Data Protection Bill [HL]
Debate between Baroness Williams of Trafford and Lord Stevenson of BalmacaraWednesday 13th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Stevenson of Balmacara
My Lords, we have Amendment 37 tabled in my name and that of my noble friend Lord Kennedy in this group. The focus of our amendment is to tease out from the Dispatch Box a sense of what is meant by “meaningful” in the context of the discussions we have already had about how organisations might disclose details of algorithms used in profiling and data-driven decision systems, to meet the obligation in the GDPR to provide meaningful information about what has been going on in that space. It will be difficult to do this because “meaningful” can involve many words and obligations and is, I think, a slightly slippery concept. It will probably exercise the noble and learned Lord, Lord Mackay of Clashfern, in its imprecision—but do not blame us, mate; it is the GDPR, which we are not allowed to discuss. However, I think that the Minister can help us here by providing a bit more information.
We have suggested that a way of dealing with this would be to look at how the information is used and make it a requirement that it should,
“be sufficient to enable the data subject to assess whether the profiling will be beneficial or harmful to their interests”.
That may not be sufficiently strict legal language but, if it is an important distinction, it would help to get us to the point at which the Minister might say that she will bring back improved wording in an amendment at Third Reading.
The real issue which is not discussed here is the question of whether we can access the algorithms themselves. The problem, and the reason for the solution to that problem lying in terms of the test of how it works in practice, is that it is not sufficient just to have simple information about the actual mathematics of the algorithm because that in itself would not give us enough information. What we need, for those in a particular part of the population cohort, is knowledge of the consequences of being in one category or another and how that is weighed up by those carrying out the processing. This covers all the ways in which decisions are made on credit, on our purchases and how we are advertised to. It is happening now, so the sooner we can get the information, the better. I look forward to hearing the Minister’s comments when she comes to respond.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I start by thanking noble Lords for their amendments, which bring us back to the important issues around the use of automated processing in what is an increasingly digital world. I apologise if my smile was misleading, I was just very pleased to see the noble Baroness in her place; it did not indicate anything other than that.
The range in which automated processing is applied includes everything from suggested views on YouTube to quotes for home insurance and beyond. In considering these amendments it is important to bear in mind that automated decision-making can bring benefits to data subjects, so we should not view these provisions simply through the prism of threats to data subjects’ rights. The Government are conscious of the need to ensure that stringent provisions are in place to regulate appropriately decisions based solely on automated processing. We have included in the Bill the necessary safeguards such as the right to be informed of automated processing as soon as possible, along with the right to challenge an automated decision made by a data controller or processor. We have considered the amendments proposed by noble Lords and believe that Clauses 13, 43, 48, 94, 95, 111 and 189 provide sufficient safeguards to protect data subjects of all ages—adults as well as children.
Data Protection Bill [HL]
Debate between Baroness Williams of Trafford and Lord Stevenson of BalmacaraWednesday 15th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Baroness Williams of Trafford
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
Lord Stevenson of Balmacara
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
Baroness Williams of Trafford
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Baroness Williams of Trafford
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
Baroness Williams of Trafford
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
Lord Stevenson of Balmacara
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.