Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Scotland Office
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 6th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, as the Minister said in responding to the previous group of amendments, in order for special categories of personal data, for example, data concerning health, to be processed, controllers must demonstrate that the processing meets one of the conditions for processing set out in Article 9. Article 9(2)(b) permits processing without the consent of the data subject where necessary for purposes of employment law, social security law and social protection law, provided that a legal basis is set out in UK law. Paragraph 1 of Schedule 1 therefore introduces the necessary processing condition.
The noble Lord queried whether the reference to “social protection law” could be removed in favour of a more general provision on social protection. I am aware that some local councils have raised concerns about whether some of the services they provide would be covered by the current wording. We are somewhat restricted by the wording of Article 9, which specifically refers to “social protection law”, so limited change is allowed. Nevertheless, I can reassure the noble Lord that the term has a broad interpretation. This is because paragraph 1(3) of Schedule 1 provides that “social protection” would include any intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament. I am sure all here read the regs every night, but for those who are not familiar with that regulation, Article 2(b) covers interventions that are needed to support people who may be suffering difficulties in relation to healthcare or sickness; disability; old age; survivorship; family and children; unemployment; housing; and social exclusion. Given the breadth of issues covered, I think it would be fair to say that the current wording of the clause would cover a wide range of social services interventions.
It is worth adding that social protection law is a new ground for processing special categories of data in the Bill. It was not included in the Data Protection Act 1998 as a specific category. From that point of view, it should be more helpful to social service providers than the previous provisions in the Data Protection Act 1998 on which they currently rely.
I recognise the concern that Taxicard is a non-statutory service and therefore may not be able to use the derogation in Part 1 of Schedule 1, which uses the term,
“law relating to social protection”.
As I have already illustrated, the Government’s intention is to apply this derogation broadly. There is no desire to see vital services, which are often a lifeline to their clients, stopped. I am happy to take away the specific issue the noble Lord raised and to work with the Information Commissioner and her office to consider it further. I hope that reassures the noble Lord, Lord Tope, and I respectfully invite him to withdraw his amendment.
Lord Tope
My Lords, I am most grateful to the Minister for setting that out so fully and clearly. As I think I said when moving the amendment, I am quite sure it is not the intention of the Government that the Bill should have this effect, but at this stage of any legislation we always have to be particularly concerned about any unintended consequences. I will seek advice from those better able to determine such matters than I am. I am grateful to hear from the Minister that the Government are cognisant of the issue and are considering it. If necessary we can return to it at a later stage of the Bill with appropriate amendments. I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 13th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, I want to reiterate what my noble friend Lord Ashton said. I think we are learning a lot about philosophy from the noble Lord, Lord Stevenson, during the passage of the Bill. It is a welcome addition as far as I am concerned.
I shall start with brief reference to the government amendments in this group. These amendments, Amendments 58 to 60 and 62 and 63, make further related provision in respect of processing undertaken to ensure the integrity of sport. This is necessary because, unusually, integrity issues in sport often relate to sensitive data, the processing of which may otherwise be prohibited under article 9 of the GDPR. I am grateful to a number of stakeholders for their help in making sure that these amendments will achieve their intended effect.
I turn now to the amendments tabled by the noble Lord, Lord Moynihan, and the noble Lord, Lord Stevenson. Amendments 57 and 61 seek to amend the processing condition in paragraph 21 on anti-doping in sport. This condition was included in the Bill following extensive engagement with sports governing bodies and UK Anti-Doping, which together implement and manage anti-doping policy in the UK. They are also responsible for eliminating the scourge of doping in sport. The paragraph as included in the Bill permits the processing of sensitive data for these purposes. UKAD is of the view that the measure as drafted will enable it to continue to perform this important function.
Amendment 57, tabled by my noble friend Lord Moynihan, who has such great expertise in this area and has done so much over the years to try to combat doping in sport, seeks to narrow the doping provision so that it allows processing only where it relates to an athlete who may be in breach of UKAD’s rules. Amendment 61, tabled by the noble Lord, Lord Stevenson, instead seeks to limit the provision to rules set by a sports governing body with responsibility for a single sport. Neither position reflects the reality of split responsibility for anti-doping in UK sport today. Removing the reference to “sporting event” and “sport generally” may potentially exclude the anti-doping processing carried out by UKAD and by those bodies which set and enforce anti-doping rules in a particular sporting event rather than a particular sport, such as 6 Nations rugby, the IOC or the Commonwealth Games Federation. The Bill must not be limited to only the interventions of UKAD but must allow processing in those sports and sporting events which have their own anti-doping rules. The fact that those bodies are not governed entirely by UKAD’s rules makes their processing no less important. Equally, the provision must allow processing in relation to participants who are not themselves athletes. As noble Lords will understand, the sensitive data or criminal record of a coach or relative may be fundamental to anti-doping cases.
A narrowing of the scope of this paragraph could create loopholes for participants who cheat. For these reasons, I am confident that the original drafting suffices. Paragraph 21 of Schedule 1 was subject to significant engagement with sports governing bodies. Given that the Bill comes out of the government department that is also responsible for sport, we have been able to take extra care. The large number of relationships we have with this sector have been used to test the draft, and UKAD is content.
Several noble Lords mentioned various items which I will also refer to. My noble friend Lord Moynihan wanted me to confirm that athletes cannot rely on the right to be forgotten. That right is not unlimited, and if the personal data has been lawfully processed, and needed to be processed, then it would be there only if there was no overriding legitimate interest for the processing of that data. The controller would have to erase the personal data in these circumstances.
My noble friend also asked why we did not criminalise doping. None of those interviewed as part of the review were in favour of criminalising doping in sport. This was a unanimous view. For example, sports governing bodies expected that their internal investigations would be negatively affected by the criminalisation of doping in sport. It would remain quicker to deal with an instance using regulatory or disciplinary proceedings, which must be proved to the civil standard of the balance of probabilities rather than beyond reasonable doubt. Others noted that the current penalties were already sufficient to end a sporting career.
My noble friend also wanted to know whether doping at a sporting event covered spectators. This is a broad measure to cover processing in connection with measures designed to eliminate doping, for the purposes of providing information about doping or suspected doping. This could include processing of special categories, such as data relating to spectators or third parties providing information, but not only when necessary in connection with anti-doping measures.
The noble Lord, Lord Stevenson, brought up a good point, about why sport is unique when there are other areas that could also be included in this. Particular provision for sport is needed because sports bodies are an unusual type of regulator, where the regulation they carry out is capable of meeting a substantial public interest test yet they cannot rely on paragraph 9—there is no statutory recognition of their function nor is it beyond argument that enforcement of their rules benefits all members of the public, as opposed to the protection of their participants. Reliance on paragraph 9 for this processing would be too narrow, but important to remedy given the amount of sensitive data that might be processed by sports bodies in pursuit of their integrity functions. This is not something that we are aware would apply to other types of regulators.
I will move the government amendments for the reasons I have set out, and will of course be happy to meet noble Lords if they wish to discuss this point further.
Lord Moynihan
First, I thank the noble Lords, Lord Stevenson and Lord Clement-Jones, for offering to stand in for me at the last Committee sitting. I was in my place for the first sitting, when we were expecting to reach this amendment, but regrettably had to travel to Australia on two occasions in the last month, only returning about four and a half hours ago. I apologise if I was not as lucid as I would like to have been, and I am very grateful to them for offering to assist if I had been absent again.
I will respond very briefly to a number of points raised. In response to the noble Lord, Lord Maxton, I took into consideration the question of what is a performance-enhancing drug and have suggested, in my amendment, that it should be a drug listed under the WADA—World Anti-Doping Agency—code as a performance-enhancing drug and part of the World Anti-Doping Code. I know this is a contentious issue and that there is an issue about what should or should not be in that code. Indeed, I have many reservations about a number of the drugs in it, which I do not see as performance enhancing, but it is the best international definition at the moment for sport and is used by the International Olympic Committee.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 13th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Stevenson of Balmacara
My Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
Baroness Chisholm of Owlpen (Con)
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
Lord Black of Brentwood
I am grateful to my noble friend for those words and to all noble Lords who have taken part in this short debate at this late hour. Apart from anything else, it has given me an opportunity to say words which I never thought I would hear myself say: I agree with virtually everything that the noble Lord, Lord McNally, said this evening.
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Home Office
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsWednesday 15th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Lord Kennedy of Southwark (Lab Co-op)
My Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.
Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.
I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?
Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.
On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.
With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.
Baroness Chisholm of Owlpen (Con)
My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.
The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.
Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.
“(ea) the Sheriff Court Adoption Rules 2009;”
“(ea) the Sheriff Court Adoption Rules 2009;”
The Deputy Chairman of Committees (Lord Brougham and Vaux) (Con)
If Amendment 108F is agreed to, I cannot call Amendment 109 due to pre-emption.
Baroness Chisholm of Owlpen
My Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
Lord Stevenson of Balmacara
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
Baroness Chisholm of Owlpen
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
Lord Stevenson of Balmacara
I thank the Minister for that response. I am sure that the narrow point about the regulations can be dealt with by correspondence, so I will not press it today. I beg leave to withdraw the amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 20th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
Lord Stevenson of Balmacara
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
Baroness Chisholm of Owlpen
My Lords, I shall speak briefly about the Government’s motives in tabling this group of amendments. There are 27 amendments in the group, but fear not: I shall avoid the temptation to talk through them all, instead focusing on only a few which may be of interest. Also, noble Lords received letters from my noble friend on 20 October and 14 November addressing the issues in the amendments.
I start with Amendments 163, 164 and 168. Clause 139 provides a criminal offence of failure to comply with an information notice. This is a hangover from the 1998 Act but, on reflection, the Government consider that it is no longer required, as the Information Commissioner will now have access to a much broader range of administrative penalties. Removing the criminal offence would also align the maximum penalty with that for failure to comply with an enforcement notice, ensuring that the commissioner is not disincentivised from serving an enforcement notice if she considers that that is the most appropriate course of action.
Amendments 165, 166 and 167 amend Schedule 16. Where the commissioner intends to give an administrative penalty, she must give a notice of intent, to which the data controller may make representations. The commissioner has six months from the point at which the notice of intent is given to issue a penalty notice. In some complex cases, the data controller may need more than six months to make their initial representations, or there may be a continuing technical dialogue between the parties. These amendments allow—but, importantly, do not compel—the commissioner and the controller to mutually agree to extend the six-month deadline to allow the process to reach its natural conclusion.
Finally among the many amendments in this group, Amendment 188A provides a list of consequential amendments. I mention it here for two reasons. First, as noble Lords will have noticed, it is a long list: references to the Data Protection Act appear in more than 50 other pieces of primary legislation. Secondly—this is a response to a point made by the noble Lord, Lord McNally, on a previous day in Committee—it is testament to the importance that the Government attach to having a regime that is fully operational in time for 25 May 2018. Such a tight turnaround means that there is no time to take through secondary legislation after Royal Assent, which is the Government’s usual approach to consequential amendments. Instead, we must put everything that we need for 25 May in the Bill. Amendment 188A is another step towards that goal.
On that note, my Lords, I beg to move.
Lord Griffiths of Burry Port (Lab)
My Lords, it is an extraordinary list of amendments that address things in great detail; they are all about tidying up and working things out as we go along. Since that is what we try to do as often as we can, it is nice to see the effort that has been made and hours that have been spent. Much of it is logical and needs no further discussion, but we have in respect of amendments in the range of Amendment 171, and so on, a bit of a worry about the notion that personal data is processed for special purposes—journalism, academic, artistic or literary purposes—and that there are exemptions in place so that the commissioner must first determine whether processing is for a special purpose before taking further enforcement action.
We have always understood that the provisions at this point are only asking in this Bill to replicate the conditions obtaining in such cases in the 1998 legislation. This particular detail makes it seem as if that might not be the case, because we have submissions from various people in the media to suggest that, while they understand the regulations, to step in before the material is put together to make this determination feels a bit threatening. Can the Minister guarantee that the provisions in this Bill are identical with those in the 1998 Act?
There is not an adequate mention, again, according to people in the field, of the relation of photography and photojournalism to written journalism. Could that be thought about, too? If everything is the same, we have no further questions but, if not, could the Minister tell us exactly what the differences are and whether she can write to us so that we may know what they are?
Baroness Chisholm of Owlpen
As the noble Lord said, this particular group of amendments is where personal data is processed for special purposes for journalism, academic, artistic or literary purposes. There are certain exemptions in place, so the commissioner must first determine whether processing is for special purposes before taking further enforcement action. A special purposes determination can be appealed to a court, not a tribunal; these amendments correct the Bill as only a court, not tribunals, are relevant. They also make technical corrections to ensure compatibility with Scots law. The definition of special purposes proceedings is also widened slightly so that special purposes can be asserted in a wider range of situations.
I think that I have inspiration coming from my right hand side. The noble Lord mentioned photojournalism, which is included in the data—I think that that is what he meant.
Lord Griffiths of Burry Port
I sympathise with the Minister, who sought inspiration from behind, because it is what I do all the time. Those who have expressed anxiety to us are worried that pressure will be put on them as programme makers and investigative journalists prior to publication and issuing their material in edited form, whereas currently they are subject to the regulation once that material has been put together. That is the area where anxieties have been expressed, and we need some reassurance on that point.
Baroness Chisholm of Owlpen
The best thing that I can do is to have a look and get back to the noble Lord on those points, if that is okay.
Lord Kennedy of Southwark
My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.
Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.
Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.
The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,
“as the Secretary of State considers necessary”.
We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.
Baroness Chisholm of Owlpen
My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.
As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.
However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.
As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.
I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.
As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.
Lord Kennedy of Southwark
My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsWednesday 22nd November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness Neville-Rolfe (Con)
I also share the concerns expressed by my noble friend Lord Hunt, based on my experience, both in government and in a number of different businesses. We have the experience not only of the motor sector, which has been talked about, but obviously of PPI, where there was compensation that needed to be paid, but the whole business took years and generated not only claims management companies but also nuisance calls and lots of other harms. This is an area that one has to be very careful about, and I support looking at the drafting carefully to see what can be done, and at my noble friend’s idea of trying to estimate the economic impact—the costs—in terms of those affected. That would help one to come to a sensible conclusion on what is appropriate in this important Bill.
Baroness Chisholm of Owlpen (Con)
My Lords, I thank my noble friend Lord Hunt for explaining Amendment 170A and other noble Lords who have spoken. The amendment seeks to clarify the definition of “damage” provided by Clause 159 and its relationship to the language used in article 82 of the GDPR. This is important because article 82 of the GDPR provides a right to compensation when a person has suffered damage as the result of an infringement of the rights during the processing of their personal data.
Currently, the type of damage that can be claimed is broader under article 82 than Section 13 of the 1998 Act, as article 82 expressly extends to “non-material” damage. As a result, in drafting the Bill, the Government considered that some definition of “damage” was necessary, including specifying that it extends to distress, to provide clarity and certainty for data subjects and others as to their rights under article 82.
I stress that Clause 159 does not seek to provide a wider definition of “damage” than is currently provided in the GDPR, and nor indeed could it. The intention is simply to clarify the GDPR’s meaning. My noble friend Lord Hunt asked what estimates have been made of the financial consequences of the increase in litigation, but as Clause 159 does not provide a wider definition of damage there will be no financial consequence.
The concept of “damage” included in the GDPR reflects developments in case law over a period of some years. As such, I cannot agree with my noble friend’s suggestion that the Bill or the GDPR will suddenly unleash a free-for-all of claims. However, I am happy to reflect on my noble friend’s point that the Bill’s use of the term “other adverse effects” may unintentionally provide uncertainty rather than clarity. With the reassurance that I will go away and look at that, I hope my noble friend feels able to withdraw his amendment.
Lord Clement-Jones
My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,
“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.
The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.
Baroness Chisholm of Owlpen
It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.
This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.
There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.
Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.
It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 11th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, I am pleased to be moving the Government’s technical amendments this evening, and, in particular, Amendments 3, 4 and 5 which respond to the concerns raised by the noble Baroness, Lady Royall, and others on behalf of the UK’s universities, schools and colleges. They were worried that the Bill would restrict their ability to process the data of alumni for fundraising purposes. As the noble Baroness explained in Committee, universities, schools and colleges were concerned that being badged as public authorities by Clause 6 would mean they could not rely on the legitimate interests processing condition in article 6(1)(f). This is because the final sentence of article 6(1) states:
“Point (f) … shall not apply to processing carried out by public authorities in the performance of their tasks”.
Universities also doubted whether, in the context of alumni relations, they could rely on article 6(1)(e) of the GDPR, which relates to processing necessary for the performance of a task carried out in the public interest. Although there is a good argument that any fundraising or similar activity which allows universities to improve facilities for students would be considered a “public interest” task, the Government can see why universities might doubt whether all their fundraising work would fall into that category. If universities could not rely on article 6(1)(e) or (f), they say they would be left without an obvious processing condition in situations where obtaining the data subject’s consent, at least in the GDPR sense of that term, was not a realistic option.
Government Amendments 3, 4 and 5 address these concerns by making it clear that public authorities will be treated as public authorities for data protection purposes only when they are carrying out their public tasks. To the extent that they carry out non-public tasks, they would not be defined as a public authority for the purposes of the GDPR and would not be prevented from relying on the legitimate interests processing condition.
We recognise that the amendment does not refer to universities, schools or colleges by name. This is deliberate, meaning that any public authority which is processing data for non-public functions will be able to rely on this provision. The education sector is not the only one to have these worries. I know, for example, that our museums and galleries would welcome the same degree of flexibility, and this amendment will ensure they have it. I am grateful to the noble Baroness for raising this matter and I hope these amendments will provide universities and other similar organisations with the reassurance they need.
I will not go through the remaining amendments in the group one by one, but instead pick out a few which I think may be of broader interest—for example, Amendments 145 and 146. In Committee, my noble friend Lord Hunt of Wirral was among those to express concerns about the inclusion of the term “other adverse effects” in the definition of damage in Clause 159. He asked whether this was broader than the definition in the GDPR. As I set out then, the Government’s intention in including a definition of damage in Clause 159 was to provide clarity, specifically in relation to the inclusion of distress. Clause 159 does not seek to provide a wider definition of damage than is currently provided in the GDPR; nor indeed could it.
None the less, in light of the concerns expressed by my noble friend, the Government have reconsidered this issue and decided to amend the definition to ensure that it is as clear as possible and to minimise the risk of any uncertainty such as that which concerned noble Lords. The amended definition now simply states that the reference to “non-material damage” in the GDPR includes distress. The definition of damage for the purposes of the law enforcement and intelligence services regimes is set out separately in Clause 160. Amendment 146 makes a similar change to that definition so that it is as clear as possible and no longer refers to “other adverse effects”. I beg to move.
Lord Patel (CB)
My Lords, I will comment on Amendments 3, 4 and 5. The Minister and the noble Baroness may well feel that I do not give up, and I agree: I do not. I of course understand clearly what the Government are trying to do with the amendment from the noble Baroness, Lady Royall of Blaisdon—that they have agreed to get that into the Bill. It is helpful to know that public bodies need to be defined as such when they are processing data for tasks that are not defined as tasks in the public interest. This opens up the possibility of their instead using legitimate interests as a legal basis under some circumstances: for example, as has already been mentioned, for universities contacting alumni for fundraising purposes.
My point is different: universities and their research activities and how that is recognised, which we discussed. Here, it is more pressing to be clear on what counts as a task in the public interest, since public bodies will need to determine which legal basis is appropriate to the processing they are undertaking in different circumstances. For example, is research conducted in universities a task in the public interest, in which case the university would be considered as a public body for the purposes of the Bill, or is it not? In the latter case the university is not a public body for research purposes, and the research is therefore conducted on the legal basis of legitimate interest.
These differences matter, particularly as the GDPR requires data controllers to be clear on the legal basis they are using. How are public bodies such as universities to make this determination? The clearest answer would be, as I indicated in Committee, that the ICO gives guidance. I understand that the Government cannot direct the ICO to give guidance, so a way needs to be found to clarify which tasks fall under the public interest basis, specifically using the example of university research to provide that clarity. I would be grateful if the Minister commented on that.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.
There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.
I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.
Baroness Chisholm of Owlpen
My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.
I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.
The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?
Baroness Chisholm of Owlpen
I think that gets more rather than less muddling, but I think I see where the noble Lord is coming from.
The amendment should relate to and rely either on article 6(1)(e) or (f). That should solve any possibility raised by the noble Lord.
Baroness Chisholm of Owlpen
My Lords, as it is 4.25 pm and the Statement is due sometime after 4.30 pm, it would be unwise to start on another amendment now, particularly a very long amendment, so I need to adjourn the House during pleasure for four minutes until 4.30 pm.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 11th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
“(a) amend Schedule 1 —(i) by adding or varying conditions or safeguards, and(ii) by omitting conditions or safeguards added by regulations under this section, and(b) consequentially amend this section.”
Baroness Chisholm of Owlpen (Con)
My Lords, before I launch myself into the detail of these many amendments, I will express our thanks and gratitude for the detailed report of the Delegated Powers and Regulatory Reform Committee. We are also grateful for the extensive and informative discussions in Committee, and we have reflected on the views expressed by all noble Lords during the debates. We have carefully and comprehensively considered each of the committee’s recommendations, and none of our decisions have been reached lightly. A theme that noble Lords have heard me express previously is the extraordinary pace of change in the digital and data economy. I am very conscious that the Bill needs to provide a framework for the constant evolutions and developments in how we use and apply data. It must support rather than stifle innovation and growth and, primarily for this reason, in some areas we have deviated from the committee’s full recommendations.
I will speak to the key points. In its report, the committee raised concerns about the Henry VIII powers in Clauses 9(6), 33(6) and 84(3), which enable the Government to make regulations to “add to, vary or omit” the processing conditions and safeguards for sensitive data set out in Schedules 1, 8 and 10 respectively. Amendments 9, 90, and 99 respond to these concerns and narrow the regulation-making powers in these clauses. Amendment 9 removes the Government’s power to omit processing conditions and safeguards in Schedule 1. Amendments 90 and 99 remove the Government’s ability to vary or omit processing conditions in Schedules 8 and 10 respectively. We reflected at length as to whether we could go further than this but, on balance, considered it necessary to maintain the powers to add new processing conditions and to vary those in Schedule 1.
Many of these powers are not new. The 1998 Act already provides a power to add to the conditions for sensitive processing. In addition, many of the provisions in Schedule 1 in respect of which these powers will apply are currently set out in secondary legislation. This means that they can currently be added to, varied or omitted through other secondary legislation. Our experience under the 1998 Act and, indeed, in Committee, has highlighted the frequency with which scenarios can arise which require new processing conditions for sensitive data. Accepting the Committee’s recommendations in full would leave the Government unable to accommodate developments in data processing and the changing requirements of certain sectors. This in turn could render the UK at a disadvantage internationally if, for example, we were unable to make appropriate future provision for sectors, including those such as insurance, where the UK is a world leader, to reflect advances and changes in their approach to data processing.
The committee also raised concerns about Clause 15 of the Bill, which enables the Government by regulation to add to, vary or repeal the exemptions from certain specified data protection principles and data subject rights set out in Schedules 2, 3 and 4. Clause 111 contains a similar power to add, vary or repeal the list of exemptions in Schedule 11. The Government listened carefully to the debate in Committee, where the noble Lords, Lord Stevenson and Lord McNally, recognised the challenge of future-proofing the legislation to take account of changing technology. The noble Lord, Lord Stevenson, further suggested that,
“the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation”.—[Official Report, 6/11/17; col. 1639.]
I am hopeful that our amendments will set the noble Lord’s mind at rest.
Government Amendments 67 and 68 will remove the Government’s power in Clause 15 to omit provisions in Schedules 2, 3, and 4. It also removes Clause 15(1)(d) in its entirety. Amendment 103 removes the corresponding power in Clause 111(2) to vary or omit the existing provisions in Schedule 11. I am aware that there are some who would like us to go further than this, but it would not be a good idea for a number of reasons. First, a number of the provisions in Schedules 2 to 4 have been added to the Bill to address specific requirements arising from the new regime and have not yet been tested in operation. Others have been carried over from secondary legislation, where they can at present be added to, varied or removed. The Government therefore consider it prudent to retain the ability to amend Schedules 2 to 4 if it proves necessary. There is also a technical issue here. Schedules 3 and 4 contain a large number of references to subordinate legislation. The power to make and amend the instruments referred to does not always include the power to make consequential amendments to primary legislation. This provides a further, technical reason to retain the power in Clause 15 to vary these provisions.
Government Amendment 71 provides that any regulations made under Clause 17 will now be subject to the affirmative rather than negative resolution procedure. In cases of urgency, there is provision for the “made affirmative” procedure to be used if accompanied by an urgency statement. There is precedent for such an approach; for example, in the Legal Aid, Sentencing and Punishment of Offenders Act 2012. Amendments 168, 169, 170 and 184 make consequential provision later in the Bill.
I turn now turn to Amendments 130, 133, 134 and 136, which respond to the Committee’s concerns that the powers in Clauses 142 and 148 were too broad and gave the Government unlimited powers to determine types of additional failure that could attract the Information Commissioner’s enforcement powers, including unlimited penalties. Clearly, this was never the Government’s intention, and these amendments make it clear that any additional failures must be failures to comply with data protection legislation. They clarify also that the regulations making provision about the penalty for an additional failure will provide for the penalty to be either the standard maximum amount or the higher maximum amount referred to in Clause 150.
Amendment 144 provides that the Information Commissioner’s guidance about regulatory action will be subject to the negative resolution procedure when first produced. Generally, the Government believe that guidance of this kind should not be subject to parliamentary procedure. However, exceptionally in this instance, and in recognition of the large and ever-growing number of organisations for which this guidance will be relevant, on reflection the Government agree with the Committee that the negative resolution procedure would be appropriate. Amendments 139, 140, 141, 142 and 143 make consequential provision to ensure that the relevant clause functions as intended.
Amendment 166 reflects the concerns raised by noble Lords in Committee that regulations made under the Bill should be subject to consultation, not only with the Information Commissioner but also with consumer organisations and others who represent data subjects. Accordingly, we are including a requirement in Clause 169 that when the Secretary of State makes regulations under the Bill, she must consult “such other persons” as she considers appropriate. This will apply to all regulations save for those listed in new subsection (2A). We have also tabled consequential Amendments 126, 131, 135 and 138 to remove the equivalent requirement from Clauses 133(1), 142(9), 148(6) and 152(3) to avoid unnecessary duplication in the light of the new general requirement in Clause 169.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.
I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.
In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.
As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.
Baroness Chisholm of Owlpen
I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.
On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.
Lord Clement-Jones
With the greatest respect, the point I was making was whether the right to vary was not omission by the backdoor. Perhaps I was not clear enough.
Baroness Hamwee (LD)
My Lords, from these Benches I support the noble and learned Lord, who is absolutely the right person to pursue this matter. If I might simply add to what he said, it is important that we bear in mind that in the same way as legal professional privilege is the privilege of the client, these provisions would be for the benefit of the public, the running of good democracy, good scrutiny and holding the Government to account. It is not a personal benefit that is proposed here and I hope—I trust, because this is very important—that the Government can find a way through this. I look forward to hearing from them, as the noble and learned Lord said, early in the new year.
Baroness Chisholm of Owlpen
My Lords, I am grateful to the noble and learned Lord, Lord Brown, for raising these amendments and for the words of the noble Baroness, Lady Hamwee. His amendments address concerns about the interaction of the Bill with parliamentary privilege. I agree wholeheartedly with him that parliamentary privilege should continue to be safeguarded and maintained for future generations, as it has been for centuries past. As I said in Committee, the Government’s view is that the Bill contains adequate protections to ensure that this is the case. However, we recognise the concerns that, in some areas, these protections could be enhanced and clarified, and we will bring forward amendments at Third Reading to address some of the points that the noble and learned Lord has raised in his amendments.
With that in mind, I will now turn briefly to the amendments themselves, starting with Amendments 16, 17 and 185. The Government recognise the concerns raised in these amendments about the way the conditions for processing sensitive personal data apply in respect of parliamentary proceedings, and liability under Clause 193(5). I am happy to reassure noble Lords that the Government intend to bring forward amendments to address these points at Third Reading.
Lord Stevenson of Balmacara (Lab)
Before the Minister sits down, I put it to her that, in the considerations that will take place between now and the return in January, one thing that changes between 1998 and today in terms of the Act is something we have not looked at specifically, although it comes up in the Bill. It is the need to ring-fence the Information Commissioner from any involvement with Parliament or the Government. She is answerable to Parliament, but she should not be in that sense exposed to considerations that might adversely affect her. I hope that might be taken into account as well.
Baroness Chisholm of Owlpen
I agree with the noble Lord, and we will take that into account.
Lord Brown of Eaton-under-Heywood
My Lords, I am most grateful for the reassurance given to us by the Minister. On the basis that all these matters will be brought back in some shape or form at Third Reading, I beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, we do not need to think very hard about this issue in terms of providing evidence that might be helpful to Ministers given that at Oral Questions today, at which I think the Minister and the noble Baroness were present, a case was raised by a Peer on our side of the House, in a Question to the DWP Minister, which verged on picking up a particular case. It was very useful in terms of making a broader political point. Are we saying that that will not be possible in future, as it raises significant questions? Secondly, as the noble Baroness, Lady Hamwee, said, irrespective of whether we have been an MP or a Member of the other House, we receive letters and emails almost daily offering individual data and information which, if we used it, would, I think, fall into the category mentioned by the noble and learned Lord.
At the weekend, I had the privilege of seeing the RSC perform the “Imperium” plays, adapted from the books of Robert Harris. These deal with a well-known orator, Cicero. Noble Lords will not be surprised to learn that he recommends to his clients—at one stage, he gives a tutorial to fellow citizens of Rome who intend to seek high office—that it is always helpful, and always catches the attention of an audience, if you give the specifics of an individual case and rise from that to the general. So if there is a possibility of placing a constraint on the ability of Members of this House to raise cases in an effort to improve the quality of life for citizens to whom we owe a duty of care and responsibility, that must be wrong. I hope that the Minister will take this away and work with the noble and learned Lord, Lord Brown, to bring something forward at Third Reading.
Baroness Chisholm of Owlpen
My Lords, Amendments 28 and 29 create a new processing condition for Members of this House. The Government’s view is that the provisions in paragraphs 19 and 21 of Schedule 1 are intended to reflect the unique and special nature of the relationship between an elected representative and their constituent.
Like the noble Baroness, Lady Hamwee, and the noble and learned Lord, Lord Brown, I am very aware of the important and valuable work that many noble Lords carry out on behalf of members of the public, advocating for their rights, taking up their cases with government departments and representing their interests in any number of scenarios. However, this relationship between a Peer and a member of the public is of a different nature and order from that conferred on an elected representative by their constituents. Elected representatives have particular rights and duties to act on behalf of the citizens they represent. The Government therefore consider it appropriate for them to be able to deal with urgent situations where they could not reasonably be expected to obtain consent; for example, in the case of an individual facing imminent deportation. There is no such need for Peers to be exempted from the provisions on consent. I stress again that nothing in the Bill or the GDPR prevents Peers undertaking casework if they first obtain the consent of the individual concerned.
I emphasise that these provisions are not new. The position under the 1998 Act is very similar and, in answer to the point made by the noble Lord, Lord Stevenson, it has not prevented Peers who are interested in undertaking casework doing so. Indeed, I have not found difficulty in this respect; I have just obtained consent first.
I hope I have reassured the noble and learned Lord that the Government understand the concerns raised, and that in this instance he will withdraw his amendment.
Lord Brown of Eaton-under-Heywood
I confess to being disappointed by the Minister’s response to this. I dealt with the fact that things have changed over the 15 years since the 2002 order. Of course there will continue to be circumstances in which it is possible to get, without inhibiting problems, the express consent of the person concerned. However, it will not always be possible, and to that extent it will inhibit the future ability of Members to discharge a function they have been discharging. Of course I will not divide the House at this stage; nevertheless, I urge the Government to reread the arguments and submissions that the noble Baroness and I have advanced today and see whether they cannot bring themselves to recognise that there is a substantial point here. Although there is a natural reluctance to treat us as elected Members, they should for this limited purpose do so; that is justified in the narrow circumstances in which this point arises.
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Chisholm of Owlpen
Main Page: Baroness Chisholm of Owlpen (Non-affiliated - Life peer)Department Debates - View all Baroness Chisholm of Owlpen's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsWednesday 13th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Clement-Jones
My Lords, I am inspired by the last two speeches to add some words here. This is a very imaginative amendment. There is a great debate about ownership or control of one’s personal data, and this may be an elegant solution to some of that in future, although I suspect that the noble Lord, Lord Stevenson, may be right in his prediction about the Government’s response at this stage. Again, it is a bit of future-proofing that we really should think about.
If the Government do not like this, how do they think portability will work? If portability is to be a substantive right that can be taken advantage of under the GDPR, this is a very good way to make sure that data can then be inserted into a vehicle as a result of it having been sought in a portable way. This could be a very imaginative way to give teeth to the right of portability. I shall be extremely interested to hear how, otherwise, the Government think it will take effect.
Baroness Chisholm of Owlpen (Con)
My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
Lord Stevenson of Balmacara
I thank all noble Lords who have spoken in this short debate, particularly the noble Earl, Lord Erroll, for the idea about agency, which is an important construct that we will need to keep an eye on. He is quite right about that. I thank the noble Baroness, Lady Kidron, for reminding me, correctly, that I had got a lot of information from the IEEE, whose work on this I have praised before. I reiterate that: it has done a great job in trying to think through some of the bigger issues involved in this area. I also take this opportunity to acknowledge the debt I owe an organisation called HATDeX, which has been working in this area and from which I got the original idea of a private personal data account.
I agree with the noble Lord, Lord Clement-Jones, that this is something that will come back to haunt us. Obviously, as long as the Minister is there with her beaming smile, we will be able to resist all blandishments to come at it, but I think it will come and bite us. It was not an arbitrary thought of mine that it might be something that the ICO would want to look at it. I know from talking to the ICO that it is interested in this as well. I think the Minister is saying that the proposal, as it is, stands outside the Bill framework, but that is because the Bill focuses on a particular area, and perhaps that is a pity. But if it is not the ICO, who is it? I hope it will be the data ethics commissioner that we hope to establish in the future. I beg leave to withdraw the amendment.