Data Protection Bill [Lords] (Fourth sitting) Debate
Louise Haigh (Labour - Sheffield Heeley)
Public Bill Committees
Thank you, Mr Hanson. It is a pleasure to serve under your chairmanship again.
I will first provide some context for this part of the Bill. The provisions in the Bill relating to national security exemptions and certificates are wholly in line with the provisions in the Data Protection Act 1998 and its predecessor, the Data Protection Act 1984. What we are doing in the Bill is preserving an arrangement that has been on the statute book for more than 30 years and has been operated by successive Governments.
The national security exemption is no different in principle from the other exemptions provided for in the Bill. If it is right that certain provisions of data protection legislation can be disapplied for reasons of, for example, crime prevention or taxation purposes, or in pursuit of various regulatory functions, without external approval, surely it is difficult to take issue with the need for an exemption on the grounds of national security on the same basis.
The Minister is absolutely right that the provisions mirror those in the DPA. That is exactly why we take issue with them. They mirror unacceptable preventions of rights in the tribunal appeal process, but do not mirror the rights in the Investigatory Powers Act 2016. Why were safeguards put in place in that Act, but will not apply in this Bill?
If I understand the hon. Lady’s argument correctly, she has presented the judicial commissioners as permitting, for example, a warrant to be granted. Having sat through the Joint Committee on the Draft Investigatory Powers Bill and then the Public Bill Committee, I can tell her that I am afraid that is not how that Act works. What happens is that the Secretary of State grants the warrant and then that decision is overseen by the judicial commissioner. I will come on to the difference between the Investigatory Powers Act and this Bill in due course, because the terminology used draws on that in the Investigatory Powers Act, but that Act is very different from this Bill, which is about the processing of data, in its engagement with people and their rights.
But what the national security certificate does not require is a statement of what data is being processed or the exemptions under which the Ministry of Defence or the intelligence services require it. That is what our amendments seek to introduce. If the Bill proceeds unamended, national security certificates would require only very broad details and no information on what data was being processed. It would therefore not be very likely that a tribunal would be able to oppose the decision on the basis of a judicial review.
I have a copy of a live certificate granted by the then Secretary of State, David Blunkett, on 10 December 2001. In the certificate, he sets out in summary the reasons why the certificate has been granted, including:
“The work of the security and intelligence agencies of the Crown requires secrecy.”
I assume hon. Members do not disagree with that. Another reason is:
“The general principle of neither confirming nor denying whether the Security Service processes data about an individual, or whether others are processing personal data for, on behalf of with a view to assist or in relation to the functions of the Security Service, is an essential part of that secrecy.”
Again, I assume that hon. Members do not disagree with that. As I said, this is a live certificate that has been given to the Information Commissioner, and is in the public domain for people to see and to check should they so wish. Those reasons are given in that certificate.
That is wonderful, but the Bill does not require that. It is great that my noble Friend Lord Blunkett put that on his national security application, but the Bill does not require that in law, so I am afraid that it is not a sufficient argument against the amendments that we have tabled.
What we are doing is transposing the requirements of the Data Protection Act 1998 into the Bill. It is difficult to see a situation in which a national security certificate will be granted on the basis that the work of the security and intelligence agencies of the Crown does not require secrecy.
Very much so—indeed, this debate ran through the passage of the Investigatory Powers Act 2016, which was one of the most scrutinised pieces of legislation. Senior parliamentarians who served on the Committee on that Act during long careers in this House, including the then Minister, my right hon. Friend the Member for South Holland and The Deepings (Mr Hayes), said that it was an incredibly well scrutinised Bill. There was constant debate about the battle, or tension, between ensuring the national security of our country in the most transparent way possible, and the fact that by definition there has to be some secrecy and confidentiality about the ways in which the security agencies work.
What was important in the debates on that Act, as it is in those on the current Bill, was making it clear that the idea that rogue civil servants or security agents can run around with people’s information with no checks is very wrong. We are replicating in the Bill the system that has been used for the past 30 years, because we consider that that system has the appropriate and necessary safeguards in the often very fast-moving context of a national security situation.
I will make a little progress, then I will take more interventions.
To be absolutely clear, a national security exemption is applied not by a Minister but by a data controller. Data controllers—be they the intelligence services, the Ministry of Defence or any other body—are well placed to make the determination, given that they will have a detailed understanding of the operational context and the extent to which departure from the requirement of the general data protection regulation—or parts 3 or 4 of the Bill as the case may be—is necessary to safeguard national security. In short, a data controller decides whether the national security exemption should be applied in a particular case, and the certificate is the evidence of the need for such an exemption in the event that someone challenges it.
I will give an example first, because I think it is so important. I fear that a bit of misunderstanding has crept in. Let us take the example of a subject access request. Mr Smith asks an intelligence service whether it is processing personal data concerning him and, if so, for information about that data under clause 94. The intelligence service considers whether it is processing personal data, which it will have obtained under its other statutory powers, such as the Regulation of Investigatory Powers Act 2000 or the Investigatory Powers Act 2016.
If the agency determines that it is processing personal data relating to Mr Smith, it then considers whether it is able to disclose the data, or whether a relevant exemption is engaged. For the agency, the key consideration will be whether disclosing the data would damage national security, for example by disclosing sensitive capabilities or alerting Mr Smith to the fact that he is a subject of investigation. If disclosure does not undermine national security and no other exemption is relevant, the intelligence service must disclose the information. However, if national security would be undermined by disclosure, the agency will need to use the national security exemption in relation to processing any personal data relating to Mr Smith.
If the intelligence service does not process any personal data relating to Mr Smith, it will again have to consider whether disclosing that fact would undermine national security, for example by revealing a lack of capability, which could be exploited by subjects of investigation. That is why, on occasion, when such requests are made, a “neither confirm nor deny” response may be necessary, because either confirming or denying may in itself have ramifications, not only in relation to Mr Smith but in relation to other aspects of national security.
Mr Smith may complain to the Information Commissioner about the response to his request for information. The intelligence service may then be required to demonstrate to the commissioner that the processing of personal data complies with the requirements of part four of the Bill, as set out in clause 102, and that it has responded to the request for information appropriately.
If, in legal proceedings, Mr Smith sought to argue that the national security exemption had been improperly relied upon, a national security certificate could be used as conclusive evidence that the national security exemption was required to safeguard national security. Any person who believed they were directly affected by the certificate could of course appeal against it to the upper tribunal, as set out in clause 111.
Does the Minister accept that in response to the case of Watson and others against the Government, the Government conceded that additional safeguards, including a far more robust system of independent oversight, were necessary? That test of judicial review is simply not sufficient as oversight. It cannot contest the merits of the case and applies only to the very limited, narrow appeal right of judicial review. It is just not sufficient.
I will come on, if I may, to the judicial review test. I have quite a lot about that.
There might be many reasons why we process information. The end result of processing might be for national security reasons or law enforcement reasons—my officials are scribbling away furiously, so I do not want to take away their glory when they provide me with the answer.
I have an answer on the Watson case, raised by the hon. Member for Sheffield, Heeley, which dealt with the retention of communications by communications service providers. Again, that is an entirely different scenario from the one we are talking about, where the material is held by the security services.
Amendment 161 goes further than the 2016 Act, because it places the decision to issue a certificate with the judicial commissioner. As I have said, national security certificates come into play only to serve in legal proceedings as conclusive evidence that an exemption from specified data protection requirements is necessary to protect national security—for example, to prevent disclosure of personal data to an individual under investigation, when such disclosure would damage national security. The certificate does not authorise the required use of the national security exemption, which is properly a matter for the data controller to determine.
Amendments 163 and 164 relate to the form of a national security certificate. Amendment 163 would require a detailed rather than general description of the data identified on a national security certificate, but we believe this change to be unnecessary and unhelpful, given that much data can be adequately described in a general way. Amendment 164, which would prevent a certificate from having prospective effect, appears to be dependent on the prior judicial authorisation scheme proposed in amendments 161 and 162, and again contrasts with the prospective nature of certificates currently under the Data Protection Act 1998.
Prospective certificates of the type issued under the 1998 Act are the best way of ensuring that the use of the national security exemption by the intelligence services and others is both sufficiently foreseeable for the purposes of article 8 of the European convention on human rights, and accountable. The accountability is ensured by the power to challenge certificates when they are issued, and that is something that has real teeth. The accountability is strengthened by the provision in clause 130 for the publication of certificates. The documents we are discussing will therefore be in the public domain—indeed, many of them are already. But it will now be set out in statute that they should be in the public domain.
Amendments 166 to 168 relate to the appeals process. Amendment 166 would broaden the scope for appealing a national security certificate from a person “directly affected” by it to someone who
“believes they are directly or indirectly affected”
by it. I wonder whether the Opposition did any work on the scope of the provision when drafting it, because the words “indirectly affected” have the potential to cause an extraordinary number of claims. How on earth could that phrase be defined in a way that does not swamp the security services with applications from people who consider that they might be indirectly affected by a decision relating to a national security matter? I do not see how that can be considered practicable.
As I have already said, the issue is that the judicial review process for appeal is incredibly narrow and limited. Under section 28 of the DPA, where an individual requests to access his or her data that is subject to a certificate, they will merely be informed that they have been given all the information that is required under the Act. They would not be informed that their data is being withheld on the grounds of a national security certificate. That means that it is impossible for them to know whether they even have the right to appeal under a judicial review, and they do not have the information available to allow them to take that judicial review case forward. That is why the amendment is drafted in this way. If the Minister would like, she can suggest some alternative wording that would solve the problem.
We get to the nub of the problem. Is the hon. Lady seriously suggesting that the security services should notify someone who puts in an access request that they are the subject of an investigation? That is the tension facing the security services. That is why we have internationally met standards, with regard to article 108 of the convention, which the Bill complies with. That is why we have to build in all these safeguards, to try to ensure that those people who intend ill will to this country do not benefit from our natural wish to be as transparent as possible when dealing with people’s personal data.
I have already explained that there would of course be an exemption for not informing individuals if they were under surveillance or being processed, but there are not sufficient oversights, safeguards or appeals. In the absence of any of those three, the Minister has to accept that there are absolutely no checks and balances on the exemptions listed under the clause.
There most certainly are: they have the right to appeal to the upper tribunal.
The Government have listened to the concerns of the House of Lords. We added clause 130 in the Lords to provide for the publication of national security certificates by the Information Commissioner, so that they would be easily accessible to anyone who wished to mount a subject access request, and could be tested accordingly. In her briefing to noble Lords about the Bill, the Information Commissioner said that the clause was
“very welcome as it should improve regulatory scrutiny and foster greater public trust and confidence in the use of national security certificate process.”
It will also ensure that any person who believes that they are directly affected by a certificate will be better placed to exercise their appeal rights.
The Bill’s approach to national security certificates is tried and tested. We rely on those 30 years of experience of the regime being in place. In her written submission to the Committee, the Information Commissioner has not raised any issues in respect of the provisions in clause 27.
I hope that I have reassured the hon. Member for Sheffield, Heeley. I suspect from the interventions that she may well press the amendment to a vote, but I invite her to withdraw it. We have scrutinised this matter, and the Government are clear that the Bill reflects the past 30 years of the regime. It has worked and the Information Commissioner has not raised any concerns about clause 27.
I am afraid that the Minister is correct; she has not reassured Opposition Members. The amendment is not about putting obstacles in the way of our intelligence agencies going about their operational capabilities—that is the last thing we want to do—but the Minister has been unable to give us a clear argument as to why there should be stronger safeguards on the collection of data than on processing. That the Home Office would like to have the data is not a sufficient argument.
Please do not trivialise the matter. It is not the case that the Home Office would like the data; this is national security. This is the regime that our security services use at the moment. It is the regime they need. That is why the Government are pressing the issue. Again, I would have thought that this week of all weeks is the week to back our security services, not to put more barriers in their way.
The intelligence agencies, as my right hon. Friend the Member for Birmingham, Hodge Hill has said, take parliamentary oversight and scrutiny seriously. The safeguards and oversights are not built into the Bill in the way they were in the Investigatory Powers Act 2016. There is no clear argument why those safeguards should be in place for collection, but not for processing. The Minister has constantly relayed that that decision is based on 30 years’ worth of data but, as has already been said, the scope for the collection and processing of data is so far transformed, even from when the Data Protection Act was written in 1998, that the oversights and safeguards need to be transformed as well. That is why we are proposing these amendments.
The Joint Committee on Human Rights has suggested that the exemptions put forward in the Bill are not legal and introduce arbitrary interferences into people’s privacy rights. It is this Committee’s responsibility to ensure that the amendments pass. That is not trivialising the issue, but ensuring that there is a proper debate about security and the individual’s data subject rights. That is why we will press the amendment to a vote.
Question put, That the amendment be made.
There is the example of Durham police force—an excellent police force in many regards—using automated decision making to decide who does and does not remain in custody, and when people receive their charge. A human is involved in that decision-making process at the moment, but the Bill would enable that to be taken away and allow it to be done purely on an automated basis. I am sure the Minister understands our concerns about removing humans from that decision-making process.
I have to say that I am not familiar with that example. I look to my officials—
I will pick up on the comments by the right hon. Gentleman, if I may.
In the Durham example given by the hon. Member for Sheffield, Heeley, I do not understand how a custody sergeant could sign a custody record without there being any human interaction in that decision-making process. A custody sergeant has to sign a custody record and to review the health of the detainee and whether they have had their PACE rights. I did not go into any details about it, because I was surprised that such a situation could emerge. I do not see how a custody sergeant could be discharging their duties under the Police and Criminal Evidence Act 1984 if their decision as to custody was based solely on algorithms, because a custody record has to be entered.
I thank the Minister for allowing me to clarify. I did not say that it was solely an algorithmic decision already. Durham is using an algorithm known as the harm assessment risk tool. A human makes a decision based on the algorithm’s recommendations. The point I was making was that law enforcement is using algorithms to make very important decisions that limit an individual’s right to freedom, let alone the right to privacy or anything else, but the Bill will enable law enforcement to take that further. I appreciate what the Minister is saying about PACE and the need for a custody sergeant, but the Bill will enable law enforcement to take that further and to remove the human right—
This has been a moment of genuine misunderstanding. Given how the hon. Lady presented that, to me it sounded as if she was saying that the custody record and the custody arrangements of a suspect—detaining people against their will in a police cell—was being done completely by a computer. That was how it sounded. There was obviously an area of genuine misunderstanding, so I am grateful that she clarified it. She intervened on me when I said that we were not aware of any examples of the police solely using automated decision making—that is when she intervened, but that is not what she has described. A human being, a custody sergeant, still has to sign the record and review the risk assessment to which the hon. Lady referred. The police are using many such examples nowadays, but the fact is that a human being is still involved in the decision-making process, even in the issuing of penalties for speeding. Speeding penalties may be automated processes, but there is a meaningful element of human review and decision making, just as there is with the custody record example she gave.
There was a genuine misunderstanding there, but I am relieved, frankly, given that the right hon. Member for Birmingham, Hodge Hill was making points about my being unaware of what is going on in the Home Office. I am entirely aware of that, but I misunderstood what the hon. Lady meant and I thought she was presenting the custody record as something that is produced by a machine with no human interaction.
Clause 35 establishes the principle that subject access requests should be provided free of charge in most cases. That will be the default position in most cases. In terms of the fees, that will not be a matter to place in statute; certainly, I can write to the right hon. Gentleman with my thoughts on how that may develop. The intention is that in the majority of cases, there will be no charge.
Question put and agreed to.
Clause 53, as amended, accordingly ordered to stand part of the Bill.
Clause 54
Meaning of “applicable time period”
Amendments made: 29, in clause 54, page 32, line 14, leave out “day” and insert “time”.
This amendment is consequential on Amendment 71.
Amendment 30, in clause 54, page 32, line 15, leave out “day” and insert “time”.—(Victoria Atkins.)
This amendment is consequential on Amendment 71.
Clause 54, as amended, ordered to stand part of the Bill.
Clauses 55 to 63 ordered to stand part of the Bill.
Clause 64
Data protection impact assessment
I beg to move amendment 142, in clause 64, page 37, line 2, leave out “is likely to” and insert “may”.
With this it will be convenient to discuss the following:
Amendment 143, in clause 64, page 37, line 2, leave out “high”.
Amendment 144, in clause 64, page 37, line 15, leave out “is likely to” and insert “may”.
Amendment 145, in clause 64, page 37, line 15, leave out “high”.
Amendment 146, in clause 65, page 37, line 19, leave out subsection (1) and insert—
“(1) This section applies where a controller intends to—
(a) create a filing system and process personal data forming part of it, or
(b) use new technical or organisational measures to acquire, store or otherwise process personal data.”
Amendment 147, in clause 65, page 37, line 23, leave out “would” and insert “could”.
Amendment 148, in clause 65, page 37, line 23, leave out “high”.
Amendment 149, in clause 65, page 37, line 44, at end insert—
“(8) If the Commissioner is not satisfied that the controller or processor (where the controller is using a processor) has taken sufficient steps to remedy the failing in respect of which the Commissioner gave advice under subsection (4), the Commissioner may exercise powers of enforcement available to the Commissioner under Part 6 of this Act.”
New clause 3—Data protection impact assessment: intelligence services processing—
“(1) Where a type of processing proposed under section 103(1) may result in a risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.
(2) A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.
(3) A data protection impact assessment must include the following—
(a) a general description of the envisaged processing operations;
(b) an assessment of the risks to the rights and freedoms of data subjects;
(c) the measures envisaged to address those risks;
(d) safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
(4) In deciding whether a type of processing could result in a risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.”
New clause 4—Prior consultation with the Commissioner: intelligence services processing—
“(1) This section applies where a controller proposes that a particular type of processing of personal data be carried out under section 103(1).
(2) The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section [Data protection impact assessment: intelligence services processing] indicates that the processing of the data could result in a risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).
(3) Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—
(a) the data protection impact assessment prepared under section [Data protection impact assessment: intelligence services processing], and
(b) any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.
(4) Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.
(5) The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.
(6) The Commissioner may extend the period of 6 weeks by a further period of one month, taking into account the complexity of the intended processing.
(7) If the Commissioner extends the period of 6 weeks, the Commissioner must—
(a) inform the controller and, where applicable, the processor of any such extension before the end of the period of one month beginning with receipt of the request for consultation, and
(b) provide reasons for the delay.
(8) If the Commissioner is not satisfied that the controller or processor (where the controller is using a processor) has taken sufficient steps to remedy the failing in respect of which the Commissioner gave advice under subsection (4), the Commissioner may exercise powers of enforcement available to the Commissioner under Part 6 of this Act.”
The amendments in my name, and in the names of my right hon. and hon. Friends, are all designed to strengthen the requirement to conduct impact assessments, and to require permission from the Information Commissioner for the purposes of data processing for law enforcement agencies. Impact assessments are a critical feature of the landscape of data protection, particularly where new technology has evolved. It is vital that we have in place enabling legislation and protective legislation to cover new technologies and new methods of data collection and processing.
Since the introduction of the Data Protection Act 1998, the advance of technology has considerably increased the ability of organisations to collect data, as we have discussed. The impact assessment as envisaged allows for an assessment to be conducted where there are systematic and extensive processing activities, including profiling, and where decisions have legal effects, or similarly significant effects, on individuals. In addition, an assessment can be conducted where there is large-scale processing of special categories of data, or personal data in relation to criminal convictions or offences, and where there is a high risk to rights and freedoms—for example, based on the sensitivity of the processing activity.
Given the breadth and reach of new technology, it is right that impact assessments are conducted where the new technology may present a risk, rather than a “high risk”, as envisaged in the Bill. That is what we seek to achieve with the amendments. New technology in law enforcement presents a unique challenge to the data protection and processing environment. The trialling of technology, including facial recognition and risk assessment algorithms, as already discussed, has not been adequately considered by Parliament to date, nor does it sit easily within the current legal framework. I do not doubt that such technologies have a significant role to play in making law enforcement more effective and efficient, but they have to be properly considered by Parliament, and they need to have adequate oversight to manage their appropriate use.
Facial recognition surveillance was mentioned in Committee on Tuesday. The Minister was right to say that it is being trialled by the Metropolitan police, but it has been trialled for three years running. I suggest that it is no longer a trial. It is also being used by South Wales police and other police forces across the country, particularly when policing large events. The Metropolitan police use it in particular for Notting Hill carnival.
In September last year, the Policing Minister made it clear in response to a written question that there is no legislation regulating the use of CCTV cameras with facial recognition. The Protection of Freedoms Act 2012 introduced the regulation of overt public space surveillance cameras. As a result, the surveillance camera code of practice was issued by the Secretary of State in 2013. However, there is no reference to facial recognition in the Act, even though it provides the statutory basis for public space surveillance cameras.
Neither House of Parliament has ever considered or scrutinised automated facial recognition technology. To do so after its deployment—after three years of so-called trialling by the Metropolitan police—is unacceptable, particularly given the technology’s significant and unique impact on rights. The surveillance camera commissioner has noted that “clarity regarding regulatory responsibility” for such facial recognition software is “an emerging issue”. We urgently need clarity on whether the biometric commissioner, the Information Commissioner or the surveillance camera commissioner has responsibility for this use of technology. Our amendments suggest that the Information Commissioner should have scrutiny powers over this, but if the Minister wants to tell me that it should be any of the others, we will be happy to support that.
I have just a small correction. The hon. Member for Sheffield, Heeley said in error that the Home Office were holding on to the photographs. It is not the Home Office. It is individual police forces that hold that.
No, it is on the police national computer. That falls under the responsibility of the Home Office, not individual forces.
That is run by the police. I do not want the misapprehension to be established that there is an office in the Home Office in Marsham Street where these photographs are held on a computer. It is on the police national computer, which is a secure system that people have to have security clearance to get into. It is not completely accurate to say that the Home Office has possession of it.
I would be grateful if the Minister can confirm that all the examples we raised today will fall under the “high risk” category in the Bill.
I will deal with the definition of high risk in a moment. Clause 64 separates out the processing most likely significantly to affect an individual’s rights and freedom, which requires an additional level of assessment to reflect the higher risk. The amendments would water down the importance of those assessments. That is not to say that consideration of the impact on rights and freedoms can be overlooked. It will, of course, remain necessary for the controller to carry out that initial assessment to determine whether a full impact assessment is required. Good data protection is not achieved by putting barriers in the way of processing. It is about considering the risk intelligently and applying appropriate assessments accordingly.
On the question of high risk, officers or data controllers will go through that process when considering whether a data protection impact assessment is correct. I will write to the hon. Lady to clarify whether the bodies and lists she mentioned will be defined as high risk. The fact is that they are none the less regulated by various organisations.
Indeed. A pertinent example of that is the development of artificial intelligence to help the police categorise images of child sexual exploitation online. That tool will help given the volume of offences now being carried out across the world. It will also help the officers involved in those cases, because having to sit at a computer screen and categorise some of these images is soul-breaking, frankly. If we can use modern technology and artificial intelligence to help categorise those images, that must surely be a good thing.
There is absolutely no argument over that. As a former special constable myself, I have no wish to put obstacles in the way of law enforcement. There is a particular need to develop technology to help digital investigations, and I think the Government have been delaying that. Human failures in those investigations have led to the collapse of several trials over the past couple of months.
The Minister says that the surveillance camera commissioner has a role. The commissioner has said that there needs to be further clarity on regulatory responsibility. It is not clear whether it is the surveillance camera commissioner, the biometrics commissioner or the Information Commissioner who has responsibility for facial recognition software. Does she accept that the Government urgently need to provide clarity, as well as guidance to the National Police Chiefs’ Council and police forces, about the use of this potentially invasive software?
Specifically on clause 64, which is about the data protection impact assessment, the judgment as to whether the proposed processing is high risk must be a matter for the controller. On the face of it, many of the systems that the hon. Lady described in her speech will involve high risk, but with respect the decision is not for me to make as a Minister on my feet in Committee. We must allow data controllers the freedom and responsibility to make those assessments. They are the ones that make the decisions and what flows from that in terms of processing.
If the hon. Lady will write to me on the more general, wider point about oversight of the surveillance camera commissioner and so on, I would be happy to take that up outside of Committee.
The issue about whether it is high risk is of course a matter for the data controller, but we are scrutinising this Bill, and the Minister is asking us to support a test of high risk. I am sure the whole Committee would agree that all the cases that have been suggested today involve an incredibly high risk. They involve deprivation of liberty and invasion of privacy. The idea that we would accept a definition of high risk that does not cover those examples is too much for the Opposition to support. That is why the amendment exists. We need to test exactly what the Government envisage in the definition of high risk.
May I just clarify whether the hon. Lady intends to amend her amendment to list the various categories she listed in her speech? I have been very clear that high risk is defined as including processing where there is a particular likelihood of prejudice to the rights and freedoms of data subjects. I would be very cautious about listing examples in the Bill through an amendment, because as we have all acknowledged, criminality and other things develop over time. It would be very bold to put those categories in the Bill.
No one is suggesting that such examples should go in the Bill. I appreciate this is the Minister’s first Bill Committee, but the job of the Opposition is to test the definitions in the Bill and ensure that it is fit for purpose. My concern is that the definition of high risk is set too high to cover law enforcement agencies and will allow egregious breaches of individuals’ data rights, privacy rights and right to liberty. It is our job as the Opposition—there is nothing wrong with us exercising this role—to ensure that the Bill is fit for purpose. That is what we are seeking to do.
I am extremely grateful to the hon. Lady for clarifying her role. My answer is exactly as I said before. High risk includes processing where there is a particular likelihood of prejudice to the rights and freedoms of data subjects. That must be a matter for the data controller to assess. We cannot assess it here in Committee for the very good reason put forward by members of the Committee: we cannot foresee every eventuality. Time will move on, as will technology. That is why the Bill is worded as it is, to try to future-proof it but also, importantly, because the wording complies with our obligations under the law enforcement directive and under the modernised draft Council of Europe convention 108.
Clause 65(2) states:
“The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk”.
There are many complicated cases that the police and others have to deal with. That is why we have guidance rather than putting it in statute—precisely to give those on the frontline the flexibility of understanding, “This situation has arisen, and we need to calibrate the meaning of high risk and take that into account when we look at the prejudices caused to a person or a group of people.” That is precisely what we are trying to encompass. Presumably, that is what the Council of Europe and those involved in drafting the law enforcement directive thought as well.
Of course, there will be guidance from the Information Commissioner to help data controllers on those assessments, to enable us to get a consistent approach across the country. That guidance will be the place to address these concerns, not on the face of the Bill.
Can the Minister confirm that the Metropolitan police consulted the Information Commissioner before trialling facial recognition software? I appreciate that she might not be able to do so on her feet, so I will of course accept it if she wishes to write to me.
I am afraid that I will have to write to the hon. Lady on that.
The intention behind this part of the Bill is not to place unnecessary barriers in the way of legitimate processing. Nor, we all agree, should we place additional burdens on the commissioner without there being a clear benefit. These provisions are in the Bill to address the need for an intelligent application of the data protection safeguards, rather than assuming that a one-size-fits-all approach results in better data protection.
Amendment 149 would insert a new subsection (8) to clause 65, which would permit the commissioner to exercise powers of enforcement if she was not satisfied that the controller or processor had taken sufficient steps to act on her opinion that intended processing would infringe the provisions in part 3. It is worth noting that the purpose of clause 65 is to ensure consultation with the commissioner prior to processing taking place. It is therefore not clear what enforcement the commissioner would be expected to undertake in this instance, as the processing would not have taken place. If, however, the controller sought to process the data contrary to the commissioner’s opinion, it would be open to her to take enforcement action in line with her powers already outlined in part 6.
I do not know, Mr Hanson, whether we have dealt with new clauses 3 and 4.
I remain concerned that the Bill leaves gaps that will enable law enforcement agencies and the police to go ahead and use technology that has not been tested and has no legal basis. As my right hon. Friend the Member for Birmingham, Hodge Hill said, that leaves the police open to having to develop their own guidance at force level, with all the inconsistencies that would entail across England and Wales.
The Minister agreed to write to me on a couple of issues. I do not believe that the Metropolitan police consulted the Information Commissioner before trialling the use of photo recognition software, and I do not believe that other police forces consulted the Information Commissioner before rolling out mobile fingerprint scanning. If that is the case and the legislation continues with the existing arrangements, that is not sufficient. I hope that before Report the Minister and I can correspond so as potentially to strengthen the measures. With that in mind, and with that agreement from the Minister, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 64 ordered to stand part of the Bill.
Clauses 65 and 66 ordered to stand part of the Bill.
Clause 67
Notification of a personal data breach to the Commissioner
Question proposed, That the clause stand part of the Bill.
The Committee is looking for some guidance and for tons of reassurance from the Minister about how the clause will bite on data processors who do not happen to base their operations here in the United Kingdom. This morning we debated the several hundred well-known data breaches around the world and highlighted some of the more recent examples, such as Yahoo!—that was probably the biggest—and AOL. More recently, organisations such as Uber have operated their systems with such inadequacy that huge data leaks have occurred, directly infringing the data protection rights of citizens in this country. The Minister will correct me if I am wrong, but I am unaware of any compensation arrangements that Uber has made with its drivers in this country whose data was leaked.
Even one of the companies closest to the Government—Equifax, which signed a joint venture agreement with the Government not too long ago—has had a huge data breach. It took at least two goes to get a full account from Equifax of exactly what had happened, despite the fact that Her Majesty’s Government were its corporate partner and had employed it through the Department for Work and Pensions. All sorts of information sharing happened that never really came to light. I am not sure whether any compensation for Equifax data breaches has been paid to British citizens either.
My point is that most citizens of this country have a large amount of data banked with companies that operate from America under the protection of the first amendment. There is a growing risk that in the years to come, more of the data and information service providers based in the UK will go somewhere safer, such as Ireland, because they are worried about the future of our adequacy agreement with the European Commission. We really need to understand in detail how the Information Commissioner, who is based here, will take action on behalf of British citizens against companies in the event of data breaches. For example, how will she ensure notification within 72 hours? How will she ensure the enforcement of clause 67(4), which sets out the information that customers and citizens must be told about the problem?
This morning we debated the Government’s ludicrous proposals for class action regimes, which are hopelessly inadequate and will not work in practice. We will not have many strong players in the UK who are able to take action in the courts, so we will be wholly reliant on the Information Commissioner to take action. I would therefore be grateful if the Minister reassured the Committee how the commissioner will ensure that clause 67 is enforced if the processor of the data is not on our shores.