Wednesday 15th November 2017
(6 years, 5 months ago)
Lords ChamberData Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am thrilled that the day of the noble Lord, Lord Stevenson, has got better, and I hope that at the end of my speech it will get better still. Things are definitely looking up for the noble Lord, I hope.
I will be reasonably brief on this because we have debated other delegated powers before and much of what my noble friend Lady Chisholm said on day two of Committee holds here.
On Amendment 108B, I agree with much of what my noble friend Lord Arbuthnot said. I shall answer the noble Lord, Lord Paddick, in a different way which will address his point. The amendment would prevent the Secretary of State using the delegated power contained in Clause 15 to,
“amend, repeal or revoke the GDPR”.
I am happy to reassure the noble Lord not only that the Government do not intend to use the power in Clause 15 to amend, repeal or revoke the GDPR but that they actively cannot. As the opening line of Clause 15 describes, the power contained in it permits the Secretary of State only to,
“make provision altering the application of the GDPR”.
The noble Lord’s amendment is therefore unnecessary.
Clause 17(1)(a) would allow the Secretary of State to specify in regulations circumstances in which a transfer of personal data to a third country is necessary for an important reason of public interest not already recognised in law. Public interest is one of a number legal bases on which a controller can rely when justifying such a transfer. This is very much a backstop power. In many cases, reasons of public interest will already be recognised in law, so the power is likely to be needed only when there is a pressing need to recognise a particular but novel reason for transferring personal data as being one of public interest. We are wary of any change such as that proposed in Amendment 110B, which may hamper its exercise in emergency situations such as financial crises.
Amendment 180B seeks to amend Part 7 of the Bill to ensure that the power contained in Clause 21 cannot be exercised without consulting the Information Commissioner. The clause is a backstop power which allows the Secretary of State to amend Part 2 of Chapter 3 of the Bill—that is, the applied GDPR and associated provisions—to mirror changes made using Section 2(2) of the European Communities Act 1972 in relation to the GDPR. As I am sure we are all aware, a Bill is being considered in another place that would repeal the European Communities Act, so this power is already specific and time-limited. We are not sure what consulting the Information Commissioner before exercising it would add. However, these points notwithstanding, we are happy to consider the role of Clause 21 and Amendments 110B and 180B in the context of the Government’s response to the Delegated Powers and Regulatory Reform Committee’s recent report on the Bill.
The Government have previously committed to considering amendments substantively similar to Amendment 180A and I am happy to consider that amendment as well. However, I echo what my noble friend Lady Chisholm said about the importance of the law being able to keep up with a fast-moving field.
With those reassurances, I hope the noble Lord will feel able to withdraw the amendment.
Lord Stevenson of Balmacara
It certainly is turning out to be my day. I am grateful to the Minister for his comments. We are perhaps anticipating a further debate that we may have to have on the basis of what the Government intend to take back to the DPRRC, but it is good to have a sense of where the thinking is going, which I am sure we will look at in a sympathetic light. Where he ended up will be an appropriate way of progressing on this point.
On the Minister’s first point in relation to Clause 15, I hesitate to ask because I know he is already burdened, but it would be helpful if he can write to me about subsection (1) because our reading of the line:
“The following powers to make provision altering the application of the GDPR”,
could not, according to what he has said, change the GDPR itself, only the way that it is applied. We may be talking only about nuances of language. Interpretations from the far north, where the noble Lord resides, down to the metropolitan south may well not survive the discussion, so I would be grateful to have something in writing. With that, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
“(2) But sub-paragraph (1) does not have effect—(a) in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);(b) in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.”
Lord Ashton of Hyde
Lord Stevenson of Balmacara
My Lords, in moving Amendment 113A I will speak to Amendments 114A, 118A, 119A and 121A. Schedule 6 changes references to “the Union” to “the United Kingdom” and deals with the transposition between the GDPR and the applied GDPR as and when we move beyond Brexit.
The paragraphs to which these amendments relate may be a bit confusing unless we understand the timescale under which they operate. We think that the GDPR, as originally drafted, aims to say that there should be a free flow of information between member states, creating a single market for data flows across the whole of the EU, applied irrespective of the concerns of the various national regimes. Once we leave the EU it hardly seems necessary to have such a provision because it would seem to imply we need to provide powers for data to flow within the United Kingdom. Therefore, the heart of the amendment and of part of this group is the suggestion that this is otiose. Will the Government explain what they are trying to do if it is not about the flow of data within the United Kingdom? If it is, it surely is not needed because we should not have that situation arising.
The concern is not really about whether the Bill refers to Union or domestic law, but which space we are talking about. Are we talking about the United Kingdom or parts of the United Kingdom? Will different rules apply in Jersey, Guernsey and the Isle of Man? These are all the issues that regularly come up about the United Kingdom. By focusing too narrowly on this we raise a danger that we might be overcomplicating what should be a relatively straightforward issue. I beg to move.
Lord Ashton of Hyde
My Lords, it is a great pleasure to speak on these amendments, which cover the applied GDPR. Before I address them directly, it is worth recalling that the purpose of the applied GDPR is to extend GDPR standards to those additional areas of processing that are outside the scope of EU law and not covered separately in Parts 3 and 4 of the Bill. The benefit of taking this approach is that it avoids relevant controllers and processors needing to adapt their systems to two different sets of standards, or even needing to know which set of standards they should be applying. However, if the need for such analysis arises, it is crucial that the data subjects and controllers and processors are clear about their respective rights and obligations.
In such circumstances, reference to text that contains concepts that have no meaning or practical application for processing out of scope of EU law will result in confusion and uncertainty. So, while the intention of the applied GDPR is to align as closely as possible with the GDPR, Schedule 6 adapts the GDPR’s wording where necessary so that it is clear and meaningful. It is important to remember that the GDPR does not apply to such processing, so the creation of equivalent standards under UK law is a voluntary measure we are making in the Bill.
In particular, paragraph 4 of Schedule 6—the subject of Amendment 113A—replaces references to such terms as “the Union” and “member state” with reference to the UK. This simply clarifies that, unlike the GDPR itself, the applied GDPR is a UK-only document and should be read in that context. References to “the Union” et cetera are at best confusing and at worst create uncertainty for the small number of controllers whose processing is captured by the applied GDPR. Paragraph 4 provides important legal clarity to them and, of course, to the Information Commissioner. The United Kingdom in this context refers to England, Wales, Scotland and Northern Ireland only, in accordance with Clause 193.
Paragraph 8, the subject of Amendment 114A, limits the territorial application of the applied GDPR so that it is consistent with that for Parts 3 and 4 of the Bill, as set out in Clause 186, without the EU-wide, and indeed extraterritorial, application of the GDPR itself. As we have touched on in a previous debate, the applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.
Article 9.2(j) of the GDPR provides for a derogation for processing of special categories of personal data for archiving and research purposes, and references the need to comply with the safeguards set out in Article 89 when conducting such processing. The Bill makes full use of this derogation, so paragraph 12(f) of Schedule 6, the subject of Amendment 118A, tidies up the drafting of Article 9.2(j) for the purposes of the applied GDPR so that, rather than setting out the need for derogation, it refers directly to the relevant provisions in the Bill.
Paragraph 27, the subject of Amendment 119A, removes certain requirements on the Information Commissioner relating to data protection impact assessments on the grounds that those provisions exist mainly or wholly to assist the European Data Protection Board in ensuring consistent application among member states. There is clearly no need for such consistency in respect of the applied GDPR—a document which exists only in UK law—and the Information Commissioner will in any case undertake very comparable activities in respect of the GDPR itself. Paragraph 46(d), the subject of Amendment 121A, simply makes further provision to the same end, both specifically in relation to data protection impact assessments and more broadly. I hope that, with those reassurances, the noble Lord will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.
On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.
Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.
On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.
Lord Ashton of Hyde
I think it would be sensible to reply in writing, just because I want to get it right. It would be more useful for noble Lords to get a letter.
Lord Stevenson of Balmacara
I thank the Minister for that offer, I look forward to a letter and I beg leave to withdraw the amendment.
Lord Ashton of Hyde
114: Page 157, line 28, at end insert— “(including paragraph 3(1)”
Lord Ashton of Hyde
“(ii) for “Article 51” substitute “Article 51 of the GDPR”;”
Lord Ashton of Hyde
“(d) in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.”
Lord Ashton of Hyde
“(ba) in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;”
Baroness Hamwee (LD)
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
Lord Kennedy of Southwark
My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.
Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.
I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.
I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.
Lord Young of Cookham (Con)
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
Baroness Hamwee
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Lord Young of Cookham
Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.
Baroness Hamwee
I am grateful for that. I beg leave to withdraw the amendment.
Lord Young of Cookham
“3_ Any Northern Ireland department.”
Lord Young of Cookham
“20A_ The Welsh Revenue Authority.20B_ Revenue Scotland.”
Baroness Williams of Trafford
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
Lord Stevenson of Balmacara
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
Baroness Williams of Trafford
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Baroness Williams of Trafford
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
Lord Young of Cookham
Lord Kennedy of Southwark
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
Baroness Williams of Trafford
I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).
I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.
Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.
Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.
In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.
I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.
Baroness Williams of Trafford
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
Baroness Hamwee
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
Baroness Hamwee
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
Lord Young of Cookham
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
Baroness Williams of Trafford
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Baroness Hamwee
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
Lord Young of Cookham
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
Baroness Hamwee
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for this comments on Amendment 138A and beg leave to withdraw the amendment.
Lord Young of Cookham
Lord Young of Cookham
Baroness Williams of Trafford
My Lords, government Amendments 141 and 142 to Clause 90 are technical in nature and simply ensure that the summary description of the rights conferred on data subjects by Chapter 3 of Part 4, as set out in subsection (1), fully itemises each of the relevant rights. I look forward to hearing from the noble Lord, Lord Kennedy, and the noble Baroness, Lady Hamwee, about their amendments in this group and I will respond to them when winding up.
Baroness Hamwee
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
Baroness Williams of Trafford
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Baroness Hamwee
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Baroness Williams of Trafford
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
Lord Stevenson of Balmacara
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.
“( ) section 96 deals with the right to information about decision-making;”
“( ) A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
“( ) A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
“( ) A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.”