodies and ensure that we do not give away our inheritance. That is why we need to codify how we will obtain value for money from the sharing of data of national significance with the private sector.

My proposal is not just for the NHS and it is not just for now. All public bodies need protection and guidelines today and well into the future. That is why I have introduced my amendments. In Amendment 107B I seek, first, to require the Information Commissioner to maintain a register of publicly controlled personal data of national significance and, secondly, to prepare a code of practice containing practical guidance in relation to personal data of national significance. These are defined in subsection (2). In Amendment 108 I have set out the requirements of the code on personal data of national significance.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I want briefly to express sympathy with the noble Lord, Lord Mitchell. I share many of his concerns but essentially I think that we should look on the most optimistic side. I hope that he is also really describing the opportunities that can be made available with this kind of data, provided that it is accessible in the way described. I know that the noble Lord takes considerable inspiration from Future Care Capital’s report on intelligence-sharing unleashing the potential of health and care data in the UK to transform outcomes. I thought that it was very good and well considered.

The noble Lord has put down a very important marker today but my one caveat is that I am not sure that there is yet a settled view about how to deal with this kind of data. In Committee we talked about data trusts. In her AI review, Dame Wendy Hall also talked about data trusts. I know that we need to head in a direction that gives us much more assurance about the use of the data in the way that the noble Lord, Lord Mitchell, has described, but I am not sure we have quite reached a consensus around these things to come to the decision that this is the best possible model.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
Report: 3rd sitting (Hansard - continued): House of Lords
Wednesday 10th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Lord Ashton of Hyde Portrait The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
- Hansard - - - Excerpts

My Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.

By way of background, Clause162(3) and (4) provide a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.

As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.

A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.

We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.

I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.

First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,

“without intending to cause, or threaten to cause, damage or distress to a person”,

seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.

Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,

“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,

has to do this,

“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.

That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.

We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.

Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.

--- Later in debate ---
Moved by
175: Clause 173, page 98, line 26, at end insert—
“(2A) A body or other organisation which meets the conditions in subsections (3) and (4) may also exercise some or all of the rights under subsection (2) independently of the data subject’s authority.(2B) Subsection (2A)—(a) applies in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section; and(b) is without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”
Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.

I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.

Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.

That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.

I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.

In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.

To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I thank the Minister for his response and am only sorry that I, rather than the noble Lord, Lord Stevenson, have the privilege of responding. The Minister came back, I thought, very helpfully. The noble Baroness, Lady Kidron, made a superb case for these rights to be implemented earlier rather than later. If we are creating all those new rights for children under the Bill, as she says, we must have a mechanism to enforce them. I believe the Minister said that the review would be two years after the Bill comes into effect. I hope that that is an absolute—

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

To be clear, two years after Royal Assent.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

Let us hope that that is treated as an important timetable. I was interested that the Minister expressed his sympathy—I know that that was genuine—but then went on to talk about risks and pitfalls, and very significant developments, which all sounded a bit timid. I understand that we are in relatively novel territory, but it sounded rather timid in the circumstances, especially where the rights of children are concerned.

One point the Minister did come back on was group litigation orders. Class actions are very different from the kinds of representative action that we are talking about under these amendments. For example, they would be anonymous and the consent of the data subject would not have had to be acquired, unlike with a class action. They are very different, which is worth pointing out. There are some egregious issues in terms of the use of people’s data—the Equifax case, Uber, and so on. We need to remind ourselves that these are really important data breaches and there need to be remedies available. We, on this side of the House, and those on the Benches of the noble Baroness, Lady Kidron, will be vigilant on this aspect.

The one area of clarification that I did not receive from the Minister was whether this would apply to processing of personal data that was not under the GDPR. Will it be under the applied GDPR, and would that apply?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I think it applies to the whole thing, but if I am wrong, I will certainly write to everyone who is here.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

In that case, I beg leave to withdraw the amendment.

Amendment 175 withdrawn.
--- Later in debate ---
Viscount Hailsham Portrait Viscount Hailsham (Con)
- Hansard - - - Excerpts

My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.

Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I hear what the noble Viscount said about the amendment, but the problem is that even the affirmative resolution procedure is not necessarily a good way to test the framework. The noble Lord, Lord Stevenson, was unusually kind about the Government’s framework. As he said, the Secretary of State can produce a framework that applies data protection to his own department; ignore what the Information Commissioner says about the framework; lay his own framework for Parliament through the negative procedure—I take the noble Viscount’s point about the affirmative procedure—which means it is very unlikely to get much scrutiny; and raise barriers against the ICO’s enforcement mechanism. He can then, as part and parcel of the framework, extend or introduce frameworks to include any other public sector body. Frankly, the Secretary of State can pretty much do what he or she wants. We should not be saying that the framework is essentially like a statutory code of practice; it is a very different animal.

This is our first debate on the architecture that the Government have imposed. In Committee the Minister produced a whole raft of amendments introducing the framework and we did not have a chance to scrutinise it properly. The Information Commissioner is not very happy with this architecture either. That is utterly clear. It is not just opposition parties or organisations such as medConfidential that are unhappy. The ICO has stated:

“The Commissioner understands the needs for government departments and public bodies to be clear about the legal basis for undertaking the functions and this is particularly true when processing personal data. However the provisions as drafted appear to go beyond this limited ambition and create different risks that must also be considered. She has made clear her concerns to government and these are set out below”.


I should very much like to hear what sort of dialogue the Government have had with the ICO because, frankly, at the moment they seem to be overriding any powers or involvement that she has in this framework. I am afraid that I am raising the temperature slightly at this time of night, but the framework for government data protection is not in fact data protection at all.

Earl Attlee Portrait Earl Attlee (Con)
- Hansard - - - Excerpts

To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to all those who have participated. I take on board what the noble Lord, Lord Clement-Jones, said about our brief debate on the final day in Committee, so we can do a bit tonight. I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out. I am going to duck, if I may, the argument about the affirmative procedure and whether it should be amendable, particularly given other Bills that are coming before this House soon. After all, I was only reappointed yesterday.

It is helpful to have this opportunity to further set out the purpose and operation of Clauses 175 to 178 and, in doing so, explain why the amendments in this group are unnecessary—except, of course, the government amendments. As noble Lords will now be aware, the Bill creates a comprehensive and modern scheme for data protection in the UK. No one is above the law, including the Government. That partly answers the point made by the noble Lord, Lord Clement-Jones. The Secretary of State cannot do whatever she or he wants because they are subject to the GDPR and the Bill, like everyone else. When I go further and explain the relationship between this framework and the ICO’s guidance, if it is issued, I hope that will further reassure noble Lords.

While we are on this subject, the reason the Bill uses the term “framework” is that it uses the term “code of practice” to refer to a number of documents produced by the Information Commissioner. As this document will be produced by the Government, we felt that it would be clearer not to use that term in this case. It is purely a question of naming conventions—nothing significant at all.

Inherent in the execution of the Government’s functions is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is therefore intended to set out the principles and processes that the Government must have regard to when processing personal data. Government departments will be required to have regard to the framework when processing personal data. This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate. This sector, or organisation-specific guidance, coexists with the overarching guidance provided by the Information Commissioner.

This framework adopts a similar approach; it is the Government producing guidance on their own processing of data. The Information Commissioner was consulted during the preparation of these clauses and will be consulted during the preparation of the framework itself to ensure that the framework complements the commissioner’s high-level national guidance when setting out more detailed provision for government.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, the Minister said that the Information Commissioner was consulted, but what was her view? Can the Minister put on record what the Information Commissioner’s view about the final architecture was? She has made it fairly clear to us that this is not satisfactory, as far as she is concerned.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

When I said that she was consulted, I said what I meant. This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner. I think that she is worried about complications regarding independence and the extent of her authority in this. I am not pretending that she is completely happy with this, but I hope that I will address how the two interlink and we can come back to this if the noble Lord wants. I acknowledge his point that she is not completely happy with this but, as I said before, it is one of the few areas in the whole Bill where that is the case. Certainly, we have a very good relationship with the Information Commissioner, as evidenced earlier this evening by her agreement on pay and flexibility. Importantly though, whatever she thinks of it, she will be consulted during the preparation of the framework itself to ensure that it complements the commissioner’s high-level national guidance when setting out more detailed provision for the Government.

As I explained in Committee, the Government’s view is that the framework will serve to further improve the transparency and clarity of existing government data processing. The Government can and should lead by example on data protection. Amendment 176 is designed to address concerns about the potential for confusion if the framework is produced by the Government, I respectfully suggest that these concerns are misplaced. The Secretary of State’s framework will set out principles for the specific context of data processing by government. It will, as I have set out, complement rather than supplant the commissioner’s statutory codes of practice and guidance, which will, by necessity, be high level and general as they will apply to any number of sectors and organisations.

Requiring the commissioner to dedicate time and resources to producing guidance specifically for the Government, as the noble Lord’s amendment would require, would hardly seem to the best use of her resources. Just like a sectoral representative body, it is the Government who have the experience and knowledge to devise a framework that speaks to their own context in more specific terms.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I am sorry to keep interrupting the Minister, but is he therefore saying that the frameworks cover government and that the ICO’s codes of practice cover government as well?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.

As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.

--- Later in debate ---
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.

This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.

I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.

Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.

We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.

Data Protection Bill [HL]

Lord Clement-Jones Excerpts
3rd reading (Hansard): House of Lords & Report: 2nd sitting (Hansard): House of Lords
Wednesday 17th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 77-I Marshalled list for Third Reading (PDF, 71KB) - (16 Jan 2018)
Lord Brown of Eaton-under-Heywood Portrait Lord Brown of Eaton-under-Heywood (CB)
- Hansard - - - Excerpts

My Lords, I strongly support this group of amendments, perhaps unsurprisingly given that they have now been brought forward in place of a series of broadly similar amendments which, as the Minister has mentioned, I tabled on Report. They achieve the same basic objective, which is to safeguard parliamentary privilege and thereby ensure that this House, along with the other place, can continue to go about its business and fulfil its vital constitutional role without inappropriate inhibitions and concerns with regard to the protection of data and privacy, which of course the Bill as a whole is rightly designed to protect.

As I made plain on Report, I was prompted to table the original amendments by and on behalf of the officials of both Houses, that is to say, the clerks and counsel, because of their concern about how, unamended as it then was, the Bill risked infringing parliamentary privilege in the various ways that the Minister has recounted. These concerns were raised and over recent months they have been discussed extensively between officials and the Bill team. Again I express my gratitude and pay tribute to the Bill team for its hugely constructive help and co-operation throughout. As now formulated, these amendments substantially and realistically meet the concerns of officials, and accordingly I welcome them.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, we should all thank the noble and learned Lord, Lord Brown, together with officials of the House, for having prompted these amendments. In thanking the Minister I want also to mention in dispatches my noble friend Lady Hamwee. She highlighted this point early on in Committee, I think to the incredulity of the House at the time because it was thought that it was only Members of Parliament who should have the exemptions in the Bill. These elegant solutions demonstrate that parliamentary privilege covers both Houses.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.

Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.

--- Later in debate ---
Earl of Kinnoull Portrait The Earl of Kinnoull (CB)
- Hansard - - - Excerpts

My Lords, I strongly support this excellent group of amendments. I declare my interests as set out in the register, particularly those in respect of the insurance industry. I am enormously grateful to the Minister for being so generous with his time in the process that has led to the birth of these amendments. His Bill team has been quite outstanding—I see some of them sitting over there—and I thank them as well. I also thank three other Members of your Lordships’ House: the noble Lord, Lord Clement-Jones —who yet again was emailing me at 11 o’clock last night —and the noble Lords, Lord Hunt of Wirral and Lord Stevenson of Balmacara, who have been great supporters in trying to make sure that the ordinary man in the street can continue to buy insurance at a good price.

I have one tiny point of clarification, which will be very easy for the Minister to answer. He talked about insurance and I have talked about insurance, but it is important that reinsurance is understood, as well as retrocession and all the other words. We are talking about the whole concept of insurance and if he could confirm that reinsurance, retrocession and other things are included, that would be very helpful.

Anyway, with this change the man in the street will be able to buy personal and business insurances that involve special category personal data and yet the GDPR will have arrived. Insurers will have to improve their game somewhat—never a problem for the good, and important for the back-markers in the industry.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I congratulate the noble Earl on the assiduous way in which he has pursued these issues on behalf of the insurance industry, and thank the Minister for his close engagement on them. We very much welcome these amendments but I have a couple of clarificatory questions for the Minister, the answers to which would be helpful in making sure that we all understand the exact position of the insurance industry relative to these new provisions.

The proposed derogation to paragraph 13A of Part 2 of Schedule 1 does not specifically address the processing of data relating to criminal convictions or offences. First, can the Minister confirm that paragraph 28 of Part 3 of Schedule 1 may be read in conjunction with paragraph 13A of Part 2 to permit the processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management or related money laundering and anti-fraud activities? The reference in paragraph 13A to,

“racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health”,

would appear to preclude this, but we assume that this is not the intent.

Secondly, can the Minister confirm that the processing of special category data or data relating to criminal convictions or offences by insurance companies and related intermediaries, such as reinsurers and brokers, for the purposes of conducting insurance-related business and managing claims will be regarded by the Government as purposes that are in the “substantial public interest”?

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.

If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.

The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.

The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, in moving that the Bill do now pass, I shall say a few words about it. The Bill has been central to my life and the lives of a number of noble Lords for many weeks now. It was accepted right from the word go as a necessary Bill, and there was almost unanimity about the importance and necessity of getting it in place by next May, taking into account that it still has to go through the other place. I am very relieved to have got to this stage. Despite that unanimity, we have managed to deal with 692 amendments during the passage of the Bill, which is a very good indication of unanimity as far as I am concerned. I have to admit that of those 692, 255 were government amendments, but that is not necessarily a bad thing. The GDPR takes effect in May and many of the things that would have been put into secondary legislation have been dealt with in the Bill. I think most noble Lords would agree that that is a good precedent. Data protection is so pervasive that the previous Data Protection Act, passed 20 years ago in 1998, is referred to around 1,000 times in other legislation, so a lot of the amendments were to make sure that when we repeal that Act and this Bill becomes law it will be consistent with other legislation.

I am very appreciative of what we achieved and the way that we did it. One thing we managed to achieve was to accept a number of recommendations from your Lordships’ House, so we changed the way that universities, schools and colleges can process personal data in respect of alumni relations; we ensured that medical researchers can process necessary personal data they need without any chilling effect; we agreed that patient support groups can process health data; we ensured a fair balance between privacy and the right to freedom of expression when journalists process personal data; and we have talked about insurers today. The noble Baroness, Lady Kidron, one of the heroes of the Bill, helped us protect children online, which we all agreed with—in the end. We amended the way that some of the delegated powers in the Bill are effective and subject to the right parliamentary oversight.

I thank the Front Benches for their co-operation. This is meant to be the last Bill for the noble Lord, Lord Stevenson. I doubt that. Every time he says that, he comes back. He had a good team to help him: the noble Lords, Lord Kennedy and Lord Griffiths of Burry Port. It was the first Bill for the noble Lord, Lord Griffiths; if he can survive this, he can survive anything. I am sure we will see a lot of him in future. I thank the noble Lords, Lord Clement-Jones and Lord Paddick. I should have mentioned the noble Baroness, Lady Hamwee, and acknowledged her position on the privilege amendment. I must say that the way she withdrew her amendments one after the other on Report is a very good precedent for other legislation that might be coming before your Lordships’ House soon.

The Bill team has been mentioned several times, not only today but all through the passage of the Bill. The members of the team have been outstanding. They have worked incredibly hard. I should like to mention Andrew Elliot, the Bill manager, Harry Burt, who worked with him, Jagdeep Sidhu and, from the Home Office, Charles Goldie. They have all done a tremendous job and been great to work with.

Lastly, I have had a galaxy of talent to help me with large parts of the Bill. My noble friends Lady Williams, Lady Chisholm and Lord Young of Cookham and my noble and learned friend Lord Keen have made my life very easy and I am very grateful to them. I beg to move.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.

We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.

I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.

There is just a slight sting in the tale. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.

Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.

Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:

“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.


On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, from this side of the House, I also thank the Bill team, as I think I can call them. What we faced when we first came across the Bill was a beast—a beast dressed up as legislation but a beast in many ways. As the Minister said, we got round most of it but then discovered there were another 250 amendments coming down the track from the Government. Although they were dressed up as being small, trivial things, you have to read them and understand them, and they add a little to one’s workload.

If we did not learn to love the Bill, we certainly at least respect it. It is a good Bill, now much better than it was before. I hope it will have the longevity of its predecessor, the 1998 Act. It has the same aspirations and aims but, because of the inclusivity of the age-appropriate design and other matters that the noble Lord, Lord Clement-Jones, mentioned, it also begins to shape the debate that we still need to have about how and under what conditions we as a mature democratic society wish to engage with those who provide information, data, statistics, facts, communications and other things in relation to the electronic world in a way that is, if not comparable to, at least as effective as what is applied in the current non-virtual world. That is not the subject of the Bill, I am afraid, but it is something that will trouble this House now and in the future. We should not shy away from it because at its heart lies the future of our society. Morality and ethics are dimensions that we have not yet touched on in the Bill; they are still to come. They may well be foreshadowed for us by the creation of a data ethics commissioner of some kind. I welcome that and hope it will come forward quickly. Without it, we really are not in a very good place, despite the strength of the Bill.

For my part I am grateful to my noble friend Lord Kennedy and to my apprentice—if I can call someone of such distinguished age and experience that—my noble friend Lord Griffiths of Burry Port, who is going to take over my responsibility here in the main, although, as the Minister said, I am not leaving the Front Bench; I am simply moving sideways to accommodate those with greater skills and abilities than I have myself.

I have enjoyed the Bill tremendously. It is the sixth Bill that I have done with DCMS, and five of those have been with the current team. With familiarity comes a certain ability both to see through the artifices as they come at you but also to recognise a true offer when it comes, and both sides have benefited from that. We understand some of the pressures a bit more, particularly the difficult time that any Bill team has when it is agreed to move forward but the processes and procedures in Whitehall are so slow that they cannot keep pace with our aspirations for doing it. That is very frustrating for all concerned.

On that point, but not related to the mechanics, there is a question that the House must address at some point in the near future. What happens when it is agreed around the House, through Second Reading and Committee and approaching Report, that a desired amendment would bring public good but it cannot be moved because it falls outwith the narrow scope of the Bill, is a frustration that we have all encountered on this Bill and the previous Bill that I was involved with. There is a solution to that which should be discussed by the Procedure Committee. I hope it will do so in the near future, and I will be writing to it to that effect.

The Bill team have been absolutely fantastic. I gave them a rousing welcome when they first arrived because they have a trick at DCMS, which I recommend to all departments, of bringing together in one place at the very beginning of the process all the documents that you need to work out what you are talking about. If only every Bill team did that, we would all have much easier lives. They did it again this time, and it was fantastic. I have enjoyed working with them; their professionalism and efficiency were wonderful and a great help to us. Our support is minuscule in comparison; effective and efficient though Nicola Jayawickreme and Dan Stevens are, there are only two of them to support all our work. I wish to ensure that our sincere appreciation is on the record.

This has been an enjoyable ride. I have had a great time, waxing lyrical on things I did not think I would ever want to talk about. I hope that the Bill passes, and that when it comes back we will be able to deal with it expeditiously and appropriately.