Read Bill Ministerial Extracts
Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateLord Sharpe of Epsom
Main Page: Lord Sharpe of Epsom (Conservative - Life peer)Department Debates - View all Lord Sharpe of Epsom's debates with the Department for Science, Innovation & Technology
(7 months, 3 weeks ago)
Grand CommitteeMy Lords, we have heard some fine words from the noble Lord, Lord Clement-Jones, in putting the case for his Amendments 135A, 135B, 135C and 135D, which are grouped with the clause stand part debates. As he explained, they seek to test and probe why the Government have sought to extend the ability of the security and intelligence services to disapply basic data protection principles.
The new Government-drafted clause essentially, as well as disapplying current provisions, disapplies the rights of data subjects and the obligations placed on competent authorities and processors. The Explanatory Notes say that this is to create a regime that
“ensures that there is consistency in approach”.
Section 29 is designed to facilitate joint processing by the various agencies with a common regime. Like the noble Lord, Lord Anderson, I well understand why they might want to do that. The noble Lord, Lord Clement-Jones, has done the Committee a service in tabling these amendments because, as he said, during the passage of the 2018 Act assurances were given that law enforcement would always abide by basic data protection principles. On the face of it, that assurance no longer applies. Is this because it is inconvenient for the security and intelligence services? What are the Government seeking to do here?
Can the Minister explain from the Government’s perspective what has changed since 2018 that has led Ministers to conclude that those critical principles should be compromised? The amendments also seek to assert the importance of proportionality considerations when deciding whether national security exemptions apply. This principle is again raised in relation to the issuing of a national security certificate.
The noble Lord, Lord Clement-Jones, with Amendment 135E effectively poses the question of where the balance of oversight should rest. Should it be with the Secretary of State or the commissioner? All that new Clause 29 does is oblige the Secretary of State to consult the commissioner with the expectation that the commissioner then makes public a record of designation orders. However, it strips out quite a lot of the commissioner’s current roles and responsibilities. We should surely have something more convincing than that to guarantee transparency in the process. We on these Benches will take some convincing that the Government have got the right balance in regard to the interests of national security and the security services. Why, for instance, is Parliament being sidelined in the exercise of the Secretary of State’s powers? Did Ministers give any consideration to reporting duties and obligations so far as Parliament is concerned? If not, why not?
Labour does not want to see national security compromised in any way, nor do we want to undermine the essential and vital work that our intelligence services have to perform to protect us all. However, we must also ensure that we build confidence in our security and intelligence services by making them properly accountable, as the noble Lord, Lord Clement-Jones, argued, and that the checks and balances are sufficient and the right ones.
The noble Lord, Lord Anderson, got it right in questioning the change of language, and I want to better understand from the Minister what that really means. But why extend the range of exemptions? We could do with some specific reasons as to why that is being changed and why that is the case. Why has the Information Commissioner’s role been so fundamentally changed with regard to these clauses and the exemptions?
We will, as always, listen carefully to the Minister’s reply before we give further thought to this framework on Report, but we are very unhappy with the changes that are taking away some of the fundamental protections that were in place before, and we will need quite a lot of convincing on these government changes.
My Lords, I thank the noble Lord, Lord Clement-Jones, for his amendments and thank the other noble Lords who spoke in this short debate. These amendments seek to remove Clauses 28, 29 and 30 in their entirety, or, as an alternative, to make amendments to Clauses 28 and 29. I will first speak to Clause 28, and if I fail to answer any questions I will of course guarantee to write.
Clause 28 replaces the current provision under the law enforcement regime for the protection of national security data, with a revised version that mirrors the existing exemptions available to organisations operating under the UK GDPR and intelligence services regimes. It is also similar to what was available to law enforcement agencies under the 1998 Data Protection Act. It is essential that law enforcement agencies can properly protect data where required for national security reasons, and they should certainly be able to apply the same protections that are available to other organisations.
The noble Lord, Lord Clement-Jones, asked whether the exemption was in breach of a person’s Article 8 rights, but the national security exemption will permit law enforcement agencies to apply an exemption to the need to comply with certain parts of the law enforcement data protection regime, such as the data protection principles or the rights of the data subject. It is not a blanket exemption and it will be able to be applied only where this is required for the purposes of safeguarding national security—for instance, in order to prevent the tipping-off of a terror suspect. It can be applied only on a case-by-case basis. We do not, therefore, believe that the exemption breaches the right to privacy.
In terms of the Government taking away the right to lodge a complaint with the commissioner, that is not the case—the Government are not removing that right. Those rights are being consolidated under Clause 44 of this DPDI Bill. We are omitting Article 77 as Clause 44 will introduce provisions that allow a data subject to lodge a complaint with a controller.
In terms of how the subject themselves will know how to complain to the Information Commissioner, all organisations, including law enforcement agencies, are required to provide certain information to individuals, including their right to make a complaint to the Information Commissioner and, where applicable, the contact details of the organisation’s data protection officer or, in line with other amendments under the Bill, the organisation’s senior responsible individual, if they suspect that their personal information is being process unlawfully.
Amendments 135A and 135D seek to introduce a proportionality test in relation to the application of the national security exemption and the issuing of a ministerial certificate for law enforcement agencies operating under Part 3 of the Data Protection Act. The approach we propose is consistent with the similar exemptions for the UK GDPR and intelligence services, which all require a controller to evaluate on a case-by-case basis whether an exemption from a provision is required for the purpose of safeguarding national security.
Amendment 135B will remove the ability for law enforcement agencies to apply the national security exemption to data protection principles, whereas the approach we propose is consistent with the other data protection regimes and will provide for exemption from the data protection principles in Chapter 2—where required and on a case-by-case basis—but not from the requirement for processing to be lawful and the safeguards which apply to sensitive data.
The ability to disapply certain principles laid out in Chapter 2 is crucial for the efficacy of the national security exemption. This is evident in the UK GDPR and Part 4 exemption which disapplies similar principles. To remove the ability to apply the national security exemption to any of the data protection principles for law enforcement agencies only would undermine their ability to offer the same protections as those processing under the other data protection regimes.
Not all the principles laid out in Chapter 2 can be exempted from; for example, law enforcement agencies are still required to ensure that all processing is lawful and cannot exempt from the safeguards that apply to sensitive data. There are safeguards in place to ensure that the exemption is used correctly by law enforcement agencies. Where a data subject feels that the national security exemption has not been applied correctly, the legislation allows them to complain to the Information Commissioner and, ultimately, to the courts. Additionally, the reforms require law enforcement agencies to appoint a senior responsible individual whose tasks include monitoring compliance with the legislation.
Amendment 135C would make it a mandatory requirement for a certificate to be sought from and approved by a judicial commissioner whenever the national security exemption is to be invoked by law enforcement agencies only. This bureaucratic process does not apply to organisations processing under the other data protection regimes; forcing law enforcement agencies to apply for a certificate every time they need to apply the exemption would be unworkable as it would remove their ability to act quickly in relation to matters of national security. For these reasons, I hope that the noble Lord, Lord Clement-Jones, will not press his amendments.
On Clauses 29 and 30 of the Bill, currently, only the intelligence services can operate under Part 4 of the Data Protection Act. This means that, even when working together, the intelligence services and law enforcement cannot work on a single shared dataset but must instead transfer data back and forth, applying the provisions of their applicable data protection regimes, which creates significant friction. Removing barriers to joint working was flagged as a recommendation following the Manchester Arena inquiry, as was noted by the noble Lord, Lord Anderson, and following Fishmongers’ Hall, which also recommended closer working.
Clauses 29 and 30 enable qualifying competent authorities and an intelligence service jointly to process data under a single data protection regime in authorised, specific circumstances to safeguard national security. In order to jointly process data in this manner, the Secretary of State must issue a designation notice to authorise it. A notice can be granted only if the Secretary of State is satisfied that the processing is required for the purpose of safeguarding national security and following consultation with the ICO.
Amendment 135E would make the ICO the final arbiter of whether a designation notice is granted by requiring it to—
May I just intrude on the Minister’s flow? As I understand it, there is a possibility that relatives of the families affected by the Manchester Arena bombing will take to court matters relating to the operation of the security services, including relating to intelligence that it is felt they may have had prior to the bombing. How will this new regime, as set out in the Bill, affect the rights of those who may seek to hold the security services to account in the courts? Will their legal advisers ever be able to discover materials that might otherwise be exempt from public view?
That is a very good question but the noble Lord will understand that I am somewhat reluctant to pontificate about a potential forthcoming court case. I cannot really answer the question, I am afraid.
But understanding the impact on people’s rights is important in the context of this legislation.
As I say, it is a good question but I cannot comment further on that one. I will see whether there is anything that we can commit to in writing and have a further chat about this subject but I will leave it for now, if I may.
Amendment 135E would make the ICO the final arbiter of whether a designation notice is granted by requiring it to judge whether the notice is required for the purposes of the safeguarding of national security. It would be wholly inappropriate for the ICO to act as a judge of national security; that is not a function of the ICO in its capacity as regulator and should be reserved to the Secretary of State. As is generally the case with decisions by public bodies, the decision of the Secretary of State to grant a designation notice can be challenged legally; this is expressly provided for under new Section 82E, as is proposed to be included in the DPA by Clause 29.
On the subject of how a data subject is supposed to exercise their rights if they do not know that their data is being processed under a notice subject to Part 4, the ICO will publish designation notices as soon as is reasonably practical. Privacy information notices will also be updated if necessary to enable data subjects to identify a single point of contact should they wish to exercise their rights in relation to data that might be processed under a designation notice. This single point of contact will ease the process of exercising their data rights.
The noble Lord, Lord Anderson, asked which law enforcement agencies this will apply to. That will be set out separately in the subsequent affirmative SI. I cannot be more precise than that at the moment.
For these reasons, I hope that the noble Lord, Lord Clement-Jones, will be prepared to withdraw his amendment.
The Minister left us on a tantalising note. He was unable to say whether the law enforcement organisations affected by these clauses will be limited to Counter Terrorism Policing and the NCA or whether they will include others as well. I am rather at a loss to think who else might be included. Do we really have to wait for the affirmative regulations before we can be told about that? It seems pretty important. As the Minister knows well, there are quite a few precedents—following some recent ones—for extending to those bodies some of the privileges and powers that attach to the intelligence agencies. I suspect that a number of noble Lords might be quite alarmed if they felt that those powers or privileges were being extended more widely—certainly without knowing, or at least having some idea, in advance to whom they might be extended.
While I am on my feet and causing mischief for the Minister, may I return to the rather lawyerly question that I put to him? I do not think I had an answer about the formulation in new Section 78A, which talks about an exemption applying
“if exemption from the provision is required for the purposes of safeguarding national security”.
What does “required” mean? Does it simply mean the same as “necessary”—in which case, why not stick with that? Or does it mean something else? Does it mean that someone has required or requested it? It could be a pretty significant difference and this is a pretty significant ambiguity in the Bill. If the Minister is not willing to explain it now, perhaps he will feel able to write to us to explain exactly what is meant by replacing the well-worn phrase “necessary and proportionate” with “required”.
I thank the noble Lord for that. It is a lawyerly question and, as he knows, I am not a lawyer. With respect, I will endeavour to write and clarify on that point, as well as on his other good point about the sorts of authorities that we are talking about.
Perhaps the same correspondence could cover the point I raised as well.
My Lords, we should be very grateful to the noble Baroness, Lady Morgan of Cotes, for her amendment. I listened very carefully to her line of argument and find much that we can support in the approach. In that context, we should also thank the Police Federation of England and Wales for a particularly useful and enlightening briefing paper.
We may well be suffering under the law of unintended consequences in this context; it seems to have hit quite hard and acted as a barrier to the sensible processing and transfer of data between two parts of the law enforcement machinery. It is quite interesting coming off the back of the previous debate, when we were discussing making the transfer of information and intelligence between different agencies easier and having a common approach. It is a very relevant discussion to have.
I do not think that the legislation, when it was originally drafted, could ever have been intended to work in the way the Police Federation has set out. The implementation of the Data Protection Act 2018, in so far as law enforcement agencies are concerned, is supposed to be guided by recital 4, which the noble Baroness read into the record and which makes good sense.
As the noble Baroness explained, the Police Federation’s argument that the DPA makes no provisions at all that are designed to facilitate, in effect, the free flow of information, that it should be able to hold all the relevant data prior to the charging decision being made by the CPS, and that redaction should take place only after a decision on charging has been made seems quite a sensible approach. As she argued, it would significantly lighten the burden on police investigating teams and enable the decision on charging to be more broadly informed.
So this is a piece of simplification that we can all support. The case has been made very well. If it helps speed up charging and policing processes, which I know the Government are very concerned about, as all Governments should be, it seems a sensible move—but this is the Home Office. We do not always expect the most sensible things to be delivered by that department, but we hope that they are.
I thank all noble Lords for their contributions—I think. I thank my noble friend Lady Morgan of Cotes for her amendment and for raising what is an important issue. Amendment 137 seeks to permit the police and the Crown Prosecution Service to share unredacted data with one another when making a charging decision. Perhaps to the surprise of the noble Lord, Lord Bassam, we agree: we must reduce the burden of redaction on the police. As my noble friend noted, this is very substantial and costly.
We welcome the intent of the amendment. However, as my noble friend has noted, we do not believe that, as drafted, it would achieve the stated aim. To fully remove it would require the amendment of more than just the Data Protection Act.
However, the Government are committed to reducing the burden on the police, but it is important that we get it right and that the solution is comprehensive. We consider that the objective which my noble friend is seeking would be better achieved through other means, including improved technology and new, simplified guidance to prevent overredaction, as all speakers, including the noble Lord, Lord Clement-Jones, noted.
The Home Office provided £960,000 of funding for text and audio-visual multimedia redaction in the 2023-24 financial year. Thanks to that funding, police forces have been able to procure automated text redaction tools, the trials of which have demonstrated that they could save up 80% of the time spent by the police on this redaction. Furthermore, in the latest Budget, the Chancellor announced an additional £230 million of funding for technology to boost police productivity. This will be used to develop, test and roll out automated audio-visual redaction tools, saving thousands more hours of police time. I would say to my noble friend that, as the technology improves, we hope that the need for it to be supervised by individuals will diminish.
I can also tell your Lordships’ House that officials from the Home Office have consulted with the Information Commissioner’s Office and have agreed that a significant proportion of the burden caused by existing pre-charge redaction processes could be reduced safely and lawfully within the current data protection framework in a way that will maintain standards and protections for individuals. We are, therefore, actively working to tackle this issue in the most appropriate way by exploring how we can significantly reduce the redaction burden at the pre-charge stage through process change within the existing legislative framework. This will involve creating simplified guidance and, obviously, the use of better technology.
Is the Minister almost agreeing with some of my analysis in that case?
No, I think I was agreeing with my noble friend’s analysis.
I thank all noble Lords for their contributions. We acknowledge this particular problem and we are working to fix it. I would ask my noble friend to withdraw her amendment.
My Lords, I thank my noble friend the Minister for his response. I also thank the noble Lords, Lord Clement-Jones and Lord Bassam, for their support. I hope that those watching from outside will be heartened by what they have heard. I think there is general agreement that this problem should be simplified, and the burden taken off policing.
I am interested to hear about redaction but, with bodycams and images, as well as the mass amount of data on items such as mobile phones, it is complicated. My noble friend the Minister mentioned that the Home Office and the Information Commissioner’s Office were consulting with each other to reduce this pre-charge redaction burden. Perhaps he could write to me, or we could have a meeting to work it out. The challenge in all this is that we have a debate in which everybody agrees and then it all slows down again. Perhaps we can keep the momentum going by continuing discussions outside, involving the Police Federation as well. For now, I beg leave to withdraw the amendment.