Data Protection Bill [Lords] Debate
Full Debate: Read Full DebateRanil Jayawardena
Main Page: Ranil Jayawardena (Conservative - North East Hampshire)Department Debates - View all Ranil Jayawardena's debates with the Department for Digital, Culture, Media & Sport
(6 years, 6 months ago)
Commons ChamberIt is an established term. It is used in the Immigration Act 2014 and the Freedom of Information Act 2000 uses a similar term, namely “operation of immigration controls”.
Without this immigration exemption, might not the Home Office have to disclose sources of tip-offs, which would not be conducive to ensuring that illegal immigration is properly controlled?
I think it highly likely that if, for example, someone were to undertake a full data subject review of whatever information the Home Office held about them—as was posited earlier by the right hon. Member for Kingston and Surbiton—the review would contain sources of information as well as the information itself. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of immigration control. This “prejudice” test must be applied first, and as a result the situations in which the exemption can be used are limited. The Government recognise the concerns that have been expressed in this debate.
We are permitted under GDPR to make these exemptions and are doing so in a very selective way and on a case-by-case basis, so it will not result in a widespread denial of people’s data rights.
The exemption should be as limited as possible, which is why we have brought forward amendments 141 and 142. These amendments will ensure that migrants enjoy the rights afforded under all of the data protection principles, except where a restriction on those principles is a consequence of restricting one of the other rights coming within the scope of the exemption.
I now turn to Opposition amendments 18 and 19 on primary care providers, and Government amendments 22 to 24 on parish councils. Parish and community councils are not exempt from the new law. None the less, by describing parish and community councils as “public authorities” the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement, and have concluded that as parish and community councils process very little personal data, the burden they would face would be disproportionate. Amendments 22, 23 and 24 therefore take these councils out of the definition of “public authorities” for data protection purposes.
I commend my hon. Friend the Minister on amendment 24, which recognises that councils are often so tiny—indeed, some are not even parish councils, and some do not employ any staff—that it would be wholly disproportionate to treat them in the way originally intended. I commend the Minister for listening to so many Members who made these points and recognising that parish councils must be treated separately.
I thank my hon. Friend for his comments. He and other colleagues across the House made these arguments, and given that such organisations are often very small and process only small amounts of personal data, we have decided to take parish councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected, however.
Similar arguments have been advanced in respect of primary care providers, but although I have sympathy with amendments 18 and 19, primary care providers are different from parish councils in that they process sizeable quantities of sensitive health data, whether that be an individual’s mental health status, the fact that they are pregnant, or details of their prescription for a terminal illness. All of these matters are highly personal, and in the world of health, data protection is rightly paramount.
The Dean Street Express case in 2015 illustrates the potential harm that even a single data breach can cause. In that incident, the names and email addresses of almost 800 people, many living with HIV, were disclosed to other recipients. It does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters.
Government amendments 139 and 140 relate to legal professional privilege. We recognise the importance of protecting legal professional privilege and that is why in the Bill we have replicated the existing measures and exemptions for legal professional privilege found in the Data Protection Act 1998, which have worked well for many years.
Amendments 10 and 11 seek to widen the legal professional privilege exemptions found in schedules 2 and 11. They offer some thoughtful changes that are intended to recognise the broader range of material covered by a lawyer’s ethical duty of confidentiality. We agree that the Bill could be clearer, and have tabled amendments 139 and 140 in response.