Age Appropriate Design Code
Debate between Baroness Chisholm of Owlpen and Lord Clement-Jones
Baroness Chisholm of Owlpen
My Lords, I think that I can safely stand here and say that that is true. Of course, the code works in conjunction with the GDPR, whose guidelines are already out there. This code is to gold-plate that part of the GDPR. It is true that there has been pushback from online companies. The Information Commissioner is working closely with them for them to understand how important it is. It is up to those companies to realise that this issue is vital and that they have to get their world in order.
Lord Clement-Jones (LD)
My Lords, the standards in the code will apply to all users unless there are robust age-verification mechanisms to distinguish adults from children. The BBFC has recently conducted research showing huge support among parents for the age-verification guidance under the Digital Economy Act. Can the Minister confirm that the guidance will be tabled at the earliest possible opportunity—that is, this week?
Baroness Chisholm of Owlpen
Am I right in thinking that the noble Lord is talking about the age verification—
Baroness Chisholm of Owlpen
As he knows, that has been with the EU. The standard three-month TSRD, where they look at the whole thing, is due to expire on 2 October, which is the day after tomorrow. We have not heard anything from them, so it seems unlikely that they will suddenly come up with a whole lot of comments between now and then, but obviously I cannot guarantee that.
Data Protection (Charges and Information) Regulations 2018
Debate between Baroness Chisholm of Owlpen and Lord Clement-Jones
Baroness Chisholm of Owlpen (Con)
My Lords, the work of the Information Commissioner and her office is of fundamental importance and relevance in today’s society. Data is a pivotal element of the digital revolution, enabling a multitude of technological innovations that support growth and benefit our society. However, for these innovations to be successful, we—both government and the general public—must be confident that our data is not being misused. For this reason, we are modernising our data protection laws through the Data Protection Bill, and providing new and stronger powers for the Information Commissioner.
An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. This is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently in Parliament, and internationally. This was highlighted in the Prime Minister’s recent Mansion House speech, which featured the UK’s exceptionally high standards of data protection as one of the foundations underpinning our post-Brexit trading relationship with the EU. This changing data protection landscape has increased the responsibilities of the Information Commissioner and the challenges she faces, and with these increased responsibilities comes an increased cost.
It is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities and that government meets its responsibility under the GDPR to ensure that the ICO is funded for the effective performance of its tasks. As with other similar organisations, such as the Care Quality Commission, Ofcom and the BBC, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers.
Currently, data controllers pay two tiers of charge: tier 1, for organisations with less than 250 staff or turnover under £25.9 million, is £35 per annum; and tier 2, for the remaining larger data controllers, is £500 per annum. These charges have not increased at all since their introduction in 2001 and 2009 respectively. The regulations will implement a new charge structure in order to fund the Information Commissioner’s data protection activities, and will come into force on 25 May 2018, which is when the new Data Protection Act and the GDPR standards are due to take effect.
The new structure is made up of three categories of charge: “micro-organisations”—including individuals—which will pay a charge of £40; “small and medium organisations”, which will pay £60; and “large organisations”, which will pay £2,900. The structure is designed to be closely aligned with the standard government categorisation of businesses. Furthermore, a £5 discount applies to all organisations where they pay by direct debit. This in effect means that micro-organisations which pay by direct debit will pay the same charge that they have since 2001 and that all micro, small and medium data controllers are paying less than the annual cost of a Netflix subscription towards maintaining the ICO as a world-class data protection regulator.
Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised on the basis of number of members of staff only. In addition, charities and small occupational pension schemes will continue automatically to pay the lowest charge. The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and raise awareness of data protection obligations in organisations, thereby increasing their compliance. Let me expand on what that means in practice.
First, in designing the new charge structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups. The charge levels have been increased from the current level of fees primarily to reflect the increased responsibilities of the ICO under the GDPR. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities. In 2016, the Department for Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to such a high standard.
Secondly, large organisations, including public authorities, often hold the most complex and sensitive datasets, as such represent a higher level of information risk and will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data. The charge structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, as well as to recognise that it would not be appropriate for large businesses and public authorities to be effectively subsidised by small and micro-businesses, which make up the majority of the register of data controllers.
Thirdly, and finally, in making these regulations we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, thereby increasing their awareness of the ICO as the regulator and their own obligations. The new regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the current exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption to make clear that homeowners using CCTV for these purposes are no longer required to pay a charge under the new scheme. I appreciate that there is appetite from stakeholders to review these exemptions in general; the Government have committed to undertake a public consultation on the exemptions later this year. Your Lordships may be interested to hear that we are especially minded to consider an exemption for elected representatives and the House of Lords.
In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy. It is vital that we secure adequate funding, for now and the future. The new funding regime set out in these regulations maintains the spirit of notification fees in charging only those people and organisations that handle personal data without the need for direct government funding, while providing the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator. I beg to move.
Lord Clement-Jones (LD)
I thank the Minister for her comprehensive introduction. We all accept the need for a well-resourced Information Commissioner’s Office. On Report, we welcomed what the noble Lord, Lord Ashton, who was the Minister at the time, had to say in response to an amendment from the noble Lord, Lord Puttnam, about the commitment to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in the Bill. There is no argument between us about the principles of funding the Information Commissioner’s Office. The pledges made by the noble Lord, Lord Ashton, were very welcome. We wish the Information Commissioner well with her extended role and her extended £33 million budget.
That does not come without a cost to data controllers. It is not simply a question of deciding the budget and then deciding what people pay, without considering affordability. Local authorities have put to me that they are very concerned at the lack of consultation offered to all affected parties, including the LGA, ahead of the new charging model. Apparently, approximately 40,000 data controllers were written to, inviting them to respond to the consultation: I understand that about 2,000 did so. However, not all affected parties were offered the opportunity to contribute. The consultation, and responses to it, are not publicly available, which differs from most government consultation. Will the Minister commit to publishing the outcome of the consultations?
Local authorities are concerned by what appears to be a rather arbitrary increase in the charges that they will have to pay to the ICO as data controllers. I also understand that it is proposed that elected representatives will be subject to a small increase in their charge. Under the new charging model, councils with 250 or more employees are defined as large data controllers and are subject to the highest fees under the SI. In practice, most councils that would have been paying £500 to register with the ICO will now have to pay £2,900. This is an increase of 480%; an inflationary increase would have seen the fees rise from £500 to £623.61. This comes at a time when local government is under significant financial pressure and local councils are receiving no additional government funding to help implement the GDPR.
It seems from the Explanatory Memorandum that the Government are considering an exemption for elected representatives, subject to a full review of exemptions in general. In the current process, there are exemptions from the requirement to register with the ICO. These include exemptions for those maintaining a public register, for staff administration purposes, for advertising and for accounting. I refer the Minister to paragraph 7.10 of the Explanatory Memorandum, where the Government state their intentions about the review.
On these Benches, we would definitely support an exemption for elected representatives. Councillors should not have to pay a charge to the Information Commissioner to correspond with their residents and should not incur a cost associated with their duties in representing their constituents. I am interested to hear what the Minister has to say about the review which is heralded in the Explanatory Memorandum.
Lord Clement-Jones
I do not think the Minister has really answered the question about the lack of consultation with local authorities and why they are being particularly hit by this new set of charges.
Baroness Chisholm of Owlpen
As I said earlier, it is because we feel they have quite a lot of risk. They hold a huge amount of data, so it will be quite a lot of work for the commissioner. It is only fair that they should pay their way. Does that satisfy the noble Lord?
Lord Stevenson of Balmacara
It is not so much whether they should be paying—we probably accept that they should, though how much is in question—it is the fact that they were not consulted. The consultation exercise did not reach that far and the Minister was going to try to give some information about why that could have been.
Electronic Commerce Directive (Miscellaneous Provisions) Regulations 2018
Debate between Baroness Chisholm of Owlpen and Lord Clement-Jones
Baroness Chisholm of Owlpen (Con)
These regulations, which were laid in both Houses on 30 January, seek to implement two parts of the electronic commerce directive —or e-commerce directive—in relation to various offences. These are the country of origin principle and provisions relating to the liability of intermediary service providers.
To explain further, when new legislation is brought in on a particular policy area and an element of this relates to offences or requirements that could apply to an information society service—for example, intimate images on an online platform—the directive must be implemented to apply these rules. This must be done for the UK to be compliant with EU law. Importantly, the SI does not create new policy. These regulations are a technical measure to ensure that these offences are consistent with the e-commerce directive. The regulations implement the directive in relation to various offences including, for example, the children’s hearings publishing restrictions offence.
The Committee should be aware that my department worked closely with officials in the Scottish Government and the Northern Ireland Assembly in preparing this draft instrument. The Scottish Government are keen to see this SI made law.
I will now look at what the e-commerce directive is and what the SI claims to achieve. The directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services within the EU. The directive is also relevant to the European Economic Area. This SI implements the e-commerce directive’s country of origin principle in relation to these offences, where relevant. Under the country of origin principle, an information society service should be only under the jurisdiction of the member state in which the service is established, not the European Economic Area country that the service is targeting. The country of origin rules are described in more detail in the Explanatory Memorandum at paragraph 4.2.
Finally, the SI also implements articles 12 to 14 of the directive, where relevant, which limit, in specified circumstances, the liability of intermediary service providers which carry out certain activities essential for the operation of the internet, namely those which act as “mere conduits” and those which “cache” or “host” information. I emphasise that the sole intention and outcome of this statutory instrument is to implement parts of the electronic commerce directive in relation to various offences, where this has not been done before. It will not create or set new policy; instead it is a technical measure to ensure compliance with EU law. I look forward to the Committee’s questions and hope that your Lordships will allow this SI to become UK law.
Lord Clement-Jones (LD)
I thank the Minister for her very clear introduction. This is a very interesting regulation—for aficionados. As she spoke in detail about it, that introduces the country of origin principle for discussion. I understand completely what the draft SI is meant to do. I expect that somebody in DDCMS woke up in a cold sweat and suddenly realised that there was quite a backlog of criminal offences in Scotland and Northern Ireland that needed to be brought within the scope of the e-commerce legislation. Such cold sweats can occur, even in the best-run government departments. We should not impede the passing of this SI simply because some of the offences are rather ancient. We are not dealing just with 2015 offences.
Of much more interest for those who are currently debating the European Union (Withdrawal) Bill is the whole question of the future application of the country of origin principle. After all, starting with the e-commerce directive, the EU Commission aimed to create an effective single market, particularly in the field of online retail. It is extremely pertinent to what is going to happen next. The current law is set out in the EU electronic commerce directive 2000, implemented into UK law in 2002. The regime covers almost every commercial website and is not restricted to online buying and selling but covers any service provided for remuneration at a distance using electronic means. On top of that, we have EU-derived distance selling and cookie regulation.
Much e-commerce law is implemented largely through secondary legislation, which will be preserved after Brexit takes place. However, the EU is obliged to revisit the directive every two years, so a divergence between the EU and the UK is possible. Therefore, the question arises as to whether we are going to need some sort of adequacy ruling for country of origin, rather in the way that we will probably have such a ruling for data protection. Indeed, is country of origin going to be available to us in the first place? Does the e-commerce directive fall away post Brexit? As I am sure the Minister is aware, country of origin principles applied to broadcasting will fall away unless there is a special deal which breaks through the normal cultural exceptions put into free trade agreements. So I am a little pessimistic about that.
Then, of course, the wagon rolls on. The consumer protection co-operation regulation was adopted by the Commission in December 2017. A regulation on addressing unjustified geo-blocking was adopted this February. There are two legislative proposals on the supply of digital content, and on online and other distance sales of goods, which the Commission proposed in December 2015 and are currently under negotiation in EU institutions. What are the Government’s intentions in respect of the new EU digital single market developments? Does they intend to stay aligned with e-commerce law in the EU? If so, how? If not, what will the consequences be? I would be extremely interested to hear from the Minister.
Lord Griffiths of Burry Port (Lab)
My Lords, the noble Lord, Lord Clement-Jones, must first hear from me. Perhaps that will give the Minister a little time. I am very grateful for the way in which an aficionado made me aware of this welter of material relating to the way that information flows and the activities that benefit from that flow of information across Europe in so many fields.
This SI is relentlessly logical. I cannot understand why the law on such important and serious matters as human trafficking, prostitution, the care of children, threatening comments, intimate images—all those things that are listed here—came on to the statute book in Brussels in 2000 and here in 2002 but it has taken us until 2018 to deal with it. The country of origin thing may be part of the answer, I do not know. But, as the noble Lord, Lord Clement-Jones, said, just this morning we received a visit from commercial broadcasting people who are terribly worried about this country of origin principle and how it will affect their business in the future.
This SI is intended to ensure the smooth functioning of the internal market and to ensure consistency with EU law—all of that—while we are still members of the EU. I share the bemusement of the noble Lord, Lord Clement-Jones, about what might happen afterwards. He talked about adequacy, the future application of country of origin—will that continue?—and possible divergence that may occur as two different regimes pursue ways forward according to their own respective best lights, which may not be the same.
Of course, Brexit is raising a whole host of details of this kind, which make us aware of how silly we were to go down this road in the first place. Perhaps that remark ought not to go on the record—it does not belong to this debate—but I could not forbear from making it. But here we are with something that makes obvious sense but raises questions of concern that lie beyond its scope and its date. We wonder about both the scope and the date and what will happen to us all very soon. But I have no hesitation in supporting this statutory instrument.
Baroness Chisholm of Owlpen
I thank the noble Lords, Lord Clement-Jones and Lord Griffiths, for their contributions, particularly the noble Lord, Lord Clement-Jones, who went off on one, I think. He will probably not think that the answer is good enough but, as we know, the UK will be leaving the digital single market but we will continue to work closely with the EU on digital issues as we build on an existing strong relationship in the future economic partnership. We will seek an ambitious agreement with the EU that enables the best possible access to each other’s markets. There is mutual advantage in the continued close relationship between the UK and the EU on digital issues and the advancement of digital transformation across Europe.
Baroness Chisholm of Owlpen
With that, I think I have covered everything that was mentioned. As I said, this SI is important, and I have set out clearly why we need these regulations, which are technical. They will provide legal certainty to UK online services to enable them to trade across the EU with confidence. I therefore commend them to the Committee.
Data Protection Bill [HL]
Debate between Baroness Chisholm of Owlpen and Lord Clement-JonesWednesday 13th December 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Clement-Jones
My Lords, I am inspired by the last two speeches to add some words here. This is a very imaginative amendment. There is a great debate about ownership or control of one’s personal data, and this may be an elegant solution to some of that in future, although I suspect that the noble Lord, Lord Stevenson, may be right in his prediction about the Government’s response at this stage. Again, it is a bit of future-proofing that we really should think about.
If the Government do not like this, how do they think portability will work? If portability is to be a substantive right that can be taken advantage of under the GDPR, this is a very good way to make sure that data can then be inserted into a vehicle as a result of it having been sought in a portable way. This could be a very imaginative way to give teeth to the right of portability. I shall be extremely interested to hear how, otherwise, the Government think it will take effect.
Baroness Chisholm of Owlpen (Con)
My Lords, I thank the noble Lord, Lord Stevenson, for explaining the amendment, and the noble Earl, Lord Erroll, the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for their words. The amendment is fascinating. When I talked to the noble Lord, Lord Stevenson, about it earlier today, I thought that it just shows how interesting it is, how fast everything is moving in this world and how difficult it will be for us to keep up. I feel rather relieved that I may not be around to have to grapple with it myself and that there will be younger people better at dealing with it than I am.
The amendment would require the Information Commissioner to consult on the use of private personal data accounts, which provide for people to retain greater ownership of their data. While I recognise the intention behind this amendment—to stimulate debate and a shift in public attitudes towards personal data and its value—this is not the appropriate means through which to pursue these aims.
By way of explanation, I have three quick points to make. First, I question the value of the Information Commissioner consulting on the use of private data accounts, which are already available to those members of the public who wish to use them. Importantly, the priority for the commissioner at the moment and for the foreseeable future is helping companies and organisations of all sizes to implement the new law to ensure that the UK has the comprehensive data protection regime we need in place, and to help prepare the UK for our exit from the EU. I hardly need to point out that these are massive tasks, and we must not divert the commissioner’s resources from them at this point.
Secondly, it is a question not only of resource, but of remit. It is right that the commissioner monitors and advises on developments in the use and storage of personal data, but it is not her role to advise on broader issues in society. The question of whether individuals should have ownership of their personal data and be remunerated by companies for its use falls squarely into that category. The commissioner is first and foremost a regulatory body.
Thirdly, I take this opportunity to highlight that there are already mechanisms in the new regime which will support individuals to have more control over their data and place additional requirements on data subjects. For example, data controllers will be required, when obtaining personal data from an individual, to inform that person of: the purposes for which their personal data are being processed; the period for which their data will be stored, to the extent that this possible; their right, where applicable, to withdraw consent for their data to be used; and their right to lodge a complaint with the supervisory authority. Obviously, that is not an exhaustive list but it is illustrative of the protections that will be put in place. Such information must also be updated if the controller intends to process the personal data for any new purpose.
I fully agree with the noble Lord that the questions of an individual’s control over their data and the value of that data are worthy of debate and, as I said earlier, we will have to wrestle with them for years to come as the digital economy evolves. However, the Government’s view is that the Bill strikes the right balance between protecting the rights of data subjects and facilitating growth and innovation in the digital economy, and that placing an arbitrary requirement on the commissioner to consult would not be appropriate or the best use of her resources at this point. On that basis, I urge the noble Lord to withdraw his amendment.
Data Protection Bill [HL]
Debate between Baroness Chisholm of Owlpen and Lord Clement-JonesMonday 11th December 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Baroness Chisholm of Owlpen
My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.
I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.
The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?
Baroness Chisholm of Owlpen
I think that gets more rather than less muddling, but I think I see where the noble Lord is coming from.
The amendment should relate to and rely either on article 6(1)(e) or (f). That should solve any possibility raised by the noble Lord.
Data Protection Bill [HL]
Debate between Baroness Chisholm of Owlpen and Lord Clement-JonesMonday 11th December 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Baroness Chisholm of Owlpen
I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.
On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.
Lord Clement-Jones
With the greatest respect, the point I was making was whether the right to vary was not omission by the backdoor. Perhaps I was not clear enough.
Data Protection Bill [HL]
Debate between Baroness Chisholm of Owlpen and Lord Clement-JonesWednesday 22nd November 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Clement-Jones
My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,
“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.
The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.
Baroness Chisholm of Owlpen
It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.
This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.
There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.
Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.
It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.
Data Protection Bill [HL]
Debate between Baroness Chisholm of Owlpen and Lord Clement-Jones
Baroness Chisholm of Owlpen
I am using it in the English sense. The noble Lord interrupted me, but I wanted to go on to say that, because of this, we can see no reason to distinguish information society services from any other type of data controller or processor.
Additionally, the definition of controller in the GDPR requires a case-by-case analysis to determine who the controller is, but it is likely that social media companies are controllers. Although the person posting personal data online is a controller, social media companies control personal data: in the context of activities which involve collecting such data; in retrieving, recording and organising it for indexing purposes; in storing it on their services; and in disclosing and making it available to users in the form of lists of search results. The Information Commissioner has also published guidance on this matter suggesting that, if a social media site’s operator has a moderating role over the site’s contents, then it is likely to be a controller.
In respect of Amendment 9, the recitals to the GDPR do not have normative effect—they are more akin to Explanatory Notes—and there is no requirement for the UK to enshrine them in legislation. In some places in the Bill we have adopted some language in the recitals to aid with clarity. For example, in Clause 8 we borrow from the recitals to make it clear that the consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child. We will return to this later in Amendment 17 in another group. It is important to say that recitals do not contain substantive law, nor can they override the express language of a regulation. I hope my clarification on this issue is sufficient, and I urge the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I was hesitating as I thought perhaps the noble Lord, Lord Stevenson, might want to come back. I must admit that that was one of the most interesting answers in the light of what the noble Lord, Lord Ashton, said in the previous debate. He prayed in aid two recitals to the GDPR and yet they do not have “normative effect”, which is extremely interesting. I feel another amendment coming on in due course—at the appropriate time, of course. The noble Lord, Lord Ashton, was not in his place when I said I feared another chastisement from him, but that is why I emphasised that my amendment is purely a probing amendment.
Returning to what the Minister said about that, I think she is really saying that the GDPR is wide enough in article 4 to cover conversations, casual disclosure of information and so on and that the information does not have to be structured or in recorded form. That is a very useful explanation that people will rely on when they come to look at the Act in future years. I beg leave to withdraw the amendment.