The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to all noble Lords who have taken part in this informed and very interesting, although somewhat alarming, debate. I particularly thank the noble Lord, Lord Browne, for securing it and for sharing his thoughts with me beforehand. I am also pleased that the A-team on the Data Protection Bill, which has already been mentioned by the noble Lord, Lord Griffiths, is in place.

The issue here—in a sense, the dilemma—is that for millions of people gambling is an enjoyable leisure activity with no harmful consequences. Sixty-three per cent of adults gambled in one form or another in the last year. However, the Gambling Act makes it clear that gambling is subject to the licensing objectives set out by the Gambling Commission, including the protection of young and vulnerable people from gambling-related harm. Headline rates of problem gambling have remained relatively low over time, at below 1% of the adult population. As noble Lords have mentioned, the latest statistics found that 0.8% of the adult population—some 430,000 people—were classified as problem gamblers in 2015, but a further 2 million people were identified as being at risk of problem gambling.

I do of course realise, and the noble Lord, Lord Morrow, reminded us, that, in addition to those headline numbers, there may be severe consequences for families. I generally agree with the many statistics that have been mentioned in this debate—too many to come back on. The basic fact is that online gambling is big and growing, and 5% of those online gamblers are problem gamblers. The Government are clear that more must be done to protect people from harm, and on 31 October we published a consultation on proposals for changes to gaming machines and social responsibility measures across the gambling industry. The consultation sets out a package of measures to improve player protection for the online sector, including strengthening existing protections and outlining further measures relating to gambling advertising to minimise the risk to the most vulnerable.

Although online gambling is widely accessible and available 24 hours a day, it also has unique characteristics that provide opportunities to protect players. For example, all online gambling is account based, unlike land-based gambling where customers can often gamble anonymously. That means that online operators can know exactly who their customers are, what they are spending their money on and their patterns of gambling behaviour. We have seen some progress in this area with a number of operators adopting the use of behavioural analytics and algorithms to detect problem gambling on their websites. Recent research has found—this might address some of the identity issues raised by the noble Lord, Lord Trevethin and Oaksey—that operators are able to detect problem gambling using the data they collect from customers today.

While that is encouraging, the Government have made it clear that industry must act on the findings of the research to date and trial a range of harm-minimisation measures to strengthen player protection. We want to see the industry evaluate the action it takes and share best practice. In addition, the industry must continue to engage in GambleAware’s research and commit to implement the findings of this ongoing work. The next phase of the research aims to provide a best-practice model that can be used by online gambling companies in their responsible gambling operations, including recommended interventions which have been evaluated for their effectiveness to reduce the risk of harm.

In the light of those issues, what is the Gambling Commission doing? The Gambling Commission is monitoring this area closely and is encouraging operators to increase action to identify harmful play, design and pilot better interventions and put in place measures that work. The commission has already concluded that it will need to consult on changes to the licence conditions and codes of practice next year in order to raise standards in this area. The commission will also issue guidance to the industry setting out expectations in relation to operator interactions with customers.

I turn now to the issue of self-exclusion—an important tool for those who recognise that they have a problem with gambling and a vital means of protecting consumers from harm. All operators must offer self-exclusion to customers on their request, and more than 800,000 online self-exclusions were reported last year. However, as the average player has more than one account, that does not necessarily translate to 800,000 people. The Government understand just how important it is for recovering problem gamblers to be able to self-exclude from all licensed online gambling platforms in one step. A new multi-operator self-exclusion scheme for online gambling, called GAMSTOP, will be launched in spring next year. A range of stakeholders, including GambleAware and GamCare, have provided advice during development of the scheme. I am aware that the proposals for such a scheme were debated by noble Lords during the passage of the Gambling (Licensing and Advertising) Act 2014 and I pay tribute to the noble Lord, Lord Browne, who was a vocal champion of such a scheme back then and has remained a leading advocate for it since.

The new scheme will allow customers to self-exclude from all online licensed operators in a single step. The website will also set out other measures that are available to help people manage their gambling and will signpost specialist advice and support services. It will significantly strengthen the self-exclusion arrangements available for online gamblers and provide improved protection for those customers who have previously self-excluded from individual gambling websites, only to open an account with other operators. As the noble Lord, Lord Browne, asked, we want to see the industry promote awareness of the scheme and do more to increase its take-up along with other responsible gambling tools such as time-outs and deposit limits which are available. These are in the consultation that we have just published.

The noble Lord, Lord Griffiths, asked why this has taken so long. I share the noble Lord’s frustration, and I would have liked to have seen the scheme in operation sooner. Indeed, we called for the gambling consultation and review for implementation of the scheme to be completed at the earliest opportunity. The truth of the matter is that there have been a number of complex issues to consider which I will not bore noble Lords with, but it is absolutely vital that when GAMSTOP is launched, it actually meets its objectives and can ensure that customers who register with it are prevented from gambling online with licensed operators. It is an industry scheme, but the Gambling Commission is working closely with the industry on its development to ensure that it is robust and effective, again a point made by the noble Lord, Lord Browne. Certain technical barriers have had to be overcome, not least in relation to data protection. The system must be capable of dealing with millions of checks being made by operators every day in real time. It must provide a service to consumers that is effective and easy to use, and therefore while the delay is frustrating, it is important that it is robust and will work across all licensed operators. However—in reply to the noble Lord, Lord Griffiths—we expect it to be up and running by March 2018.

While self-exclusion is a useful tool, it is often the case that an individual who chooses to self-exclude may do so as the result of having suffered harm in relation to their gambling. The Government are clear that operators must act quickly to improve approaches to identifying problem gambling on their platforms and interacting with their customers to protect vulnerable people before serious harm occurs.

I turn now to the points raised by my noble friend Lord Chadlington. Where gambling operators have used children’s characters to front games, the Gambling Commission and the Advertising Standards Authority have written to them to make it crystal clear that they are in breach of advertising rules that prohibit gambling marketing material aimed at children. My noble friend also raised the question of independent research and transparency, as did the noble Lord, Lord Foster. We agree that this is an essential tool in building an evidence base and enhancing our understanding of gambling-related harm. GambleAware is an independent charity with an independent chair, and the majority of its board members are from outside the betting industry. We want to see the industry continue to fund GambleAware and others in this important work, as they do research, education and treatment for problem gamblers. We welcome the additional funding of £5 million to £7 million a year for the next two years that the industry is to invest to support a responsible gambling advertising campaign. This is a large sum in advertising terms which compares well with major national health campaigns.

If the current arrangements fall short, the Government will consider alternative options, including the introduction of a mandatory levy. But it is worth reminding ourselves that the current funding target to meet the needs of research, education and treatment, set by the Responsible Gambling Strategy Board, has been suggested to be around £10 million by 2018-19. This target is being actively pursued by GambleAware, but as and when funding targets change, the voluntary system must gear up to meet that need. I repeat: the consultation made it clear that the Government will consider alternative options, including a mandatory levy, if current arrangements fall short.

Let me address some of the points made by noble Lords in their speeches. As far as the two-tiered approach to self-exclusion is concerned—mentioned by, among others, the noble Lords, Lord Browne and Lord Alton, and the noble Baroness, Lady Howe—we want to see the industry build on the existing protections. Some consumers may wish to self-exclude from certain individual products and not the entire online sector, but we want to encourage self-exclusion. Websites are required to set out clearly the gambling management tools available, including self-exclusion. The important thing to remember is that self-exclusion is only part of the problem. Lots of problem gamblers do not self-exclude, so we must deal with the harms caused to others with perhaps worse problems than those who are prepared and self-aware enough to self-exclude.

The noble Lord, Lord Foster, mentioned FOBTs in the consultation, as did others. I can confirm that we are considering potentially going down to as low as £2 for the stake, and are consulting on that specific issue. We have asked the Gambling Commission for more information about how better tracking and monitoring of play on FOBTs can help with interventions to protect players and whether spin speeds on games such as roulette should be looked at.

The noble Lord, Lord Griffiths, asked about how the consultation is going and whether clarity is emerging. The consultation is ongoing and clarity may well emerge from it but we will not be certain until January next year. He also asked when we will produce our results, and he will not be surprised to hear that we will do that in due course. The noble Lord, Lord Morrow, talked about the problem of gambling in Northern Ireland. It is a bit difficult for me to address the issue here as it is a devolved matter for Northern Ireland.

The noble Baroness, Lady Benjamin, talked about children and what we have done to protect them online, and, more importantly, the issue of what we might do to protect them online and whether we will legislate. Under the Gambling Act, the Gambling Commission has broad powers to place new licensing requirements on operators and respond to the pace of change in the online gambling market. In addition, the Gambling Commission has powers to suspend or revoke a licence, impose financial penalties or take criminal action where there is a failure to prevent underage gambling. However, we are not complacent, which is why the Gambling Commission and the Responsible Gambling Strategy Board are currently examining the relationship between children and gambling to determine whether further action is necessary. We expect the gambling industry to play its part in protecting children online, in line with the Government’s internet safety strategy. We will keep the issue firmly under review, acting accordingly where necessary. As for her questions on age verification, children and free games, all licensed operators must have robust policies to prevent underage gambling. Where age verification is not satisfactorily completed within 72 hours, the operator must return any money that the customer has paid into their account and not pay out any winnings.

The noble Lords, Lord Trevethin and Oaksey and Lord Foster of Bath, asked why operators cannot exclude for life. Data protection rules regarding data retention prevent GAMSTOP from technically offering an indefinite self-exclusion option. However, procedures will be in place to notify self-excluders in these circumstances and give them the opportunity to renew their self-exclusions. The noble Lords asked what would happen if there was non-compliance of operators. It will be a licence condition that all operators sign up to GAMSTOP and the normal penalties will therefore apply, including losing their licence.

The noble Lord, Lord Wigley, mentioned the academic paper on gambling-related harm. He was right to point out that harm goes beyond that of the problem gambler—a point which I made at the beginning and was made also in our consultation. In that regard, I welcome the work that the Gambling Commission, the Responsible Gambling Strategy Board and GambleAware are doing better to understand and measure the extent of this issue, which we agree is very important.

My noble friend Lord Smith of Hindhead asked why we are allowing operators to use affiliates and tipsters to harvest data and target the vulnerable. All gambling operators must have a licence from the Gambling Commission to operate and are held responsible for the actions and behaviours of their affiliates. The commission published advice earlier this year on ensuring that direct marketing is not sent to those who have self-excluded from gambling. Operators and affiliates must comply with the requirements of the privacy and electronic communications regulations and the Data Protection Act, and the ICO may take enforcement action if there is evidence of a breach. The Advertising Standards Authority also has the power to take action if it were to receive evidence of irresponsible targeting.

The noble Baroness, Lady Howe, asked about financial transaction blocking. The Gambling Commission has had great success working with payment providers to prevent unlicensed websites accessing the British market. Payment providers work proactively to stop payments to and from unlicensed websites, which means that the true number of websites effectively blocked may be higher than the figures held by the commission, but I would certainly be happy to write to the noble Baroness with the latest figures held by the Gambling Commission.

I am coming to the end of my time. I will certainly write to other noble Lords, because there are several questions that I have not answered—I think that about 48 questions were asked during the debate. I will read what the noble Lord, Lord Alton, said and write to him on it.

This has been an informative and interesting debate. I thank again the noble Lord, Lord Browne, for bringing it and allowing us to discuss these important issues. We have seen significant changes to the market since the implementation of the Gambling Act, as well as to public perceptions of gambling and to our understanding of harm across the gambling landscape. Our objective in engaging in the gambling review is to strike the right balance between socially responsible growth and the protection of consumers and the communities in which they live. We have listened to what has been said today. I will take noble Lords’ speeches back to the department. I encourage all noble Lords who have a view on these matters to respond to the consultation, which they have until January to do.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I am very happy to take that request back to the department and put it before the Minister responsible for gambling.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.

Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.

As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.

It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.

I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.

Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.

Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.

Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.

Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.

Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.

It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.

I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.

This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.

The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.

It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.

I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.

With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.

Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.

Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.

More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?

We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.

I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.

To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.

Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.

All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.

The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

Could I ask the noble Baroness to repeat which provision she is referring to?

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.

The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.

Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.

I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.

The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.

In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.

Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.

As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.

The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.

However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.

Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.

The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.

This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.

There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.

The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.

Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.

The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.

It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.

The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.

As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.

I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.

Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.

Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.

I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.

Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.

Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.

Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.

We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.

On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.

On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.

Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.

The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.

Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.

I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.

Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.

I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I understand that the chair and the panel are currently finalising the report and recommendations in consultation with key stakeholders. It is hoped that they will submit the report to the Chancellor and the Secretary of State for DCMS before the end of the year.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Of course, I understand the implications of the HLF’s fairly sudden decision to close the grants for the places of worship scheme. As a result, the Minister responsible has had discussions with the HLF. I am pleased to say that it has guaranteed to make available the same proportion for the next two years, so the funding will continue. As for other faiths, it is true that the review concentrates on the Church of England, but any lessons learned from that can be taken forward and applied to other faiths. The main government funding, of course, applies to other faiths.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

The Government have already committed to maintaining the funding until 2020. In fact, there is a good story to tell: over the past 40 years —so this includes Governments of both colours— £1.36 billion has been spent on historic places of worship. During the 2014-16 period, an exceptional total of £185 million per year was spent. Of course, the fund that my noble friend mentioned was just one area in which the Government have spent money. As a result of this 40 years of taxpayers’ money being spent on them, only 4% of those listed places of worship are on the at-risk register.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

As I said, the listed places of worship grant scheme applies to all faiths. The taxpayer has spent an extra £95 million in the past two years to support places of worship. As I mentioned in the previous answer, I think that we are in a pretty good place.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Of course I agree with the right reverend Prelate that one way that churches can remain relevant is to involve themselves with things that go on in their community. That is exactly what the review is going to look at, among other things, including the uses of listed buildings for purposes beyond worship and what barriers prevent that happening.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

That is precisely why the Listed Places of Worship Grant Scheme covers all faiths.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I cannot comment on the former Chancellor’s personal finances, but I understand the point—I think it was implicit in what my noble friend Lord Cormack said.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.

The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.

Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.

Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.

These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.

Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.

I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.

We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.

Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.

The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.

I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.

The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.

The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.

Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.

I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Quickly, because I will not remember all the questions and points, I want to emphasise that they are all very good points and I will reflect on them. My main mission is to get the GDPR and law enforcement directive in place by May 2018. I absolutely accept the point made by the noble Lord, Lord McNally—that this is the tip of iceberg—but we must bear in mind that this is about data protection, both today and on Report, so I will focus on that. We have already had other avenues to raise a lot of the points the noble Lord made, but I agree that it is a huge issue. He asked when the report from the Information Commissioner will be available. I would expect it before Christmas, so it will be before the Bill becomes law.

I certainly undertake to reflect on what the noble Baroness, Lady Jay, said about the Electoral Commission. I believe that our call for views was after the election; nevertheless, I take her point. I am very sorry but I cannot remember what the point from the noble Lord, Lord Whitty, was, but I accept these things have to be taken into account. When we have our meeting—it is becoming a big meeting—it will be for people concerned specifically with the Data Protection Act, not some of the issues that lie outside that narrow area, important though they are.

I ask noble Lords not to press their amendments.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, they have not been reduced. This is the position that exists today.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

No, it is not the first time because this is the position that exists under the Data Protection Act 1998.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Baroness for making her debut in the Committee stage and to the noble Lord for his comments. By way of background, because I find it quite complicated, it is worth reminding ourselves that article 9 of the GDPR provides processing conditions for special categories of data. In particular, the processing necessary for,

“the establishment, exercise or defence of legal claims”,

is permitted by article 9(2)(f). It is directly applicable and does not allow any discretion to derogate from it in any way. Article 10 of the GDPR, which relates to criminal convictions and offences data, takes a different approach. It requires member states to set out in their law conditions relating to the processing of said criminal convictions and offences data in order to enable many organisations to process it. Paragraph 26 of Schedule 1 therefore seeks to maintain the status quo by replicating in relation to criminal convictions data the processing condition for the special categories of personal data contained in article 9(2)(f).

Government Amendment 65, referred to by the noble Baroness, responds to a request we have had from stakeholders to anglicise the language currently used in that paragraph. The Government strongly agree about the importance of ensuring that data protection law does not accidentally undermine the proper conduct of legal proceedings, which is why we have made this provision. We submit that Amendments 63A and 64A are unnecessary. They are predicated on the false premise that government Amendment 65 in some way changes the scope of paragraph 26. It does not, it simply anglicises it. However, even if different wording were to be used in Amendment 63A to that used in Amendment 65, we are certain that the Commission would take a dim view of member states attempting to use article 9(2)(g), the substantial public interest processing condition, to expand article 9(2)(f) in the way that Amendment 63A proposes. In the light of that explanation, I would be grateful if in this case the noble Baroness would withdraw her amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, as we have heard, Part 3 of the Digital Economy Act 2017 requires online providers of pornographic material on a commercial basis to institute appropriate age verification controls. My noble friend’s Amendment 71ZA seeks to allow the age verification regulator to publish regulations relating to the protection of personal data processed for that purpose. The amendment aims to provide protection, choice and trust in respect of personal data processed for the purpose of compliance with Part 3 of the 2017 Act.

I think that I understand my noble friend’s aim. It is a concern I remember well from this House’s extensive deliberations on what became the Digital Economy Act, as referred to earlier. We now have before us a Bill for a new legal framework which is designed to ensure that protection, choice and trust are embedded in all data-processing practices, with stronger sanctions for malpractice. This partly answers my noble friend Lord Elton, who asked what we would produce to deal with this problem.

Personal data, particularly those concerning a data subject’s sex life or sexual orientation, as may be the case here, will be subject to rigorous new protections. For the reasons I have just mentioned, the Government do not consider it necessary to provide for separate standards relating exclusively and narrowly to age verification in the context of accessing online pornography. That is not to say that there will be a lack of guidance to firms subject to Part 3 of the 2017 Act on how best to implement their obligations. In particular, the age verification regulator is required to publish guidance about the types of arrangements for making pornographic material available that the regulator will treat as compliant.

As noble Lords will be aware, the British Board of Film Classification is the intended age verification regulator. I reassure noble Lords that in its preparations for taking on the role of age verification regulator, the BBFC has indicated that it will ensure that the guidance it issues promotes the highest data protection standards. As part of this, it has held regular discussions with the Information Commissioner’s Office and it will flag up any potential data protection concerns to that office. It will then be for the Information Commissioner to determine whether action or further investigation is needed, as is her role.

The noble Lord, Lord Clement-Jones, talked about anonymisation and the noble Lord, Lord Stevenson, asked for an update of where we actually were. I remember the discussions on anonymisation, which is an important issue. I do not have the details of exactly where we have got to on that subject—so, if it is okay, I will write to the noble Lord on that.

I can update the noble Lord, Lord Stevenson, to a certain extent. As I just said, the BBFC is in discussion with the Information Commissioner’s Office to ensure that best practice is observed. Age verification controls are already in place in other areas of internet content access; for example, licensed gambling sites are required to have them in place. They are also in place for UK-based video-on-demand services. The BBFC will be able to learn from how these operate, to ensure that effective systems are created—but the age verification regulator will not be endorsing a list of age verification technology providers. Rather, the regulator will be responsible for setting guidance and standards on robust age verification checks.

We continue to work with the BBFC in its engagement with the industry to establish the best technological solutions, which must be compliant with data protection law. We are aware that such solutions exist, focusing rightly on verification rather than identification—which I think was the point made by the noble Lord, Lord Clement-Jones. If I can provide any more detail in the follow-up letter that I send after each day of Committee, I will do so—but that is the general background.

Online age verification is a rapidly growing area and there will be much innovation and development in this field. Industry is rightly putting data privacy and security at the forefront of its design, and this will be underscored by the new requirements under the GDPR. In view of that explanation, I hope that my noble friend will be able to withdraw his amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I believe that during our previous day in Committee, I offered to meet my noble friend.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lord, Lord Stevenson, for raising this important subject. I recall the questions that he posed at Second Reading about whether data subjects had sufficient support in relation to the power of companies that wanted to access, use and monetise their data, and I recognise the intention behind his amendment, which he carefully explained. I also agree wholeheartedly with him that these are questions worthy of debate, not only during the passage of this Bill, but over the coming months and years as the digital economy continues to develop. Later in Committee, we may discuss suitable forums where this could take place. These are big questions of data rights and how they are monetised, if they are, versus the growth of the digital economy for public benefit.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I thank the noble Lord, Lord Clement-Jones, who introduced this interesting debate; of course, I recognise his authority and his newfound expertise in artificial intelligence from being chairman of the Select Committee on Artificial Intelligence. I am sure that he is an expert anyway, but it will only increase his expertise. I thank other noble Lords for their contributions, which raise important issues about the increasing use of automated decision-making, particularly in the online world. It is a broad category, including everything from personalised music playlists to quotes for home insurance and far beyond that.

The noble Lord, Lord Stevenson, before speaking to his amendments, warned about some of the things that we need to think about. He contrasted the position on human embryology and fertility research and the HFEA, which is not exactly parallel because, of course, the genie is out of the bottle in that respect, and things were prevented from happening at least until the matter was debated. But I take what the noble Lord said and agree with the issues that he raised. I think that we will discuss in a later group some of the ideas about how we debate those broader issues.

The noble Baroness, Lady Jones, talked about how she hoped that the repressive bits would be removed from the Bill. I did not completely understand her point, as this Bill is actually about giving data subjects increased rights, both in the GDPR and the law enforcement directive. That will take direct effect, but we are also applying those GDPR rights to other areas not subject to EU jurisdiction. I shall come on to her amendment on the Human Rights Act in a minute—but we agree with her that human beings should be involved in significant decisions. That is exactly what the Bill tries to do. We realise that data subjects should have rights when they are confronted by significant decisions made about them by machines.

The Bill recognises the need to ensure that such processing is correctly regulated. That is why it includes safeguards, such as the right to be informed of automated processing as soon as reasonably practicable and the right to challenge an automated decision made by the controller. The noble Lord, Lord Clement-Jones, alluded to some of these things. We believe that Clauses 13, 47, 48, 94 and 95 provide adequate and proportionate safeguards to protect data subjects of all ages, adults as well as children. I can give some more examples, because it is important to recognise data rights. For example, Clause 47 is clear that individuals should not be subject to a decision based solely on automated processing if that decision significantly and adversely impacts on them, either legally or otherwise, unless required by law. If that decision is required by law, Clause 48 specifies the safeguards that controllers should apply to ensure the impact on the individual is minimised. Critically, that includes informing the data subject that a decision has been taken and providing them 21 days within which to ask the controller to reconsider the decision or retake the decision with human intervention.

I turn to Amendments 74, 134 and 136, proposed by the noble Lord, Lord Clement-Jones, which seek to insert into Parts 2 and 3 of the Bill a definition of the term,

“based solely on automated processing”,

to provide that human intervention must be meaningful. I do not disagree with the meaning of the phrase put forward by the noble Lord. Indeed, I think that that is precisely the meaning that that phrase already has. The test here is what type of processing the decision having legal or significant effects is based on. Mere human presence or token human involvement will not be enough. The purported human involvement has to be meaningful; it has to address the basis for the decision. If a decision was based solely on automated processing, it could not have meaningful input by a natural person. On that basis, I am confident that there is no need to amend the Bill to clarify this definition further.

In relation to Amendments 74A and 133A, the intention here seems to be to prevent any automated decision-making that impacts on a child. By and large, the provisions of the GDPR and of the Bill, Clause 8 aside, apply equally to all data subjects, regardless of age. We are not persuaded of the case for different treatment here. The important point is that the stringent safeguards in the Bill apply equally to all ages. It seems odd to suggest that the NHS could, at some future point, use automated decision-making, with appropriate safeguards, to decide on the eligibility for a particular vaccine—

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I was coming to recital 71. In the example I gave, it seems odd to suggest that the NHS could at some future point use automated decision-making with appropriate safeguards to decide on the eligibility for a particular vaccine of an 82 year-old, but not a two year-old.

The noble Lord referred to the rather odd wording of recital 71. On this point, we agree with the Article 29 working party—the group of European regulators—that it should be read as discouraging as a matter of best practice automated decision-making with significant effects on children. However, as I have already said, there can and will be cases where it is appropriate, and the Bill rightly makes provision for those.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I think that “chapter and verse” implies “written”—and I will certainly do that because it is important to write to all noble Lords who have participated in this debate. As we have found in many of these areas, we need to get these things right. If I am to provide clarification, I will want to check—so I will take that back.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I will. I had some inspiration from elsewhere on that very subject—but it was then withdrawn, so I will take up the offer to write on that. However, I take the noble Lord’s point.

We do not think that Amendment 75 would work. It seeks to prevent any decision being taken on the basis of automated decision-making where the decision would “engage” the rights of the data subject under the Human Rights Act. Arguably, such a provision would wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making at the very least engaged the data subject’s right to have their private life respected under Article 8 of the European Convention on Human Rights, even if it was entirely lawful. All decisions relating to the processing of personal data engage an individual’s human rights, so it would not be appropriate to exclude automated decisions on this basis. The purpose of the Bill is to ensure that we reflect processing in the digital age—and that includes automated processing. This will often be a legitimate form of processing, but it is right that the Bill should recognise the additional sensitivities that surround it. There must be sufficient checks and balances and the Bill achieves this in Clauses 13 and 48 by ensuring appropriate notification requirements and the right to have a decision reassessed by non-automated means.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Automated processing could do that. However, with the appropriate safeguards we have put in the Bill, we do not think that it will.

Amendment 77 seeks to define a significant decision as including a decision that has legal or similar effects for the data subject or a group sharing one of the nine protected characteristics under the Equality Act 2010 to which the data subject belongs.

We agree that all forms of discrimination, including discriminatory profiling via the use of algorithms and automated processing, are fundamentally wrong. However, we note that the Equality Act already provides a safeguard for individuals against being profiled on the basis of a particular protected characteristic they possess. Furthermore, recital 71 of the GDPR states that data controllers must ensure that they use appropriate mathematical or statistical procedures to ensure that factors which result in inaccuracies are minimised, and to prevent discriminatory effects on individuals,

“on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation”.

We therefore do not feel that further provision is needed at this stage.

Amendment 77A, in the name of the noble Lord, Lord Stevenson, seeks to require a data controller who makes a significant decision based on automated processing to provide meaningful information about the logical and legal consequences of the processing. Amendment 119, as I understand it, talks to a similar goal, with the added complication of driving a wedge between the requirements of the GDPR and applied GDPR. Articles 13 and 14 of the GDPR, replicated in the applied GDPR, already require data controllers to provide data subjects with this same information at the point the data is collected, and whenever it is processed for a new purpose. We are not convinced that there is much to be gained from requiring data controllers to repeat such an exercise, other than regulatory burden. In fact, the GDPR requires the information earlier, which allows the data subject to take action earlier.

Similarly, Amendment 77B seeks to ensure that data subjects who are the subject of automated decision-making retain the right to make a complaint to the commissioner and to access judicial remedies. Again, this provision is not required in the Bill, as data subjects retain the right to make a complaint to the commissioner or access judicial remedies for any infringement of data protection law.

Amendment 78 would confer powers on the Secretary of State to review the operational effectiveness of article 22 of the GDPR within three years, and lay a report on the review before Parliament. This amendment is not required because all new primary legislation is subject to post-legislative scrutiny within three to five years of receiving Royal Assent. Any review of the Act will necessarily also cover the GDPR. Not only that, but the Information Commissioner will keep the operation of the Act and the GDPR under review and will no doubt flag up any issues that may arise on this or other areas.

Amendment 153A would place a requirement on the Information Commissioner to investigate, keep under review and publish guidance on several matters relating to the use of automated data in the health and social care sector in respect of the terms on which enterprises gain consent to the disclosure of the personal data of vulnerable adults. I recognise and share noble Lords’ concern. These are areas where there is a particular value in monitoring the application of a new regime and where further clarity may be beneficial. I reassure noble Lords that the Information Commissioner has already contributed significantly to GDPR guidance being developed by the health sector and continues to work closely with the Government to identify appropriate areas requiring further guidance. Adding additional prescriptive requirements in the Bill is unlikely to help them shape that work in a way that maximises its impact.

As we have heard, Amendment 183 would insert a new clause before Clause 171 stating that public bodies who profile a data subject should inform the data subject of their decision. This is unnecessary as Clauses 13 and 48 state that when a data controller has taken a decision based solely on automated processing, they must inform the data subject in writing that they have done so. This includes profiling. Furthermore, Clauses 13 and 48 confer powers on the Secretary of State to make further provisions to provide suitable measures to safeguard a data subject’s rights and freedoms.

I thank noble Lords for raising these important issues, which deserve to be debated. I hope that, as a result of the explanation in response to these amendments, I have been able to persuade them that there are sufficient safeguards in relation to automated decision-making in the GDPR and Parts 2 to 4 of the Bill, and that their amendments are therefore unnecessary. On that basis, I invite noble Lords not to press their amendments.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I highlight that we do not disagree with that. I will study carefully what my noble friend Lord Lucas said. We agree that it is important that privacy rights continue to be protected, and we do not expect data subjects to have their lives run by computer alone. That is exactly why the Bill creates safeguards: to make sure that individuals can request not to be the subject of decisions made automatically if it might have a significant legal effect on them. They are also allowed to demand that a human being participate meaningfully in those decisions that affect them. I will look at what my noble friend said and include that in my write-round. However, as I said, we do not disagree with that. The illusion that we have got to a stage where our lives will be run unaccountably by computers is exactly what the Bill is trying to prevent.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, if it is mentioned in the GDPR, then it is there.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, the noble Lord, Lord Stevenson, has raised the important issue of data ethics. I am grateful to everyone who has spoken on this issue tonight and has agreed that it is very important. I assure noble Lords that we agree with that. We had a debate the other day on this issue and I am sure we will have many more in the future. The noble Lord, Lord Puttnam, has been to see me to talk about this, and I tried to convince him then that we were taking it seriously. By the sound of it, I am not sure that I completely succeeded, but we are. We understand the points he makes, although I am possibly not as gloomy about things as he is.

We are fortunate in the UK to have the widely respected Information Commissioner to provide expert advice on data protection issues—I accept that that advice is just on data protection issues—but we recognise the need for further credible and expert advice on the broader issue of the ethical use of data. That is exactly why we committed to setting up an expert advisory data ethics body in the 2017 manifesto, which, I am glad to hear, the noble Lord, Lord Clement-Jones, read carefully.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Tonight the noble Lord can because the Secretary of State is leading on this important matter. She is as committed as I am to ensuring that such a body is set up shortly. She has been consulting widely with civil society groups, industry and academia, some of which has been mentioned tonight, to refine the scope and functions of the body. It will work closely with the Information Commissioner and other regulators. As the noble Lords, Lord Clement-Jones and Lord Patel, mentioned, it will identify gaps in the regulatory landscape and provide Ministers with advice on addressing those gaps.

It is important that the new advisory body has a clearly defined role and a strong relationship to other bodies in this space, including the Information Commissioner. The Government’s proposals are for an advisory body which may have a broader remit than that suggested in the amendment. It will provide recommendations on the ethics of data use in gaps in the regulatory landscape, as I have just said. For example, one fruitful area could be the ethics of exploiting aggregated anonymised datasets for social and commercial benefit, taking into account the importance of transparency and accountability. These aggregated datasets do not fall under the legal definition of personal data and would therefore be outside the scope of both the body proposed by the noble Lord and, I suspect, this Bill.

Technically, Amendment 78 needs to be more carefully drafted to avoid the risk of non-compliance with the GDPR and avoid conflict with the Information Commissioner. Article 51 of the GDPR requires each member state to appoint one or more independent public authorities to monitor and enforce the GDPR on its territory as a supervisory authority. Clause 113 makes the Information Commissioner the UK’s sole supervisory authority for data protection. The functions of any advisory data ethics body must not cut across the Information Commissioner’s performance of its functions under the GDPR.

The amendment proposes that the advisory board should,

“monitor further technical advances in the use and management of personal data”.

But one of the Information Commissioner’s key functions is to

“keep abreast of evolving technology”.

That is a potential conflict we must avoid. The noble Lord, Lord Patel, alluded to some of the conflicts.

Nevertheless, I agree with the importance that noble Lords place on the consideration of the ethics of data use, and I repeat that the Government are determined to make progress in this area. However, as I explained, I cannot agree to Amendment 78 tonight. Therefore, in the light of my explanation, I hope the noble Lord will feel able to withdraw it.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I cannot agree with the noble Baroness’s point. However, I accept that that is a possibility and that things will not last for ever. However, in this case we expect to have the proposals shortly and this Government will definitely be around at that time.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

The noble Baroness asked whether it would be enshrined in this Bill. As I tried to explain, it will have a far broader remit than this Bill.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, as a non-lawyer, I am delighted to find myself in the same company as the noble and learned Lord, Lord Hope of Craighead, as this has also introduced me to an area of trust law which I am not familiar with. I thank noble Lords for their amendments, which concern the exemptions from data rights in the GDPR that the Bill creates. Two weeks ago we debated amendments that sought to create an absolute right to data protection. Today we will further debate why, in some circumstances, it is essential to place limitations on those rights.

The exemptions from data rights in the GDPR are found in Schedules 2 to 4 to the Bill. Part 6 of Schedule 2 deals with exemptions for scientific or historical research and archiving. Without these exemptions, scientific research which involves working on large datasets would be crippled by the administration of dealing with requests from individuals for their data and the need to give notice and service other data rights. This data provides the fuel for scientific breakthroughs, which the noble Lord, Lord Patel, and others have told us so much about in recent debates.

Amendment 79 seeks to remove “scientific or historical” processing from the signposting provision in Clause 14. Article 89 of the GDPR is clear that we may derogate only in relation to specifically historical or scientific research. We believe that Clause 14 needs to correctly describe the available exemption, although I reassure noble Lords that, as we have discussed previously, these terms are to be interpreted broadly, as outlined in the recitals.

Part 1 of Schedule 2 deals with exemptions relating to crime, tax and immigration. For example, where the tax authorities assess whether tax has been correctly paid or criminally evaded, that assessment must not be undermined by individuals accessing the data being processed by the authority. Amendments 79A and 79B, spoken to by the noble Lord, Lord Griffiths of Burry Port, would limit the available exemptions by removing from the list of GDPR rights that can be disapplied the right to restrict processing and the right to object to processing. In my example, persons subject to a tax investigation would be able to restrict and object to the processing by a tax authority. Clearly that is not desirable.

Amendments 80A and 83A seek to widen the exemption in paragraph 5(3) of Schedule 2 which exempts data controllers from complying with certain data rights where that data is to be disclosed for the purposes of legal proceedings. Without this provision, which mirrors the 1998 Act, individuals may be able to unfairly disrupt legal proceedings by blocking the processing of data. We are aware that the Bar Council has suggested that the exemption be widened as the amendments propose. This would enable data controllers to be wholly exempt from the relevant data rights. We believe that this is too wide and that the exemption should apply only where the data is, or will be, subject to a disclosure exercise, which is a process managed through court procedure rules. At paragraph 17 of Schedule 2, the Bill makes separate provision for exemptions to protect legal professional privilege. We think that the Bill continues to strike the right balance between the rights of data subjects and controllers processing personal data for the purposes of exercising their legal rights.

Amendment 83B seeks to remove paragraph 7 of Schedule 2 from the Bill. This paragraph sets out the conditions for restricting data subjects’ rights in respect of personal data processed for the purposes of protecting the public. Those carrying out functions to protect the public would include bodies and watchdogs concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, securing the health and safety of persons at work and protecting charities and fair competition in business. Paragraph 7, which is based on the current Section 31 of the 1998 Act, ensures that important investigations can continue without interference. Without this paragraph, persons would have to be given notice that they were being investigated and, on receipt of notice, they could require their data to be deleted, frustrating the investigation.

Paragraph 14 of Schedule 2 allows a data controller to refuse to disclose information to the data subject where doing so would involve disclosing information relating to a third party. Amendment 86A would remove the circumstances set out in sub-paragraph (3) to which a data controller must have regard when determining whether it is reasonable to disclose information relating to a third party without their consent. These considerations mirror those in the 1998 Act and we think that they remain important matters to be considered when determining reasonableness. They also allow for any duty of confidentiality to be respected.

Paragraph 15 of Schedule 2 ensures that an individual’s health, education or social work records cannot be withheld simply because they make reference to the health, education and social work professionals who contributed to them. Amendment 86B would allow a controller to refuse to disclose an individual’s health records to that individual on the grounds that they would identify the relevant health professionals who authored them. We believe that individuals should be able to access their health records in these circumstances.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

This was included in the letter I was sent today. I am afraid the noble Lord has not got it. The noble Lord, Lord Kennedy, helpfully withdrew his amendment before I was able to say anything the other night but the EU withdrawal Bill will convert the full text of direct EU instruments into UK law. This includes recitals, which will retain their status as an interpretive aid.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

We are not transposing the GDPR. It takes direct effect on 25 May.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

They will be part of UK law, because the withdrawal Bill will convert the full text into UK law. There will of course be a difference between the recitals and the articles; it will be like a statutory instrument, where the Explanatory Memorandum is part of the text of the instrument.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

Yes.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

One thing we can all be certain of is that the legal profession will cope.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

That the draft Order laid before the House on 7 September be approved.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, the order forms a very small part of a package of secondary legislation that will enable charities that have adopted the company structure, or a community interest company, to use a simple process to convert into a charitable incorporated organisation —CIO—should they so wish, and makes some consequential amendments. The order provides a right of appeal against a decision of the Charity Commission not to permit a community interest company to convert into a CIO. This mirrors the right of appeal that already exists in statute in Schedule 6 to the Charities Act 2011 for a charitable company.

It may help the House if I explain the overall package of which the order forms a small part. If approved by Parliament, the two negative resolution regulations that complete the package will also be made. The first sets out the detail of the conversion process for community interest companies and supplements the provision for charitable companies. The second adds CIOs and Scottish CIOs to the index of company names to prevent the registration of new companies with names that are the same as, or too similar to, existing CIOs and Scottish CIOs on the index. This will help charities to protect their corporate identity. To assist in understanding the package of secondary legislation, my honourable friend the Minister for Sport and Civil Society has deposited draft versions of the two other statutory instruments in the House Library.

The CIO, available since 2013, is the first and only legal structure designed specifically for charities. It has the benefits of legal personality and limited liability for its members and trustees, but, unlike the company structure, it is subject to a single regulatory regime under the Charity Commission rather than a dual regime under both the Charity Commission and Companies House. It has proved popular, with more than 12,000 CIOs set up so far.

Some charities that had already chosen the company structure may want to change to become CIOs, and some community interest companies may want to become CIOs. That is the purpose of this package of legislation: to enable a smooth conversion process that makes it simple for charitable companies and community interest companies to convert if they want to. These changes have been developed in close consultation with the Charity Commission, Companies House and the Scottish Government. Consultation feedback showed overwhelming support, 95%, for establishing a statutory conversion process.

That is the background. The draft order before us today merely provides a right of appeal for community interest companies. I commend it to the House and beg to move.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I thank both noble Lords for their comments. I shall start with my noble friend. Of course we are aware that there will be some work involved in this for the Charity Commission, and we also acknowledge that it has limited resources. That is why we have agreed with the commission a phased approach to implementation. It has been planning for this for a number of years and has IT processes and support systems in place. I remind noble Lords that the Charity Commission received an £8 million investment in 2015 to support its transition into a modern, effective regulator and we believe that it has made very good progress. Work is under way within government to explore future funding options, including bringing the Charity Commission more into line with the model of other regulators. All options regarding the future funding model will be properly considered by the Government and will be subject to public consultation before any changes are made.

I am grateful to the noble Lord, Lord Stevenson, for his kind words about the preparation of this order, for which I take no credit, but the DCMS team, which does, will be very pleased: I think it is merited. I take his point about the issues more generally about charities. I agree with my noble friend Lord Hodgson that the report by your Lordships’ Committee on Charities, Stronger Charities for a Stronger Society, is awaiting a response. I can say that that will be coming soon, and soon means soon in this case.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I have spent a long time at this Dispatch Box debating what “soon” means, and “very soon” and “imminent”, but in this case it is soon. My noble friend Lord Hodgson said there are opportunities in that response. I think it will be worth reading. I am sure that in due course the business managers will arrange a debate on the report.

My noble friend did not mention, but the noble Lord, Lord Stevenson, did, that he was responsible for the statutory review of the Charities Act 2006. The Law Commission’s report, which was published in September, examined a range of technical changes in charity law, many of which my noble friend posited in his statutory review. We welcome the Law Commission’s report and we will respond formally in due course. I expect, but cannot guarantee, that our response will be positive. The challenge is likely to be securing a legislative slot, which may take some time.

The noble Lord, Lord Stevenson, asked why we chose 1 January. I can only assume—if I am wrong on this, I will confirm it—that it was because it is the beginning of the new year and we decided that would be a good time. He asked one more, rather technical, question, and I do not have an answer to it. I will certainly write to him.

As I explained, the order provides a right of appeal for community interest companies. The rest of the package will be laid if the order is agreed to. I commend it to the House.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.

At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.

The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.

The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.

The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.

I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.

The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.

Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.

We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.

We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.

It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.

First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.

Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.

Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.

Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.

Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.

I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.

Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.

In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.

There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.

Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.

I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.

First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.

Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I am happy to confirm those two points. On extraterritoriality, I agree with the noble Baroness that it is difficult to control. Commercial sites are easier—an example of which is gambling. We can control the payments, so if they are commercial and cannot pay people, they may well lose their attractiveness. Of course, the only way to solve this is through international agreement, and the Government are working on that. Part of my point is that, if you drive children away to sites located abroad, there is a risk in that. The big, well-known sites are by and large responsible. They may not do what we want, but they will work with the Government. That is the thrust of our argument. We are working with the well-known companies and, by and large, they act responsibly, even if they do not do exactly what we want. As I say, however, we are working on that. The noble Baroness is right to say that, if we drive children on to less responsible sites based in jurisdictions with less sensible and acceptable regimes, that is a problem.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I cannot give the noble Lord chapter and verse on what the European bureaucrats were thinking when they produced the article, but age verification is not really the issue on this one, because it is extremely difficult to verify ages below 18 anyway. Although one can get a driving licence at 17, it is at the age of 18 when you can have a credit card. As I say, the issue here is not age verification—rather, it is about how, when we make things too onerous, that has the potential to drive people away on to other sites which take their responsibilities less seriously. That was the point I was trying to make.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I take that point completely. So that I get it right, it would be best if I write to the noble Baroness about what we are doing. I am afraid that I cannot recall whether it is the G8, the G20 or whatever. Ownership is obviously a key point as well, so I will write to the noble Baroness on those points.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.

The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.

I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I take that point. I also understand the difference that the noble Baroness, Lady Lane-Fox, highlighted between digital skills and digital understanding, and we need to address that. One of the issues that the data ethics body is going to look at is how society deals with these technical problems, albeit that they are changing incredibly fast.

I have talked about younger pupils. Older pupils are also taught citizenship as part of the national curriculum. That equips pupils to take their place in society as active and responsible citizens, including providing them with the knowledge and skills that they need to think critically and to research and interrogate evidence. These vital skills help our children understand how their data can be used and why data protection is important.

Amendment 20 would require the Secretary of State for Education to make changes to the current maintained schools national curriculum, and would create new requirements for independent schools and academies. In our view, now is not the time to make further changes to these subjects. We need to allow schools to fully embed the new curriculum in order to provide a period of stability for schools so that they can focus on ensuring that pupils are taught this new curriculum well, including the new aspects on data protection.

Having said that, we are not complacent. We realise that companies’ use of data in the online world is increasingly complex and that we need to support children to understand that. The changes introduced in the Children and Social Work Act 2017 represent a step change in education on online safety. For the first time it will be compulsory for all primary-aged children at school in England to be taught relationships education, and all secondary-school children will be taught relationships and sex education. In addition, we will carefully consider whether also to make personal, social, health and economic education compulsory in all schools.

The noble Lord, Lord Knight, took my lines to a certain extent. I was going to confirm that the Department for Education confirmed today that it has begun its engagement with stakeholders. This is a point that has come up before: that will help it reach evidence-based decisions on the content. I can tell the noble Lord that the head teacher who is running it will advise the Department for Education on what will be included in relationships and sex education and PSHE, whether it should be compulsory and, if so, what content may be included. It will be live to online issues and include what children need to know to be safe online, beyond what is already in the computing curriculum.

The Government will ensure that these new compulsory subjects in England address the challenges experienced by young people online and are seeking views to work out exactly what this should cover and how best to do so. The Department for Education will support schools to ensure that content is pitched at the right level for each school year and builds knowledge as children grow up. Engagement and consultation will help us to get the detail right.

My department, DCMS, and the Department for Education are working together on the online safety aspects of these subjects. We will work with partners, including social media and technology companies, subject experts, law enforcement—

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.

We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.

I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.

The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)

- Hansard -

Copy Link

-

My Lords, I am grateful to all noble Lords who have participated. I am especially grateful for the clear way in which the noble Lord, Lord Griffiths, outlined the case for all his amendments. He could have chosen an easier Bill to start on, I must say, but he did it very well. I am grateful for the opportunity to set out the purpose of various conditions included in Schedule 1, this time specifically with reference to Part 2.

As we have already discussed, for “special categories of data” to be processed lawfully, controllers must demonstrate that their processing meets one of the processing conditions set out in article 9 of the GDPR. We have already touched on several of these. Here we turn to processing which is,

“necessary for reasons of substantial public interest”.

Clause 9 requires that controllers wishing to rely on this processing condition must meet one of the conditions set out in Part 2 of Schedule 1.

Paragraph 7 of Schedule 1 allows processing of certain specified special categories of personal data for the purpose of promoting equality of opportunity. Amendment 37 seeks to expand this condition to permit the processing of additional categories of personal data. This is unnecessary because the categories of data referred to in the amendment are either not considered by the GDPR framework to be special categories of data in the first place or covered by the categories already listed in paragraph 7 of Schedule 1; for example, “Personal data revealing age” need not be listed because it is not subject to additional protection to begin with.

The Government accept that the existing special categories of data are broad and in some circumstances will overlap with the categories of data suggested in the amendment; for example,

“Personal data revealing a disability”,

will fall within the special category of “Data concerning health”. But in these cases, paragraph 7 already permits the processing of such data for equality-monitoring purposes. I will read carefully the remarks of the noble Lord, Lord Lester. I suspect his point is to do with what is and what is not a special category of data, but I will read Hansard and write to him, and copy other noble Lords. I thank him for not requiring a considered answer tonight.

Amendments 38 and 39 address the condition in paragraph 8 which permits the processing of data where this is,

“necessary for the purposes of the prevention or detection of an unlawful act”.

Amendment 38 would make it clear that the condition was available only if the unlawful act in question was “serious”. I can understand the rationale behind the amendment but the Government consider that it might nevertheless be in the substantial public interest for an organisation to process data for the prevention or detection of an unlawful act that was not obviously “serious”. An offence such as driving without a licence or insurance may not be the most serious in terms of the maximum penalty available, but it could still be in the substantial public interest for it to be reported by the data controller. Paragraph 8 ensures that data controllers are empowered to make that call and be accountable for their decision.

Amendment 39 would make the condition available only,

“under circumstances in which it is reasonably clear that a data subject is unlikely to give consent”.

While similar provision is made in other conditions where required, the Government consider that it would not be appropriate in this case, given that the purpose is to process data in circumstances where seeking consent risks prejudicing the prevention or detection of an unlawful act.

Amendment 40 would remove the word “dishonesty” from paragraph 9(2)(a) so that an organisation could rely on this provision only if it were processing sensitive categories of personal data to protect the public from malpractice, other seriously improper conduct or the other listed behaviours. The Government consider that there might be situations where an organisation would also need to process data to protect the public from dishonesty that does not necessarily amount to malpractice or improper conduct. It is therefore right that the paragraph covers the full gamut. This processing condition is not new; a similarly worded provision already exists under the current Data Protection Act.

The noble Lord, Lord Griffiths, suggested that there was a need for a further definition of “dishonesty”. I am afraid we do not agree. The word has a plain English meaning, defined in the dictionary. Furthermore, to define it here would cause confusion as it is used throughout UK legislation.

Amendment 41 would extend the scope of the same processing condition so that it could also be used to protect bodies and associations, rather than just the general public, from dishonesty, malpractice and improper conduct. It is one thing to allow the processing of an individual’s personal data for the purposes of protecting the general public—that is, other individuals; there is a neat symmetry there—but quite another to suggest that it could be processed to protect organisations from reputational harm. On that basis, I cannot agree to include it.

Amendments 43 and 44 address the processing condition in paragraph 12 which allows organisations such as banks to make disclosures “in good faith” under the Terrorism Act 2000 and the Proceeds of Crime Act 2002 about third parties who are suspected of terrorist-financing offences or money laundering. This processing condition is intended to protect organisations that disclose data on the basis of a genuine suspicion, even if it turns out later not to have been well founded. Noble Lords will recall that this condition was debated and agreed to as part of the Criminal Finances Bill earlier this year. The condition is tied to the improvement of a specific statutory regime—known as the suspicious activity reports regime—and is designed to give legal clarity to encourage the sharing of information to prevent serious crime and terrorism. I know there are some in the financial sector who have suggested that these provisions should go further to permit screening by private companies for the purposes of checking against non-UK laws on terrorist financing and money laundering. As noble Lords may be aware, the relevant provisions in the Criminal Finances Act were commenced only at the end of last month. We are not convinced that there is a need to amend them at such an early stage.

Amendment 45 would amend the processing condition relating to,

“confidential counselling, advice or support”,

in paragraph 13. It would add “guidance” to the list of processing activities which are permitted under this provision. This paragraph is not new; the relevant wording is drawn directly from existing legislation. But I am happy to put on the record the Government’s view that guidance is already covered by this provision and thus there is no need to amend it.

Amendments 45A and 64 in the name of my noble friend Lady Neville-Jones seek to clarify the legal status of processing by patient support groups. The Government strongly support the varied and important work of patient support groups and I am grateful for my noble friend’s time in meeting me recently. It is important to reiterate that groups such as Unique will have access to a number of provisions already in the Bill, even in cases where consent cannot be obtained, or reobtained, from the data subject.

We discussed the provisions for scientific research last week. In addition, paragraph 13 of Schedule 1 makes provision for confidential counselling, advice and support. Taken together, the provisions I have mentioned—for consent, scientific research, and confidential counselling, advice and support—seem to cover a great deal of the vital work undertaken by patient support groups. But the Government retain an open mind on this and I will read my noble friend’s contribution in Hansard carefully.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I agree. I have the same. You have to put in your numerical password every so often just to check that you have still got the same finger. Technically, you might not have.

The amendments also seek to permit the processing of such data when biometric identification devices are installed by employers to allow employees to gain access to work premises or when the controller is using the data for internal purposes to improve ID verification mechanisms. I am grateful to the noble Lord for raising this important issue because the use of biometric verification devices is likely only to increase in the coming years. At the moment, our initial view is that, given the current range of processing conditions provided in Schedule 1 to the Bill, no further provision is needed to facilitate the activities to which the noble Lord referred. However, this is a technical issue and so I am happy to write to the noble Lord to set out our reasoning on that point. Of course, this may not be the case in relation to the application of future technology, and we have already discussed the need for delegated powers in the Bill to ensure that the law can keep pace. I think we will discuss that again in a later group.

On this basis, I hope I have tackled the noble Lord’s concerns, and I would be grateful if he will withdraw the amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

My Lords, I am grateful to noble Lords who have spoken and for the opportunity to set out the purposes of various conditions included in Part 1 of Schedule 1.

It is worth recalling that, in order for special categories of data to be processed lawfully, controllers must demonstrate that their processing meets one of a defined list of processing conditions set out in article 9 of the GDPR. Many controllers will meet this requirement by seeking the explicit consent of the data subject but the reality is there will be circumstances where it would not be appropriate, or indeed possible, for a controller to seek consent. In these cases, alternative conditions include processing which is necessary for the purposes of employment and social security; for the provision of health or social care; for public health; and for archiving and research. But for UK controllers to take advantage of these particular processing conditions, the UK must make suitable provision in UK law. That is what the conditions set out in Part 1 of Schedule 1 seek to do.

Paragraph 1 of that schedule, referenced in Amendment 25, refers to the processing of sensitive personal data where necessary for exercising obligations under employment law, social security law or the law relating to social protection. This is a specific category under article 9(2)(b) of the GDPR, and paragraph 1 gives it legislative effect.

It is true that the 1998 Act did not refer to social security and social protection law, but the GDPR gives them specific emphasis in recognition of the reality that processing of special categories of data may be necessary for the purposes of calculating social security benefits or arranging interventions by social services when people are in need of support. In practice, it may not be possible to obtain consent to every measure or decision which is taken about a person when arranging benefit payments or care provisions. Amendment 25 would remove paragraph 1(1)(a) from Schedule 1, making this clause ineffective and closing off a potentially valuable processing condition to social services and other care providers.

The noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, suggested in Amendment 25A that “under” employment law should be replaced with “in connection with” employment law. I appreciate the sentiment behind the amendment, which is to ensure that the provision does not operate too restrictively. However, the Government are satisfied the term is sufficiently broad to cover processing that would have been permitted for these purposes under the Data Protection Act, while operating within the limits of the derogation provided for by the GDPR. The new condition, which permits processing that is,

“necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law”,

would have the same meaning as the Data Protection Act wording, which referred to, processing necessary for the purposes of,

“exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.

I therefore hope the noble Lords will accept my reassurances in that regard.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

I said that we believe that the term is sufficiently broad to cover processing that would have been permitted hitherto, which the noble Earl refers to. However, of course, if we have got it wrong and if the insurance industry has a point it wants to bring up, it would be sensible, and I would be delighted, to meet him and the industry to discuss that. As I said before, we have an open mind, so I will certainly do that.

On the provisions in paragraphs 2 and 3 of Schedule 1 on health and social care, and public health, respectively, which are the focus of Amendments 27 to 29, it is fair to say that the drafting here has moved on slightly from the approach taken in Schedule 3 to the 1998 Act. However, article 9(2)(h) of the GDPR refers specifically to processing which is necessary for,

“the assessment of the working capacity of an employee”,

and,

“the management of health … care systems”.

Article 9(2)(i) refers specifically to processing which is,

“necessary for reasons of public interest in the area of public health”.

The purpose of paragraphs 2 and 3 of Schedule 1 is to give these GDPR provisions legislative effect. To remove these terms from the clause by virtue of Amendments 27 to 29 would mean that healthcare providers might have no lawful basis to process special categories of data for such purposes after 25 May. I am sure that noble Lords would agree that that would be unwelcome.

The noble Lord, Lord Kennedy, asked some questions on paragraph 2 and asked for an example of data processed under paragraph 2(b). An example would be occupational health. The wording of paragraph 2(2)(f) of Schedule 1 is imported from article 9(2)(h), and I refer the noble Lord—I am sure that he has remembered it—to the exposition given in recital 53.

Paragraph 4—the focus of Amendments 32 to 34—provides for the processing of special categories of data for purposes relating to archiving and research. The outcome of these amendments would be to name specific areas of research and types of records. The terms “scientific research” and “archiving” cover a wide range of activities. Recital 157 to the GDPR specifically refers to “social science” in the context of scientific research, and recital 159 makes it clear that,

“scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.

The Government are not aware of anything in the GDPR or the Bill which casts doubt on the application of these terms to social science research or digital archiving.

Finally, on the important issue of confidentiality, Amendments 31 and 70 are unnecessary, because all health professionals are subject to the common-law duty of confidentiality. The duty is generally understood to mean that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. However, beyond relying on the common-law duty of confidentiality, health professionals and social work professionals are bound by the requirements in their employee contract to uphold rules on confidentiality, whether that information is held on paper, computer, visually or audio recorded, or even held in the memory of the professional. Health professionals and social work professionals as defined in Clause 183 are all regulated professionals.

I can therefore reassure the noble Lord, Lord Kakkar—I am also grateful to the noble Lord, Lord Lester, for his support with regard to the Human Rights Act—that the Government strongly agree on the importance of the common-law duty of medical confidentiality but also recognise that it is not absolute. For example, there already are, and will continue to be, instances where disclosure of personal data by a medical professional is necessary for important public interest purposes, such as certain crime prevention purposes or pursuant to a court order. I therefore cannot agree to Amendment 108A, although, as we have already said, the Government are committed to looking at the issue of delegated powers in the round. I will certainly include that in that discussion. Therefore, with that reassurance, I ask the noble Lord to withdraw his amendment.

Lord Ashton of Hyde

- Hansard -

Copy Link

-

It is always a pleasure to meet my noble friend, and I am happy to do that.