Data Protection Bill [Lords] Debate
Margot James (Conservative - Stourbridge), Department for Digital, Culture, Media & Sport
(6 years, 6 months ago)
Commons Chamber
I beg to move, That the clause be read a Second time.
With this it will be convenient to discuss the following:
Government new clause 14—Destroying or falsifying information and documents etc.
Government new clause 15—Applications in respect of urgent notices.
Government new clause 16—Post-review powers to make provision about representation of data subjects.
Government new clause 17—Reserve forces: data-sharing by HMRC.
New clause 3—Bill of Data Rights in the Digital Environment—
‘Schedule [Bill of Data Rights in the Digital Environment] shall have effect.’
This new clause would introduce a Schedule containing a Bill of Data Rights in the Digital Environment.
New clause 4—Bill of Data Rights in the Digital Environment (No. 2)—
‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.
(2) Before making regulations under this section, the Secretary of State shall—
(a) consult—
(i) the Commissioner,
(ii) trade associations,
(iii) data subjects, and
(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and
(b) publish a draft of the Bill of Data Rights.
(3) The Bill of Data Rights in the Digital Environment shall enshrine—
(a) a right for a data subject to have privacy from commercial or personal intrusion,
(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),
(c) a right for a data subject to have their access to their data profiles or personal data protected, and
(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.
(4) Regulations under this section are subject to the affirmative resolution procedure.’
This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.
New clause 6—Targeted dissemination disclosure notice for third parties and others (No. 2)—
‘In Schedule 19B of the Political Parties, Elections and Referendums Act 2000 (Power to require disclosure), after paragraph 10 (documents in electronic form) insert—
‘10A (1) This paragraph applies to the following organisations and individuals—
(a) a recognised third party (within the meaning of Part 6);
(b) a permitted participant (within the meaning of Part 7);
(c) a regulated donee (within the meaning of Schedule 7);
(d) a regulated participant (within the meaning of Schedule 7A);
(e) a candidate at an election (other than a local government election in Scotland);
(f) the election agent for such a candidate;
(g) an organisation or individual formerly falling within any of paragraphs (a) to (f); or
(h) the treasurer, director, or another officer of an organisation to which this paragraph applies, or has been at any time in the period of five years ending with the day on which the notice is given.
(2) The Commission may under this paragraph issue at any time a targeted dissemination disclosure notice, requiring disclosure of any settings used to disseminate material which it believes were intended to have the effect, or were likely to have the effect, of influencing public opinion in any part of the United Kingdom, ahead of a specific election or referendum, where the platform for dissemination allows for targeting based on demographic or other information about individuals, including information gathered by information society services.
(3) This power shall not be available in respect of registered parties or their officers, save where they separately and independently fall into one or more of categories (a) to (h) of sub-paragraph (1).
(4) A person or organisation to whom such a targeted dissemination disclosure notice is given shall comply with it within such time as is specified in the notice.’’
This new clause would amend the Political Parties, Elections and Referendums Act 2000 to allow the Electoral Commission to require disclosure of settings used to disseminate material where the platform for dissemination allows for targeting based on demographic or other information about individuals.
New clause 10—Automated decision-making concerning a child—
‘(1) Where a data controller expects to take a significant decision based solely on automated processing which may concern a child, the controller must, before such processing is undertaken—
(a) deposit a data protection impact assessment with the Commissioner, and
(b) consult the Commissioner (within the meaning of Article 36 of the GDPR), regardless of measures taken by the controller to mitigate any risk.
(2) Where, following prior consultation, the Commissioner does not choose to prevent processing on the basis of Article 58(2)(f) of the GDPR, the Commissioner must publish the part or parts of the data protection impact assessment provided under subsection (1), relevant to the reaching of that decision.
(3) The Commissioner must produce and publish a list of safeguards to be applied by data controllers where any significant decision based solely on automated processing may concern a child.
(4) For the purposes of this section, the meaning of “child” is determined by the age of lawful processing under Article 8 of the GDPR and section 9 of this Act.’
New clause 11—Education: safe use of personal data—
‘(1) The Children and Social Work Act 2017 is amended as follows.
(2) In section 35 (other personal, social, health and economic education), after subsection (1)(b) insert—
‘(1A) In this section, “personal, social, health and economic education” shall include education relating to the safe use of personal data.’’
This new clause would enable the Secretary of State to require that personal information safety be taught as a mandatory part of the national PSHE curriculum.
New clause 12—Health bodies: disclosure of personal data—
‘(1) In section 261 of the Health and Social Care Act 2012 (Health and Social Care Information Centre: dissemination of information) after subsection (5) insert—
‘(5A) A disclosure of personal data may be made under subsection (5)(e) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(5B) In subsection (5A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences Against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(2) In section 13Z3 of the National Health Service Act 2006 () at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(3) In section 14Z23 of the National Health Service Act 2006 (clinical commissioning groups: permitted disclosure of information) at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(4) In section 79 of the Health and Social Care Act 2008 (Care Quality Commission: permitted disclosures) after subsection (3) insert—
‘(3A) A disclosure of personal data may be made under subsection (3)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(3B) In subsection (3A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’’
This new clause would prevent personal data held by the NHS from being disclosed for the purpose of the investigation of a criminal offence unless the offence concerned is serious, which is consistent with the NHS Code of Confidentiality and GMC guidance on confidentiality. It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials.
New clause 24—Safeguards on the transfer of data for lethal force operations overseas—
‘(1) A transferring controller may not make any transfer of personal data outside the United Kingdom under Part 4 of this Act where—
(a) the transferring controller knows, or should know, that the data will be used in an operation or activity that may involve the use of lethal force, and
(b) there is a real risk that the transfer would amount to a breach of domestic law or an internationally wrongful act under international law.
(2) Where the transferring controller determines that there is no real risk under subsection (1)(b), the transfer is not lawful unless—
(a) the transferring controller documents the determination, providing reasons, and
(b) the Secretary of State has approved the transfer in writing.
(3) Any documentation created under subsection (2) shall be provided to the Information Commissioner and the Investigatory Powers Commissioner within 90 days of the transfer.
(4) A “transferring controller” is a controller who makes a transfer of personal data outside the United Kingdom under Part 4 of this Act.
(5) For the purposes of subsection (1)(b),
(c) “domestic law” includes, but is not limited to,
(i) soliciting, encouraging, persuading or proposing a murder contrary to section 4 of the Offences Against the Person Act 1861,
(ii) conspiracy to commit murder contrary to section 1 or 1A of the Criminal Law Act 1977,
(iii) aiding, abetting, counselling, or procuring murder contrary to section 8 of the Accessories and Abettors Act 1861,
(iv) offences contrary to section 44, 45 and 46 of the Serious Crime Act 2007,
(v) offences under the International Criminal Court Act 2001.
(d) “International law” includes, but is not limited to, Article 16 of the 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts.
(6) The Secretary of State must lay before Parliament, within six months of the coming into force of this Act, guidance for intelligence officers on subsections (1) and (2).
(7) The Secretary of State must lay before Parliament any subsequent changes made to the guidance reported under subsection (6) within 90 days of any changes being made.’
Amendment 18, in clause 7, page 5, line 24, after “subsections” insert “(1A),”.
Government amendment 22.
Amendment 19, page 5, line 24, at end insert—
‘(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—
(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or
(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).’
Government amendments 23 and 24.
Amendment 4, in clause 10, page 6, line 37, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 5, in clause 14, page 8, line 11, at end insert—
‘(2A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).
(2B) A decision is “based solely on automated processing” for the purposes of this section if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.’
This amendment would ensure that where human rights are engaged by automated decisions these are human decisions and provides clarification that purely administrative human approval of an automated decision does make an automated decision a ‘human’ one.
Amendment 6, page 9, line 36, leave out clause 16.
This amendment would remove delegated powers that would allow the Secretary of State to add further exemptions.
Government amendment 143.
Amendment 7, in clause 35, page 22, line 14, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 151, in clause 49, page 30, line 19, at end insert—
‘(1A) A controller may not take a significant decision based solely on automated processing if that decision affects the rights of the data subject under the Human Rights Act 1998.’
Amendment 2, in clause 50, page 30, line 28, at end insert—‘and
(c) it does not engage the rights of the data subject under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 8, in clause 86, page 51, line 21, leave out subsections (3) and (4).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 3, in clause 96, page 56, line 38, after “law” insert—
‘unless the decision engages an individual’s rights under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 9, page 63, line 27, leave out clause 113.
This amendment would remove delegated powers that would allow the Secretary of State to create new exemptions to Part 4 of the Bill.
Government amendments 25 to 37.
Amendment 20, in clause 144, page 81, line 11, leave out “7 days” and insert “24 hours”.
This amendment would reduce from 7 days to 24 hours the minimum period which must elapse before a controller or processor has to comply with an assessment notice which has been issued by the Commissioner and which the Commissioner has stated should be complied with urgently.
Government amendments 38 to 71.
Government new schedule 3—Transitional provision etc.
New schedule 1—Bill of Data Rights in the Digital Environment—
‘The UK recognises the following Data Rights:
Article 1—Equality of Treatment
Every data subject has the right to fair and equal treatment in the processing of his or her personal data.
Article 2—Security
Every data subject has the right to security and protection of their personal data and information systems.
Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.
Article 3—Free Expression
Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.
Article 4—Equality of Access
Every data subject has the right to access and participate in the digital environment on equal terms.
Internet access should be open.
Article 5—Privacy
Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.
Article 6—Ownership
Every data subject has the right to own and control his or her personal data.
Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.
Article 7—Control
Every data subject is entitled to know the purpose for which personal data is being processed. Data controllers should not deliberately extend the gathering of personal data solely for their own purposes. Government, corporations, public authorities and other data controllers must obtain meaningful consent for the use of people’s personal data. Every data subject has the right to own, curate, move, revise or review their personal data.
Article 8—Algorithms
Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.
Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.
Article 9—Participation
Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.
Article 10—Protection
Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.
Article 11—Removal
Every data subject is entitled to revise and remove their personal data.
Compensation
Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.
Application to Children
The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child. Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code set out in section 123 of this Act.’
Government amendments 72 and 73.
Amendment 16, in schedule 2, page 140, line 15, at end insert—
‘(1A) The exemption in sub-paragraph (1) may not be invoked in relation to offences under—
(a) sections 24, 24A, 24B or 24C of the Immigration Act 1971,
(b) section 21 of the Immigration, Asylum and Nationality Act 2006, or
(c) sections 33A and 33B of the Immigration Act 2014.’
Amendment 15, page 141, line 17, leave out paragraph 4.
Government amendments 141 and 142.
Amendment 10, page 152, line 24, leave out paragraph 19 and insert—
‘19 The listed GDPR provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 139, 74 and 75.
Amendment 11, in schedule 11, page 196, line 39, leave out paragraph 9 and insert—
‘9 The listed provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 140 and 76 to 80.
Amendment 21, in schedule 15, page 206, line 11, at end insert—
‘(1A) A warrant issued under subparagraph (1)(b) or (1)(c) of this paragraph does not require any notice to be given to the controller or processor, or to the occupier of the premises.’
This amendment would make it clear that a judge can issue a warrant to enter premises under subparagraphs 4(1)(b) or 4(1)(c) without the Commissioner having given prior notice to the data controller, data processor or occupier of premises.
Government amendments 81 to 85.
Amendment 12, page 208, line 13, leave out
“with respect to obligations, liabilities or rights under the data protection legislation”.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Amendment 13, page 208, line 21, leave out from “proceedings” to the end of line 23.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 86 to 138.
Order. Will people who are leaving the Chamber please do so quietly? The Minister is making an important speech and people want to hear it. It is just rude to make a noise—unless you happen to be in the Chair.
I propose to start my remarks by addressing the Government amendments to strengthen the powers of the Information Commissioner.
The investigation of the Information Commissioner’s Office into Cambridge Analytica is unprecedented in its scale and complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998 and the parliamentarians who scrutinised it could have envisaged. Although we recognise that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in the light of the commissioner’s experience. Following extensive discussions with the commissioner and in Committee, we concluded that such provision is desirable. Our amendments will strengthen the commissioner’s ability to enforce the law, while ensuring that she operates within a clear and accountable structure. I will give a few examples.
First, amendments 27 and 28 will allow the commissioner to require any person who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. That might be important where, for example, a former employee has information about the organisation’s processing activities.
Secondly, new clause 13 will allow the commissioner to apply to the court for an order to force compliance when a person fails to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.
Thirdly, amendments 30 and 45 will allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. Amendment 38 will allow the commissioner, in certain circumstances, to issue an assessment notice that can have immediate effect. Those amendments will allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities in a prompt and effective way. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.
Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the commissioner’s investigation.
Finally, we have taken this opportunity to modernise the commissioner’s powers. Storing files on an office server is rapidly becoming a thing of the past. Amendment 79 will enable the commissioner to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.
When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, when an information, assessment or enforcement notice containing an urgency statement is served on a person, new clause 15 will allow them to apply to the court to disapply the urgency statement. In effect, they will have a right to apply to the court to vary the timetable for compliance with the order. A court considering an application from the commissioner for an information order will be able to take into account all the relevant circumstances at the time, including whether an application has been brought by the person concerned under new clause 15 and whether the person has brought an appeal against the notice itself in the tribunal. These amendments have been developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions.
I now turn to the representation of data subjects. I am very grateful to Baroness Kidron for her continued engagement on this subject. In particular, we agree that children merit special protection in relation to their personal data and that the review the Government will undertake shall look accordingly at the specific barriers young people and children face in enforcing their rights. Government new clause 16, as well as amendments 61, 62, 63, 70 and 75, ensures that they will.
Government new clause 17 concerns maintaining contact with ex-regular reserve forces. This will allow Her Majesty’s Revenue and Customs to share contact detail information with the Ministry of Defence to ensure that the MOD is better able to locate and contact members of the ex-regular reserve.
New clause 12, on data sharing by health bodies, is in the name of my hon. Friend the Member for Totnes (Dr Wollaston), who chairs the Health and Social Care Committee. I know she and the Committee have significant and legitimate concerns about the operation of the memorandum of understanding between NHS Digital and the Home Office, which currently allows the sharing of non-clinical information, principally address information, for immigration purposes. The Select Committee has argued for the suspension of the MOU pending the outcome of a review of its impact by Public Health England. New clause 12 seeks to adopt a more long-term approach by narrowing the ability of NHS Digital to disclose information in connection with the investigation of criminal offences. The aim is to narrow the MOU’s scope, so that it only facilitates the exchange of personal data in cases involving serious criminality.
The Government have reflected further on the concerns put forward by my hon. Friend and her Committee. As a result, and with immediate effect, the data sharing arrangements between the Home Office and the NHS have been amended. This is a new step and it supersedes the position set out in previous correspondence between the Home Office, the Department for Health and Social Care and the Select Committee.
I know my hon. Friend and her colleagues have been particularly exercised by the contents of a letter dated 23 February from both the above-mentioned Departments to her Select Committee, in which it is stated that
“a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in exercise of their lawful powers”.
The bar for sharing data will now be set significantly higher. By sharing, I mean sharing between the Department of Health and Social Care, the Home Office and, in future, possibly other Departments. No longer will the names of overstayers and illegal entrants be sought against health service records to find current address details. The data sharing, relying on powers under the Health and Social Care Act 2012, the National Health Service Act 2006 and the Health and Social Care Act 2008, will only be used to trace an individual who is being considered for deportation action having been investigated for, or convicted of, a serious criminal offence that results in a minimum sentence of at least 12 months in prison.
The Government have a long-held policy on what level of serious criminality is deserving of deportation, given statutory force by the UK Borders Act 2007. When a custodial sentence of more than 12 months has been given, consideration for deportation must therefore follow. Henceforth, the Home Office will only be able to use the memorandum of understanding to trace an individual who is being considered for deportation action having been convicted of a serious criminal offence, or when their presence is considered non-conducive to the public good—for example, when they present a risk to public security but have yet to be convicted of a criminal offence.
Can the Minister give me more reassurance about the Home Office and its activity in this regard? At the moment, I have constituents who, under paragraph 322(5) of the immigration rules, face being deported for making legitimate changes to their tax return through HMRC data being accessed. Will she reassure me about what the Home Office can do to make sure that this is not abused and misused for the purposes of meeting immigration targets?
I will write to the hon. Lady and I hope to give her reassurance. This new higher bar concerns NHS data and that would obviously not catch within it errors on a tax return.
As now, the memorandum of understanding would also continue to operate when there are concerns about the welfare and safety of a missing individual—for example, vulnerable children and adults. That has always been the case. Personal information will only be disclosed to the Home Office or agencies under the purview of the Home Office. This is a significant restriction on the Home Office’s ability to use data held by the NHS. It is estimated that the change will exclude over 90% of the requests that have been satisfied to date.
The Minister talks about a memorandum of understanding giving reassurance to the House. I refer her to part 2 of schedule 2, which talks about exemptions from the general data protection regulation in respect of crime and taxation. Surely, the rights of individuals to have their data protected under that provision would address all these issues, and it would potentially supersede the memorandum of understanding.
I will come on to the exemptions in terms of criminal activity and immigration in a wider context than NHS information in due course.
My right hon. Friend the Minister for Immigration is committed to sending a copy of an updated MOU to the Health and Social Care Committee shortly, but as I have indicated, the significant narrowing of the MOU will have immediate effect. This commitment is consistent with the intention underpinning new clause 12. I trust that on that basis, my hon. Friend the Member for Totnes and her colleagues will not press new clause 12. I am sure that if she has any questions, she will intervene on me, or that when she makes her remarks later, I might be invited to intervene on her. I thank my hon. Friend and all her Committee members for their work to establish higher principles in this area.
I turn to Opposition amendments 16 and 15 and Government amendments 141 and 142, on immigration. Amendment 15 would remove the provisions relating to effective immigration control in schedule 2. In responding to the amendment, I want to address some of the continued misunderstandings that have arisen around the purpose and scope of the provision, and I hope to persuade the House that this is a necessary and proportionate measure to protect the integrity of our immigration system. It has been suggested that the provisions have no basis in the GDPR, but article 23 expressly allows member states to restrict certain specified rights for the purpose of safeguarding
“other important objectives of general public interest of a…Member State”.
The maintenance of effective immigration control is one such objective.
Will the Minister confirm that article 23 of the GDPR does not specify immigration?
It does not rule out immigration and it does allow the restriction of certain specified rights—not wholesale restrictions—for the purpose of safeguarding
“other important objectives of general public interest”.
The purpose is to provide a derogation for member states wide enough that they can pursue an overall Government policy in the general public interest. I would conclude that immigration is one such example. It has been suggested that the provisions represent a blanket carve-out of all a data subject’s rights. That is certainly not the case. I would like to reassure the right hon. Gentleman that we are being very selective about the rights that could be disapplied. The exemption will be applied only on a case-by-case basis and only where it is necessary and proportionate.
Has the Minister learnt nothing from the Windrush scandal? Here we have a Department of State that is not fantastic at keeping records. The idea of selectively carving out particular rights of particular people who need this information to fight tribunal cases strikes me as lunacy, given what we have learnt about the dysfunction at the Home Office.
Perhaps if I continue my remarks, I can reassure the right hon. Gentleman that of course lessons have been learnt, not least by the Home Office itself, as both the former Home Secretary and the current Home Secretary have made abundantly clear to the House.
The exemption in the amendment is to be applied only on a case-by-case basis and only where it is necessary and proportionate. It cannot and will not be used to target any group of people. Nor does the application of the exemption set aside all a data subject’s rights; it sets aside only those expressly listed. A further limitation is that it can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
Effective safeguards for crime prevention are already written into the Bill, which gives the Minister the power she is seeking to fulfil the purpose she is setting out for the House. If we selectively discard rights for selected people, we come pretty close to arbitrary decision making, and it is practically impossible to do that consistently and in a way that makes it defendable in a judicial review. These provisions will result in injustice and cases that the Home Office loses, so just dump them now!
The right hon. Gentleman should know that different structures govern crime and immigration. I reiterate that we are disapplying these rights selectively—the data subjects will hang on to the majority of their rights—but it cannot be right for the Home Office to have to furnish someone who is in contravention of immigration law with information it has been given.
I am shocked by what the Minister is saying. These provisions were drafted before the Windrush scandal broke, and she is not learning the lessons at all. She says she wants these decisions made on an individual basis and in a way that is necessary and proportionate, but necessary and proportionate to achieve what? None of us knows what her definition of immigration control is. Does it mean meeting the net migration target, which is what we normally hear Ministers say? Necessary and proportionate to meet the net migration target could mean anything.
I understand that it is a matter of interpretation. I also understand that the Home Office is considering these matters in the fallout from the Windrush case. I am sure that, as Chair of the Home Affairs Committee, the right hon. Lady will have ample opportunity to question the new Home Secretary on exactly what he might mean by “necessary and proportionate”. When someone is seeking access to data from the Home Office to prove their immigration history, such as in the Windrush cases, there will be no basis for invoking the immigration exemption in the Bill. I trust that that provides the right hon. Lady with some comfort.
I will give way for the last time to the right hon. Lady, if the right hon. Gentleman does not mind.
That is not what the Bill says. That may be what the Minister intends, but if that is what she intends, she should change the Bill.
I shall have to write to the right hon. Lady once I have communicated with Home Office Ministers. According to my understanding, the Bill says that the exemption applies—
On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?
I understand the right hon. Gentleman’s point of order, but the fact is that the Minister, who is a very capable Minister, speaks for the Government, who are seamless. The Minister who is currently at the Dispatch Box is in a position to speak for all Ministers on this matter, which is why she has this responsibility and is responding to the questions that are currently being asked of her.
Thank you, Madam Deputy Speaker. I might as well give way to the right hon. Member for Kingston and Surbiton (Sir Edward Davey) now.
I am grateful to the Minister. To help other Members consider amendment 15, let me point out that one of the data protection provisions that are being exempted for immigration purposes is the right to make subject access requests. It is critical to the rule of law for people and their representatives to know on the basis of what information the Home Office has made its decisions. The Bill provides no safeguards, no balance, and no restrictions to the use of that law by Home Office officials. As we heard from the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), those are simply not in the Bill. It is entirely wrong for the House to be asked to pass a Bill that does not contain real safeguards for the people involved, given what happened in the Windrush cases.
I will continue to make some progress, as I feel that those points have already been made.
The application of the exemption does not set aside all data subjects’ rights, but only those expressly listed. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.
It is an established term. It is used in the Immigration Act 2014 and the Freedom of Information Act 2000 uses a similar term, namely “operation of immigration controls”.
Without this immigration exemption, might not the Home Office have to disclose sources of tip-offs, which would not be conducive to ensuring that illegal immigration is properly controlled?
I think it highly likely that if, for example, someone were to undertake a full data subject review of whatever information the Home Office held about them—as was posited earlier by the right hon. Member for Kingston and Surbiton—the review would contain sources of information as well as the information itself. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of immigration control. This “prejudice” test must be applied first, and as a result the situations in which the exemption can be used are limited. The Government recognise the concerns that have been expressed in this debate.
Can the Minister give us a couple of examples to illustrate why these additional powers are necessary, and where the other powers in the Bill—in relation to criminal offences and investigations, for example—would not already suffice to do everything that the Home Office wishes?
We are permitted under GDPR to make these exemptions and are doing so in a very selective way and on a case-by-case basis, so it will not result in a widespread denial of people’s data rights.
The exemption should be as limited as possible, which is why we have brought forward amendments 141 and 142. These amendments will ensure that migrants enjoy the rights afforded under all of the data protection principles, except where a restriction on those principles is a consequence of restricting one of the other rights coming within the scope of the exemption.
I now turn to Opposition amendments 18 and 19 on primary care providers, and Government amendments 22 to 24 on parish councils. Parish and community councils are not exempt from the new law. None the less, by describing parish and community councils as “public authorities” the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement, and have concluded that as parish and community councils process very little personal data, the burden they would face would be disproportionate. Amendments 22, 23 and 24 therefore take these councils out of the definition of “public authorities” for data protection purposes.
I commend my hon. Friend the Minister on amendment 24, which recognises that councils are often so tiny—indeed, some are not even parish councils, and some do not employ any staff—that it would be wholly disproportionate to treat them in the way originally intended. I commend the Minister for listening to so many Members who made these points and recognising that parish councils must be treated separately.
I thank my hon. Friend for his comments. He and other colleagues across the House made these arguments, and given that such organisations are often very small and process only small amounts of personal data, we have decided to take parish councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected, however.
Similar arguments have been advanced in respect of primary care providers, but although I have sympathy with amendments 18 and 19, primary care providers are different from parish councils in that they process sizeable quantities of sensitive health data, whether that be an individual’s mental health status, the fact that they are pregnant, or details of their prescription for a terminal illness. All of these matters are highly personal, and in the world of health, data protection is rightly paramount.
The Dean Street Express case in 2015 illustrates the potential harm that even a single data breach can cause. In that incident, the names and email addresses of almost 800 people, many living with HIV, were disclosed to other recipients. It does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters.
Government amendments 139 and 140 relate to legal professional privilege. We recognise the importance of protecting legal professional privilege and that is why in the Bill we have replicated the existing measures and exemptions for legal professional privilege found in the Data Protection Act 1998, which have worked well for many years.
Amendments 10 and 11 seek to widen the legal professional privilege exemptions found in schedules 2 and 11. They offer some thoughtful changes that are intended to recognise the broader range of material covered by a lawyer’s ethical duty of confidentiality. We agree that the Bill could be clearer, and have tabled amendments 139 and 140 in response.
It is interesting that we are making lots of exemptions for the Government, parish councils, lawyers and so on. I spoke to some lawyers this morning, and they were not convinced by the measures either. However, small businesses seem to be disproportionately affected, and there is real confusion out there. As I say, a lot of work has been done to protect the Government, parish councils and lawyers, but what about the little people—the people who make this country grow? There is even confusion in the Information Commissioner’s Office, which gave the wrong advice in briefings here to MPs’ staff only the other week. What are we going to do to protect the small people? They think that they are doing the right thing, but they have probably been ill advised. They are spending a lot of money trying to get things right, but there is real confusion out there.
My right hon. Friend raises several important points. As for the effect on small businesses, he will be reassured to learn that the issues with the processing of highly personal data that I was discussing do not apply to the majority of SMEs. They will not have to appoint a data protection officer, so that is one comfort.
As for training and guidance, I am sorry that colleagues and their research staff attended courses that were put together before the Bill was even in Committee, and thus did not take numerous amendments into account—not least the amendment clarifying the rights of Members of Parliament and other elected individuals. I apologise for that confusion.
I draw businesses’ attention to the excellent ICO website, which contains good sources of guidance for SMEs, including frequently asked questions. The ICO also provides an advice line for any follow-up questions on subjects that businesses might not be clear about. Ultimately, there is a need for better data protection, and that is not just what is set out in the GDPR. Dreadful examples, such as the case of Facebook and Cambridge Analytica, have demonstrated the need for more rigorous data rights and for greater security of data.
The Minister is being ever so generous in giving way not just to me, but to Members from across the House, and I thank her. Returning to the parliamentary stuff—we are only a small part of all this—some of the staff present at the briefing I mentioned left in tears, and I know that for a fact, because a member of my staff was there. Believe it or not, even though the ICO knew that the briefing was completely flawed, it has today issued certificates of attendance saying that it was the right thing for staff to have done.
More important, however, are the SMEs. Small businesses have approached me today to tell me that they have been told to delete all their data unless they get permission from the relevant people. Companies that did work for people three, four or five years ago—even last year—must get permission to hold their addresses so that they can fulfil, for example, warranty agreements. Other companies are getting completely different advice, and the lawyers are getting different advice. There seems to be a rush to protect Government agencies, local government, parish councils and lawyers, but not enough is being done to protect the small people of this country—the people who account for so much of our money.
I thank my right hon. Friend for his points. I want to reassure the small businesses that he mentions. I sympathise with businesses that are getting conflicting advice, and with those that are approached by firms of consultants who appear to be exaggerating the scale of the task of complying with the legislation. I am afraid that that always happens when there is change; people think that they can exaggerate the impact and the implications of a change and—who knows?—perhaps they will be remunerated for helping businesses to comply.
I also want to reassure my right hon. Friend about the specific case that he mentioned, in which companies were being advised that they needed to delete all the data for which they did not have consent. I want to reassure him that the vast majority of businesses will not have to delete the personal data that they hold. If they have gained the personal data lawfully, there are five, if not six, lawful bases on which they can process that personal data, of which consent is only one. I draw his attention particularly to legitimate interests, which is a lawful basis for processing data. For example, if a small firm has been supplying a much-needed service to people for a number of years, it is in the pursuit of its legitimate interests to communicate with its database of customers or new prospects, and it does not need to have consent. I would advise people not to delete their data without very careful consideration, or without consultation with the ICO website in particular.
I will give way to my right hon. Friend in a second. I want to respond to my right hon. Friend the Member for Hemel Hempstead (Sir Mike Penning) on the alleged discrimination involved in our taking steps to protect lawyers, parliamentarians, local councillors and so on but not to protect small businesses. The reason is that small businesses are less affected, in the sense that most of them do not process huge quantities of personal data. They therefore come under the purview of the ICO to a lesser extent, and enforcement is less likely to focus on organisations that do not process highly personal data. Those organisations do not need to appoint a data protection officer. I hope that I have gone some way towards allaying my right hon. Friend’s—
I will come back to my right hon. Friend in a moment, but I did say that I would give way to my right hon. Friend the Member for Broxtowe (Anna Soubry).
I thank my hon. Friend for that information, but it was mainly complete news to me, as I suspect it was to my right hon. Friend the Member for Hemel Hempstead too. We have a really serious problem here. I just cannot overestimate the amount of concern among small businesses. Medium-sized businesses with more than 250 employees have the benefit of a team of people, but this is a real crisis for small businesses and I am afraid that the lack of information is truly troubling. There are solutions, and perhaps we should discuss them in a different debate, but as a Government we have an absolute duty to get this right. There are devices available—HMRC sends out tax returns, for example—and there are many opportunities to get this information out there. At the moment, however, there is a lot of disinformation, and as my right hon. Friend the Member for Hemel Hempstead says, these businesses are the lifeblood of our economy. They do not know what is happening, and they are worried.
I sympathise with the points that my right hon. Friend has raised. In fact, we have secured almost £500,000 to launch an information campaign to bolster what the Information Commissioner’s Office is already doing for small businesses. I also draw her attention to the need for this legislation, and to the need for businesses and all of us in public life to respect people’s data rights. The landscape has changed. We now live in a digital world, and there is so much abuse of people’s privacy and data that I must bring her attention back to the need for the Bill. Of course she is right, however, to say that people need to be properly informed, and that is what the ICO is doing and what the Government campaign that we are about to launch will also do.
What the Minister said at the Dispatch Box a moment ago was also news to me. I have been campaigning and pushing on this for months—I spoke to the Secretary of State over the bank holiday weekend—and I was going to vote against the Bill this evening. Yes, we need data protection, but we do not want to destroy or frighten our businesses in the process. However, I take my hon. Friend at her word, and I will vote for the legislation this evening.
I quite agree. In fact, both the Secretary of State and I were small business owners before entering this place, so I feel what my right hon. Friend says very deeply. I must commend my hon. Friend the Member for Mid Worcestershire (Nigel Huddleston) on the excellent advice that his office has put together on what it will be doing in this respect. For the benefit of my staff, I have set out exactly what my office will be doing to comply with the legislation. If my right hon. Friend has any concerns about his own situation—
I am not worried about us; I am worried about small businesses.
In that case, I will proceed no further down that path. I am glad that I have been able to reassure my right hon. Friend and thank him for raising those important points.
I thank the Minister for that clarification, but I am not sure that it is clear enough. She will undoubtedly be aware that the Windrush documents were supposedly destroyed as a result of data protection requirements. There remains a significant possibility that there will be a wholesale destruction of data, some of which might be important, useful and legitimately kept, unless the Government take further action.
I commend the hon. Lady for that observation, because she has a fair point. I will raise her concern with the Information Commissioner. My right hon. Friend the Member for Hemel Hempstead said that some businesses have been advised that they should delete their data, so I can see where the hon. Lady is going on that. It raises the prospect that some organisations might use this as an excuse to delete data that it would be in the data subject’s interests to preserve.
I have not been able to address every amendment in the time available, but I am mindful of the number of colleagues who wish to contribute, and we have less than 60 minutes remaining. I have addressed most of the matters that came up in the Public Bill Committee, and the Government’s position will remain the same on many of them.
In short, we have enhanced the ICO’s enforcement powers, we have changed the way we share data, we have reached out to parish councils, we have narrowed the immigration exemption and we have responded to calls to better protect lawyer-client confidentiality. We have also dealt—effectively, I hope—with the concern expressed by my hon. Friend the Member for Totnes about the sharing of data between the Department of Health and Social Care and the Home Office.
May I start by welcoming the new powers for the Information Commissioner, which we called for in Committee? Nobody who observed the debacle of the investigation into Cambridge Analytica will have needed persuading that those powers are necessary—it took the court five or six days to issue the requisite search warrants, and that time might well have been used by Cambridge Analytica to destroy evidence—so I am glad that the Minister has heeded our calls and introduced the proposals this afternoon. We are happy to give them our support.
I will speak to a number of new clauses and amendments in the group, particularly new clause 4, which is our enabling clause for creating a bold and imaginative Bill of data rights for the 21st century. I want to make the case for universal application of those rights, including their application to newcomers, who need rights in order to challenge bad decisions made by Governments, which is why our amendment 15 would strike out the immigration provisions that have so unwisely been put into the Bill. I will also say a few words about new measures that are needed in the Bill to defend the integrity of our democracy in the digital age.
The Minister took the time to make a comprehensive speech, which included an excellent explanation of the Government amendments, so I will be brief. Let me start with the argument for a Bill of data rights. Every so often we have to try to democratise both progress and protections. In this country we are the great writers of rights—we have been doing it since Magna Carta. Over the years, the universal declaration of human rights, the UN convention on the rights of the child, the charter of fundamental rights, the Human Rights Act 1998, the Equality Act 2010 and, indeed, the original Data Protection Act have all been good examples of how good and wise people in this country have enshrined into charters and other legal instruments a set of rights that we can all enjoy, that give us all a set of protections, and that help us to democratise progress.
My hon. Friend is right. We have been on the receiving end of a huge number of data breaches in this country—really serious infringements of basic 21st-century rights—which is why we need a bold declaration of those rights so that the citizens of this country know what they are entitled to. Unless we get this right, we will not be able to build the environment of trust that is the basis of trade in the digital economy. At the moment, trust in the online world is extremely weak—that trust is going down, not up—so we need to put in place measures now, as legislators, to fix this, turn it around and put in place preparations for the future.
The Government’s proposal of a digital charter is a bit like the cones hotline approach to public service reform. The contents of the charter are not really rights but guidelines. There are no good methods of redress or transparency. Frankly, if we try to introduce rights and redress mechanisms in that way, they will basically fail and will not lead to any kind of change. That is why we urge the Government to follow the approach that we are setting out.
I put on record my profound thanks to Baroness Kidron and the 5Rights movement. Her work forms the basis of the bill of rights we are proposing to the House: the right to remove data, as enshrined in the GDPR—that right is very important to children—the right to know; the right to safety and support; the right to informed and conscious use; and the right to digital literacy. Those are the kinds of rights we should now be talking about as the rights of every child and every citizen.
The right hon. Gentleman makes some good points. I agree with the rights he is talking about, but those rights exist under the GDPR and are intrinsic to the Bill, so I see no need for his amendment.
There is no right to digital literacy under the Bill, which is why we propose the five rights as the core of new schedule 1 in which, as the Minister knows, we go much further. The provision sets out rights to equality of treatment, security, free expression, access, privacy, ownership and control, the right not to be discriminated against as a result of automated decision making, and rights on participation, protection and removal.
Rights are sometimes scattered through thousands and thousands of pages of legislation, which is where we are on data protection today. That is why from time to time, as a country, we decide to make bold declaratory statements of what principles should guide us. These are methods of simplification and consolidation, and we are pretty good at that in this country. When we press our proposal to enable the creation of such a bill of rights to a Division a little later, we hope that it will be the call that the Government need to begin the process of consultation, thought, argument and debate about the digital rights that we need in this century and what they need to look like. Rights should not be imposed from the top down; they should come from the grassroots up, and the process of conversation and consultation is long overdue. To help the Government, we will accelerate that debate during this year.
The second point I wish to make is about amendment 15, which would ensure that the rights set out in the GDPR would stretch to everyone in this country. It would mean that the Government would not be permitted to knock out selective rights for certain people who just happen to be newcomers to this country. The proposal to withhold data rights from migrants and newcomers is a disgrace and does not deserve to be in the Bill. In Committee, Ministers were unable to tell us why the Bill’s crime prevention provisions could not be stretched to accommodate their ambitions for immigration control. The Minister has not been able to give us a succinct definition of “immigration control” today, and we have not been able to hear about the lessons learned from Windrush. Frankly, the debate has been left poorly informed, and we have had promises that letters will be sent to hon. Members long after tonight’s vote.
I rise to speak to new clause 12, which was tabled in my name, that of my colleague, the hon. Member for Stockton South (Dr Williams), and those of other members of the Health and Social Care Committee and Members from all parties.
I wish to speak about the importance of medical confidentiality, because it lies at the heart of the trust between clinicians and their patients, and we mess with that at our peril. If people do not have that trust, they are less likely to come forward and seek the care that they need. There were many unintended consequences as a result of the decision enshrined in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, which allowed the sharing of addresses at a much lower crime threshold than serious crime. That was permitted under the terms of the Health and Social Care Act 2012, but patients were always protected, in effect, because the terms of the NHS constitution, the guidance from the General Medical Council and a raft of guidance from across the NHS and voluntary agencies protected the sharing of data in practice.
This shift was therefore particularly worrying. There were many unintended consequences for the individuals concerned. The Health and Social Care Committee was also deeply concerned about the wider implications that this might represent a shift to data sharing much more widely across Government Departments. There was a risk, for example, that the Department for Work and Pensions might take an interest in patients’ addresses to see whether people were co-habiting for the purpose of investigating benefit fraud. There was a really serious risk of that.
I am afraid that the letter that we received from the Department of Health and Social Care and the Home Office declining to withdraw from the memorandum of understanding made the risk quite explicit. I would just like to quote from the letter, because it is very important. I also seek further clarification from the Minister on this. The letter states that
“it is also important to consider the expectations of anybody using the NHS—a state provided national resource. We do not consider that a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in the exercise of their lawful powers in cases such as these.”
I profoundly object to that statement. There was no such contract in the founding principles of the NHS. As I have said, it is vital that we preserve that fundamental principle of confidentiality, including for address data. I was delighted to hear the Minister’s words at the Dispatch Box, but can she just confirm for me absolutely that that statement has now been superseded?
Yes, I can confirm absolutely that the statement that my hon. Friend quoted from the letter of 23 February has been superseded by today’s announcements.
The significance of the Bill and the importance of data and data protection to the economy and the whole of society is reflected in this debate. The fact that amendments have been tabled on Report through the work of three different departmental Select Committees shows how wide-ranging this issue is.
I principally want to talk about amendments 20 and 21, which stand in my name and those of other members of the Digital, Culture, Media and Sport Committee and which are addressed by Government amendments, too. Before I do so, I want to add that the Chair of the Home Affairs Committee, the right hon. Member for Normanton, Pontefract and Castleford (Yvette Cooper), made a very important point about the fact that some people—particularly those involved in immigration cases—may not have full access to the data rights enjoyed by others. If the Minister can provide any further clarification, I will be happy to give way before I move on.
After the exchange I had with the hon. Member for Newcastle upon Tyne Central (Chi Onwurah), I wanted to confirm that the Home Office will certainly not destroy any data for which there is still a legitimate and ongoing need not just for the Home Office but for data subjects.
I am grateful to the Minister for that further clarification.
Amendments 20 and 21 get to the heart of an issue that has been raised by a number of Members, which is the power of the Information Commissioner to act in data investigations. The Minister, the right hon. Member for Birmingham, Hodge Hill (Liam Byrne) and others have referenced the Cambridge Analytica data breach scandal, which is a very good example of why these additional powers are needed. We raised that in the Select Committee with the Secretary of State. The Information Commissioner raised it with us and it was raised on the Floor of the House on Second Reading.
The ability to fine companies for being in breach of data rules is important, but what is most significant is that we get hold of the data needed by investigators, so that we understand who is doing what, how they are doing it and how wide-ranging this is. It is crucial that the Information Commissioner has the enforcement powers she needs to complete those investigations.
In the case of Cambridge Analytica, an information notice was issued by the Information Commissioner to that company to comply with requests for data and information. Not only did Cambridge Analytica not comply, but Cambridge Analytica and Facebook knew that. That information notice expired at 5 o’clock on the evening of the day when that deadline was set; it was the beginning of the week. Before the notice had expired and a warrant could even be applied for, Facebook had sent in its own lawyers and data experts to try to recover data that was relevant to the Information Commissioner’s request.
The Information Commissioner found out about that live on “Channel 4 News” and then effectively sent a cease and desist note to Facebook, telling it to withdraw its people. She might very well not have been made aware of what Facebook was doing that evening, and data vital for her investigation could have been taken out of her grasp by parties to the investigation, which would have been completely wrong. Not only did that happen—thankfully, Facebook stood down—but a further five days expired before a warrant could be issued—before the right judge in the right court had the time to grant the warrant to enable her to complete her work. We live in a fast-moving world, and data is the fuel of that fast-moving world, so we cannot have 19th or even 20th-century legal responses. We must give our investigatory authorities the powers they need to be effective, which means seizing data on demand, without notice, as part of an investigation, and having the ability to see how data is used in the workplace or wider environment.
The Government are bringing forward amendments, which I think have the support of the House, that will give us one of the most effective enforcement regimes in the world. They will give us the power to do something we have not been able to do before, which is to go behind the curtain to see what tech companies, even major tech companies, are doing and make sure they comply with our data rules and regulations. Without that or an effective power to inspect, we would largely be in the position of having to take their word for it when they said they were complying with the GDPR. Particularly with companies such as Facebook that run closed systems—they have closed algorithms and their data is not open in any way—there are very good commercial reasons for doing so, but there are also consumer safety reasons. We must have the power to go in and check what they are doing, so the amendments are absolutely vital.
There are further concerns. The shadow Minister, the right hon. Member for Birmingham, Hodge Hill, was right to raise concerns about honesty and transparency in political advertising. Both the Information Commissioner and the Electoral Commission are examining the use of data in politics, as well as looking at who places the ads. It is already a breach of the law in the UK, as it is in other countries, for people outside our jurisdiction to run political advertising during election campaigns in this country.
In the case of Facebook, it is unacceptable that its ad check teams have not spotted such advertising and stopped it happening when someone is breaking the law. If this were about the financial services sector, we would not let a company say, “Well, we thought someone was breaking the law, but we weren’t told to do anything about it, so we didn’t”. We would expect such a company to spot it and to take effective action. We need to see a lot more progress on this, particularly in relation to the placement of micro-targeting ads and dark ads. The Institute of Practitioners in Advertising has called for a moratorium on the micro-targeting of political ads, which may be seen only by the person who receives an ad and the person who places it.
When the chief technology officer of Facebook, Mike Schroepfer, gave evidence to the Select Committee, I asked him whether, if someone set up a Facebook page to run ads during a campaign and micro-targeted individual voters before taking down the page at the end of the campaign and destroying the adverts, Facebook would have any record that that advertising had ever run. He said that he did not know. We have written to him and Mark Zuckerberg saying that we need to know, because unless we know, a bad actor could run ads in huge volumes, investing a huge amount of money in breach of electoral law, and if they did not declare it, there would be no record of that advertising ever having been placed.
I will be very brief, Madam Deputy Speaker, because we are incredibly tight for time.
There is so much in the Bill that I would like to talk about, such as effective immigration control, delegated powers and collective redress, not to mention the achievement of adequacy, but I will concentrate on amendment 5, which appears in my name and those of my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) and the hon. Member for Brighton, Pavilion (Caroline Lucas).
The amendment seeks to provide protection for individuals where automated decision making could have an adverse impact on their fundamental rights. It would require that, where human rights are or could be impacted by automated decisions, ultimately, there will always be a human decision maker at the end of the process. It would instil that vital protection of human rights in respect of the general processing of personal data. We believe strongly that automated decision making without human intervention should be subject to strict limitations to promote fairness, transparency and accountability, and to prevent discrimination. As it stands, the Bill provides insufficient safeguards.
I am talking about decisions that are made without human oversight, but that can have long-term, serious consequences for an individual’s health or financial, employment, residential or legal status. As it stands, the Bill will allow law enforcement agencies to make purely automated decisions. That is fraught with danger and we believe it to be at odds not just with the Data Protection Act 1998, but with article 22 of the GDPR, which gives individuals the right not to be subject to a purely automated decision. We understand that there is provision within the GDPR for states to opt out, but that opt-out does not apply if the data subject’s rights, freedoms or legitimate interests are undermined.
I urge the House to support amendment 5 and to make it explicit in the Bill that, where automated processing that could have long-term consequences for an individual’s health or financial, employment or legal status is carried out, a human being will have to decide whether it is reasonable and appropriate to continue. Not only will that human intervention provide transparency and accountability; it will ensure that the state does not infringe an individual’s fundamental rights and privacy—issues that are often subjective and are beyond the scope of an algorithm. We shall press the amendment to the vote this evening.
I would give way, Minister, but I am very pushed for time.
I would like to voice my support and that of the SNP for amendment 15 on effective immigration control. We believe that the exemption is fundamentally wrong, disproportionate and grossly unfair, and we call on the Government to stop it.
I can now inform the House that I have completed certification of the Bill, as required by the Standing Order. I have confirmed the view expressed in the Speaker’s provisional certificate issued on 8 May. Copies of the final certificate will be made available in the Vote Office and on the parliamentary website.
Under Standing Order No. 83M, a consent motion is therefore required for the Bill to proceed. Copies of the motion are available in the Vote Office and on the parliamentary website, and have been made available to Members in the Chamber. Does the Minister intend to move the consent motion?
indicated assent.
The House forthwith resolved itself into the Legislative Grand Committee (England and Wales) (Standing Order No. 83M).
[Dame Rosie Winterton in the Chair]