Political Influence: Artificial Intelligence
Lord Kennedy of Southwark Excerpts(7 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Kennedy of Southwark (Lab Co-op)
My Lords, when does the Minister think that the Government are going to move on from being concerned about this and looking across Whitehall to actually taking some action to deal with this urgent matter?
Lord Ashton of Hyde
The online harms White Paper will be published in the winter of 2018-19.
Sport: Performance-Enhancing Drugs
Lord Kennedy of Southwark Excerpts(7 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
Criminal activities are subject to the negotiations that will take place and the Home Office is responsible for those. On doping in sport, we already have an international system based on WADA which I do not think will change just because we are coming out of Europe. This is an international problem that extends far beyond the borders of Europe. However, I take the noble Lord’s point that it is very important that we continue with that system and I see no reason why we should not be able to.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, I agree with the noble Lord, Lord Addington, that we need to ensure that we drive these drugs out of individual sports, both at amateur and professional level. It is important to drive them out of team sports as well, but it is also important that football clubs have grounds they can actually play at. Will the noble Lord take back to his honourable friend the Minister for Sport our thanks for her support for Dulwich Hamlet? However, the club is still locked out of its ground, and we are only allowed to play thanks to Tooting and Mitcham. We need further help to get back into our home ground at Champion Hill.
A noble Lord
Data Protection Bill [HL]
Lord Kennedy of Southwark Excerpts(7 years, 9 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I thank the Minister for that lucid exposition. When one has 282 amendments from the Commons, which I think is fairly unusual after the Lords have worked on a Bill, we find that the Commons have made many improvements, with one or two notable exceptions that no doubt we will come to in later groups. I welcome Amendments 8, 9 and 10 in particular, and Amendment 12. I heard what the Minister said in caveating the intended extent of the amendment. I very much hope that it will have the effect he hopes for. The automated decision-making provisions have to be in line with the GDPR, so it is clearly necessary to amend the Bill in that respect, but I generally welcome this group of amendments.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, I too welcome this group of amendments. First, on Amendments 8, 9 and 10, I recall the debate led by the noble Lord, Lord Marlesford, who is not in his place at the moment. He talked about his experience of the parish council in his area, explaining that a part-time clerk did a couple of days a week and it was impossible. He made his case well and I am happy to support him in it. I am glad to see that the Government have listened. I also believe that many Members on all sides of the House in the other place made similar points. I thank the Government very much for that.
I am very pleased with Amendment 12. We, with the Liberal Democrats, raised this issue during a debate in this House. We could not get it all agreed before it left to go to the other place but I had two very positive meetings with Matt Hancock and Margot James. The noble Lord, Lord McNally, also came along to our other meetings and the noble Lord, Lord Hayward, from the Conservative Benches, was also involved. We got to a good place. Nobody from any party thought that this issue should not be properly recognised in legislation. I am very pleased that the Minister and his colleagues have listened to us.
The Minister is of course right that technology changes all the time. We have no idea what we will be doing in four or five years’ time. Things move so fast now, so it is good that our legislation is written to take that into account. I was also pleased to hear the Minister say that the Government intend to consult and work with the Parliamentary Parties Panel, which is very important. It is a statutory body, set up in the PPERA 2000, where practitioners from all political parties can come together and talk with both the Electoral Commission and Cabinet Office officials. It really is the body where the people who know what they are talking about can come together. I sat on the body for many years and there was a lot of agreement among party officials about what needs to be done. I am glad that the Government will do it and I am pleased with what has come forward today.
Personal Data
Lord Kennedy of Southwark Excerpts(7 years, 9 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Kennedy of Southwark
To ask Her Majesty’s Government what action they propose to take to regulate platforms that hold personal data.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the UK’s forthcoming data protection laws will empower people to take control of their personal data and ensure that all businesses, including platforms, take necessary steps to protect the information that they hold. This is a crucial step in giving the public confidence that their data will be managed securely and safely. Beyond this, the digital charter that we are developing in the UK sets out the principles for our approach to agree the norms and rules of the online world and put them into practice. In some cases this will be through shifting expectations of behaviour, in some we will need to agree new standards, and in others we may need to update our laws and regulations.
Lord Kennedy of Southwark (Lab Co-op)
I am sure that, like me, the Minister saw the media reports of Mr Mark Zuckerberg’s appearance on Capitol Hill last week. He seemed to accept that some form of regulation was now inevitable. Will the Government look at what can be done in that respect? Does the Minister think the solution may be to regulate the people working in the industry, giving them clear obligations and clear standards to adhere to?
Lord Ashton of Hyde
My Lords, as I mentioned in my Answer, legislation is coming. The combination of the GDPR, which comes into effect on 25 May, and the Data Protection Bill, which should be in place by then, will make a real difference. Other things need to be done. One of the biggest changes in the last few months has been the acceptance that these social platforms have some responsibility for their content. That does not mean to say that they are publishers as such but Mr Zuckerberg accepted responsibility for content on Facebook. The Prime Minister, in her Davos speech, made much the same point.
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsWednesday 13th December 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Kennedy of Southwark
My Lords, Amendment 42, moved by the noble Baroness, Lady Hamwee, was also debated in Committee. The noble Baroness, her noble friend and other noble Lords raised concerns in Committee about paragraph 4 of Schedule 2 in respect of the broad nature, the wide-ranging exemptions and the application of those exemptions. I see the point about the application of this part of the Bill. The amendments tabled by the noble Lord, Lord Ashton of Hyde, set out in the Bill those rights which might be restricted by virtue of article 23(1) of the GDPR and so give more focus to this part of the schedule.
I want to see effective immigration controls and also fair immigration controls, but I do not want to see people unable to get access to data held on them or to how that data is being used and shared except in limited circumstances. I hope the Minister can confirm that the government amendments will do this on a case-by-case basis and do not provide a blanket power. These things are very sensitive and are a matter of balancing important principles, protections and rights carefully and coming down with the right protections in place. I think it would be a problem if we were left in a situation where we could disclose to data subjects information that could give them the opportunity to circumvent our immigration controls.
The noble Baroness, Lady Williams of Trafford, gave a detailed explanation of the Government’s opposition to the amendment in Committee and highlighted a number of the issues that would come forward. I do not think anyone wants a situation where we are making things worse for ourselves. I recall the examples given of an overstayer where the authorities are seeking to enforce an administrative removal or where there is an application to extend the leave to stay and it is suspected that false information has been given. These seem perfectly reasonable to me. The amendments tabled by the Government provide important clarification on what is exempt, limit the power in the Bill and seek to address the concerns highlighted during the previous debate and today.
Lord Clement-Jones
Before the noble Lord sits down, does he therefore agree with the Government that this is all about the circumvention of immigration controls? Does he not think that essentially, as my noble friend Lady Hamwee mentioned, most of the circumstances are about people asserting their rights?
Lord Kennedy of Southwark
I accept that people want to assert their rights. Of course I do. I also think that we had a very detailed debate in Committee. Points were raised about the broad-brush approach; the Government have responded, and I am happy to support their amendments.
Baroness Williams of Trafford
My Lords, these amendments bring us back to the immigration exemption in paragraph 4 of Schedule 2 which, as the noble Lord, Lord Kennedy, said, was debated at some length in Committee. As this is Report, I am not going to repeat all the arguments I made in the earlier debate, not least because noble Lords will have seen my follow-up letter of 23 November, but it is important to reiterate a few key points about the nature of this provision, not least to allay the concerns that have been expressed by noble Lords.
Let me begin by restating the core objective underpinning this provision. The noble Lord, Lord Kennedy, specifically asked for further clarity on this point. The UK’s ability to maintain an effective system of immigration control and to enforce our immigration laws should not be threatened by the impact of the GDPR. It is therefore entirely appropriate to restrict, on a case-by-case basis, certain rights of a data subject in circumstances where giving effect to those rights would undermine that objective. That is the sole purpose and effect of this provision—nothing more, nothing less.
The GDPR recognises this by enabling member states to place restrictions on the rights of data subjects where it is necessary and proportionate to do so to safeguard,
“important objectives of general public interest”.
The maintenance of effective immigration control is one such objective. This is the basis for the provision in paragraph 4 of Schedule 2.
The noble Baroness referred to article 23 of the GDPR. It does not expressly allow restrictions for the purposes of immigration control. She asked whether the immigration restriction is legal. She pointed to Liberty’s claim that the exemption is unlawful. It is not the case.
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsWednesday 13th December 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
“Duty to notify of data protection breaches due to ransomware attacks
(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.(2) In this section,“ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and“police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”
Lord Kennedy of Southwark
My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.
Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.
I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.
We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.
The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.
Lord Kennedy of Southwark
I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.
Lord Ashton of Hyde
Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.
Lord Kennedy of Southwark
It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsMonday 11th December 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Clement-Jones (LD)
My Lords, I hope to be as brief as the Minister, who I thought was admirably so in introducing the government amendments. However, there are some issues that arise. I applaud the noble Baroness, Lady Royall, and others who have been so instrumental in persuading the Government on this. As the noble Lord, Lord Patel, indicated in various ways, there are ambiguities; the particular way in which the Government have chosen to amend the Bill potentially leaves a gap. I wonder, for instance, whether alumni fundraising for, say, a research institute can never be in the public interest. Is there not a possibility that it might fall outside the exemptions as a result? Perhaps the Minister can give me the correct interpretation. It is very important that this is on the record and that it is very clear what the formulation means. It would have been much more straightforward to have approached the subject directly in the Freedom of Information Act, but that is not the way the Government have chosen to help alumni fundraising in universities. In talking about universities, I should declare an interest as chairman of the council of Queen Mary University as well.
Another question arises. By and large there is nothing particularly controversial in the remainder of the amendments, but I do not quite understand why new Section 76C of the Freedom of Information Act, which was introduced in the original version of the Bill, is now being taken out by Amendment 198. Is it because Clause 127 already provides the necessary duty of confidentiality of information by the commissioner and employees of the Information Commissioner’s Office? The Minister might have given us a bit of explanation about that, which would have been extremely helpful.
Otherwise, many of the other provisions are welcome. Amendments 119, 182 and 197 demonstrate that it would be a good idea to have prompt enactment or implementation of legislation, so that weird and wonderful new clauses such as are introduced by those amendments would be unnecessary.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for her explanation of the government amendments in this group, which are largely in response to issues raised in Committee. I do not intend to speak for long on this group, because the amendments are largely to be welcomed. I want to pay particular tribute to my noble friend Lady Royall of Blaisdon, who raised the concern of the university sector during Committee that, under the Bill, universities could find themselves in difficulty over fundraising activities with alumni. We were pleased to see today that the Government have listened and addressed that. My noble friend cannot be with us today because of the weather making it difficult for her to travel to London. Generally, the higher education sector and others are grateful for what is proposed, although a couple of noble Lords have raised particular concerns, so it would be useful if the Minister could address those in her response. There may be one area that has not quite been resolved.
There are a couple of issues to mention. We are happy to support the amendment on police sharing of information for law enforcement purposes, as I am the amendment in respect of the Prisoner Ombudsman for Northern Ireland and the technical amendments on tribunals and courts to ensure consistency of language.
I shall not go on any further, because I am conscious that we have two Statements today and one will take at least an hour and the other 40 minutes, and the dinner break business for an hour, which will eat in to our time for Report today. I shall leave it here and say well done to the Government: thank you very much for that. It is better that we spend our day looking at issues that we have not quite resolved.
Baroness Chisholm of Owlpen
My Lords, I thank all noble Lords for the points they made. In answer to the noble Lord, Lord Patel, as my noble friend Lord Ashton explained in previous debates, Clause 7 was never intended to provide an exhaustive list of public interest tasks but, rather, to ensure continuity with respect to those processing activities that cover paragraph 5 of Schedule 2 to the 1968 Act. However, I am happy to reiterate that medical research—and other types of research carried out by universities for the benefit of society—will almost always be seen as a public interest task. I appreciate the sector’s desire to have greater guidance from the Information Commissioner on the issue, and I shall certainly pass that on, but the noble Lord will appreciate that it is not for me to dictate the Information Commissioner’s precise programme of work from the Dispatch Box.
I thank the noble Lords, Lord Smith and Lord Macdonald, for their kind words. I think we have put universities on a safe footing in this regard. I reiterate my thanks to them for coming to see us and helping us with that amendment.
The noble Lord, Lord Clement-Jones, asked: is alumni fundraising always in the public interest, and what about medical research?
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsMonday 11th December 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
Lord Clement-Jones (LD)
My Lords, the noble Baroness having sat through my last speech, I am in no position to judge. That was a skilful summary of the memorandum put to the Delegated Powers and Regulatory Reform Committee and it is useful to have it on the parliamentary record.
I remind the House that the amendments we have brought forward do not take the ultra position, if you like. They are about having an appropriate level of parliamentary control over delegated legislation in a field where these are important matters—rights which are inextricably linked to human rights. To boil down a long memorandum, the Minister’s arguments are about flexibility and future proofing. However, the horse has bolted. In previous legislation such regulations were permitted to be made by government and therefore we should roll over and put them into the next bit of legislation.
The one essence that I take away is that the consultation duty is enshrined. I accept that it is a considerable improvement that the Secretary of State must consult the commissioner and such other persons as the Secretary of State considers appropriate. It would be useful at this stage at least to have on the record the kinds of bodies the Minister thinks are appropriate in these circumstances.
The real issue and the reason why we have tabled our amendments—I am not saying they are perfect but they allow for a parliamentary process in which there is an ability to suggest amendments and to have a full consultation on regulation changes—is the controversy about “omission”, “addition” and “varying”. The Government have clearly come to the view that omitting provisions is permissible in certain circumstances but they are relying on adding or varying. They say that varying is a light-touch aspect but why, in certain circumstances, is it permissible to omit provisions added by regulations? Is this a kind of second thoughts aspect, whereby regulations are brought forward under this Bill and then the Government think they want to omit some of them? I do not quite understand the rationale behind that.
I accept that in some of the crucial cases they are limiting themselves to “adding” or “varying”. However, variation can be extremely broad and virtually equivalent to omitting. It seems that one can vary a right all the way down to a minuscule situation which can impinge on the human rights of an individual, even though it is not technically an omission where a safeguard is provided. These are very broad rights. They are broad powers to create new exemptions to data protection rules as they affect a data subject and they can add exemptions to safeguards for processing sensitive personal data. These matters could have a powerful effect on individuals.
I should remind the Minister of a sad aspect, which is that in its procedures, the Delegated Powers and Regulatory Reform Committee does not seem to have a second bite of the cherry—something I am sure the Minister approves of entirely. But for those of us who relied on the very useful original DPRRC report, it is unfortunate that the committee has not come back and said what it thinks of the ministerial memorandum. In the original report the committee went as far as to say:
“We consider that clause 9(6) is inappropriately wide and recommend its removal from the Bill”.
That is pretty heavy stuff, even for this useful committee. It had even more to say about Clause 15:
“We regard this is an insufficient and unconvincing explanation for such an important power”.
I must put on the record that we on these Benches do not think that the Government have discharged the onus of proof, showing why they need these extraordinary powers under the Bill, and we hope that they will further reduce their regulation-making powers.
Lord Kennedy of Southwark (Lab Co-op)
My Lords, this group of overwhelmingly government amendments seeks to address issues raised by the Delegated Powers and Regulatory Reform Committee in its sixth report, published on 24 October this year, the only addition being Amendments 10 and 69 in the names of the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, the Delegated Powers and Regulatory Reform Committee is widely respected in the House and I am pleased that the government amendments address the concerns raised by the committee. But as we have heard from the noble Baroness, Lady Chisholm of Owlpen, those concerns have not been accepted in full, and she has given the reasons for that.
I was particularly pleased to see government Amendments 9, 67 and 68, among others, which would limit the powers to amend the processing conditions and exemptions found in various schedules to the Bill. I am equally pleased to see the Government act in respect of the powers to make regulations. This will be done using the affirmative rather the negative procedure, starting with government Amendment 71. It gives Parliament the right level of scrutiny and the ability to reject or express regret about a particular decision, and allows for a proper level of scrutiny, a debate having to take place in both Houses.
In respect of Clauses 9 and 15, Amendments 10 and 69 seek to change the scrutiny procedure from the affirmative, as presently in the Bill, to the super-affirmative. I am not convinced that this is necessary as we have the tools at our disposal to scrutinise the proposals using the affirmative procedure. Starting with government Amendment 130, we have a series of amendments relating to the enforcement powers of the ICO, and again these are to be welcomed.
As I say, in general I welcome the government amendments and the explanation given by the noble Baroness.
Baroness Chisholm of Owlpen
I thank the noble Lord for those kind words. The noble Lord, Lord Clement-Jones, asked who would be consulted. While it is clearly impossible to be specific, the Secretary of State might consider it appropriate to consult, for example, representatives of data subjects or trade bodies, depending on the circumstances and regulations in question. I hope that that answers his question.
On why it is permissible to admit provisions added by regulations, we believe it is qualitatively different from admitting those added during the extensive parliamentary debate and scrutiny afforded to primary legislation. As I said, many other powers are not new. The 1998 Act already provides a power to add to conditions for sensitive processing. We feel it is prudent to retain the ability to amend Schedules 2 to 4 if necessary. As I said, this is a fast-moving area. We want to make sure that the Bill provides a framework for the constant evolution and developments in how we use and apply data, but it must be supportive rather than stifle innovation and growth.
Lord Clement-Jones
My Lords, it is a pleasure to follow the noble Earl, Lord Kinnoull, who has very impressively pursued these issues with considerable care and determination. He has said pretty much everything that needs to be said. Processing special category data, including health data and criminal convictions is, as he said, fundamental to calculating levels of risk and underwriting. I hardly need to say that to the Minister. His amendments are welcome, but of course the essence of the noble Earl’s amendments is to get from the Minister a progress report on how things are moving on in terms of enabling the continued processing of special category and criminal conviction data and whether we can get something along the right lines that allows a derogation for processing of special category and criminal conviction data where it is necessary in relation to insurance policies and claims. That would prevent disruption to consumers in the way the noble Earl mentioned. Then, of course, there is the guidance produced by Amendment 26; this is what you might call a sprat to catch a mackerel and I hope that the Minister will deliver the mackerel.
Lord Kennedy of Southwark
My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.
Lord Ashton of Hyde
My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:
“Insurance and data concerning health of relatives of insured person”,
and:
“Third party data processing insurance policies and insurance on the life of another”,
with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.
The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.
As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.
Lord Kennedy of Southwark
My Lords, I tabled this amendment to keep the issue that I raised in Committee on the agenda. I spoke about it at some length in Committee. I think it is better determined by your Lordships’ House, rather than going off to the other place. I know the Minister has kindly agreed to a meeting. We have not had a chance to have it yet, but we will later this week.
I know that the noble Lord, Lord Hayward, who sits on the Government Benches, fully supports this issue being debated. He, like me, hopes it can be sorted out here by Third Reading, rather than going to the other place. The basic problem is that provisions in the Bill potentially conflict with legislation in respect of elections and other matters already on the statute book. I went through those in Committee. I am sure we do not want to pass legislation that conflicts with existing legislation, but we risk doing that here. That cannot be right. What political parties, campaigners and politicians need—and certainly what the regulators need—is crystal clear legislation and regulation that they can apply. To pass something that is in direct conflict with the Representation of the People Act would be unwise. We need to have our meeting later this week and I hope we can bring something back at Third Reading. These are important issues that we need to get right to ensure that all legislation is working together. I beg to move.
Baroness Hamwee
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
Lord Ashton of Hyde
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
Lord Kennedy of Southwark
I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.
I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsWednesday 22nd November 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
“( ) In this section, a request made by a data subject under subsection (1)(a) includes, but is not limited to, requests about reviews written by a third party about workers.”
Lord Kennedy of Southwark (Lab Co-op)
My Lords, Amendment 170J, which stands in my name and that of my noble friend Lord Stevenson of Balmacara, seeks to address an issue that I am not convinced is sufficiently covered in the Bill as it stands.
Freelance workers or self-employed people—whatever you want to call them—offering a range of services and seeking work through various platforms, have sprung up in recent years. In many cases, their customers are able to rate them and the work they have done. However, these individuals often find that they cannot take that rating information with them if they move on to another platform. The reviews are written by third parties, who rate the quality of the work, and understandably it is very valuable to the trades- persons if they can carry those reviews forward with them.
This is a very strange situation. Various companies often maintain that they do not have employees and that they are merely acting as a platform, a noticeboard or a portal where people can find tradespersons. However, those tradespersons then find that it is not very easy to take information about them with them when they move on. This is intended as an enabling amendment to put on the face of the Bill that data subjects have the right to take with them the information written about them by third parties when they move on to another platform.
At this stage, this is obviously a probing amendment but I am keen to hear what the noble Lord has to say about this issue. It is important for the people concerned—if you have done a good job, you want to take recognition of that with you. I look forward to the noble Lord’s response.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.
This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.
The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.
It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.
I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.
Lord Kennedy of Southwark
I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.
Lord Ashton of Hyde
If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.
Lord Kennedy of Southwark
I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.
Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.
All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.
The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.
Lord Kennedy of Southwark
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
Lord Clement-Jones
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
Data Protection Bill [HL]
Lord Kennedy of Southwark ExcerptsMonday 20th November 2017
(8 years, 2 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
“( ) Within three months of this Act coming into force, the Commissioner must specify in guidance what constitutes “other failures” under subsection (8).”
Lord Kennedy of Southwark
My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.
Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.
Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.
The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,
“as the Secretary of State considers necessary”.
We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.
Baroness Chisholm of Owlpen
My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.
As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.
However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.
As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.
I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.
As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, although this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.
Lord Kennedy of Southwark
My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.