Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 20th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
Lord Stevenson of Balmacara
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
Baroness Chisholm of Owlpen
My Lords, I shall speak briefly about the Government’s motives in tabling this group of amendments. There are 27 amendments in the group, but fear not: I shall avoid the temptation to talk through them all, instead focusing on only a few which may be of interest. Also, noble Lords received letters from my noble friend on 20 October and 14 November addressing the issues in the amendments.
I start with Amendments 163, 164 and 168. Clause 139 provides a criminal offence of failure to comply with an information notice. This is a hangover from the 1998 Act but, on reflection, the Government consider that it is no longer required, as the Information Commissioner will now have access to a much broader range of administrative penalties. Removing the criminal offence would also align the maximum penalty with that for failure to comply with an enforcement notice, ensuring that the commissioner is not disincentivised from serving an enforcement notice if she considers that that is the most appropriate course of action.
Amendments 165, 166 and 167 amend Schedule 16. Where the commissioner intends to give an administrative penalty, she must give a notice of intent, to which the data controller may make representations. The commissioner has six months from the point at which the notice of intent is given to issue a penalty notice. In some complex cases, the data controller may need more than six months to make their initial representations, or there may be a continuing technical dialogue between the parties. These amendments allow—but, importantly, do not compel—the commissioner and the controller to mutually agree to extend the six-month deadline to allow the process to reach its natural conclusion.
Finally among the many amendments in this group, Amendment 188A provides a list of consequential amendments. I mention it here for two reasons. First, as noble Lords will have noticed, it is a long list: references to the Data Protection Act appear in more than 50 other pieces of primary legislation. Secondly—this is a response to a point made by the noble Lord, Lord McNally, on a previous day in Committee—it is testament to the importance that the Government attach to having a regime that is fully operational in time for 25 May 2018. Such a tight turnaround means that there is no time to take through secondary legislation after Royal Assent, which is the Government’s usual approach to consequential amendments. Instead, we must put everything that we need for 25 May in the Bill. Amendment 188A is another step towards that goal.
On that note, my Lords, I beg to move.
Lord Griffiths of Burry Port (Lab)
My Lords, it is an extraordinary list of amendments that address things in great detail; they are all about tidying up and working things out as we go along. Since that is what we try to do as often as we can, it is nice to see the effort that has been made and hours that have been spent. Much of it is logical and needs no further discussion, but we have in respect of amendments in the range of Amendment 171, and so on, a bit of a worry about the notion that personal data is processed for special purposes—journalism, academic, artistic or literary purposes—and that there are exemptions in place so that the commissioner must first determine whether processing is for a special purpose before taking further enforcement action.
We have always understood that the provisions at this point are only asking in this Bill to replicate the conditions obtaining in such cases in the 1998 legislation. This particular detail makes it seem as if that might not be the case, because we have submissions from various people in the media to suggest that, while they understand the regulations, to step in before the material is put together to make this determination feels a bit threatening. Can the Minister guarantee that the provisions in this Bill are identical with those in the 1998 Act?
There is not an adequate mention, again, according to people in the field, of the relation of photography and photojournalism to written journalism. Could that be thought about, too? If everything is the same, we have no further questions but, if not, could the Minister tell us exactly what the differences are and whether she can write to us so that we may know what they are?
Baroness Chisholm of Owlpen
As the noble Lord said, this particular group of amendments is where personal data is processed for special purposes for journalism, academic, artistic or literary purposes. There are certain exemptions in place, so the commissioner must first determine whether processing is for special purposes before taking further enforcement action. A special purposes determination can be appealed to a court, not a tribunal; these amendments correct the Bill as only a court, not tribunals, are relevant. They also make technical corrections to ensure compatibility with Scots law. The definition of special purposes proceedings is also widened slightly so that special purposes can be asserted in a wider range of situations.
I think that I have inspiration coming from my right hand side. The noble Lord mentioned photojournalism, which is included in the data—I think that that is what he meant.
Lord Griffiths of Burry Port
I sympathise with the Minister, who sought inspiration from behind, because it is what I do all the time. Those who have expressed anxiety to us are worried that pressure will be put on them as programme makers and investigative journalists prior to publication and issuing their material in edited form, whereas currently they are subject to the regulation once that material has been put together. That is the area where anxieties have been expressed, and we need some reassurance on that point.
Baroness Chisholm of Owlpen
The best thing that I can do is to have a look and get back to the noble Lord on those points, if that is okay.
Lord Kennedy of Southwark
My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.
Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.
Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.
The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,
“as the Secretary of State considers necessary”.
We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.
Baroness Chisholm of Owlpen
My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.
As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.
However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.
As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.
I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.
As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.
Lord Kennedy of Southwark
My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 13th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Baroness Chisholm of Owlpen (Con)
My Lords, I want to reiterate what my noble friend Lord Ashton said. I think we are learning a lot about philosophy from the noble Lord, Lord Stevenson, during the passage of the Bill. It is a welcome addition as far as I am concerned.
I shall start with brief reference to the government amendments in this group. These amendments, Amendments 58 to 60 and 62 and 63, make further related provision in respect of processing undertaken to ensure the integrity of sport. This is necessary because, unusually, integrity issues in sport often relate to sensitive data, the processing of which may otherwise be prohibited under article 9 of the GDPR. I am grateful to a number of stakeholders for their help in making sure that these amendments will achieve their intended effect.
I turn now to the amendments tabled by the noble Lord, Lord Moynihan, and the noble Lord, Lord Stevenson. Amendments 57 and 61 seek to amend the processing condition in paragraph 21 on anti-doping in sport. This condition was included in the Bill following extensive engagement with sports governing bodies and UK Anti-Doping, which together implement and manage anti-doping policy in the UK. They are also responsible for eliminating the scourge of doping in sport. The paragraph as included in the Bill permits the processing of sensitive data for these purposes. UKAD is of the view that the measure as drafted will enable it to continue to perform this important function.
Amendment 57, tabled by my noble friend Lord Moynihan, who has such great expertise in this area and has done so much over the years to try to combat doping in sport, seeks to narrow the doping provision so that it allows processing only where it relates to an athlete who may be in breach of UKAD’s rules. Amendment 61, tabled by the noble Lord, Lord Stevenson, instead seeks to limit the provision to rules set by a sports governing body with responsibility for a single sport. Neither position reflects the reality of split responsibility for anti-doping in UK sport today. Removing the reference to “sporting event” and “sport generally” may potentially exclude the anti-doping processing carried out by UKAD and by those bodies which set and enforce anti-doping rules in a particular sporting event rather than a particular sport, such as 6 Nations rugby, the IOC or the Commonwealth Games Federation. The Bill must not be limited to only the interventions of UKAD but must allow processing in those sports and sporting events which have their own anti-doping rules. The fact that those bodies are not governed entirely by UKAD’s rules makes their processing no less important. Equally, the provision must allow processing in relation to participants who are not themselves athletes. As noble Lords will understand, the sensitive data or criminal record of a coach or relative may be fundamental to anti-doping cases.
A narrowing of the scope of this paragraph could create loopholes for participants who cheat. For these reasons, I am confident that the original drafting suffices. Paragraph 21 of Schedule 1 was subject to significant engagement with sports governing bodies. Given that the Bill comes out of the government department that is also responsible for sport, we have been able to take extra care. The large number of relationships we have with this sector have been used to test the draft, and UKAD is content.
Several noble Lords mentioned various items which I will also refer to. My noble friend Lord Moynihan wanted me to confirm that athletes cannot rely on the right to be forgotten. That right is not unlimited, and if the personal data has been lawfully processed, and needed to be processed, then it would be there only if there was no overriding legitimate interest for the processing of that data. The controller would have to erase the personal data in these circumstances.
My noble friend also asked why we did not criminalise doping. None of those interviewed as part of the review were in favour of criminalising doping in sport. This was a unanimous view. For example, sports governing bodies expected that their internal investigations would be negatively affected by the criminalisation of doping in sport. It would remain quicker to deal with an instance using regulatory or disciplinary proceedings, which must be proved to the civil standard of the balance of probabilities rather than beyond reasonable doubt. Others noted that the current penalties were already sufficient to end a sporting career.
My noble friend also wanted to know whether doping at a sporting event covered spectators. This is a broad measure to cover processing in connection with measures designed to eliminate doping, for the purposes of providing information about doping or suspected doping. This could include processing of special categories, such as data relating to spectators or third parties providing information, but not only when necessary in connection with anti-doping measures.
The noble Lord, Lord Stevenson, brought up a good point, about why sport is unique when there are other areas that could also be included in this. Particular provision for sport is needed because sports bodies are an unusual type of regulator, where the regulation they carry out is capable of meeting a substantial public interest test yet they cannot rely on paragraph 9—there is no statutory recognition of their function nor is it beyond argument that enforcement of their rules benefits all members of the public, as opposed to the protection of their participants. Reliance on paragraph 9 for this processing would be too narrow, but important to remedy given the amount of sensitive data that might be processed by sports bodies in pursuit of their integrity functions. This is not something that we are aware would apply to other types of regulators.
I will move the government amendments for the reasons I have set out, and will of course be happy to meet noble Lords if they wish to discuss this point further.
Lord Moynihan
First, I thank the noble Lords, Lord Stevenson and Lord Clement-Jones, for offering to stand in for me at the last Committee sitting. I was in my place for the first sitting, when we were expecting to reach this amendment, but regrettably had to travel to Australia on two occasions in the last month, only returning about four and a half hours ago. I apologise if I was not as lucid as I would like to have been, and I am very grateful to them for offering to assist if I had been absent again.
I will respond very briefly to a number of points raised. In response to the noble Lord, Lord Maxton, I took into consideration the question of what is a performance-enhancing drug and have suggested, in my amendment, that it should be a drug listed under the WADA—World Anti-Doping Agency—code as a performance-enhancing drug and part of the World Anti-Doping Code. I know this is a contentious issue and that there is an issue about what should or should not be in that code. Indeed, I have many reservations about a number of the drugs in it, which I do not see as performance enhancing, but it is the best international definition at the moment for sport and is used by the International Olympic Committee.
Data Protection Bill [HL]
Baroness Chisholm of Owlpen Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Stevenson of Balmacara
My Lords, Clause 12 deals primarily with credit reference agencies. It is not an area that I think we want to go through in complete detail, but in comparing the current version of the Bill with the provisions in the Data Protection Act 1998, in particular Section 39(2), we wondered whether the updating of that provision was entirely correct and thought it would be helpful to give the Minister a chance to respond to that point.
The question that underlies the suggestion that the clause should not stand part is whether Clause 12 constitutes a restriction on a data subject’s access rights. It can be read as a presumption that a data subject in this area is asking only about their financial standing, and not for other data that the credit reference agency might have. The provision therefore might be said to run contrary to the underpinning rationale behind the GDPR that data controllers should be transparent and that data subjects should not be put in the position of having to guess what data is held about them in order to ask for it.
I am sorry to have to refer again to a recital, but recital 63, which the Minister might be aware of, specifies that among other purposes, the right of access is to allow a data subject to be aware of the data held about them so as to be able to,
“verify … the lawfulness of the processing”
that is taking place. This is different from the wording in Clause 12, in that the trigger appears to be based on the quantity of data rather than the type of controller. There is also no presumption about the nature of the data that the data subject wants. I think I have said enough to suggest that there is possibly an issue behind this and I would be grateful if the Minister could respond to that point.
Baroness Chisholm of Owlpen (Con)
My Lords, as your Lordships know, before giving somebody credit, lenders such as banks, loan companies and shops want to be confident that the person can repay the money they lend. To help them do this, they may look at the information held by credit reference agencies.
Credit reference agencies give lenders a range of information about potential borrowers, which lenders use to make decisions about whether or not to offer a person credit. It is safe to say that the three main credit reference agencies in the UK—Equifax, Experian and Callcredit—are likely to hold certain information about most adults in the country. Most of the information held by the credit reference agencies relates to how a person has maintained their credit and their service and utility accounts. It also includes details of people’s previous addresses and information from public sources such as the electoral roll, public records including county court judgments, and bankruptcy and insolvency data.
The information held by the credit reference agencies is also used to verify the identity, age and residency of individuals, to identify and track fraud, to combat money laundering and to help recover payment of debts. Government bodies may also access this credit data to check that individuals are entitled to certain benefits and to recover unpaid taxes and similar debts. Credit reference agencies are licensed by the Financial Conduct Authority.
As noble Lords may be aware, anyone can write to a credit reference agency to request a copy of their credit reference file. Given the sheer volume of requests that such agencies receive, Section 9 of the Data Protection Act 1998 provides that a subject access request made under Section 7 of the Act will be taken to mean a request for information about the person’s financial standing, unless the person makes it clear that he or she is seeking different information. Very importantly, when responding to such a request, Section 9(3) of the 1998 Act requires the credit reference agencies to provide the person with details about how he or she can go about correcting any wrong information held by the agencies. The process for doing so is set out in Section 159 of the Consumer Credit Act 1974, and the 1998 Act makes reference to it. If personal information held about someone is incorrect or out of date, noble Lords will appreciate that it could lead to that person being unfairly refused credit.
Clause 12 of the Bill simply replicates the provisions in Section 9 of the DPA in relation to handling of subject access requests made under article 15 of the GDPR. If it were omitted without anything being put in its place, this could create uncertainty for consumer reference agencies about how they should respond to a subject access request. It would create uncertainty for data subjects, who would no longer be supplied with guidance on how to update details in their file that were wrong or misleading. As far as we are aware, these provisions have worked well over the last 20 years and we can see no reason why they should be omitted from the Bill.
On that basis, I respectfully invite the noble Lord to accept that Clause 12 should stand part of the Bill.
Lord Stevenson of Balmacara
I am grateful to the Minister for her response. I think we agree that any impact on one’s credit standing is a major issue and that it is really important that we get this right. Although she did not specifically say so, I take it that all the big companies involved in this field were consulted before this measure was put forward. One notices, but does not make any comment, that Equifax is one of the companies concerned—and look what happened to it.
The message coming through is that the DPA 1998 provisions are being reproduced here: there is no intention to change them and people should not be concerned about this. On that basis, I will not object to Clause 12 standing part of the Bill.
Data Protection Bill [HL]
Baroness Chisholm of Owlpen ExcerptsMonday 13th November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
Lord Stevenson of Balmacara
My Lords, we are all very grateful to the noble Lord, Lord Black, for his very full introduction to these amendments. I shall read very carefully what the noble Lord, Lord McNally, said and take his remarks on their merits. I have no problem with that.
I am sure that the noble Lord, Lord Black, will not mind if I quote what he said in Committee only a week ago and pose a question to him. He said:
“This Bill is very carefully crafted to balance rights to free expression and rights to privacy, which of course are of huge importance. It recognises the vital importance of free speech in a free society at the same time as protecting individuals. It replicates a system which has worked well for 20 years and can work well for another 20”.—[Official Report, 6/11/17; cols. 1667-68.]
What a difference a week makes to one’s thinking. The noble Lord was pressed by a number of noble Lords, including his noble friend Lord Attlee, to come up with a much more detailed and engaged critique. We would love to hear from him again if he is prepared to tell us why there has been a change in his thinking. However, I do not think that gets in the way of what he is saying, which is that some issues need to be addressed. We will look at them carefully when we have the chance to see them in print. I shall also be interested to hear what the noble Baroness makes of this when she replies.
Baroness Chisholm of Owlpen (Con)
As my noble friend Lord Black and the noble Lord, Lord Stevenson, said, the Government are firmly committed to preserving the freedom of the press, maintaining the balance between privacy and the freedom of expression in our existing law that has served us well.
I shall try to reply to my noble friend as I go through the many amendments—a soup of amendments, as the noble Lord, Lord McNally, said. As we heard, Amendments 87ZA, 87AA, 87AB and 87AC would enable the special purposes exemptions to be used when processing for other purposes in addition to a special purpose. The use of the word “only” in the Bill is consistent with the existing law. Examples have been given of where further processing beyond the special purposes might be justified without prejudicing the overall journalistic intent in the public interest. None the less, the media industry has been able to operate effectively under the existing law, and while we are all in favour of further clarity, we must be careful not to create any unintended consequences.
Paragraph 24(3) of Schedule 2 concerns the test to determine whether something is in the public interest. Amendment 87CA seeks to define the compatibility requirement, and Amendments 87DA and 87DB seek to clarify the reasonable belief test. The Bill is clear that the exemption will apply where the journalist reasonably believes that publication would be in the public interest, taking account of the special importance of the public interest in the freedom of expression and information. To determine whether publication is in the public interest is a decision for the journalist. They must decide one way or another. It is not necessary to change the existing position.
Amendments 89C to 89F seek to widen the available exemptions by adding in additional data rights that can be disapplied. Amendment 89C seeks to add an exemption for article 19 concerning the obligation to give the data subjects notice regarding the processing carried out under articles 16, 17 and 18 of the GDPR. The Bill already provides exemptions for the special purposes for these articles, rendering article 19 irrelevant in this context.
Amendment 89D seeks to add an exemption for article 36. This requires the controller to give notice to the Information Commissioner before engaging in high-risk processing. My noble friend Lord Black and the noble Lord, Lord McNally, both argued that this might require the commissioner to be given notice of investigative journalistic activity. This is not the case. We do not believe that investigative journalism needs to put people’s rights at high risk. Investigative journalism, like other data-processing activities, should be able to manage risks to an acceptable level.
Amendment 89E concerns the need for journalists to transfer data to third countries. We are carefully considering whether the GDPR creates any obstacles of the type described. We certainly do not intend to prevent the transfers the noble Lord describes.
Amendment 89F seeks to add an exemption from the safeguards in article 89 that relate to research and archiving. Following the interventions of the noble Lord, Lord Patel, the Government have agreed to look again at these safeguards. Once we have completed that, we will assess whether any related derogations also need reconsidering.
Amendment 91B seeks to introduce a time limit by which complaints can be brought. The Government agree that complaints should be brought in a timely manner and are concerned to hear of any perceived abuses. We will consider this further and assess the evidence base.
The Government are firmly committed to preserving the freedom of the press and preventing restrictions to journalists’ ability to investigate issues in the public interest. We will continue to consider the technical points raised by my noble friend, and I hope—at this late hour, and with the view that we will further consider points that have been raised—that he feels able to withdraw his amendment.
Lord Black of Brentwood
I am grateful to my noble friend for those words and to all noble Lords who have taken part in this short debate at this late hour. Apart from anything else, it has given me an opportunity to say words which I never thought I would hear myself say: I agree with virtually everything that the noble Lord, Lord McNally, said this evening.
Data Protection Bill [HL]
Baroness Chisholm of Owlpen Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord McNally
I can imagine how it was when the legislative programme was discussed in the Cabinet Office, or even at No. 10: how on earth do we get all this through? I am sure that the Civil Service advice was—or at least one adviser said—“Well, you could try by Henry VIII powers and lots of secondary legislation. Looking at the present rules, that is the only way that we think you could get it through in that timetable”. And so the process started.
I know that the big problem for Ministers in this House is that there will be great impatience in No. 10 and down the Corridor at any delays or defeats—but, as has been said a number of times, they are going about it the wrong way. We are heading for a constitutional car crash unless there is intervention at the very highest level to look at this problem. It is a twin problem: how do you give flexibility to make legislation fool-proof in a rapidly changing technological situation, which is one of the central problems for the Bill; and how do you deal with Brexit legislation in such a tight timetable?
I know what cannot happen. It would be the irony of ironies if an exercise that was supposed to return sovereignty to this Parliament ended up with this Parliament accepting a whole range of precedents that diminished its sovereignty. Therefore, although it is unfair on each Minister, this debate will continue to take place, and I hope that when we get to Divisions we will put a halt to this solution, so that some really hard thinking will be done about how to achieve the end of the Government getting their business through without sacrificing parliamentary sovereignty.
Baroness Chisholm of Owlpen (Con)
My Lords, I welcome this opportunity to set out the Government’s position on various delegated powers contained in the Bill, which have been the subject of recommendations by the Delegated Powers and Regulatory Reform Committee. The Government are very grateful to the committee for its usual thoroughness in examining the delegated powers in the Bill, but I should begin my remarks by saying that the committee’s report, which ran to some 20 pages, was published only on 24 October, so we are still considering its conclusions and recommendations. The range of views expressed in tonight’s debate will be further input into that process.
The current Data Protection Act has stood firm for almost 20 years. This one will be in danger of lasting barely two if we start striking out the delegated powers contained within it. As the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, said, such is the pace of change in this area that we need to keep up with what is going on. Furthermore, new forms of data processing not yet dreamed of will have been designed, developed and deployed even before the Bill reaches Royal Assent. It is essential that the law can keep up.
It is also worth reminding ourselves that the Government have taken the opportunity to include directly in the relevant schedules numerous provisions which had previously been included only in secondary legislation. The noble Lord, Lord Stevenson, has been extremely busy, and has taken the opportunity to table more than a dozen amendments to Schedule 1 alone. We will of course turn to those shortly.
That said, the Government recognise that there is tension between the need to provide for appropriate future-proofing of legislation, such as provided for in Clauses 9, 15, 33, 84 and 111, and the need to ensure proper parliamentary scrutiny of the resultant delegated powers. It follows that we are open to constructive suggestions as to how provisions in the Bill can be improved and, obviously, that includes its regulation-making powers.
I have listened with care and interest to the case put forward by my noble friend Lord Arbuthnot, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for the application of the super-affirmative procedure. I am also grateful to the noble Lord, Lord Whitty, for reminding us that data subjects, not just data controllers, have an interest in the proper application of these powers.
I am sure that noble Lords will agree that the amendments before us should be considered in the context of the broader recommendations of the Delegated Powers and Regulatory Reform Committee report. As I said earlier, the process of considering these issues is still ongoing, but I am more than confident that it will conclude in time for the Bill’s next stage.
Before I conclude, I think that the noble Lord, Lord Stevenson, asked what was meant by “legislative measure”. Clause 15(1)(b) uses the term “legislative measure” to reflect the wording used in Article 23 of the GDPR. Recital 41 makes clear that a legislative measure would include an Act or statutory instrument. I hope that that answers the question.
I therefore humbly invite the noble Lord to withdraw his amendment on the understanding that we will return to this important issue on Report.
Lord Stevenson of Balmacara
I thank all noble Lords for their contributions; we have had a very good go at this, which has raised all the big issues. The Minister made a positive response, with a sideswipe at me for being too active on the amendment front; but that is what we do, and we expect Ministers to be able to deal with them without too much worry. We are enjoying this debate and will have lots of things to come back to on Report because of the interesting points being made.
However, on this issue, we are slightly narrower. The Government have got themselves into a bit of a hole here. I appreciate the wider context, and the point has been very well made. It seems to me that there are three options. They can tough it out and just say to the DPRRC that it has stepped too far from where they want to be and this is the only way forward. They can follow the DPRRC and find amendments that they can bring back on Report—I think the Minister was talking about Report; later than that would be too late. We are talking here about narrower powers to define down the areas within which discretion is operated. To follow the point made by the noble Baroness, Lady Neville-Jones, and the noble Lord, Lord Arbuthnot—I think this is my noble friend Lord Whitty’s concern and is shared widely around the House—the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation, or legislative measures, as we now call them.
The helpful suggestion, backed up by the noble Lord, Lord Clement-Jones—that we should have a super-affirmative measure when matters are almost of the status of requiring there to be primary legislation, but for which flexibility requires a lesser measure—seems to be the way forward. A very little research shows that “super-affirmative” has many meanings. That chosen by the noble Lord and the noble Baroness, Lady Neville-Jones, is one of about seven or eight. The Public Bill Office has published a table which noble Lords can pore over at leisure and find themselves completely confused at the end about the best route forward. I am sure the clerks will guide us as we go forward down that route. However, the best seems to be the one that provides for amendments to be made to the measure that is being considered before the vote. That is the sensibility which is being assembled around the Committee, and I hope that the Government will take it away and do it.
The noble Lord, Lord McNally, is right: there is a possibility here of a constitutional car crash. It is not restricted to this Bill, and no noble Lords who have spoken in this debate would want it to be taken, sui generis, to this Bill. It has to be taken more widely, because it is a much bigger issue. On the other hand, this provides an opportunity to go forward. In the meantime, I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Baroness Chisholm of Owlpen Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Chisholm of Owlpen (Con)
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point which has not been lost on noble Lords; nor has it been lost on organisations, business groups and others. We are grateful for all the feedback we have received through responses to the Government’s call for views and on our statement of intent, and, most recently, on the drafting of the Bill itself. Hence this large group of technical amendments seek to polish various provisions of the Bill in response to that feedback. If I may, I will save noble Lords from the tedium of going through each amendment in turn—we would be here all night—and instead focus on the small number of substantive amendments in the group.
I begin with Amendment 51, which ensures that automatic renewal insurance products purchased before 25 May 2018 can continue to function. Automatic renewal products work on the principle that, if the insured person does not respond to the renewal notice, their insurance continues uninterrupted. Without the amendment this would not be possible for products such as motor insurance, which require processing of special categories of personal data and criminal convictions and offences data, potentially leaving individuals unwittingly uninsured.
Amendment 55 responds to a request from the Welsh Government to extend an exemption on passing information about a prisoner to an elected representative to Members of the Welsh Assembly. I am very happy to give effect to that request.
Amendment 56 ensures that existing court reporting—so important for ensuring open justice—can continue. Judgments may include personal data, so this amendment will allow the courts to continue with current reporting practices.
Paragraph 9 of Schedule 2 provides a limited exemption in respect of certain regulatory activities which could otherwise be obstructed by a sufficiently determined individual. Amendment 86 adds five additional regulatory activities to that list to allow relevant existing data processing activities to continue.
Amendment 87 extends the common-sense protection provided by paragraph 22 of Schedule 2 for confidential employment references, so that it also expressly covers confidential references given for voluntary work.
Amendments 90 and 186 ensure a consistent definition of “publish” and “publication” throughout the Bill.
I conclude my brief tour—it did not seem very brief to me—of these amendments with reference to the amendments to Schedule 6. As noble Lords will recall, in creating the applied GDPR Schedule 6 anglicises its language, so as to ensure that it makes sense in a UK context. This is a mechanical process involving, for example, replacing the term “member state” with “United Kingdom”. Amendments 112 to 114, 116 to 118 and 120 to 124 refine that process further.
The remaining amendments that I have failed to mention will dot the “i”s and cross the “t”s, as detailed in the letter from my noble friends Lord Ashton and Lady Williams when the amendments were tabled on 20 October. For these reasons, I beg to move Amendment 8 and ask the House to support the other government amendments in this group.
Lord Knight of Weymouth
My Lords, I will be brief on this group but I have two points to make. One is a question in respect of Amendment 51, where I congratulate the insurance industry on its lobbying. Within proposed new paragraph 15A(1)(b) it says,
“if … the controller has taken reasonable steps to obtain the data subject’s consent”.
Can the Minister clarify, or give some sense of, what “reasonable” means in this context? It would help us to understand whether that means an email, which might go into spam and not be read. Would there be a letter or a phone call to try to obtain consent? What could we as citizens reasonably expect insurance companies to do to get our consent?
Assuming that we do not have a stand part debate on Clause 4, how are the Government getting on with thinking about simplifying the language of the Bill? The noble Baroness, Lady Lane-Fox, is temporarily not in her place, but she made some good points at Second Reading about simplification. Clause 4 is quite confusing to read. It is possible to understand it once you have read it a few times, but subsection (2) says, for example, that,
“the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR”.
That sort of sentence is quite difficult for most people to understand, and I will be interested to hear of the Government’s progress.
Lord Stevenson of Balmacara
My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
Baroness Chisholm of Owlpen
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
Baroness Chisholm of Owlpen
Yes, it is the FCA. That would be the case.
The noble Lord, Lord Stevenson, talked about Amendment 8, the health amendment. It is to ensure that there is clarity for health professionals in Clause 183. The GDPR refers to health data being processed under the responsibility of a health professional whereas the Bill says,
“under the supervision of a health professional”,
to clarify that no intentional difference in the meaning is being conveyed. These amendments ensure that consistent language is used and so make it more understandable. I hope that has answered all noble Lords’ questions. Please come back to me if it has not.
Lord Kennedy of Southwark
My Lords, I have no interests whatever to declare in this debate.
Amendment 10, moved by my noble friend Lady Royall of Blaisdon and signed up to by the noble Lords, Lord Pannick and Lord Macdonald of River Glaven, raises the important issue of legitimate fundraising and alumni relations undertaken by schools, colleges and universities being at risk due to the changes being brought in by GDPR. My noble friend referred to various conditions and mentioned the lawfulness condition, specifically on the issue of consent.
As we have heard, GDPR sets a very high bar in requiring a positive opt in, and it is likely that existing consents will not reach the required standard. So educational institutions would have to take on the enormous task of rebuilding their databases from scratch to meet the condition, as my noble friend referred to.
The public interest condition does not really work, for various reasons. The legitimate-interest condition may provide a route for the justification of data processing for fundraising purposes but, as we have heard in this debate, there are issues here as well. To make that a realistic solution to this unintended consequence of the new regulations—I think we all agree that it is unintended—my noble friend is seeking to put in the Bill a subsection in Clause 6 that, for the purposes of GDPR, would make it clear that schools, colleges and universities are not public bodies.
I note that Clause 6(2) provides the Secretary of State with the power to designate those public bodies that are not regarded as public bodies for GDPR. I am not sure what the general attitude of the Minister is, although he seems to have indicated that he is broadly sympathetic, but if he is going to rely on subsection (2) then he is going to have to do a bit more. As I mentioned previously, when Governments tell us it will all be sorted out in regulations, that is often not the solution and things can take a very long time. I mention the Housing and Planning Act again.
This is not something that educational institutions can wait months or years for; it would cost them considerably in terms of their fundraising plans. I hope the Minister can deliver some positive news to my noble friend, who has raised an important issue. It is fair to say that if she pressed this or a similar amendment to a vote on Report, she would be likely to win the day because it is an issue that many noble Lords are very concerned about.
Baroness Chisholm of Owlpen
My Lords, I thank noble Lords for taking part in this debate. I always feel humbled when I realise how many chancellors, presidents and fellows of universities we have in this House. I think that is why our debates and discussions are always of such high quality, because that is what noble Lords bring to this House. I congratulate the noble Baroness, Lady Royall, on her appointment. I visited Somerville College a lot because my daughter went there; she had an extremely enjoyable time and loved her three years there.
Universities are classified as public authorities under the Freedom of Information Act, and the Bill extends that classification to data protection. We recognise that universities, as complex organisations with many varying functions and interests, also carry out other functions that may not count as “public tasks” under data protection law. The conundrum raised by the noble Baroness has also been raised with the Government by the universities. I thank them for their time and help in working with both the Government and the Information Commissioner to resolve the problem.
I fully appreciate that the intention of the amendment is to protect our schools, colleges and universities by allowing them to continue pursuing their interests outside of their public tasks. I reassure noble Lords that neither the Bill nor the GDPR puts that at risk. The Information Commissioner’s Office has confirmed that it will issue detailed guidance on this matter, including the processing of personal data for the purpose of maintaining alumni relations, in order to make this clear. Representatives of the higher education sector have also indicated to the Information Commissioner’s Office that they may wish to develop further sector-level guidance, and the Information Commissioner’s Office will assist with that.
However, we are very sympathetic to everything that noble Lords have said today. It is important that we should meet again, and I am happy to agree to a meeting between myself, my noble friend Lord Ashton and all interested Peers so that we can talk about this further, in order that when we come back on Report we will have something that perhaps everyone will wish to hear. I hope my clarification on this issue is sufficient for now, and that the noble Baroness will agree to withdraw her amendment.
Lord Kennedy of Southwark
The Minister mentioned guidance and said that these matters would be solved then. Can she give us an assurance that we will have the guidance before the Bill becomes law?
Baroness Chisholm of Owlpen
The guidance from the Information Commissioner’s Office is ongoing. I had better go and find out whether we will have it by the time this Bill becomes law, because I do not want to say something at the Dispatch Box that turns out to be wrong. I will have to get back to the noble Lord on that point.
Baroness Royall of Blaisdon
My Lords, I am grateful to the Minister for her semi-positive answer. I have to say that if the guidance were available before the Bill became law, that would be quite extraordinary because it is not the norm, but it would be very welcome. I am grateful for her sympathy and understanding, and I realise that there has been a meeting between the university sector and the Information Commissioner’s Office, but personally I still feel the guidance is not enough. I am therefore grateful for the offer of a meeting to discuss this further. I thank everyone who has participated in this short debate. I particularly thank my noble friend Lady Kennedy of The Shaws for quite rightly pointing out that this is a matter of importance for schools, universities and colleges up and down the land, not just the “elite”, as it were—everyone is going to suffer.
With the reassurance from the Minister that we can have a meeting to discuss this further, I beg leave to withdraw the amendment.