The Committee consisted of the following Members:
Chairs: † Mr Philip Hollobone, Ian Paisley
† Amesbury, Mike (Weaver Vale) (Lab)
† Bristow, Paul (Peterborough) (Con)
† Clarke, Theo (Stafford) (Con)
† Collins, Damian (Folkestone and Hythe) (Con)
† Double, Steve (Lord Commissioner of His Majesty's Treasury)
† Eastwood, Mark (Dewsbury) (Con)
† Henry, Darren (Broxtowe) (Con)
† Hunt, Jane (Loughborough) (Con)
† Huq, Dr Rupa (Ealing Central and Acton) (Lab)
† Long Bailey, Rebecca (Salford and Eccles) (Lab)
† Monaghan, Carol (Glasgow North West) (SNP)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Peacock, Stephanie (Barnsley East) (Lab)
† Richards, Nicola (West Bromwich East) (Con)
† Simmonds, David (Ruislip, Northwood and Pinner) (Con)
† Wakeford, Christian (Bury South) (Lab)
† Whittingdale, Sir John (Minister for Data and Digital Infrastructure)
Huw Yardley, Bradley Albrow, Committee Clerks
† attended the Committee
Public Bill Committee
Tuesday 16 May 2023
(Afternoon)
[Mr Philip Hollobone in the Chair]
Data Protection and Digital Information (No. 2) Bill
Clause 9
Information to be provided to data subjects
14:00
Question (this day) again proposed, That the clause stand part of the Bill.
The Chair

I remind the Committee that with this we are discussing clause 10 stand part.

The Minister for Data and Digital Infrastructure (Sir John Whittingdale)

When the Committee adjourned this morning, I was nearly at my conclusion; I was responding to points made by the hon. Member for Barnsley East and by the hon. Member for Glasgow North West, who has not yet rejoined us. I was saying that the exemption applies where the data originally collected is historic, where to re-contact to obtain consent would require a disproportionate effort, and where that data could be of real value in scientific research. We think that there is a benefit to research and we are satisfied that the protection is there. There was some debate about the definition of scientific research, which we covered earlier; that is a point that is appealable to the Information Commissioner’s Office. On the basis of what I said earlier, and that assurance, I hope that the Committee will agree to the clause.

Question put and agreed to.

Clause 9 accordingly ordered to stand part of the Bill.

Clause 10 ordered to stand part of the Bill.

Clause 11

Automated decision-making

Stephanie Peacock (Barnsley East) (Lab)

I beg to move amendment 78, in clause 11, page 18, line 13, after “subject” insert “or decision subject”.

This amendment, together with Amendments 79 to 101, would apply the rights given to data subjects by this clause to decision subjects (see NC12).

The Chair

With this it will be convenient to discuss the following:

Amendment 79, in clause 11, page 18, line 15, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 80, in clause 11, page 18, line 16, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 81, in clause 11, page 18, line 27, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 82, in clause 11, page 18, line 31, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 83, in clause 11, page 19, line 4, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 84, in clause 11, page 19, line 7, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 85, in clause 11, page 19, line 11, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 86, in clause 11, page 19, line 12, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 87, in clause 11, page 19, line 13, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 88, in clause 11, page 19, line 15, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 89, in clause 11, page 19, line 17, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 90, in clause 11, page 19, line 26, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 91, in clause 11, page 20, line 8, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 92, in clause 11, page 20, line 10, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 93, in clause 11, page 20, line 12, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 94, in clause 11, page 20, line 23, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 95, in clause 11, page 20, line 28, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 96, in clause 11, page 20, line 31, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 97, in clause 11, page 20, line 35, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 98, in clause 11, page 20, line 37, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 99, in clause 11, page 20, line 39, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 100, in clause 11, page 21, line 1, leave out “data”.

See explanatory statement to Amendment 78.

Amendment 101, in clause 11, page 21, line 31, after “subject” insert “or decision subject”.

See explanatory statement to Amendment 78.

Amendment 106, in clause 27, page 47, line 27, after “subjects”, insert “decision subjects,”.

This amendment would require the ICO to have regard to decision subjects (see NC12) as well as data subjects as part of its obligations.

Amendment 108, in clause 29, page 53, line 11, at end insert—

“(ba) decision subjects;”.

This amendment, together with Amendments 109 and 110, would require codes of conduct produced by the ICO to have regard to decision subjects (see NC12) as well as data subjects.

Amendment 109, in clause 29, page 53, line 13, at end insert—

“(d) persons who appear to the Commissioner to represent the interests of decision subjects.”.

See explanatory statement to Amendment 108.

Amendment 110, in clause 29, page 53, line 21, after “subjects”, insert “, decision subjects”.

See explanatory statement to Amendment 108.

New clause 12—Decision subjects

“(1) The UK GDPR is amended as follows.

(2) In Article 4, after paragraph (A1), insert—

‘(A1A) “decision subject” means an identifiable individual who is subject to data-based and automated decision making;’”.

This new clause would provide a definition of “decision subjects”, enabling them to be given rights similar to those given to data subjects (see, for example, Amendment 78).

Stephanie Peacock

I am pleased to speak to new clause 12, which would insert a definition of decision subjects, and to amendments 79 to 101, 106 and 108 to 110, which seek to insert rights and considerations for decision subjects that mirror those of data subjects at various points throughout the Bill.

Most of our data protection legislation operates under the assumption that the only people affected by data-based and automated decision making are data subjects. The vast majority of protections available for citizens are therefore tied to being a data subject: an identifiable living person whose data has been used or processed. However, as Dr Jeni Tennison described repeatedly in evidence to the Committee, that assumption is unfortunately flawed. Although data subjects form the majority of those affected by data-based decision making, they are not the only group of people impacted. It is becoming increasingly common across healthcare, employment, education and digital platforms for algorithms created and trained on one set of people to be used to reach conclusions about another, wider set of people. That means that an algorithm can make an automated decision that affects an individual to a legal or similarly significant degree without having used their personal data specifically.

For example, as Connected by Data points out, an automated decision could be made about a neighbourhood area, such as a decision on gritting or a police patrol route, based on personal data about some of the people who live in that neighbourhood, with the outcome impacting even those residents and visitors whose data was not directly used. For those who are affected by the automated decision but are not data subjects, there is currently no protection, recognition or method of redress.

The new clause would therefore define the decision subjects who are impacted by the likes of AI without their data having been used, in the hope that we can give them protections throughout the Bill that are equal to those for data subjects, where appropriate. That is especially important because special category data is subject to stricter safeguards for data subjects but not for decision subjects.

Connected by Data illustrates that point using the following example. Imagine a profiling company that uses special category data about the mental health of some volunteers to construct a model that predicts mental health conditions based on social media feeds, which would not be special category data. From that information, the company could give an estimate of how much time people are likely to take off work. A recruitment agency could then use that model to assess candidates and reject those who are likely to have extended absences. The model would never use any special category data about the candidates directly, but those candidates would have been subject to an automated decision that made assumptions about their own special category data, based on their social media feeds. In that scenario, by virtue of being a decision subject, the individual would not have the right to the same safeguards as those who were data subjects.

Furthermore, there might be scenarios in which someone was subject to an automated decision despite having consciously prevented their personal data from being shared. Connected by Data illustrates that point by suggesting that we consider a person who has set their preferences on their web browser so that it does not retain tracking cookies or share information such as their location when they visit an online service. If the online service has collected data about the purchasing patterns of similarly anonymous users and knows that such a customer is willing to pay more for the service, it may automatically provide a personalised price on that basis. Again, no personal data about the purchaser will have been used in determining the price that they are offered, but they will still be subject to an automated decision based on the data of other people like them.

What those scenarios illustrate is that it is whether an automated decision affects an individual in a legal or similarly significant way that should be central to their rights, rather than whether any personal data is held about them. If the Bill wants to unlock innovation around AI, automated decisions and the creative use of data, it is only fair that that be balanced by ensuring that all those affected by such uses are properly protected should they need to seek redress.

This group of amendments would help our legislative framework to address the impact of AI, rather than just its inputs. The various amendments to clause 11 would extend to decision subjects rights that mirror those given to data subjects regarding automated decision making, such as the right to be informed, the right to safeguards such as contesting a decision and the right to seek human intervention. Likewise, the amendments to clauses 27 and 29 would ensure that the ICO is obliged to have regard to decision subjects both generally and when producing codes of conduct.

Finally, to enact the safeguards to which decision subjects would hopefully be entitled via the amendments to clause 11, the amendment to clause 39 would allow decision subjects to make complaints to data controllers, mirroring the rights available to data subjects. Without defining decision subjects in law, that would not be possible, and members of the general public could be left without the rights that they deserve.

Sir John Whittingdale

I am very much aware of the concern about automated decision making. The Government share the wish of the hon. Member for Barnsley East for all those who may be affected to be given protection. Where I think we differ is that we do not recognise the distinction that she tries to make between data subjects and decision subjects, which forms the basis of her amendments.

The hon. Lady’s amendments would introduce to the UK GDPR a definition of the term “decision subject”, which would refer to an identifiable individual subject to data-based and automated decision making, to be distinguished from the existing term “data subject”. The intended effect is to extend the requirements associated with provisions related to decisions taken about an individual using personal data to those about whom decisions are taken, even though personal information about them is not held or used to take a decision. It would hence apply to the safeguards available to individuals where significant decisions are taken about them solely through automated means, as amendments 78 to 101 call for, and to the duties of the Information Commissioner to have due regard to decision subjects in addition to data subjects, as part of the obligations imposed under amendment 106.

I suggest to the hon. Lady, however, that the existing reference to data subjects already covers decision subjects, which are, if you like, a sub-group of data subjects. That is because even if an individual’s personal data is not used to inform the decision taken about them, the fact that they are identifiable through the personal data that is held makes them data subjects. The term “data subject” is broad and already captures the decision subjects described in the hon. Lady’s amendment, as the identification of a decision subject would make them a data subject.

I will not, at this point, go on to set out the Government’s wider approach to the use of artificial intelligence, because that is somewhat outside the scope of the Bill and has already been set out in the White Paper, which is currently under consultation. Nevertheless, it is within that framework that we need to address all these issues.

Damian Collins (Folkestone and Hythe) (Con)

I have been closely following the speeches of the Minister and the hon. Member for Barnsley East. The closest example that I can think of for this scenario is the use of advertising tools such as lookalike audiences on Facebook and customer match on YouTube, where a company holding data about users looks to identify other customers who are the closest possible match. It does not hold any personal data about those people, but the platform forms the intermediary to connect them. Is the Minister saying that in that situation, as far as the Bill is concerned, someone contacted through a lookalike audience has the same rights as someone who is contacted directly by an advertiser that holds their data?

Sir John Whittingdale

Essentially, if anybody is affected by automated decision making on the basis of the characteristics of another person whose data is held—in other words, if the same data is used to take a decision that affects them, even if it does not personally apply to them—they are indeed within the broader definition of a data subject. With that reassurance, I hope that the hon. Member for Barnsley East will consider withdrawing her amendment.

Stephanie Peacock

I appreciate the Minister’s comments, but the point is that the data could be used—I gave the example that it might affect a group of residents who were not identifiable but were still subject to that data—so I am not quite sure that I agree with the Minister’s comparison. As the use of automated decision making evolves and expands, it is crucial that even if a person’s data is not being used directly, they are afforded protections and rights if they are subject to the outcome. I would like to press my amendment to a vote.

Question put, That the amendment be made.

Division 11

Ayes: 7

Noes: 10

Stephanie Peacock

I beg to move amendment 77, in clause 11, page 19, line 12, at end insert

“and about the safeguards available to the subject in accordance with this paragraph and any regulations under Article 22D(4);”.

This amendment would require controllers proactively to provide data subjects with information about their rights in relation to automated decision-making.

The Chair

With this it will be convenient to discuss amendment 120, in clause 11, page 19, line 12, at end insert—

“(aa) require the controller to inform the data subject when a decision described in paragraph 1 has been taken in relation to the data subject;”.

This amendment would require a data controller to inform a data subject whenever a significant decision about that subject based entirely or partly on personal data was taken based solely on automated processing.

Stephanie Peacock

New article 22C of the UK GDPR, inserted by clause 11, sets out the safeguards available to those who are subject to automated decision making. One such safeguard is that controllers must provide information to subjects relating to significant decisions taken through solely automated processing. That includes notifying subjects when a decision has been taken or informing them of the logic involved in producing that decision.

That provision is important. After all, how can the subject of an automated decision possibly exercise their other rights surrounding that decision if they do not even know that it has been taken on a solely automated basis? By the same logic, however, the average member of the general public is not likely to be aware of those other rights in the first place, including the rights to express their point of view with respect to automated decisions, to contest them and to seek human intervention.

Amendment 77 therefore recommends that as well as controllers being required to inform subjects about the decision, the same notice should be used as a vehicle to ensure that the subject is aware of the rights and safeguards in place to protect them and offer them redress. It would require no extra administrative effort on behalf of the controllers, because they will already be informing subjects. A proactive offer of redress may also encourage controllers to have extra regard to the way in which their automated systems are operating, in order to avoid unlawful activity that may cause them to receive a complaint or a request for human intervention.

An imbalance of power between those who conduct automated decisions and those who are subject to them already largely exists. Those who conduct decisions hold the collective power of the data, whereas each individual subject to a decision has only their own personal information; I will address that issue in greater detail in relation to other amendments, but there is no reason why that power imbalance should be exacerbated by hiding an individual’s own rights from them. If the intention of new article 22C is, as stated, to ensure that controllers are required to review and correct decisions that have produced a systematically wrongful outcome, there should be no issue with ensuring that the mechanism is properly communicated to the people it purports to serve. I am pleased to see that the hon. Member for Glasgow North West has tabled a similar amendment.

14:15
Carol Monaghan (Glasgow North West) (SNP)

I rise to speak to my amendment 120. The explanatory notes to the Bill clarify that newly permitted automated decisions will not require the existing legal safeguard of notification, stating only:

“Where appropriate, this may include notifying data subjects after such a decision has been taken”.

Clause 11 would replace article 22 of the GDPR, which regulates AI decision making, with new articles 22A to 22D. According to Connected by Data, it is built on the faulty assumption that the people who are affected by automated decision making are data subjects—identifiable individuals within the data used to make the automated decision. However, now that AI decisions can be based on information about other people, it is becoming increasingly common for algorithms created through training on one set of people to be used to reach conclusions about another set.

A decision can be based on seemingly innocuous information such as someone’s postcode or whether they liked a particular tweet. Where such a decision has an impact on viewing recommendations for an online player, we would probably not be that concerned, but personal data is being used more and more to make decisions that affect whole groups of people rather than identified individuals. We need no reminding of the controversy that ensued when Ofqual used past exam results to grade students during the pandemic.

Another example might be an electricity company getting data from its customers about home energy consumption. Based on that data, it could automatically adjust the time of day at which it offered cheaper tariffs. Everyone who used the electricity company would be affected, whether data about their energy consumption patterns were used to make the decision or not. It is whether an automated decision has a legal or similarly significant effect on an individual that should be relevant to their rights around automated decision making.

Many of the rights and interests of decision subjects are protected through the Equality Act 2010, as the Committee heard in oral evidence last week. What is not covered by other legislation, however, is how data can be used in automated decisions and the rights of decision subjects to be informed about, control and seek redress around automated decisions with a significant effect on them. According to Big Brother Watch:

“This is an unacceptable dilution of a critical safeguard that will not only create uncertainty for organisations seeking to comply, but could lead to vastly expanded ADM operating with unprecedented opacity.”

Amendment 120 would require a data controller to inform a data subject whenever a significant decision about that subject was based solely on automated processing. I am pleased that the hon. Member for Barnsley East has tabled a similar amendment, which I support.

Sir John Whittingdale

The Government absolutely share hon. Members’ view of the importance of transparency. We agree that individuals who are subject to automated decision making should be made aware of it and should have information about the available safeguards. However, we feel that those requirements are already built into the Bill via article 22C, which will ensure that individuals are provided with information as soon as is practicable after such decisions have been taken. This will need to include relevant information that an individual would require to contest such decisions and seek human review of them.

The reforms that we propose take an outcome-focused approach to ensure that data subjects receive the right information at the right time. The Information Commissioner’s Office will play an important role in elaborating guidance on what that will entail in different circumstances.

Chi Onwurah (Newcastle upon Tyne Central) (Lab)

If I understood the Minister correctly, he said that decision subjects are a subset of data subjects. Can he envisage any circumstances in which a decision subject is not included within the group “data subjects”?

Sir John Whittingdale

It is certainly our view that anybody who is affected by an automated decision made on the basis of data held about individuals themselves becomes a data subject, so I think the answer to the hon. Lady’s question is no. As I said, the Information Commissioner’s Office will provide guidance in this area. If such a situation does arise, obviously it will need to be considered. The hon. Members for Barnsley East and for Glasgow North West asked about making information available to all those affected, and about safeguards, which we think are contained within the requirements under article 22C.

Damian Collins

Further to the point that was made earlier, let us say that a Facebook user was targeted with an advert that was based on their protected characteristics data—data relevant to their sexual orientation, for example—but that user said that they had never shared that information with the platform. Would they have the right to make a complaint, either to the advertiser or to the platform, for inferring that data about them and making it available to a commercial organisation without their informed consent?

Sir John Whittingdale

They would obviously have that right, and indeed they would ultimately have the right to appeal to the Information Commissioner if they felt that they had been subjected unfairly to a decision where they had not been properly informed of the fact. On the basis of what I have said, I hope the hon. Member for Barnsley East might withdraw her amendment.

Stephanie Peacock

I appreciate the Minister’s comment, but the Government protection does not go as far as we would like. Our amendment speaks to the potential imbalance of power in the use of data and it would not require any extra administrative effort on behalf of controllers. For that reason, I will press it to a vote.

Question put, That the amendment be made.

Division 12

Ayes: 7

Noes: 10

The Chair

Ms Monaghan, do you wish to move amendment 120 formally?

Carol Monaghan

I will not move it formally, Mr Hollobone, but I may bring it back on Report.

Stephanie Peacock

I beg to move amendment 76, in clause 11, page 19, line 34, at end insert—

“5A. The Secretary of State may not make regulations under paragraph 5 unless—

(a) following consultation with such persons as the Secretary of State considers appropriate, the Secretary of State has published an assessment of the impact of the change to be made by the regulations on the rights and freedoms of data and decision subjects (with particular reference to children),

(b) the Commissioner has reviewed the Secretary of State’s statement and published a statement of the Commissioner’s views on whether the change should be made, with reasons, and

(c) the Secretary of State has considered whether to proceed with the change in the light of the Commissioner’s statement.”

This amendment would make the Secretary of State’s ability to amend the safeguards for automated decision-making set out in new Articles 22A to D subject to a requirement for consultation with interested parties and with the Information Commissioner, who would be required to publish their views on any proposed change.

The Chair

With this it will be convenient to discuss amendment 75, in clause 11, page 19, line 36, at end insert—

“7. The Commissioner must prepare a code of practice under section 124A of the Data Protection Act 2018 on the interpretation of references in this Regulation to “meaningful human involvement” and “similarly significant”.

8. The code of practice prepared under paragraph 7 must include examples of the kinds of processing which do, and which do not, fall within the definitions which use the terms referred to in that paragraph.”

This amendment would require the ICO to produce a code of practice on the interpretation of references to “meaningful human involvement” and “similarly significant” in connection with automated decision-making, with examples of the kinds of processing that would not count as falling within these definitions.

Stephanie Peacock

I will begin by discussing amendment 76 in the context of the general principles of this clause. The rise of AI and algorithmic decision making has happened at an unprecedented speed—so much so, in fact, that when the first version of this Bill was published, the likes of ChatGPT were not even launched yet. Now we live in a world where the majority of people across the country have been affected by or have used some form of AI-based or automated decision-making system.

When algorithms and automation work well, not only do they reduce administrative burdens, increase efficiency and free up capacity for further innovation and growth; they can also have remarkable outcomes. Indeed, PwC UK suggests that UK GDP could be up to 10.3% higher in 2030 as a result of artificial intelligence. AI is already being used to develop vaccines and medicines, for example, which are saving lives across the country and the entire world. Labour’s belief, outlined in our industrial strategy, is that the UK should be leading the world on efforts to ensure that transformative AI is aligned with the public interest in that way, and that regulations ensure we are well positioned to do that.

Despite the potential of AI to be harnessed for the public good, however, where things go wrong, the harms can be serious. The first way in which automation is prone to go wrong is by producing discriminatory outcomes. An algorithm, although intelligent in itself, is only ever as fair as the information and the people used to train it. That means that where biases exist in our world, they can become entrenched in our automated systems too. In 2020, thousands of students in England and Wales received A-level exam results where, due to the pandemic, their grades were determined by an algorithm rather than by sitting an exam. At the hands of the automated system, almost 40% of students received grades lower than they had anticipated, with pupils from certain backgrounds and areas such as those that I represent disproportionately impacted by the lower marks. Within days of the results being published, there was widespread public outcry about the distress caused, as well as threats of mass protests and legal action. Similarly, Amazon was reported to have used an AI tool that systematically penalised women in job application processes. The tool had been trained on a decade’s worth of CVs, predominantly submitted by men. As such examples show, AI on its own can produce discriminatory outcomes. Our regulation must therefore recognise that and seek to protect against it.

The second major way in which automated decision making tends to go wrong, or can be abused, is when it makes legal or critical decisions about our lives based on mismanaged, abused or faulty systems. In the most extreme cases, automated systems can even contribute to deciding whether someone’s employment will be terminated, with grave consequences when that goes wrong. As mentioned in the oral evidence sessions, for example, last month the courts upheld the finding that three UK-based Uber drivers were robotically fired without redress, having been accused of fraudulent activity on the basis of an automated detection system. The court found that human involvement in the firing process was

“not much more than a purely symbolic act”,

and that implementing such a decision without a mechanism for appeal was unjust. Where livelihoods are at risk, data regulation must ensure that proper safeguards are in place to protect against mismanaged and faulty automated systems.

Serious harms sometimes occur under the existing system, but there are laws under the GDPR that try to protect us against discriminatory outcomes and mismanagement. Indeed, article 21 of GDPR gives a data subject the right to object at any time to the processing of their personal data, unless the controller can demonstrate “compelling legitimate grounds” for the processing to override the data subject’s rights. In conjunction, article 22 prevents data subjects from being subject to a decision based solely on automated processing that has significant effects, except in a few circumstances, including when it is based on explicit consent and does not rely on special categories of data. In all cases where automated decision making is allowed, suitable measures to safeguard the data subjects’ rights and freedoms must also be implemented.

Albeit from different perspectives, stakeholders from techUK to the TUC have emphasised the importance of those articles and of the core principles that they promote. For example, the articles place an element of control in the hands of those that an automated decision affects. They emphasise the need for appropriate safeguards, and they consider the need for a different approach where sensitive data is concerned.

Where the clause adjusts the threshold on automated decision making to unlock innovation, therefore—as the likes of the A-level algorithm scandal and the robo-firings show—it is vital that any changes to regulation maintain and in some cases strengthen the principles set out in articles 21 and 22 of the GDPR. However, as the likes of the Ada Lovelace Institute, Which? and the TUC warn, in reality the Bill does the opposite, watering down existing protections. The amendments I have tabled are designed to rectify that.

15:52
The clause not only amends the threshold on automated decision making so that it is permitted in a far wider range of circumstances, but it defines solely automated processing as a “significant decision” that involves “no meaningful human involvement” and attaches all available safeguards to that definition. Furthermore, crucially, the clause gives the Secretary of State the power to amend what counts within the definition. That means that in a world where more automated decision making will be allowed than ever before, safeguards—including the right to be notified of an automated decision, the ability to contest decisions and the right to seek human intervention—will be applicable only at the whim of however the Secretary of State decides to define key terms.
That may well be reasonable when a well informed Secretary of State acts in good faith, updating a definition to add more clarity or to take into account future developments; but the Bill offers no protections against a Minister acting maliciously or on bad advice, deliberately or inadvertently thinning the definition of these terms, with the effect of excluding many automated decisions from having to offer vital safeguards.
Definitions of terms such as “similarly significant” effects and “meaningful human involvement” have always been important to the application of law around automated decision making, and are core to interpreting article 22. That was demonstrated by the Uber case, where it was clearly judged that there was no meaningful intervention. Under the Bill, it is possible that the likes of those Uber drivers would have no legal grounds to complain about having been automatically fired with no recourse. That is simply not right. If technology is used to make genuinely significant or legal decisions about someone’s life or employment, that person must be offered proper methods of redress and recourse. The Secretary of State should absolutely not have the unilateral ability to legislate for definitions that could deny people those rights.
Amendment 76 will ensure that the true impact of any changes to definitions and safeguards are considered, and that the regulator is consulted before any adjustments are made. The ability to future-proof definitions through changes will remain when it is truly needed, but necessary extra safeguards will be put in place, so that assurances that the power will not be abused are based in law, not in trust alone. Any changes deemed to be in the general better interests of the public will be able to go ahead, but confidence will be built in for everyone—from consumers to workers—that the Secretary of State cannot define them out of having the rights they deserve.
Moving on to amendment 75, given the importance of the definitions of “similarly significant” and “meaningful human involvement” to the application of safeguards in any given scenario, it is crucial that as well as preventing the Secretary of State from unnecessarily changing the definitions, we ensure that both controllers and the general public are clear on what falls within the definitions at any given point. The likes of the Public Law Project, the TUC, Which? and the Ada Lovelace Institute have all pointed that out, partly out of a need for general clarity, but also out of a fear that controllers may be able to use loose definitions to define their decision-making activities outside the boundaries of the new articles 22A to 22D, thus preventing the necessary safeguards from applying.
The ICO already offers some brief guidance on the difference between a partly automated and solely automated decision, stating that
“A process won’t be considered solely automated if someone weighs up and interprets the result of an automated decision before applying it to the individual.”
The ICO also gives some examples of a significant effect and points toward WP29 guidance on the subject, too. However, the Government make no effort in the Bill or the new rules around automated decision making to indicate that any such clarity or any examples will be provided. That means that, even before the Secretary of State has the power to change the definitions, there may still be confusion on how they apply. Such confusion is unacceptable; it will at best clog up the regulators’ time, and at worst cause people to be subject, without proper methods of redress, to automated decisions that have a genuine impact on their lives.
The amendment would build clarity into the Bill by guaranteeing statutory guidance from the Information Commissioner on how the terms are to be applied in practice. In particular, it will clarify the kinds of processing that do not count as falling within these definitions. For example, the guidance could juxtapose examples of meaningful human involvement and rubber stamping, so that controllers would have no excuse to define token gestures as a meaningful intervention. For anyone who wishes to comply with the spirit of the clause, no extra steps will be required; the provision will simply provide greater information to controllers on how to interpret the law, and protect those who are subject to automated decisions.
Sir John Whittingdale

The hon. Lady began her remarks on the broader question of the ambition to ensure that the UK benefits to the maximum extent from the use of artificial intelligence. We absolutely share that ambition, but also agree that it needs to be regulated. That is why we have published the AI regulation White Paper, which suggests that it is most appropriate that each individual regulator should develop its own rules on how that should apply. I think in the case that she was quoting of those who had lost their jobs, maybe through an automated process, the appropriate regulator—in that case, presumably, the special employment tribunal—would need to develop its own mechanism for adjudicating decisions.

I will concentrate on the amendment. On amendment 76, we feel that clause 44 already provides for an overarching requirement on the Secretary of State to consult the Information Commissioner and other persons that she or he considers appropriate before making regulations under UK GDPR, including the measures in article 22. When the new clause 44 powers are used in reference to article 22 provisions, they will be subject to the affirmative procedure in Parliament. I know that the hon. Lady is not wholly persuaded of the merits of using the affirmative procedure, but it does mean that parliamentary approval will be required. Given the level of that scrutiny, we do not think it is necessary for the Secretary of State to have to publish an assessment, as the hon. Lady would require through her amendment.

On amendment 75, as we have already debated in relation to previous amendments, there are situations where non-statutory guidance, which can be produced without being requested under regulations made by the Secretary of State, may be more appropriate than a statutory code of practice. We believe that examples of the kinds of processing that do and do not fall within the definitions of the terms “meaningful human involvement” and “similarly significant” are best placed in non-statutory guidance produced by the ICO, as this will give the flexibility to amend and change the examples where necessary. What constitutes a significant decision or meaningful human involvement is often highly context-specific, and the current wording allows for some interpretability to enable the appropriate application of this provision in different contexts, rather than introducing an absolute definition that risks excluding decisions that ought to fall within this provision and vice versa. For that reason, we are not minded to accept the amendments.

Stephanie Peacock

I appreciate the Minister’s remarks about consultation and consulting relevant experts. He is right to observe that I am not a big fan of the affirmative procedure as a method of parliamentary scrutiny but I appreciate that it is included in this Bill as part of that.

I think the problem is that we fundamentally disagree on the power to change these definitions being concentrated in the hands of the Secretary of State. It is one thing to future-proof the Bill but another to allow the Secretary of State alone to amend things as fundamental as the safeguards offered here. I would therefore like to proceed to a vote.

Question put, That the amendment be made.

Division 13

Ayes: 6

Noes: 10

Amendment proposed: 75, clause 11, page 19, line 36, at end insert—
‘7. The Commissioner must prepare a code of practice under section 124A of the Data Protection Act 2018 on the interpretation of references in this Regulation to “meaningful human involvement” and “similarly significant”.
8. The code of practice prepared under paragraph 7 must include examples of the kinds of processing which do, and which do not, fall within the definitions which use the terms referred to in that paragraph.’ —(Stephanie Peacock.)
This amendment would require the ICO to produce a code of practice on the interpretation of references to “meaningful human involvement” and “similarly significant” in connection with automated decision-making, with examples of the kinds of processing that would not count as falling within these definitions.
Question put, That the amendment be made.

Division 14

Ayes: 6

Noes: 10

Stephanie Peacock

I beg to move amendment 121, in clause 11, page 19, line 36, at end insert—

“7. When exercising the power to make regulations under this Article, the Secretary of State must have regard to the following statement of principles:

Digital information principles at work

1. People should have access to a fair, inclusive and trustworthy digital environment at work.

2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.

3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.

4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.

5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.

6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.

7. Workers should have control over their own data and digital information collected about them at work.

8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.

9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.

10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”

This amendment would insert into new Article 22D of the UK GDPR a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.

The Chair

With this it will be convenient to discuss amendment 122, in clause 11, page 22, line 2, at end insert—

“(7) When exercising the power to make regulations under this section, the Secretary of State must have regard to the following statement of principles:

Digital information principles at work

1. People should have access to a fair, inclusive and trustworthy digital environment at work.

2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.

3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.

4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.

5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.

6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.

7. Workers should have control over their own data and digital information collected about them at work.

8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.

9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.

10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”

This amendment would insert into new section 50D of the DPA2018 a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.

Stephanie Peacock

Amendments 121 and 122 would ensure that close attention is paid to the specific and unique circumstances of workers and the workplace when regulations are made under the clause. Indeed, as has already been referenced, the workplace has dramatically evolved in the last decade with the introduction and growth of technology. Whether it be Royal Mail using the postal digital assistant service to calculate the length of time posties spend walking, on doorsteps and standing still, or Amazon collecting data from handheld scanners to calculate how much time workers are spending “off task”, the digital monitoring of workers and subsequent use of that data by managers to assess performance, allocate work hours and decide on levels of pay, is on the rise.

Of course it is absolutely right that workplaces embrace technology. As Andrew Pakes of Prospect said to this Committee, our economy and the jobs that people do each day can be made better and more productive through the good deployment of technology—but the key is in the phrase “good deployment”, and in order to have deployment that works for the greater good, the rights and protections in place at work must keep pace with the changing nature of the workplace and these technological advancements. As Labour outlined in our industrial strategy, we want to do just that: harness data for the public good and ensure that data and the innovation it brings with it benefit our wider society, not just large corporations. Further, as is written in our “New Deal for Working People”, Labour wants to introduce new rights to protect workers in the modern age—for example by legislating to make proposals to introduce surveillance technologies subject to consultation and agreement of trade unions, or elected staff representatives where there is no trade union. After all, we can only truly unlock the benefits of data and become a world leader in this space if there is genuine public trust in these technologies. Good regulation breeds that trust.

Currently, however, and particularly in the Bill, the kinds of measures that would allow for good deployment of technology in the workplace—technology that operates in the greater interest including that of workers—are missing from the Government’s plans. Instead, as the TUC note, we are overseeing a growing power imbalance between worker and employer. This imbalance not only exists by the nature of the relationship, but it is now being exacerbated by the increasing level of knowledge and control that employers have over personal data as the workplace becomes digitised, compared with workers, who have very little power over, expertise on or access to such data.

Some impressive projects have sought to address that imbalance. For example, in 2020 Prospect worked with a coalition of unions, tech specialists and researchers to launch a beta version of WeClock, a free mobile app that helps workers to track and manage their own data such as that related to their location, their commute and when they are doing work on their phone. Those data profiles could then potentially be used by trade union campaigners to improve rights for workers. However, it should not just be down to individual projects to ensure that there is an equal balance between worker and employer. The Bill is a huge missed opportunity to write into law this balance and the principles that we should consider with regard to workers’ rights in the modern age.

The amendment, which has been prepared in partnership with the Institute for the Future of Work, is designed to right that wrong and ensure that where regulations are made about automated decision making, the full impact on workers is considered and strong principles about worker involvement are upheld. It will mean that the Secretary of State has to consider that people have an inclusive digital environment at work, that they should be protected from harms by algorithmic systems, and that they should be meaningfully consulted before and after the use of such tools. Further, under this amendment, consideration will be given to supporting workers in building the information, literacy and skills needed to understand these transitions in the workplace, thereby addressing some of the imbalances in knowledge and understanding.

I will end with an example of the real-life consequences of employment and data laws lagging behind technology. As was revealed by a report by the Worker Info Exchange just last month, 11 Just Eat couriers in the UK were recently robotically fired after receiving allegations of fraudulent activity identified by an automated system. According to the report, these workers were falsely accused of receiving “undeserved financial gain” relating to nominal waiting time payments at restaurants. Just Eat argued that the workers left the restaurant while continuing to claim waiting fees. However, GPS evidence showed that workers had stayed in the vicinity of the restaurant, usually in the car park. In each case, the worker collected the food and completed the delivery, and the average value of the alleged undeserved payments justifying the robo-firings was just £1.44. Cases such as those, in which real livelihoods are impacted and rights infringed for the sake of profit margins, can and must be avoided.

The amendment would take the first steps in ensuring that regulations around automated decision making centre the unique experience of workers. It also highlights the Bill’s failure to move towards a legislative framework in which a distinct focus is placed on harnessing data for the public good, which is something that Labour would have placed at the heart of a data Bill such as this one.

14:45
Chi Onwurah

I rise to speak briefly in support of the amendment tabled by my hon. Friend the Member for Barnsley East and to emphasise the points that she made regarding the importance of putting forward a vision for the protection of workers as the nature of working environments changes. That is part of what the amendment’s “digital information principles at work” seek to do. I declare an interest: I worked for Ofcom as head of technology before coming to this House. That work highlighted to me the importance of forward-looking regulation. As my hon. Friend set out, artificial intelligence is not forward looking; it is here with us and in the workplace.

Many technological changes have made work more accessible to more people: covid showed us that we could work from many different locations—indeed, Parliament successfully worked from many locations across the country. Technological changes have also made work more productive, and companies and public sector organisations are taking advantage of that increase in productivity. But some technologies have accelerated bad employment practices, driven down standards and damaged the wellbeing of workers—for example, workplace surveillance technologies such as GPS tracking, webcam monitoring and click monitoring, which encroach on workers’ privacy and autonomy. My constituents often say that they feel that technology is something that is done to them, rather than something that has their consent and empowers them.

It is important, as I am sure that the Minister will agree, that working people welcome and embrace the opportunities that technology can bring, both for them and for the companies and organisations they work for, but that cannot happen without trust in those technologies. For that, there need to be appropriate regulation and safeguards. Surely the Minister must therefore agree that it is time to bring forward a suite of appropriate principles that follows the amendment’s principle of

“a fair, inclusive and trustworthy digital environment at work.”

I hope that he cannot disagree with any of that.

If we are to get ourselves out of the economic stagnation and lack of growth of the last 10 or 13 years, we need to build on new technologies and productivity, but we cannot do that without the support and trust of people in the workforce. People must feel that their rights—new rights that reflect the new environment in the workplace—are safeguarded. I hope that the Minister will agree that the principles set out in the amendment are essential to building that trust, and to ensuring a working environment in which workers feel protected and able to benefit from advances in technology.

Sir John Whittingdale

I am grateful to the hon. Members for Barnsley East and for Newcastle upon Tyne Central for setting out the thinking behind the amendment. We share the view, as the hon. Member for Newcastle upon Tyne Central has just said, that those who are subject to artificial intelligence and automated decision making need to have trust in the process, and there need to be principles underlying the way in which those decisions are taken. In each case, the contributions go above and beyond the provision in the Bill. On what we are proposing regarding data protection, the changes proposed in clause 11 will reinforce and provide further clarification, as I have said, in respect of the important safeguards for automated decision making, which may be used in some workplace technologies. These safeguards ensure that individuals are made aware of and can seek human intervention on significant decisions that are taken about them through solely automated means. The reforms to article 22 would make clear employer obligations and employee rights in such scenarios, as we debated in the earlier amendments.

On the wider question, we absolutely recognise that the kind of deployment of technology in the workplace shown in the examples that have already been given needs to be considered across a wide range of different regulatory frameworks in terms of not just data protection law, but human rights law, legal frameworks regarding health and safety and, of course, employment law.

Chi Onwurah

I thank the Minister for his comments. I note that he castigates us, albeit gently, for tabling an amendment to this data protection Bill, while he argues that there is a need for wider legislation to enshrine the rights he apparently agrees with. When and where will that legislation come forward? Does he recognise that we waited a long time and listened to similar arguments about addressing online harms, but have ended up in a situation where—in 2023—we still do not have legislation on online harms? My question is: if not now, when?

Sir John Whittingdale

As I was Chair of the Culture, Media and Sport Committee in 2008 when we published a report calling for legislation on online safety, I recognise the hon. Lady’s point that these things take a long time—indeed, far too long—to come about. She calls for action now on governance and regulation of the use of artificial intelligence. She will know that last month the Government published the AI regulation White Paper, which set out the proposals for a proportionate outcomes-focused approach with a set of principles that she would recognise and welcome. They include fairness, transparency and explainability, and we feel that this has the potential to address the risks of possible bias and discrimination that concern us all. As she knows, the White Paper is currently out to consultation, and I hope that she and others will take advantage of that to respond. They will have until 21 June to do so.

I assure the hon. Lady and the hon. Member for Barnsley East that the Government are keenly aware of the need to move swiftly, but we want to do so in consultation with all those affected. The Bill looks at one relatively narrow aspect of the use of AI, but certainly the Government’s general approach is one that we are developing at pace, and we will obviously respond once the consultation has been completed.

Stephanie Peacock

The power imbalance between employer and worker has no doubt grown wider as technology has developed. Our amendment speaks to the real-life consequences of that, and to what happens when employment and data law lags behind technology. For the reasons that have been outlined by my hon. Friend the Member for Newcastle upon Tyne Central and myself, I would like to continue with my amendment.

Question put, That the amendment be made.

Division 15

Ayes: 6

Noes: 10

Amendment proposed: 122, in clause 11, page 22, line 2, at end insert—
“(7) When exercising the power to make regulations under this section, the Secretary of State must have regard to the following statement of principles:
Digital information principles at work
1. People should have access to a fair, inclusive and trustworthy digital environment at work.
2. Algorithmic systems should be designed and used to achieve better outcomes: to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.
3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.
4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.
5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.
6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.
7. Workers should have control over their own data and digital information collected about them at work.
8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.
9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.
10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.” —(Stephanie Peacock.)
This amendment would insert into new section 50D of the DPA2018 a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.
Question put, That the amendment be made.

Division 16

Ayes: 6

Noes: 10

Question proposed, That the clause stand part of the Bill.
Sir John Whittingdale

We have, I think, covered a lot of ground already in the debates on the amendments. To recap, clause 11 reforms the rules relating to automated decision making in article 22 of the UK GDPR and relevant sections of the Data Protection Act 2018. It expands the lawful grounds on which solely automated decision making that produces a legal or similarly significant effect on an individual may be carried out.

Currently, article 22 of the UK GDPR restricts such activity to a narrow set of circumstances. By expanding the available lawful grounds and ensuring we are clear about the required safeguards, these reforms will boost confidence that the responsible use of this technology is lawful, and will reduce barriers to responsible data use.

The clause makes it clear that solely automated decisions are those that do not involve any meaningful human involvement. It ensures that there are appropriate constraints on the use of sensitive personal data for solely automated decisions, and that such activities are carried out in a fair and transparent manner, providing individuals with key safeguards.

The clause provides three powers to the Secretary of State. The first enables the Secretary of State to describe cases where there is or is not meaningful human involvement in the taking of a decision. The second enables the Secretary of State to further describe what is and is not to be taken as having a significant effect on an individual. The third enables the introduction of further safeguards, and allows those already set out in the reforms to be amended but not removed.

The reformed section 50 of the Data Protection Act mirrors the changes in subsection (1) for solely automated decision making by law enforcement agencies for a law enforcement purpose, with a few differences. First, in contrast to article 22, the rules on automated decision making apply only where such decisions have an adverse legal or similarly significant effect on the individual. Secondly, the processing of sensitive personal data cannot be carried out for the purposes of entering into a contract with the data subject for law enforcement purposes.

The final difference relates to the safeguards for processing. This clause replicates the UK GDPR safeguards for law enforcement processing but also allows a controller to apply an exemption to them where it is necessary for a particular reason, such as to avoid obstructing an inquiry. This exemption is available only where the decision taken by automated means is reconsidered by a human as soon as reasonably practicable.

The subsections amending relevant sections of the Data Protection Act 2018, which apply to processing by or on behalf of the intelligence services, clarify that requirements apply to decisions that are entirely automated, rather than solely automated. They also define what constitutes a decision based on this processing. I have explained the provisions of the clause, and hope the Committee will feel able to accept it.

Stephanie Peacock

I talked at length about my views about the changes to automated decision making when we debated amendments 77, 120, 76, 75, 121 and 122. I have nothing further to add at this stage, but those concerns still stand. As such, I cannot support this clause.

Question put, That the clause stand part of the Bill.

Division 17

Ayes: 10

Noes: 6

Clause 11 ordered to stand part of the Bill.
Schedule 3
Automated decision-making: consequential amendments
15:00
Sir John Whittingdale

I beg to move amendment 17, in schedule 3, page 140, line 9, leave out sub-paragraph (3) and insert—

“(3) In paragraph 2—

(a) for “under Articles 15 to 22”, in the first place, substitute “arising under or by virtue of Articles 15 to 22D”, and

(b) for “his or her rights under Articles 15 to 22” substitute “those rights”.”.

This amendment adjusts consequential amendments of Article 12(2) of the UK GDPR for consistency with other amendments of the UK GDPR consequential on the insertion of new Articles 22A to 22D.

The Chair

With this it will be convenient to discuss the following:

Government amendments 18 to 23.

That schedule 3 be the Third schedule to the Bill.

Sir John Whittingdale

I can be reasonably brief on these amendments. Schedule 3 sets out the consequential changes needed to reflect references to the rules on automated decision making in reformed article 22 and section 50 and other provisions in the UK GDPR and the Data Protection Act 2018. Schedule 3 also sets out that section 14 of the Data Protection Act is repealed. Instead, reformed article 22 sets out the safeguards that must apply, regardless of the lawful ground on which such activity is carried out.

Government amendments 17 to 23 are minor technical amendments ensuring that references elsewhere in the UK GDPR and the Data Protection Act to the provisions on automated decision making are comprehensively updated to reflect the reforms related to such activity in this Bill. That means that references to article 22 UK GDPR are updated to the reformed article 22A to 22D provisions, and references to sections 49 and 50 in the Data Protection Act are updated to the appropriate new sections 50A to 50D.

Stephanie Peacock

I thank the Minister for outlining these technical changes. I have nothing further to add on these consequential amendments beyond what has already been discussed on clause 11 and the rules around automated decision making. Consistency across the statute book is important, but all the concerns I raised when discussing the substance of those changes remain.

Amendment 17 agreed to.

Amendments made: 18, in schedule 3, page 140, line 30, before second “in” insert “provided for”.

This amendment and Amendment 19 adjust consequential amendments of Article 23(1) of the UK GDPR for consistency with other amendments of the UK GDPR consequential on the insertion of new Articles 22A to 22D.

Amendment 19, in schedule 3, page 140, line 31, leave out “in or under” and insert

“arising under or by virtue of”.

See the explanatory statement for Amendment 18.

Amendment 20, in schedule 3, page 140, line 33, leave out from “protection” to end of line 35 and insert

“in accordance with, and with regulations made under, Articles 22A to 22D in connection with decisions based solely on automated processing (including decisions reached by means of profiling)”.

This amendment adjusts the consequential amendment of Article 47(2)(e) of the UK GDPR to reflect the way in which profiling is required to be taken into account for the purposes of provisions about automated decision-making (see Article 22A(2) inserted by clause 11).

Amendment 21, in schedule 3, page 140, line 36, leave out paragraph 10 and insert—

“10 In Article 83(5) (general conditions for imposing administrative fines)—

(a) in point (b), for “22” substitute “21”, and

(b) after that point insert—

“(ba) Article 22B or 22C (restrictions on, and safeguards for, automated decision-making);””.

This amendment adjusts the consequential amendment of Art 83(5) of the UK GDPR (maximum amount of penalty) for consistency with the consequential amendment of equivalent provision in section 157(2) of the Data Protection Act 2018.

Amendment 22, in schedule 3, page 141, line 8, leave out sub-paragraph (2) and insert—

“(2) In subsection (3), for “by the data subject under section 45, 46, 47 or 50” substitute “made by the data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D”.”.

This amendment adjusts the consequential amendment of section 52(3) of the Data Protection Act 2018 for consistency with other amendments of that Act consequential on the insertion of new sections 50A to 50D.

Amendment 23, in schedule 3, page 141, line 9, leave out sub-paragraph (3) and insert—

“(3) In subsection (6), for “under sections 45 to 50” substitute “arising under or by virtue of sections 45 to 50D””.—(Sir John Whittingdale.)

This amendment adjusts the consequential amendment of section 52(6) of the Data Protection Act 2018 for consistency with other amendments of that Act consequential on the insertion of new sections 50A to 50D.

Schedule 3, as amended, agreed to.

Clause 12

General obligations

Question proposed, That the clause stand part of the Bill.

Sir John Whittingdale

One of the main criticisms that the Government have received of the current legislative framework is that it sets out a number of prescriptive requirements that organisations must satisfy to demonstrate compliance. They include appointing independent data protection officers, keeping records of processing, appointing UK representatives, carrying out impact assessments and consulting the ICO about intended processing activities in specified circumstances.

Those rules can sometimes generate a significant and disproportionate administrative burden, particularly for small and medium-sized enterprises and for some third sector organisations. The current framework provides some limited exemptions for small businesses and organisations that are carrying out low-risk processing activities, but they are not always as clear or as useful as they should be.

We are therefore taking the opportunity to improve chapter 4 of the UK GDPR, and the equivalent provisions in part 3 of the Data Protection Act, in respect of law enforcement processing. Those provisions deal with the policies and procedures that organisations and law enforcement organisations must put in place to monitor and ensure compliance. Clauses 12 to 20 will give organisations greater flexibility to implement data protection management programmes that work for their organisations, while maintaining high standards of data protection for individuals.

Clause 12 is technical in nature. It will improve the terminology in the relevant articles of the UK GDPR by replacing the requirement to implement

“appropriate technical and organisational measures”.

In its place, data protection risks must be managed with

“appropriate measures, including technical and organisational measures,”.

That will give organisations greater flexibility to implement any measures that they consider appropriate to help them manage risks. A similar clarification is made to equivalent parts of the Data Protection Act.

Clause 13 will remove article 27 of the UK GDPR, ending the requirement for overseas controllers or processors to appoint a representative in the UK where they offer goods or services to, or monitor the behaviour of, UK citizens—

The Chair

Order. I am sorry, Minister, but we are talking about clause 12 at the moment; we will come on to clause 13 later. Have you concluded your remarks on clause 12?

Sir John Whittingdale

I think I have covered the points that I would like to make on clause 12.

Stephanie Peacock

Clause 12 is a set of largely technical amendments to terminology that I hope will provide clarity to data controllers and processors. I have no further comments to make at this stage.

Question put and agreed to.

Clause 12 accordingly ordered to stand part of the Bill.

Clause 13

Removal of requirement for representatives for controllers etc outside the UK

Question proposed, That the clause stand part of the Bill.

Sir John Whittingdale

As I was saying, clause 13 will remove article 27 of the UK GDPR, ending the requirement for overseas controllers or processors to appoint a representative in the UK where they offer goods or services to, or monitor the behaviour of, UK citizens. By no longer mandating organisations to appoint a representative, we will be allowing organisations to decide for themselves the best way to comply with the requirements for effective communication. That may still include the appointment of a UK-based representative. The removal of this requirement is therefore in line with the Bill’s wider strategic aim of removing unnecessary prescriptive regulation.

Stephanie Peacock

The rules set out in the UK GDPR apply to all those who are active in the UK market, regardless of whether their organisation is based or located in the UK. Article 27 of the UK GDPR currently requires controllers and processors based outside the UK to designate a UK-based representative, unless they process only occasionally without special categories of data, providing an element of proportionality, or are a public authority or body. The idea is that the representative will act on behalf of the controller or processor regarding their UK GDPR compliance and will deal with the ICO and data subjects in that respect, acting as a primary contact for all things data within the country.

The removal of the requirement for a UK representative was not included in the Government’s consultation, “Data: a new direction”, nor was it even mentioned in their response. As a result, stakeholders have not been given an opportunity to put forward their opinions on this change. I wish to represent some of those opinions so that they are on the record for the Minister and his Department to consider.

Concern among the likes of Lexology, DataRep and Which? relates primarily to the fact that the current requirements for UK-based representatives ensure that UK data subjects can conveniently reach the companies that process their personal data, so that they can exercise their rights under the GDPR. Overseas data handlers may have a different first language, operate in a different time zone or have local methods of contact that are not easily accessible from the UK. Having a UK-based point of contact therefore ensures that data subjects do not struggle to apply the rights to which they are entitled because of the inevitable differences that occur across international borders.

As Lexology has pointed out, the Government’s own impact assessment says:

“There is limited information and data on the benefits of having an Article 27 representative as it is a relatively new and untested requirement and also one that applies exclusively to businesses and organisations outside of the UK which makes gathering evidence very challenging.”

By their own admission, then, the Government seem to recognise the challenges in gathering information from organisations outside the UK. If the Government find it difficult to get the information that they require, surely average citizens and data subjects may also face difficulties.

Not only is having a point of contact a direct benefit for data subjects, but a good UK representative indirectly helps data subjects by facilitating a culture of good data protection practice in the organisation that they represent. For example, they may be able to translate complex legal concepts into practical business terms or train fellow employees in a general understanding of the UK GDPR. Such functions may make it less likely that a data subject will need to exercise their rights in the first place.

As well as things being harder for data subjects in the ways I have outlined, stakeholders are not clear about the benefits of removing representatives for UK businesses. For example, the Government impact assessment estimates that the change could save a large organisation £50,000 per year, but stakeholders have said that that figure is an overestimation. Even if the figure is accurate, the saving will apply only to organisations outside the UK and will be made through a loss of employment for those who are actually based in the UK and performing the job.

The question therefore remains: if the clause is not in the interests of data subjects, of UK businesses or of UK-based employees who act as representatives, how will this country actually benefit from the change? I am keen to hear from the Minister on that point.

Sir John Whittingdale

If there are concerns that were not fed in during the consultation period, obviously we will consider them. However, it remains the case that even without the article 27 representative requirement, controllers will have to maintain contact with UK citizens and co-operate with the ICO under other provisions of the UK GDPR. For example, overseas controllers and processors must still co-operate with the ICO as a result of the specific requirements to do so under article 31 of the UK GDPR. To answer the hon. Lady’s question about where the benefit lies, the clause is part of a streamlining process to remove what we see as unnecessary administrative requirements and bureaucracy.

Question put and agreed to.

Clause 13 accordingly ordered to stand part of the Bill.

Clause 14

Senior responsible individual

Question proposed, That the clause stand part of the Bill.

Sir John Whittingdale

As I mentioned in our debate on clause 12, clauses 12 to 18 will give organisations greater flexibility about the policies, procedures or programmes that they put in place to ensure compliance with the legislation. As we have discussed, a criticism of the current legal framework is that many of the existing requirements are so prescriptive that they impose unnecessary burdens on businesses. Many organisations could manage data protection risks effectively without appointing an independent data protection officer, but they are forced to do so by the prescriptive rules that we inherited from the European Union.

Clause 14 will therefore abolish existing requirements on data protection officers and replace them with new requirements for organisations to designate a senior responsible individual where appropriate. That individual would be part of the organisation’s senior management and would be responsible for overseeing data protection matters within the organisation. In particular, the individual would be responsible for monitoring compliance with the legislation, ensuring the implementation of appropriate risk management procedures, responding to data protection breaches and co-operating with the information commissioner, or for ensuring that those tasks are performed by another suitably skilled person where appropriate. Senior responsible individuals may perform the tasks specified in clause 14 themselves, delegate them to suitably skilled members of staff or, if it is right for the company and its clients, seek advice from independent data protection experts.

We recognise that some people have raised concerns that giving organisations more flexibility in how they monitor and ensure compliance with the legislation could reduce standards of protection for individuals. We are confident that that will not be the effect of the clause. On the contrary, the clause provides an opportunity to elevate discussions about data protection risks to senior levels within organisations by requiring a senior responsible individual to take ownership of data protection risks and embed a culture of data protection. On that basis, I commend the clause to the Committee.

15:15
Stephanie Peacock

In a number of places in the Bill, the Government have focused on trying to ensure a more proportionate approach to data protection. That often takes the form of reducing regulatory requirements on controllers and processors where low-risk processing, which presents less of a threat of harm to data subjects, is taking place. Clause 14 is one place in which Ministers have applied that principle, replacing data protection officers with a requirement to appoint a senior responsible individual, but only where high-risk processing is being carried out.

Such a proportionate approach makes sense in theory. Where the stakes are lower, less formalised oversight of GDPR compliance will be required, which will be particularly helpful in small business settings where margins and resources are tight. Where the stakes are higher, however, a senior responsible individual will have a similar duty to that of a data protection officer, but with the added benefit of being part of the senior leadership team, ensuring that data protection is considered at the highest level of organisations conducting high-risk processing.

However, the Government have admitted that the majority of respondents to their consultation disagreed with the proposal to remove the requirement to designate a data protection officer. In particular, respondents were concerned that removing DPOs would result in

“a loss of data protection expertise”

and

“a potential fall in trust and reassurance to data subjects.”

Indeed, data protection officers perform a vital role in upholding GDPR, taking on responsibility for informing people of their obligations; monitoring compliance, including raising awareness and training staff; providing advice, where requested, on data protection impact assessments; co-operating with the regulator; and acting as a contact point. That provides not only guaranteed expertise to organisations, but reassurance to data subjects that they will have someone to approach should they feel the need to exercise any of their rights under the GDPR.

The contradiction between the theory of the benefits of proportionality and the reality of the concerns expressed by respondents to the consultation emphasises a point that the Government have repeatedly forgotten throughout the Bill: although removing truly unnecessary burdens can sometimes be positive, organisations often want clear regulation more than they want less regulation. They believe in the principles of the GDPR, understand the value of rights to data subjects and often over-comply with regulation out of fear of breaking the rules.

In this context, it makes sense that organisations recognise the value of having a data protection officer. They actually want in-house expertise on data—someone they can ask questions and someone they can rely on to ensure their compliance. Indeed, according to the DPO Centre, in September 2022, the UK data protection index panel of 523 DPOs unequivocally disagreed with the idea that the changes made by the clause would be in the best interests of data subjects. Furthermore, when asked whether the proposal to remove the requirement for a DPO and replace it with a requirement for a senior responsible individual would simplify the management of privacy in their organisation, 42% of DPOs surveyed gave the lowest score of 1.

Did the Department consider offering clarification, support and guidance to DPOs, rather than just removing them? Has it attempted to assess the impact of their removal on data subjects? In practice, it is likely that many data protection officers will be rebranded as senior responsible individuals. However, many will be relieved of their duties, particularly since the requirement to be part of the organisation’s senior management team could be problematic for external DPO appointments and those in more junior positions. Has the Department assessed how many data protection officers may lose their job as a result of these changes? Is the number expected to be substantial? Will there be any protections to support those people in transitioning to skilled employment surrounding data protection and to prevent an overall reduction of data protection expertise in organisations?

Sir John Whittingdale

The clause does not in any way represent a lessening of the requirement on organisations to comply with data protection law. It simply introduces a degree of flexibility. An organisation could not get rid of data protection officers without ensuring that processing activities likely to pose high risks to individuals are still managed properly. The senior responsible individual will be required to ensure that that is the case.

At the moment, even small firms whose core activities do not involve the processing of sensitive data must have a data protection officer. We feel that that is an unnecessary burden on those small firms, and that allowing them to designate an individual will give them more flexibility without reducing the overall level of data protection that they require.

Question put and agreed to.

Clause 14 accordingly ordered to stand part of the Bill.

Clause 15

Duty to keep records

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss clause 16 stand part.

Sir John Whittingdale

Clauses 15 and 16 will improve the record-keeping requirements under article 30 of the UK GDPR and the logging requirements under part 3 of the Data Protection Act, which is concerned with records kept for law enforcement purposes. Article 30 of the UK GDPR requires most organisations to keep records of their processing activities and includes a list of requirements that should be included in the record. Those requirements can add to the paperwork that organisations have to keep to demonstrate compliance. Although there is an exemption from those requirements in the UK GDPR for some small organisations, it has a limited impact because it applies only where their processing of personal data is “occasional”.

Clause 15 will replace the record-keeping requirements under article 30. It will make it easier for data controllers to understand exactly what needs to be included in the record. Most importantly, organisations of any size will no longer have to keep records of processing, unless their activities are

“likely to result in a high risk”

to individuals. That should help small businesses in particular, which have found the current small business exemption difficult to understand and apply in practice.

Clause 16 will make an important change to the logging requirements for law enforcement purposes in part 3 of the Data Protection Act. It will remove the ineffective requirement to record a justification when an officer consults or discloses personal data for the purposes of an investigation. The logging requirements are unique to the law enforcement regime and aim to assist in monitoring and auditing data use. Recording a justification for accessing data was intended to help protect against unlawful access, but the reality is that someone is unlikely to record an honest reason if their access is unlawful. That undermines the purpose of this requirement, because appropriate and inappropriate uses would both produce essentially indistinguishable data.

As officers often need to access large amounts of data quickly, especially in time-critical scenarios, the clause will facilitate the police’s ability to investigate and prevent crime more swiftly. We estimate that the change could save approximately 1.5 million policing hours. Other elements of the logs, such as the date and time of the consultation or disclosure and the identity of the person accessing them, are likely to be far more effective in protecting personal data against misuse; those elements remain in place. On that basis, I commend the clauses to the Committee.

Stephanie Peacock

Record keeping is a valuable part of data processing. It requires controllers, and to a lesser extent processors, to stay on top of all the processing that they are conducting by ensuring that they record the purposes for processing, the time limits within which they envisage holding data and the categories of recipients to whom the data has been or will be disclosed.

Many respondents to the Government’s consultation “Data: a new direction” said that they did not think the current requirements were burdensome. In fact, they said that the records allow them easily to understand the personal data that they are processing and how sensitive it is. It is likely that that was helped by the fact that the requirements were proportionate, meaning that organisations that employed under 250 people and were not conducting high-risk processing were exempt from the obligations.

It is therefore pleasing to see the Government rolling back on the idea of removing record-keeping requirements entirely, as was suggested in their consultation. As was noted, the majority of respondents disagreed with that proposal, and it is right that it has been changed. However, some respondents indicated a preference for more flexibility in the record-keeping regime, which is what I understand the clause is trying to achieve. Replacing the current requirements with a requirement to keep an appropriate record of processing, tied to high-risk activities, will give controllers the flexibility that they require.

As with many areas of the Bill, it is important that we be clear on the definition of “appropriate” so that it cannot be used by those who simply do not want to keep records. I therefore ask the Minister whether further guidance will be available to assist controllers in deciding what counts as appropriate.

I also wish to highlight the point that although in isolation the clause does not seem to change requirements much, other than by adding an element of proportionality, it cannot be viewed in isolation. In combination with other provisions, such as the reduced requirements on DPIAs and the higher threshold for subject access requests, it seems that there will be fewer records overall on which a data subject might be able to rely to understand how their personal information is being used or to prove how it has been used when they seek redress. With that in mind, I ask the Minister whether the Government have assessed the potential impact of the combination of the Bill’s clauses on the ability of data subjects to exercise their rights. Do the Government have any plans to work with the commissioner to monitor any such impacts on data subjects after the Bill is passed?

I turn to clause 16. Section 62 of the Data Protection Act 2018 requires competent authorities to keep logs that show who has accessed certain datasets, and at what time. It also requires that that access be justified: the reason for consulting the data must be given. Justification logs exist to assist in disciplinary proceedings, for example if there is reason to believe that a dataset has been improperly accessed or that personal data has been disclosed in an unauthorised way. However, as Aimee Reed, director of data at the Met police and chair of the national police data board, told the Committee:

“It is a big requirement across all 43 forces, largely because…we are operating on various aged systems. Many of the technology systems…do not have the capacity to log section 62 requirements, so police officers are having to record extra justification in spreadsheets alongside the searches”.––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 56, Q118.]

That creates what she described as a “considerable burden”.

Understandably, therefore, the Bill removes the justification requirement. There are some—the Public Law Project, for example—who have expressed concern that this change would pose a threat to individual rights by allowing the police to provide a retrospective justification for accessing records. However, as the explanatory notes indicate, it is highly unlikely that in an investigation concerning inappropriate use, a justification recorded by the individual under investigation for improper access or unauthorised access could be relied on anyway. Clause 16 would therefore not stop anyone from being investigated for improper access; it would simply reduce the burden of recording a self-identified justification that could hardly be relied on anyway. I welcome the intent of the clause and the positive impact that it could have on our law enforcement processing.

Sir John Whittingdale

The intention behind clause 15 is to reduce the burden on organisations by tying the record-keeping requirements to high-risk processing activities. If there is uncertainty about the nature of the risk, organisations will be able to refer to ICO guidance. The ICO has already published examples on its website of processing that is likely to be high-risk for the purposes of completing impact assessments; clause 17 will require it to apply the guidance to the new record-keeping requirements as well. It will continue to provide guidance on the matter, and we are happy to work with it on that.

With respect to clause 16, I am most grateful for the Opposition’s welcome recognition of the benefits for crime prevention and law enforcement.

Question put and agreed to.

Clause 15 accordingly ordered to stand part of the Bill.

Clause 16 ordered to stand part of the Bill.

Clause 17

Assessment of high risk processing

Stephanie Peacock

I beg to move amendment 102, in clause 17, page 32, line 12, leave out from “with” to the end of line 28 on page 33 and insert

“subsection (2)

(2) In Article 57(1) (Information Commissioner’s tasks), for paragraph (k) substitute—

‘(k) produce and publish a document containing examples of types of processing which the Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals (for the purposes of Articles 27A, 30A and 35);’.”

This amendment would remove the provisions of clause 17 which replace the existing data protection impact assessment requirements with new requirements about “high risk processing”, leaving only the requirement for the ICO to produce a document containing examples of types of processing likely to result in a high risk to the rights and freedoms of individuals.

The Chair

With this it will be convenient to discuss the following:

Amendment 103, in clause 17, page 33, line 9, at end insert—

“(4A) After Article 35(11) insert—

‘(11A) Any public authority, government department, or contractor of a government department which routinely uses public data in the discharge of its functions must publish any assessments of high risk processing conducted pursuant to this Article. Any assessments published under this Article must be redacted where necessary for the purposes of—

(a) removing sensitive details,

(b) protecting public interests, or

(c) ensuring the security of data processing operations.’”

This amendment inserts a new requirement into Article 35 of UKGDPR, for any public authority which uses public data to publish any assessment of high risk processing they conduct under Article 35.

Clause stand part.

Clause 18 stand part.

15:29
Stephanie Peacock

As was the intention, the Bill loosens restrictions on processing personal data in many areas: it adds a new lawful basis and creates new exceptions to purpose limitation, removes blocks to automated decision-making and allows for much thinner record keeping. Each change in isolation may make only a relatively small adjustment to the regime. Collectively, however, they result in a large-scale shift towards controllers being able to conduct more processing, with less transparency and communication, and having fewer records to keep, all of which reduces opportunities for accountability.

As mentioned, loosening restrictions is an entirely deliberate consequence of a Bill that seeks to unlock innovation through data—an aim that Members across the House, including me, are strongly behind, given the power of data to influence growth for the public good. However, given the cumulative impact of this deregulation, where increasingly opaque processing is likely to result in a large risk to people’s rights, a processor might at the very least record how they will ensure that any high-risk activities that they undertake do not lead to unlawful or discriminatory outcomes for the general public. That is exactly what the current system of DPIAs, as outlined in article 35 of GDPR, allows for. These assessments, which require processors to measure their activities against the risk to the rights and freedoms of data subjects, are not just a tick-box exercise, unnecessary paperwork or an administrative burden; they are an essential tool for ensuring that organisations do not deploy, and individuals are not subjected to, systems that may lead to a fundamental breach of their rights.

Assessments of that kind are not a concept unique to data processing. The Government routinely publish impact assessments on the legislation that they want to introduce; any researcher or scientist is likely to conduct an assessment of the safety and morality of their methodology; and a teacher will routinely and formally measure the risks involved when taking pupils on a school trip. Where activities pose a high risk to others, it is simply common practice to keep a record of where the risks lie, and to make plans to ensure that they are mitigated where possible.

In the case of data, not only are DPIAs an important mechanism to ensure that risks are managed, but they act as a key tool for data subjects. That is first because the process of conducting a DPIA encourages processors to consult data subjects, either directly or through a representative, on how the type of processing might impact them. Secondly, where things go wrong for data subjects, DPIAs act as a legal record of the processing, its purpose and the risks involved. Indeed, the Public Law Project, a registered charity that employs a specialist lawyer to conduct research, provide training and take on legal casework, identified DPIAs as a key tool in litigating against the unlawful use of data processing. They show a public law record of the type of processing that has been conducted, and its impact.

The TUC and the Institute for the Future of Work echo that, citing DPIAs as a crucial process and consultation tool for workers and trade unions in relation to the use of technology at work. The clause, however, seeks to water down DPIAs, which will become “assessments of high-risk processing”. That guts both the fundamental benefit of risk management that they offer in a data protection system that is about to become increasingly transparent, and the extra benefits that they give to data subjects.

Instead of requiring a systematic description of the processing operations and purposes, under the new assessments the controller would be required only to summarise the purpose of the processing. Furthermore, instead of conducting a proportionality assessment, controllers will be required only to consider whether the processing is necessary for the stated purpose. The Public Law Project describes the proportionality assessment as a crucial legal test that weighs up whether an infringement of human rights, including the right not to be discriminated against, is justified in relation to the processing being conducted.

When it comes to consultation, where previously it was encouraged for controllers to seek the views of those likely to be impacted by the processing, that requirement to seek those views will now be entirely omitted, despite the important benefit to data subjects, workers and communities. The new tests therefore simply do not carry the same weight or benefit as DPIAs, which in truth could themselves be strengthened. It is simply not appropriate to remove the need to properly assess the risk of processing, while simultaneously removing restrictions that help to mitigate those risks. For that reason, the clause must be opposed; we would keep only the requirement for the ICO to produce that much-needed guidance on what constitutes high-risk processing.

Moving on to amendment 103, given the inherent importance of conducting risk assessments for high-risk processing, and their potential for use by data subjects when things go wrong, it seems only right that transparency be built into the system where it comes to Government use of public data. The amendment would do just that, and only that. It would not adjust any of the requirements on Government Departments or public authorities to complete high-risk assessments; it would simply require an assessment to be published in any case where one is completed. Indeed, the ICO guidance on DPIAs says:

“Although publishing a DPIA is not a requirement of UK GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your DPIAs, where possible, removing sensitive details if necessary.”

However, very few organisations choose to publish their assessments. This is a chance for the Government to lead by example, and foster an environment of trust and confidence in data protection.

Alongside the amendment I tabled on compulsory reporting on the use of algorithms, this amendment is designed to afford the general public honesty and openness on how their data is used, especially where the process has been identified as having a high risk of causing harm. Again, a published impact assessment would provide citizens with an official record of high-risk uses of their data, should they need that when seeking redress. However, a published impact assessment would also encourage responsible use of data, so that redress does not need to be sought in the first place.

The Government need not worry about the consequences of the amendment if they already meet the requirement to conduct the correct impact assessments and process them in such a way that the benefits are not heavily outweighed by a risk to data rights. If rules are being followed, the amendment will only provide proof of that. However, if anyone using public data in a public authority’s name did so without completing the appropriate assessments, or processed that data in a reckless or malicious way, there would be proof of that. Where there is transparency, there is accountability, and where the Government are involved, accountability is always crucial in a democracy. The amendment would ensure that accountability shined through in data protection law.

Finally, I turn to clause 18. The majority of respondents to the “Data: a new direction” consultation agreed that organisations are likely to approach the ICO voluntarily before commencing high-risk processing activities if that is taken into account as a mitigating factor in any future investigation or enforcement action. The loosening of requirements in the clause is therefore not a major concern. However, when that is combined with the watering down of the impact assessments, there remains an overarching concern about the oversight of high-risk processing. I refer to my remarks on clause 17, in which I set out the broader problems that the Bill poses to protection against harms from high-risk processing.

Sir John Whittingdale

As we have discussed, one of the principal objectives of this part of the Bill is to remove some of the prescriptive unnecessary requirements on organisations to do things to demonstrate compliance. Clauses 17 and 18 reduce the unnecessary burdens placed on organisations by articles 35 and 36 of the UK GDPR in respect of data protection impact assessments and prior consultation with the ICO respectively.

Clause 17 will replace the EU-derived notion of a data protection impact assessment with more streamlined requirements for organisations to document how they intend to assess and mitigate risks associated with high-risk processing operations. The changes will apply to both the impact assessment provisions under the UK GDPR and the section of the Data Protection Act 2018 that deals with impact assessments for processing relating to law enforcement. Amendment 102 would reverse those changes to maintain the current data protection impact assessment requirements, but we feel that this would miss an important opportunity for reform.

There are significant differences between the new provisions in the Bill and current provisions on data protection impact assessments. First, the new provisions are less prescriptive about the precise processing activities for which a risk assessment will be required. We think organisations are best placed to judge whether a particular activity poses a high risk to individuals in the context of the situation, taking account of any relevant guidance from the regulator.

Secondly, we have also removed the mandatory requirement to consult individuals about the intended processing activity as part of a risk-assessment process, as that imposes unnecessary burdens. There are already requirements in the legislation to ensure that any new processing is fair, transparent and designed with the data protection principles in mind. It should be open to businesses to consult their clients about intended new processing operations if they wish, but that should not be dictated to them by the data protection legislation.

Clause 18 will make optional the previous requirement for data controllers to consult the commissioner when a risk assessment indicates a potential high risk to individuals. The Information Commissioner will be able to consider any voluntary actions that organisations have taken to consult the ICO as a factor when imposing administrative fines on a data controller. Currently, compliance with the prior consultation requirement is low, likely due to a lack of clarity in the legislation and a reluctance for organisations to engage directly with the regulator on potential high-risk processing. The clause will encourage a more proactive, open and collaborative dialogue between the ICO and organisations, so that they can work together to better mitigate the risks.

The Opposition’s amendment 103 would mandate the publication of risk assessments by all public sector bodies. That requirement would, in our view, place a disproportionate burden on public authorities of all sizes. It would apply not just to Departments but to smaller public authorities such as schools, hospitals, independent pharmacies and so on. The amendment acknowledges that each public authority would have to spend time redacting sensitive details from risk assessments prior to publication. As those assessments can already be requested by the ICO as part of its investigations, or by members of the public via freedom of information requests, we do not think it is necessary to impose that significant new burden on all public bodies. I therefore invite the hon. Member for Barnsley East to withdraw her two amendments, and I commend clauses 17 and 18 to the Committee.

Stephanie Peacock

I am happy not to press amendment 103 to a vote, but on amendment 102, I simply do not think it is appropriate to remove the need to properly assess the risk of processing while removing the restrictions that help to mitigate it. For those reasons, I will press it to a vote.

Question put, That the amendment be made.

Division 18

Ayes: 6

Noes: 10

Question put, That the clause stand part of the Bill.

Division 19

Ayes: 10

Noes: 6

Clause 17 ordered to stand part of the Bill.

Clause 18 ordered to stand part of the Bill.

Clause 19

Law enforcement processing and codes of conduct

Sir John Whittingdale

I beg to move amendment 1, in clause 19, page 35, leave out lines 23 to 25 and insert—

“(5) The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.”.

This amendment replaces a duty on expert public bodies to submit draft codes of conduct relating to compliance with Part 3 of the Data Protection Act 2018 to the Information Commissioner with a duty on the Information Commissioner to encourage such bodies to do so.

The Chair

With this it will be convenient to discuss the following:

Government amendments 2 to 4.

Clause stand part.

15:45
Sir John Whittingdale

Clause 19 introduces an ability for public bodies with the appropriate knowledge and expertise to produce codes of conduct applicable to the law enforcement regime. The clause mirrors the equivalent provision in the UK GDPR.

As with regular guidance, these codes of conduct will be drafted by law enforcement data protection experts and tailored to the specific data protection issues that affect law enforcement agencies, to help improve compliance with the legislation and encourage best practice. However, they are intended to carry more weight, because they will additionally have the formal approval of the Information Commissioner.

When a code of conduct is produced, there is a requirement to submit a draft of it to the Information Commissioner. While that is good practice, we think it is unnecessary to mandate that. Government amendment 1 replaces that requirement with a duty on the commissioner to instead encourage public bodies to do that. Government amendments 2 and 3 are consequential to that.

Where a public body has submitted a code of conduct to the commissioner for review, Government amendment 4 removes the requirement for the commissioner to review any subsequent amendments made by the public body until the initial draft has been considered. This change will promote transparency, greater clarity and confidence in how police process personal data under the law enforcement regime. Codes of conduct are not a new concept. The clause mirrors what is already available under the UK GDPR.

Stephanie Peacock

The Bill fails to fully recognise that the burdens that organisations face in complying with data protection legislation are not always best dealt with by simply removing the protections in place. In many cases, clarification and proper guidance can be just as fruitful in allowing data protection to work more seamlessly. Clauses such as clause 19, which seeks to create an environment in which best practice is shared on how to comply with data protection laws and deal with key data protection challenges, are therefore very welcome. It is absolutely right that we should capitalise on pockets of experience and expertise, especially in the public sector, where resources have often been stretched, particularly over the last 13 years. We should ensure that learnings are shared with those who are less familiar with how to resolve challenges around data.

It is also pleasing to see that codes that give sector-specific guidance will be approved by the commissioner before being published. That will ensure absolute coherence between guidance and the enforcement of data protection law more widely. I look forward to seeing what positive impact the codes of conduct will have on how personal data is handled by public bodies, to the benefit of the general public as well as the public bodies themselves; the burden on them will likely be lifted as a result of the clarity provided by the guidance.

Sir John Whittingdale

I welcome the Opposition’s support.

Amendment 1 agreed to.

Amendments made: 2, in clause 19, page 35, line 26, leave out from ‘body’ to ‘, the’ in line 27 and insert ‘does so’.

This amendment is consequential on Amendment 1.

Amendment 3, in clause 19, page 35, line 28, leave out ‘draft’.

This amendment is consequential on Amendment 2.

Amendment 4, in clause 19, page 35, line 33, leave out from ‘conduct’ to the end of line 34 and insert—

‘that is for the time being approved under this section as they apply in relation to a code’.—(Sir John Whittingdale.)

This amendment makes clear that the Commissioner’s duty under new section 68A of the Data Protection Act 2018 to consider whether to approve amendments of codes of conduct relates only to amendments of codes that are for the time being approved under that section.

Clause 19, as amended, ordered to stand part of the Bill.

Clause 20

Obligations of controllers and processors: consequential amendments

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to consider the following:

Government amendments 42 and 43.

That schedule 4 be the Fourth schedule to the Bill.

Government amendments 40 and 41.

Sir John Whittingdale

As clauses 12 to 18 remove terms such as data protection officers and data protection impact assessments from the legislation, some consequential changes are required to other parts of the legislation where the same terms are used. Clause 20 therefore introduces schedule 4, which sets out the details of the consequential changes required. An example of that is in article 13 of the UK GDPR, which currently requires controllers to provide individuals with the contact details of the data protection officer, where appropriate. In future, that provision will refer to the organisation’s senior responsible individual instead. Removal of the term data protection officer from the UK GDPR will have knock-on effects in other areas, including in relation to the types of people from whom the ICO receives requests and queries.

Government amendment 40 will provide that the commissioner may refuse to deal with vexatious or excessive requests made by any person, not just those made by data protection officers or data subjects. Government amendments 41 to 43 make further minor and technical changes to the provisions in schedule 4 to reflect the changes we have made to the terminology.

Stephanie Peacock

I have no comments to add on the consequential amendments in clause 20 beyond what has been discussed regarding the obligations on controllers and processors. With regard to Government amendments 40 to 44 and schedule 4, I will address changes to the ICO’s powers to refuse requests when we come to them further on in the Bill.

Question put and agreed to.

Clause 20 accordingly ordered to stand part of the Bill.

Schedule 4

Obligations of controllers and processors: consequential amendments

Amendments made: 42, in schedule 4, page 143, line 20, leave out ‘and section 135’.—(Sir John Whittingdale.)

This amendment is consequential on Amendment 40.

Amendment 43, in schedule 4, page 143, line 24, leave out paragraph 18.

This amendment is consequential on Amendment 40.

Schedule 4, as amended, agreed to.

Clause 21

Transfers of personal data to third countries and international organisations

Question proposed, That the clause stand part of the Bill.

The Chair

With this it will be convenient to discuss the following:

Amendment 104, in schedule 5, page 144, line 28, at end insert—

‘4 All provisions in this Chapter must be applied in such a way as to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’

This amendment would reinsert into the new Article on general principles for international data transfers the principle that all provisions of this Chapter of the UK GDPR should be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined.

Government amendments 24 to 26.

That schedule 5 be the Fifth schedule to the Bill.

Government amendments 27 to 29.

That schedule 6 be the Sixth schedule to the Bill.

That schedule 7 be the Seventh schedule to the Bill.

Sir John Whittingdale

Clause 21 refers to schedules 5 to 7, which introduce reforms to the provisions of the UK GDPR and the Data Protection Act 2018, which regulate the international transfers of personal data. Schedule 5 introduces changes to the UK’s general processing regime for transferring personal data internationally. In order to provide for a clearer structure than the current UK regime, schedule 5 will consolidate the existing provisions on international transfers. It replaces article 44 with article 44A, setting out in clearer terms the general principles for international transfers and listing the same bases under which personal data can be lawfully transferred overseas.

Schedule 5 also introduces article 45A, which sets out the Secretary of State’s power to make regulations approving transfers of personal data to a third country or international organisation. The Government now use the term “data bridges” to refer to those regulations, which allow the free flow of personal data. Article 45A outlines that the Secretary of State may make such regulations only if they are satisfied that the data protection test is met. In addition to the requirement that the Secretary of State be satisfied that the data protection test is met, article 45A specifies that the Secretary of State may have regard to other matters that he or she considers relevant when making those regulations, including the desirability of facilitating transfers of personal data to and from the UK.

Article 45B sets out the data protection test that the Secretary of State must consider is met in order to establish new data bridges. In order for a country or international organisation to meet the data protection test, the standard of protection for personal data in that country or international organisation must be “not materially lower” than the standard of protection under the UK’s data protection framework. The reformed law recognises that the Secretary of State must exercise their judgment when making a determination. Their assessment will be made with respect to the outcomes of data protection in a third country, instead of being prescriptive about the form and means of protection, recognising that no two data protection regimes are identical.

The article also sets out a more concise and streamlined list of key factors that the Secretary of State must consider as part of their assessment. However, article 45B(2) is a non-exhaustive list, and the Secretary of State may also need to consider other matters in order to determine whether the required standard of protection exists.

Article 45C amends the system for formally reviewing data bridge regulations, removing the requirement for them to be reviewed periodically. The Secretary of State will still be subject to the requirement to monitor developments in other countries on an ongoing basis. Schedule 5 also amends article 46, which sets out the rules for controllers and processors to make international transfers of personal data using alternative transfer mechanisms.

The new article 46 requirements are tailored for data exporters to transfer defined types of data in specific circumstances. They stipulate that the data exporter, acting reasonably and proportionately, must consider that the standard of protection provided for the data subject would be “not materially lower” than the standard of protection in the UK in the specific circumstances of the transfer. The new requirements accommodate disparities between data exporters, where what is right for a multinational organisation transferring lots of sensitive data may not be right for a small charity making ad hoc transfers.

Schedule 5 also introduces article 47A, which provides a power for the Secretary of State to create or recognise new UK and non-UK alternative transfer mechanisms. The new power will help to future-proof the UK’s international transfers regime by allowing the Government to shape international developments and react quickly to global trends, helping UK businesses connect and trade with their partners around the world.

Schedule 6 amends relevant parts of the Data Protection Act 2018 governing international transfers of personal data, which are governed by the law enforcement processing regime. Paragraph 4 omits the section governing transfers based on adequacy assessments and inserts a new provision to mirror the approach being adopted in schedule 5. As with the changes described in schedule 5, schedule 6 amends the power in new section 74AA for the Secretary of State to make regulations approving transfers of personal data to another jurisdiction. It replaces the current list of considerations with a broader, non-exhaustive one. The schedule also clarifies the test found in new section 74AB that must be applied when regulations are made, giving greater clarity to the UK regulations decision-making process.

16:00

Paragraph 6 amends the wording that provides for transfers outside the UK subject to “appropriate safeguards”. To improve the effectiveness of transferring data internationally, the amended wording introduces the principles of reasonableness and proportionality to manage what can be reasonably expected of an organisation transferring the data. Further amendments clarify the rules for law enforcement transfers in the absence of regulations or appropriate safeguards. That route will still be permitted only when there are special circumstances that warrant the transfer, such as to prevent an immediate, serious threat to public security.

Schedule 6 further amends the section of the Data Protection Act that currently obliges UK data controllers to ensure that international partners seek consent from the UK in all cases before they share personal data with another country or international organisation. The reform will allow a UK controller to permit international parties to transfer personal data without the consent of the UK controller where they conclude that that is necessary to prevent an immediate, serious threat to public security or national security. The proposal would remove any delay to addressing serious and immediate threats.

Clause 21 introduces schedules 5 and 6, which reform the UK’s international personal data transfers regime. The clause also introduces schedule 7, which contains consequential and transitional provisions supporting the amendments to the UK’s regime for international transfer of data.

I come to amendment 104, which the Opposition have tabled. Should I deal with that now or allow the Opposition to speak to the amendment first, Mr Hollobone?

The Chair

The Minister is being very courteous and generous, and he makes a very sensible suggestion. Will he respond to amendment 104 after the Opposition have spoken to it?

Sir John Whittingdale

It would make sense to explain the reasons why we are not convinced after we have heard the arguments in favour.

The Chair

I call Stephanie Peacock.

Stephanie Peacock

I am grateful to the Minister, and I will focus my remarks particularly on the contents of schedule 5 before explaining the thought process behind amendment 104.

In the globalised world in which we live, we have an obligation to be outward looking and to consider not just the activities that take place in the UK, but those that occur worldwide. When it comes to data protection, that means accepting that data will likely need to travel across borders, and inserting appropriate safeguards so that UK citizens do not lose the protection of data protection laws if their personal data is transferred away from this country. The standard of those safeguards is absolutely crucial to the integrity of our entire data protection regime. After all, if a controller can simply send the personal data of UK citizens to a country that has limited data protection laws for processing that would be unlawful here, and if they can transfer that data back afterwards, in reality our laws are only as strong as the country with the weakest protections in the world.

As things stand, there is only a limited set of circumstances under which personal data can be transferred to a third party outside the UK. One such circumstance is where there is an adequacy agreement, similar to that which we have with the EU. For such an agreement to be reached, the Secretary of State must have considered many things, including the receiver’s respect for human rights and data rules; the presence, or lack thereof, of a regulator, and its independence; and any international commitments they have made in relation to data protection. These amendments ensure that data can flow freely between the UK and another country as long as the level of protection received by citizens is not undermined by the regulatory structure in that country.

The Bill amends the adequacy-based framework and replaces it with a new outcomes-based approach through the data protection test. The test is met if the standard of the protection provided for data subjects, with regard to the general processing of personal data in the country or by the organisation, is not materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018.

When deciding whether the test is met, the Secretary of State must still consider many of the same things: their respect for human rights, the existence of a regulator, and international obligations. However, stakeholders such as Reset.tech and the TUC have expressed concern that the new test could mean that UK data is transferred to countries with lower standards of protection than previously. That is significant not just for data subjects in the UK, who may be faced with weaker rights, but for business, which fears that this may signify a divergence from the EU GDPR that could threaten the UK’s own adequacy status. Losing this agreement would have real-world consequences for UK consumers and businesses to the tune of hundreds of millions of pounds. What conversations has the Minister had with representatives of the European Commission to ensure that the new data protection test does not threaten adequacy? Does he expect the new data protection test to result in the data of UK citizens being passed to countries with weaker standards than are allowed under the current regime?

Moving on to amendment 104, one reason why some stakeholders are expressing concern about the new rules is because they appear to omit article 44. As it stands, for those who are concerned about the level of data protection available to them as a result of international transfers, article 44 of the UK GDPR provides a guarantee that the integrity of the UK’s data protection laws will be protected. Indeed, it sets out that all provisions relating to the international transfer of UK personal data

“shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

If UK data will not be transferred to countries with weaker protections, it is not clear why this simple guarantee would be removed. The amendment would clear up any confusion around that and reinsert the article so that data subjects can be reassured of the strength of this new data protection test and of their rights.

Again, it is important to emphasise that getting the clause right is absolutely essential, as it underpins the entire data protection regime in the country. Getting it wrong could cost a huge amount, rendering the Bill, the UK GDPR and the Data Protection Act 2018 essentially useless. It is likely that the Government do not intend to undermine their own regulatory framework. Reinserting the article would confirm that in the Bill, offering complete clarity that the new data protection test will not result in lower levels of protection for UK data subjects.

Sir John Whittingdale

We completely agree with the hon. Lady that we would not wish to see data transferred to countries that have an inferior data protection regime. However, we do not think amendment 104 is required to achieve that, because the reforms in chapter 5 already provide for a clear and high standard of protection when transferring personal data overseas. It states that the standard of protection in that country must not be “materially lower” than the standard under the UK GDPR. That ensures that high standards of data protection are maintained. In addition, we feel that the amendment would return us to the confusion of the existing regime. At present, the legislative framework makes it difficult for organisations and others to understand what standard needs to be applied when transferring personal data internationally, with several terms used in the chapter and in case law. Our reforms ensure that a clear standard applies, which maintains protection for personal data.

The hon. Lady raised the EU’s data adequacy assessment. That is something that featured earlier in our debates on the Bill, and, as we heard from a number of our witnesses, including the information commissioner, there is no reason to believe that this in any way jeopardises the EU’s assessment of the UK’s data adequacy.

Government amendment 24 revises new article 45B(3)(c) of the UK GDPR, which is inserted by schedule 5 and which makes provision about the data protection test that must be satisfied for data bridge regulations to be made. An amendment to the Bill is required for the Secretary of State to retain the flexibility to make data bridge regulations covering transfers from the UK or elsewhere. The amendment will preserve the status quo under the current regime, in which the Secretary of State’s power is not limited to covering only transfers from the UK. In addition to these amendments, four other minor and technical Government amendments—25, 26, 28 and 29—were tabled on 10 May.

Question put and agreed to. 

Clause 21 accordingly ordered to stand part of the Bill.

Schedule 5

Transfers of personal data to third countries etc: general processing

Amendments made: 24, in schedule 5, page 147, line 3, leave out “from the United Kingdom” and insert

“to the country or organisation by means of processing to which this Regulation applies as described in Article 3”.

New Article 45B(3)(c) of the UK GDPR explains how references to processing of personal data in a third country should be read (in the data protection test for regulations approving international transfers of personal data). This amendment changes a reference to data transferred from the United Kingdom to include certain data transferred from outside the United Kingdom.

Amendment 25, in schedule 5, page 147, line 12, leave out

“the transfer of personal data”

and insert “transfer”.

This amendment and Amendment 26 simplify the wording in new Article 45B(4)(b) of the UK GDPR.

Amendment 26, in schedule 5, page 147, line 14, leave out

“the transfer of personal data”

and insert “transfer”.—(Sir John Whittingdale.)

See the explanatory statement for Amendment 25.

Schedule 5, as amended, agreed to.

Schedule 6

Transfers of personal data to third countries etc: law enforcement processing

Amendments made: 27, in schedule 6, page 155, line 39, leave out “from the United Kingdom” and insert—

“to the country or organisation by means of processing to which this Act applies as described in section 207(2)”.

New section 74AB(3)(c) of the Data Protection Act 2018 explains how references to processing of personal data in a third country should be read (in the data protection test for regulations approving international transfers of personal data). This amendment changes a reference to data transferred from the United Kingdom to include certain data transferred from outside the United Kingdom.

Amendment 28, in schedule 6, page 156, line 6, leave out

“the transfer of personal data”

and insert “transfer”.

This amendment and Amendment 29 simplify the wording in new section 74AB(4)(b) of the Data Protection Act 2018.

Amendment 29, in schedule 6, page 156, line 8, leave out

“the transfer of personal data”

and insert “transfer”.—(Sir John Whittingdale.)

See the explanatory statement for Amendment 28.

Schedule 6, as amended, agreed to. 

Schedule 7 agreed to. 

Clause 22

Safeguards for processing for research etc purposes

Sir John Whittingdale

I beg to move amendment 34, in clause 22, page 36, leave out lines 20 to 22.

This amendment and Amendment 37 transpose the requirement for processing of personal data for research, archiving and statistical purposes to be carried out subject to appropriate safeguards from the beginning to the end of new Article 84B of the UK GDPR.

The Chair

With this it will be convenient to discuss the following:

Government amendments 35 to 39.

Clause stand part.

Clause 23 stand part.

Sir John Whittingdale

Clause 22 creates a new chapter in the UK GDPR that provides safeguards for the processing of personal data for the purposes of scientific research or historical research, archiving in the public interest, and for statistical purposes. Currently, the provisions that provide safeguards for those purposes are spread across the UK GDPR and the Data Protection Act 2018.

Clause 22 consolidates those safeguards in a new chapter 8A of the UK GDPR. Those safeguards ensure that the processing of personal data for research, archiving and statistical purposes does not cause substantial damage or substantial distress and that appropriate technical and organisational measures are in place to respect data minimisation. Clause 23 sets out consequential changes to the UK GDPR and Data Protection Act 2018 required as a result of the changes being made in clause 22 to consolidate safeguards for research.

Government amendments 34 to 39 are minor, technical amendments clarifying that, as part of the pre-existing additional requirement when processing for research, archiving and statistical purposes, a controller is to use anonymous—rather than personal—data, unless that means that those purposes cannot be fulfilled. It makes clear that processing to anonymise the personal data is permitted. On that basis, I commend the clauses, and indeed the Government amendments, to the Committee.

Stephanie Peacock

With regards to clause 22, it is pleasing to see a clause confirming the safeguards that are applicable when processing under the new research and scientific purposes. For example, it is welcome that it is set out that such processing must not cause substantial damage or distress to a data subject, must respect the principle of data minimisation and must not make decisions related to a particular data subject unless it is for approved medical research.

Those safeguards are especially important given the concerns that I laid out over the definition of scientific research in clause 2, which could lead to the abuse of data under the guise of legitimate research. I have no further comments on the clause or the Government’s amendments to it at this stage, other than to reiterate that the definition of scientific research must have clear boundaries if any of the clauses that concern research are to be used as intended.

Clause 23 makes changes consequential on those in clause 22, so I refer to the substance of my remarks during the discussion of the previous clause.

Amendment 34 agreed to.

16:16

Amendments made: 35, in clause 22, page 36, leave out lines 23 to 30 and insert—

“3A Personal data may only be processed for RAS purposes if—

(a) the processing consists of the collection of the personal data (whether from the data subject or otherwise),

(b) the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a living individual, or

(c) without the processing, the RAS purposes cannot be fulfilled.”

This amendment replaces and clarifies the restriction in new Article 84B(2) and (3) of the UK GDPR on processing of personal data for research, archiving or statistical purposes. It makes clear that processing carried out for the purpose of anonymising personal data is permitted.

Amendment 36, in clause 22, page 36, line 31, leave out “2” and insert “3A”.

This amendment is consequential on Amendment 35.

Amendment 37, in clause 22, page 36, line 34, at end insert—

“5. Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject.”

See the explanatory statement for Amendment 34.

Amendment 38, in clause 22, page 37, line 4, leave out “84B(1)” and insert “84B(5)”.

This amendment is consequential on Amendments 34 and 37.

Amendment 39, in clause 22, page 38, line 14, leave out “84B(1)” and insert “84B(5)”.—(Sir John Whittingdale.)

This amendment is consequential on Amendments 34 and 37.

Clause 22, as amended, ordered to stand part of the Bill.

Clause 23 ordered to stand part of the Bill.

Clause 24

National security exemption

Question proposed, That the clause stand part of the Bill.
The Chair

With this it will be convenient to discuss the following:

Amendment 105, in clause 25, page 44, line 6, leave out “must consult the Commissioner” and insert

“must apply to the Commissioner for authorisation of the designation notice on the grounds that it satisfies subsection (1)(b).”

This amendment seeks to increase independent oversight of designation notices by replacing the requirement to consult the Commissioner with a requirement to seek the approval of the Commissioner.

Clauses 25 and 26 stand part.

Sir John Whittingdale

Clause 24 introduces an exemption that can be applied to the processing of personal data for law enforcement purposes under the law enforcement regime for the purposes of safeguarding national security. It will replace the current, more limited national security exemptions that exist in the law enforcement regime and mirror the existing exemptions in the UK GDPR and intelligence services regime.

The clause will allow organisations to exempt themselves from specified provisions in the law enforcement regime of the Data Protection Act 2018, such as some of the data protection principles and the rights of the individual, but only where it is necessary to do so for the purposes of safeguarding national security. Like the other exemptions in the Act, it must be applied on a case-by-case basis. There are limits to what the exemption applies to. The processing of data by law enforcement authorities must always be lawful, and the protections surrounding sensitive processing remain.

Subsection (2) amends the general processing regime of the Data Protection Act, regarding processing under UK GDPR, to remove the ability of organisations to exempt themselves, on the grounds of safeguarding national security, from article 77 of the UK GDPR, which provides the right for individuals to lodge a complaint with the Information Commissioner. That is because we do not consider exemption from that provision necessary. The change will align the national security exemption applicable to UK GDPR processing with the other national security exemptions in the Data Protection Act 2018, which do not permit the exemption to be applied in relation to an individual’s right to complain to the Commissioner.

The ability of a Minister of the Crown to issue a certificate certifying the application of the exemption for the purposes of safeguarding national security, which previously existed, is retained; clause 24(8) simply updates that provision to reflect the new exemption. That change will assist closer working between organisations operating under the three distinct data protection regimes by providing greater confidence that data that, for example, may be of importance to a police investigation but also pertinent to a separate national security operation can be properly safeguarded by both organisations. I will allow the hon. Member for Barnsley East to speak to amendment 105, because I wish to respond to her.

Stephanie Peacock

I am grateful to the Minister. I want to speak today about a concern that has been raised about clauses 24, 25 and 26, so I will address them before speaking to amendment 105.

In essence, the clauses increase the opportunities for competent authorities to operate in darkness when it comes to personal data through both national security certificates and designation notices. Though it may of course be important in some cases to adjust data protection regulation in a minimal way to protect national security or facilitate working with the intelligence services, important too is the right to understand how any competent authority is processing our personal data—particularly given the growing mistrust around police culture.

To cite one stark example of why data transparency in law enforcement is important, after Sarah Everard was murdered, more than 30 police officers were reportedly investigated for unnecessarily looking up her personal data. First, that demonstrates that there is a temptation for officers to access personal data without due reason, perhaps particularly when it is related to a high-profile case. Secondly, however, it shows that transparency does hold people accountable. Indeed, thankfully, the individuals who were accused of accessing the data were swiftly investigated. That would not have been possible if that transparency had been restricted—for example, had there been a national security certificate or a designation notice in place.

The powers to apply for the certificates and notices that allow the police and law enforcement authorities exemptions from data protection, although sometimes needed, must be used extremely sparingly and must be proportionate to the need to protect national security. However, that proportionate approach does not appear to be guaranteed in the Bill, despite it being a requirement in human rights law.

In their oral and written evidence, representatives from Rights and Security International warned that clauses 24 to 26 could actually violate the UK’s obligations under the Human Rights Act 1998 and the European convention on human rights. Everything that the UK does, including in the name of national security or intelligence services, must comply with human rights and the ECHR. That means that any time there is interference with the privacy of people in the UK—which is considered a fundamental right—for it to be lawful, the law in question must do only what is truly necessary for national security. That necessity standard is a high one, and it does not take into account whether a change might be more convenient for a competent authority.

Will the Minister clearly explain in what way the potential powers given to law enforcement under clauses 24 to 26, in both national security certificates and designation notices, would be strictly proportionate and necessary for national security, rather than simply making the operations of law enforcement easier and more convenient?

Primarily, the concern is for those whose data could be used in a way that fundamentally infringes on their privacy, but there are practical concerns too. Any clauses that contain suspected violations of human rights could set up the Government for lengthy legal battles, both in the UK and at the European Court of Human Rights, about their data protection and surveillance regimes. Furthermore, any harm to the UK’s important relationships with the EU around data could threaten the adequacy agreement which, as we have all repeatedly heard, is vital to our economy.

It is vital, then, that the Minister confirms that both national security certificates and designation notices will be used only where necessary, and exemptions will be allowed only where necessary. If that cannot be satisfied, we must oppose the clauses.

I will now focus on amendment 105. Where powers are available to provide exemptions to privacy protections on grounds of national security, it is important that they are protected from exploitation, and not unduly concentrated in any individual’s hands without appropriate checks and balances. However, Rights and Security International warned that that was not taken into appropriate consideration in clause 25. Instead, the power to issue designation notices has been concentrated almost entirely in the hands of the Secretary of State, with no accountability measures built in.

Designation notices allow for joint processing between a qualifying competent authority and the intelligence services, which could have greatly beneficial consequences for tackling crime and threats to our national security, but they will also allow for both those parties to be exempt from what are usually crucial data protections. They must therefore be used sparingly, and only when necessary and proportionate.

As we have seen—and as I will argue countless times—we cannot rely on the Secretary of State’s acting in good faith. Our legislation must instead protect against a Secretary of State who acts in bad faith. Neither can we rely on the Secretary of State having the level of expertise needed to make complex and technical decisions, especially those that impact on national security and data rights at the same time.

Despite that, under clause 25(2), the Secretary of State alone can specify which competent authorities qualify as able to apply for a designation notice. Under subsection (3), it is the Secretary of State alone to whom qualifying competent authorities will jointly apply. It is the Secretary of State who reviews a notice and has the power to withdraw it, and it is the Secretary of State who makes transition arrangements.

Although there is a requirement in the Bill to consult the commissioner, the amendment seeks to formalise some independent oversight of the designation process by ensuring that the commissioner has an actual say in approving the notices and adjusting the concentration of power so that it does not lie solely in the Secretary of State’s hands. That would mean that should the Secretary of State act in bad faith, or lack the expertise needed to make such a decision—whether aware or unaware of this fact—the commissioner would be able to help to ensure that an informed and proportionate decision was made with regard to each notice applied for. This would not prevent any designation notices from being issued when they were genuinely necessary; it would simply safeguard their approval when they were.

Sir John Whittingdale

I assure the hon. Lady that clauses 25 and 26 are necessary for the improvement of national security. The reports on events such as the Manchester and Fishmongers’ Hall terrorist incidents have demonstrated that better joined-up working between the intelligence services and law enforcement is in the public interest to safeguard national security. A current barrier to such effective joint working is that only the intelligence services can operate under part 4 of the Data Protection Act, which is drafted to reflect the unique operational nature of their processing.

Carol Monaghan

Of course, the reports on incidents such as those at Fishmongers’ Hall and the Manchester Arena pointed to a general lack of effective collaboration between security forces and the police. It was not data that was the issue; it was collaboration.

Sir John Whittingdale

I certainly accept that greater collaboration would have been beneficial as well, but there was a problem with data sharing and that is what the clause is designed to address.

As the hon. Member for Barnsley East will know, law enforcement currently operates under part 3 of the Data Protection Act when processing data for law enforcement purposes. That means that even when they work together, law enforcement and the intelligence services must each undertake separate assessments regarding the same joint-working processing.

The Chair

Order. I am making a habit of interrupting the Minister—I do apologise—but we have some news from the Whip.

Ordered, That the debate be now adjourned.—(Steve Double.)

16:26

Adjourned till Thursday 18 May at half-past Eleven o’clock.

Written evidence reported to the House

DPDIB10 John McVeigh, Principal Consultant, AssureMore
DPDIB11 Tim Bell, Managing Director, Data Protection Representative (UK) Limited (trading as DataRep UK)
DPDIB12 The Advertising Association.
DPDIB13 DPN Associates
DPDIB14 Shoosmiths LLP
DPDIB15 5Rights Foundation
DPDIB16 UK Competitive Telecommunications Association (UKCTA)
DPDIB17 Internet Services Providers' Association
DPDIB18 Judith Ratcliffe, Privacy Professional (further submission)
DPDIB19 Gener8
DPDIB20 Which?
DPDIB21 National AIDS Trust
DPDIB22 Sky
DPDIB23 Market Research Society (MRS)
DPDIB24 Lucy Purdon, Senior Tech Policy Fellow, Mozilla Foundation
DPDIB25 Hyperoptic
DPDIB26 UK Finance (supplementary submission)
DPDIB27 Medtronic plc (supplementary submission)
DPDIB28 Biometrics and Surveillance Camera Commissioner