All 3 Lord Storey contributions to the Data Protection Act 2018

Read Bill Ministerial Extracts

Tue 10th Oct 2017
Data Protection Bill [HL]
Lords Chamber

2nd reading (Hansard - continued): House of Lords
Mon 6th Nov 2017
Data Protection Bill [HL]
Lords Chamber

Committee: 2nd sitting (Hansard): House of Lords
Wed 10th Jan 2018
Data Protection Bill [HL]
Lords Chamber

Report: 3rd sitting Hansard: House of Lords

Data Protection Bill [HL] Debate

Full Debate: Read Full Debate
Department: Home Office

Data Protection Bill [HL]

Lord Storey Excerpts
2nd reading (Hansard - continued): House of Lords
Tuesday 10th October 2017

(7 years, 1 month ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Lord Storey Portrait Lord Storey (LD)
- Hansard - -

My Lords, I am particularly interested in how the Bill enhances the lives of young people and how in Committee we could add to the opportunities that the Bill provides. The word “protection” is immensely important in this digital age, and young people probably need more protection than at any other time in our recent history. They should have control over their own data.

Like your Lordships, I have been sent a large number of briefings on the Data Protection Bill. I was particularly taken with the joint briefing from the Children’s Society and YoungMinds. As we have heard from the noble Baroness, Lady Lane-Fox, they found that almost three in four children and young people have a social media account before the age of 13. The same survey also revealed that four in 10 young people had experienced online bullying. For young people affected by this form of bullying, the right to have contact removed will be very welcome. I have seen first-hand how young people’s lives can be seriously harmed, and I welcome having a longer debate on this issue in Committee.

I was very taken with the noble Baroness’s comments, although they did not quite match my personal experience. As a head teacher of a large 600-place primary school, I would find children who had been seriously bullied and were in meltdown. When we saw the children and talked to their parents, it turned out that the bullying came from social media. This raises the question: how did children as young as eight years old get signed up to Facebook? By their brothers and sisters. Why did their parents not know about this? This is a very serious problem. I do not know if it is about the long arm of the police, which the noble Baroness, Lady Lane-Fox, suggested was not the way, whether it is about young children knowing their rights, or, as I suspect, whether it is a bit of both, including parental education as well.

In the 1960s a baby named Graham Gaskin was put into care by Liverpool local authority after his mother, a local beauty queen, committed suicide by jumping into the River Mersey. Graham was passed from one institution to another; he was sent to over 20 institutions, including 14 different foster homes, over an 18-year period. He claimed that he suffered neglect, mismanagement and sexual abuse. He tried to understand what had happened to him, the family circumstances and the family connections—his back story, if you like. He was prevented from seeing his social services file but managed somehow to purloin it. In those confidential papers he found out about the secrets of his shocking life in care.

Three remarkable people stand out in the Graham Gaskin story: the local solicitor, Mr Rex Makin, who represented Graham and fought to get justice for him; a local journalist, Mr Ian Craig, who spent months checking and cross-checking the details and wrote a series of devastating articles about what had happened to Graham in the Liverpool Echo; and the chair of the social services committee, Mr Paul Clark, who struggled against the legal system to allow his officers to open up the file and had a fiat, which I am told is a type of injunction, issued against him, preventing him releasing those files. In November 1981, the noble Lord, Lord Alton, then my honourable friend and MP for the Edge Hill constituency in Liverpool, spoke in the Commons about the Graham Gaskin case. He said:

“Graham Gaskin is just another name still locked away in a filing cabinet … I hope that encouragement will be given to local authorities to humanise their services so that the tragedy of Graham Gaskin’s lost youth will never happen again”.—[Official Report, Commons, 6/11/81; col. 284.]


Had the files of Graham Gaskin and thousands of other children been allowed to have been opened, they would have revealed a scandal as shocking as the revelations that have come to light about some of our residential homes and might have prevented the abuse of children that was so prevalent at the time.

We have come a long way since those days, and of course the law allows access to files under the Data Protection Act 1998. Since the noble Lord, Lord Alton, made his comments about humanising social services, we have done that very thing. However, opening the files and making them accessible to young people is very different from the sort of legal problems that, for example, solicitors often face. It is of fundamental importance that everyone has the right to their personal data, and the legislation does not restrict or inhibit that right, but I shall talk about it from a practitioner’s point of view. This issue is beyond my comprehension but I have spent several moments talking to solicitors about it, so the language that I use is not of my immediate understanding but it gives some flavour of how we should have not only the spirit of making these files available but the practicalities as well.

If someone makes a request for data a year after making a previous request, and in the intervening period there has been further activity about the requester by the data controller, it will be argued that the substance of previous requests is being repeated. Is not the substance of any request to obtain the relevant data then held by the data controller? It will be argued that if someone has made a previous request, they will not be able to make a subsequent one. I think I understand that and I hope noble Lords do too.

Terminology needs to be clearly defined, not left open to later judicial interpretation. For example, if a right is to be denied on the basis that complying with it would involve disproportionate effort, there needs to be a definition of “proportionate”. More effort is needed for supplying data to someone who has had a lot of dealings with a data controller, especially government departments and numerous agencies because such are regarded as one data controller. We need to ensure that each separate agency has its own data controller. Will it be argued in the courts that it is manifestly unfounded or excessive for someone with a lot of personal data about them to request it? The current law requires all data controllers, with some minor exceptions, to register with the ICO. If they do not, they are acting unlawfully by processing personal data, and the provisions of the criminal law apply.

When the Bill which became the Data Protection Act 1998 was introduced to Parliament, the drafting instructions to parliamentary counsel were as follows: “We regard it as essential that there be a clear sanction for failure to make a mandatory notification. The obligation to notify is itself a cornerstone of the notification regime, and we wish to place a distinct onus on controllers to take responsibility for ascertaining and discharging their obligations in this respect”. Huge numbers have not done so, with a massive loss to the public purse. The law will not be strengthened by removing the cornerstone of the current law.

The Bill is long and detailed, and the devil, as always, is in the detail. The detail needs most careful scrutiny to ensure that the fundamental rights of the citizen are paramount, not those of officialdom. In any balance concerning the rights of the individual, there should be a presumption that those acting in any official capacity should have the official records disclosed. The balancing exercise introduced in the 1998 Act following the Graham Gaskin case, effectively replicated in the Bill, has not worked in practice, and Parliament can and should give further guidance. I look forward to finding out how we may improve some of these detailed issues for people who find themselves in the same situation as the Graham Gaskins of the 1980s.

Data Protection Bill [HL]

Lord Storey Excerpts
Baroness Harding of Winscombe Portrait Baroness Harding of Winscombe (Con)
- Hansard - - - Excerpts

My Lords, I should draw the attention of the House to my interests in various digital organisations as set out in the register. I put my name to the amendments tabled by the noble Baroness, Lady Kidron, with a heavy heart, if I am honest. I have spent the past eight years running an internet service provider and arguing that competition is the route to delivering better services for consumers, and a large part of me would really like to believe that the fierce competition that exists among social media companies and other web applications would drive to the right outcomes for our children and for parents looking to protect their children, but the sad truth is that that is not the case. I have worked for and with many very well-meaning and talented people who lead these businesses, but the truth is that some of the largest companies in the world are simply not putting in place the most basic protections for our children. It is clear that our children are not protected. What is more, children say that themselves. They love social media platforms, but in research conducted by the Children’s Society, 83% of children said that they think that social media companies should do more to protect them, and we know that if we ask parents we get very similar statistics.

It is also clear that we know what could be done. It is no good saying we should set minimum standards if we do not have a sense of what those basic minimum standards would be. As the noble Baroness, Lady Kidron, has just set out, the children’s charities, led mainly on this by the NSPCC and the Anti-Bullying Alliance, are very clear about what some very basic standards would look like: the strongest privacy settings being default on for anyone under 18; geolocation turned off as a default if you are under 18; regular prompts about your privacy settings targeted in language that under-18s will understand; age being a required field when signing up for a service; and clear, transparent reporting processes if a child reports abusive behaviour on that platform in children’s language.

These are not difficult things, and I hope they are not contentious, yet they are not being done. We owe it to our children to step back and ask why these basic things are not being done. People attempted to argue that this is because these are small start-ups scrambling in the rush to build a tech business, but I am afraid the basic things I have just listed are by and large not done by the largest businesses on the planet, providing services to the vast majority of our children.

The second reason people argue these things are not being done is that these are global businesses that will develop only one, global, product and they cannot—they are terribly sorry—adjust for our children’s needs when they are working on their global technology road map. That is just not a good enough argument. In every other form of regulation the world over, good regulation begins in one geographical area and then spreads. We should not allow these large companies to tell us that because they are global they cannot engage with us locally. Actually, they are all learning that that is not true.

I suspect that the real reason we are not getting change is a very practical one, which is that every technology company in the world has a contended development pipeline, by which I mean they have more things they want to do to improve their product for their customers than they have the resource or capability to deliver. I say this having been a chief executive of a tech company: you spend your life trying to prioritise the list of ideas and innovations, and the harsh reality is that protecting children is not coming high enough up that contended technology stack in any of these businesses. That is probably not surprising, because children themselves will be asking for other things as well, and it is exactly why you need to have regulation.

We accept absolutely, almost as an act of faith, that minimum health and safety standards are necessary in the physical world and that factories have to meet basic regulatory standards. The digital world is no different. We know what those basic standards should be now. I am sure they will change over time, but we know enough to set them. Our children’s mental health is every bit as important as people’s physical health as they grow up. This is something that we have to face.

I hope your Lordships will forgive me if I am getting the procedures of the House wrong, but my noble friend Lady Lane-Fox asked me to add her voice to this debate. Although she is currently in her place, she says:

“I cannot be in my place for the length of the debate today but I would like to add my voice to the amendment. There is a clear need for more to be done to protect children and to ensure that they can realise the multiple benefits of engaging with the internet while recognising that they are not yet experienced users.


I welcome the opportunity to design accessible and clear services that help children to navigate around safely. As others may already have raised, designing for children is not technically difficult—the BBC has been doing it well online for many years, but it is right to ensure more services are as careful and do not shirk their responsibilities. As I raised in Second Reading, I would very much hope that the ICO will be given the necessary resources to be able to handle Baroness Kidron’s sensible suggestions alongside the other sizeable new areas of activity that they are being given in this Bill”.


Switching back to my own voice, I join the noble Baroness in being convinced of the good that the digital world can do, but as with all technology, we need to mould it to meet our needs, not vice versa, and it is high time we set out the basic safety requirements our children need. That is what this set of amendments intends to do, which is why I support it.

Lord Storey Portrait Lord Storey (LD)
- Hansard - -

My Lords, as I have said on a number of occasions, my previous job for 40 years was a teacher, 20 of those as a head teacher. One of my prime responsibilities as a head teacher was the safeguarding of children in my school. That was the most important thing I did: to make sure they were safe, so that those primary-age children, aged from five to 11, and nursery as well, could enjoy their childhood and their parents could know that they were safe and enjoying their innocence.

The Government did a lot with their education policies about safeguarding. Anyone visiting the school had to be checked and double-checked and had to wear identification. Children who went out of school had to be escorted properly and correctly. As part of our personal and social health education, we made sure that young people themselves understood. Yet, when it comes to this area, we seem not to take the role as seriously as we should. I was reading the newspapers on the train from Liverpool this morning. I just could not believe the Times headline:

“Children as young as ten are sexting”.


The article says that,

“according to figures from the National Police Chiefs Council. In 2015-16, there were 4,681 cases”,

where children as young as 10 were either sending inappropriate messages or photographs to other pupils or receiving them. Imagine it was your daughter who at the age of seven or eight—and some of them are that young—was receiving inappropriate pictures from other pupils. How would you feel as a parent? Is that really protecting or safeguarding those children?

I do not want to speak at length in this debate; I think the noble Baronesses, Lady Kidron and Lady Harding, have said it all. It is not beyond our wit to do these simple things. I have seen for myself that self-regulation does not work. I hope that between now and Report the Government will put aside any feeling that, “We can’t do this because of the EU, because of our own lethargy, because of what we have said in the past or because it will create more regulation”. This is about children. Let us all agree that on Report we can agree these eminently sensible amendments.

--- Later in debate ---
Moved by
20: After Clause 8, insert the following new Clause—
“Education for children of school age relating to the rights of data subjects
(1) Upon the passing of this Act, the Secretary of State must make arrangements for all children of school age to receive education relating to the rights of data subjects, appropriate to their age.(2) For the purposes of subsection (1) “the rights of data subjects” must include—(a) rights under this Act and other Acts and Regulations relating to data protection and privacy,(b) security of personal data, and(c) other matters related to the understanding and exercise of rights under this Act and other Acts and Regulations relating to data protection.”
Lord Storey Portrait Lord Storey
- Hansard - -

My Lords, the second pillar of protection of children and young people is education. In my view, that would be achieved through personal, social and health education. The noble Baroness, Lady Massey, has championed this issue for as long as I have been in the House of Lords.

One of the sad casualties of the last general election was the then Schools Minister, Edward Timpson, who was very keen that not only relationship and sex education would become a compulsory part of the curriculum, but PSHE would be part of the curriculum of all schools. Indeed, last year I asked an Oral Question on the subject. The then education Whip, now the Leader of the House, the noble Baroness, Lady Evans, said she thought it important that PSHE is taught in schools. Sadly, she missed two little words: in “all” schools and for “all” children. That has been the nagging issue. It is a question of not just having the subject, but ensuring it is taught in all schools, whether academies, free schools, independent schools or whatever, for the well-being of all our children.

On 24 October 2017 the Education Select Committee published the Government’s response to the joint report by the Education and Health Committees, Children and Young People’s Mental Health—the Role of Education. In response to the recommendation that,

“schools should include education on social media as part of PSHE, including educating children on how to assess and manage the risks of social media and providing them with the skills and ability to make wiser and more informed choices about their use of social media”,

the Government responded:

“All young people should have access to a curriculum that ensures they are prepared for adult life in modern Britain. Personal, Social, Health and Economic education … Relationships Education, and Relationships and Sex Education … help to provide pupils with the key knowledge and skills to ensure that they can keep themselves safe, develop healthy and positive relationships, maintain good mental health, build resilience and successfully navigate the changing world in which they are growing up”.


The Children and Social Work Act 2017 gives the Secretary of State the power to make PSHE or elements therein mandatory, subject to careful consideration. It has also given a duty to the Secretary of State to make relationships education in primary and relationships and sex education in secondary mandatory in all schools. The department will be conducting a thorough and wide-ranging engagement process on the scope and content of these subjects, considering school practice and quality of delivery to determine the content of the regulations and statutory guidance. Sadly, that consultation has slipped further behind the promised date originally given.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.

We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.

I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.

Lord Storey Portrait Lord Storey
- Hansard - -

I am very grateful for the Minister’s helpful reply and to noble Lords who have contributed to this debate. I do not particularly like the phrase “digital literacy”: I much prefer “digital understanding”. I always understood that the fourth “r” was religion, so perhaps, with a small “r”, this is a religion for some of these large tech companies.

I can accept everything the Minister said, with the exception of two points. He said that these things are happening in the maintained sector. However, over 70% of our secondary schools are no longer in the maintained sector and they can choose whether or not to follow the programmes that he has suggested. Free schools are also increasing in number and, again, they do not have to take any part in this activity if they do not want to.

I agree with the Minister that this is not a discrete package where you tick the box when you have done it. It has to be part of a wider programme which goes through all aspects of learning. I also agree with the noble Lord, Lord Stevenson, who raised the question of whether we have the skills in our schools. It is not just digital issues: we do not have teachers for A-level maths or physics but we do not stop doing maths or physics. This might ensure that we actually started training teachers to work in this area.

I am grateful for the Minister’s helpful reply and look forward to considering this again on Report. I beg leave to withdraw the amendment.

Amendment 20 withdrawn.

Data Protection Bill [HL]

Lord Storey Excerpts
Report: 3rd sitting Hansard: House of Lords
Wednesday 10th January 2018

(6 years, 10 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.

The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.

I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.

Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.

In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.

Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford, raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.

While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.

Lord Storey Portrait Lord Storey (LD)
- Hansard - -

While the Minister is responding on this issue—I was not allowed to move Amendment 87A because somebody shouted out “not moved” when it was in fact not moved by myself—could he include schools in his comments?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.

I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.

I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.

Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do —articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.

Turning to amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.

Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.