Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Home Office
Wednesday 15th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV(b) Amendment for Committee, supplementary to the fourth marshalled list (PDF, 52KB) - (15 Nov 2017)
Baroness Hamwee (LD)
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
The Minister of State, Home Office (Baroness Williams of Trafford) (Con)
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
Baroness Hamwee
My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.
I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.
Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.
Lord Kennedy of Southwark
My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.
I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.
Baroness Hamwee
Baroness Hamwee
I shall speak to Amendment 124Q and to a number of amendments in this group. I start with a general point. The number of amendments that we have tabled to Part 3 in particular, but also to Part 4, might suggest considerable opposition to the Bill, but I reassure the Committee that that is not the case. We are on a probing mission generally. We have some serious objections but, in general, we support where the Bill is going.
The probing in many cases is because of the language used. It is about the different uses of language in EU and UK legislation, and how language is used when something is transposed, to use the term non-technically, into UK law. There are different traditions; laws develop in different ways. I might sum it up by saying that it is a matter of style, but the style may have an impact on the meaning. That is why we are using the fact that the Bill has started in this House, where we have a tradition of reading every word and questioning every other word, to get on the record some of the things that we have identified as being helped by explanation.
This group is about definitions. Amendment 124Q would limit “competent authorities”, as they are defined and listed, to the extent of their law enforcement functions. I mentioned just now staff who work at the Ministry of Defence but do not have jobs that come remotely close, in themselves, to defending the country, although they support those who do. It occurred to me that police forces similarly, even if it is above that kind of administrative level, deal with more than law enforcement, if there are still enough coppers around. Prevention work in schools is one example. Then there is dealing with internal human rights—I beg noble Lords’ pardon, I mean human resources—records. I use the acronym HR too often.
The parties to a collaboration agreement are not necessarily policing bodies or even public sector bodies, which fall within these provisions. Criticising my own amendment, I wondered if it would be confusing to have different regimes applying to different activities—the law enforcement ones on one hand and the others on the other—but there are similar distinctions elsewhere in the Bill.
Lord Young of Cookham (Con)
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
Baroness Hamwee
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Lord Young of Cookham
Some in-flight refuelling has arrived. The noble Baroness made a valid point about why we had added certain organisations to Schedule 7 but not the police and crime commissioners. We will reflect on that between now and Report.
Baroness Hamwee
Baroness Hamwee
My Lords, this group of amendments is about data protection principles. Our Amendments 129G and 129H would add transparency to the requirements of lawfulness and fairness for processing. Here, the directive is again being reflected, but why, since transparency is a requirement in the case of the intelligence services? I confess that I found this counterintuitive. I might have expected the services to have an argument against transparency because of the very nature of what they do, but not so law enforcement—at least, not so much.
Amendment 129J enables me to ask, as I did at Second Reading, why some activities are “strictly necessary” and others merely “necessary”. This arises in several places and this is the first example, although for good measure my Amendment 133ZJ seeks to add “strictly” to another of these—I am not sure that it was my best choice, but there you go. The point is that “strictly” calls into question just how necessary something that does not attract the term is. This may be an example of adopting language used in other legislation and directives without it having been considered in the context of UK legislation.
The Minister used the example of our seeking in the first group of amendments on these parts to change a term used in current legislation. I take that point, because it opens up a question as to whether there is any distinction. The point I am making about terminology is not a million miles away from that.
Amendment 130A concerns the scope for the Secretary of State to amend Schedule 8 by regulations. That schedule sets out the conditions for “sensitive processing”—in other words, when that processing is permitted. Should the Secretary of State be able to add circumstances when it is permitted, or to vary the schedule, omitting items from the schedule by regulations would fulfil the objective of protecting the data subject. That is very different from “adding” or “varying”.
Amendment 133ZB deals with another instance of different legislative styles. In Clause 34(1), the law enforcement purpose must be “legitimate”—an interesting term when applied to law enforcement. I suggest as an alternative “authorised by law”, a term used later in the clause, in order to probe this. In not very technical language “legitimate” suggests something wider than legal. It has elements of logic and justification and might import the notion of balance. The term comes from not only the GDPR but the 1995 directive—so there is a history to this—and there are many examples of the accepted meaning of “legitimate” in EU law. However, I am concerned about how we interpret the term and apply it in the UK. Looking to the future, what will happen when we are cut adrift from the European Court of Justice? Presumably we will have to rely on the development of case law in the UK and the different UK jurisdictions. It is worth thinking about how this may be dealt with as we go forward.
On Amendment 133ZD, under Clause 36(3) a clear distinction needs to be made “where relevant”—the amendment would delete this—as far as possible between data relating to different categories of data subject. I do not see what “where relevant” means in this context. It begs the question of whether or not something is relevant and whether the provision is applicable.
Amendment 133ZE applies to Clause 36(4), which deals what must be done—or, rather, not done—with inaccurate, incomplete or out-of-date data, which must not be “transmitted or made available”. That is the phrase used and my amendment probes the question of why the term “disclosed” is not used. There is a definition of “processing” in Clause 2, which includes,
“disclosure by transmission, dissemination or otherwise making available”.
In other words, “disclosed” would cover everything.
Amendment 133ZK relates to Clause 40, which deals with the controller having an appropriate policy document. Under that clause, the controller must make the document available to the Information Commissioner. Is it not a public document? Should it not be published? The amendment proposes that it should be. I beg to move.
Lord Stevenson of Balmacara
My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation —affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
Lord Stevenson of Balmacara
I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.
Baroness Hamwee
My Lords, without wanting to appear ungrateful, I am very troubled by some of what we have heard about the incorporation of language used in the law enforcement directive and in the modernised 108. Simply to reflect that language, incorporate it into our primary legislation and cause confusion thereby does not seem to be a very good way to proceed. My questions about the difference between “strictly necessary” and “necessary” illustrate this well. To be told that “necessary” is a lower threshold than “strictly necessary”—which is certainly how I would read it—calls into question how necessary something which is necessary really is.
We will have to come back to this—it may be something that we can discuss outside the Chamber before Report. I wonder whether I should threaten to unleash my noble friend Lord Lester of Herne Hill—that might be enough to lead us to a resolution, but I have not consulted him yet. However, I am troubled, because we are in danger of doing a disservice to the application of these important provisions. For the moment, of course, I beg leave to withdraw the amendment.
Baroness Hamwee
“( ) The controller must without undue delay inform each data subject that he is (or, as the case may be, is again) a data subject.”
Baroness Hamwee
My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.
We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.
Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this is a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.
Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”— this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.
On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?
Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.
Lord Kennedy of Southwark
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
Baroness Hamwee
My Lords, the noble Lord, Lord Kennedy, need not have been apologetic: it is perfectly fair to make the point that he did not think the amendment was proportionate. I will not claim the credit for Amendment 133ZQ because it is not my drafting, but much more importantly, yes, fundamental rights should be interpreted by the UK courts, but on what basis? It really is a matter of “New readers start here” with that, and the same applies to “official inquiry”: the very fact that there is an Inquiries Act was in my mind in asking what an official inquiry is. It is all the same argument—the same discussion, would be a better way of putting it—as on earlier groups. I said then that I was troubled; I am troubled in this connection. I think I made it clear that I was not trying to reopen the question of the European Charter of Fundamental Rights now; there will be other occasions to do that. I beg leave to withdraw the amendment.
Baroness Hamwee
Baroness Hamwee
Baroness Hamwee
My Lords, we debated automated decision-making under Part 2 on Monday. Clause 48 provides for automated decision-making in the case of law enforcement. No doubt we will return to the issues raised on Monday in this connection, but for now, Clause 48(1) provides that a “qualifying significant decision” must be,
“required or authorised by law”.
This is perhaps a slightly frivolous probe, but may a controller take a decision that is not required or authorised by law? If it is not authorised, how is the data subject protected?
Amendment 135 refers to not engaging the rights of the data subject under the Human Rights Act. Again, we had a debate on this on Monday and it is a subject to which we may return. I simply ask: does the Minister have anything to add to what her noble friend Lord Ashton of Hyde had to say then? He told us that human rights are always engaged—indeed they are—and that the amendment therefore did not really work but that there are, as he said in col. 1871, “appropriate safeguards”. Are the Government satisfied that the balance between processing and protection is the right one? As I say, I am sure we will come back to this issue.
Amendment 135A is to Clause 48(2), which deals with decisions based solely on automated processing. Article 11 of the directive, which I believe is the basis for this, provides for automated processing, including profiling. Profiling is a defined term, so I merely want to check that there is no significance in omitting the reference to it. I doubt there is but the language is reproduced exactly elsewhere, so this is a simple check.
Clause 48(2)(a) provides that notification of a decision must be given “as soon as … practicable”. Amendment 135B would limit this to a maximum of 72 hours. I do not want to describe what is in the Bill as open-ended but I think the Minister would accept that it is less certain than it could be, which is a pity as the requirement under this clause to notify the right to ask for reconsideration is important. I note that at another point close to this, the data subject has an exact limit of 21 days. That may not be practicable for the data subject but perhaps the Minister can confirm whether that means within 21 days of actual receipt, not 21 days of delivery, as the means of serving that notification.
Amendment 136A would insert a new provision. We have been considering some form of independent oversight of automated decision-making. That would not be quite right because we have the commissioner, who is independent, but the amendment proposes more assistance and advice in this connection and the publication of reports on the subject.
Amendment 137 proposes a new clause. We debated a more elaborate amendment on the right to information about decisions based on algorithmic profiling on Monday. The proposed new clause would allow the data subject to obtain an understanding of the reasoning underlying the processes, when the results of it are applied to him. The wording might seem familiar to noble Lords, which would show that they have read on in the Bill. The amendment would reproduce in the law enforcement part a right that is included in Clause 96 in Part 4, which deals with the intelligence services. If they can do it, why not law enforcement? I was quite surprised that they could do it and were expected to provide the underlying reasoning, but that is a good thing. I am not arguing that this would be a silver bullet for all the issues around algorithms but it would be significant. Perhaps it would be courteous and appropriate to say I understand that as regards the intelligence services exemptions, the UK is proposing one of the most advanced explanation rights in the world—tick.
Amendment 144 raises the human rights point again, in the context of the intelligence services’ automated decision-making. Amendments 145 and 146 are to ask the Government to justify decisions based solely on automated processing which significantly affects the data subject when it relates to a contract. Clause 94(2)(c) refers to,
“considering whether to enter into a contract with the data subject”,
and,
“with a view to entering into … a contract”,
with them. There must be a fine distinction between those two provisions but they are dealt with differently. These are all in Part 4, on the intelligence services. Finally, Amendment 146A is to ask whether the commissioner should have a role in the process, because there is a bit more scope for people doing their own thing in this part of the Bill than under Part 3. I beg to move.
Lord Stevenson of Balmacara
My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.
Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,
“right to object to automated-decision making”,
within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.
In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.
Baroness Williams of Trafford
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
Baroness Hamwee
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
Baroness Hamwee
“( ) Notwithstanding any determination under subsection (2), joint controllers are each liable for any failure to comply with the obligations of a controller under this Part.”
Baroness Hamwee
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
Lord Young of Cookham
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
Baroness Hamwee
My Lords, I am certainly happy with the latter. I simply observe that in other walks of life when people act jointly, each is often responsible for what the other does, but of course I beg leave to withdraw the amendment.
Baroness Hamwee
Baroness Hamwee
My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E set outs what advice would be included “to mitigate the risk” and would be a reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards. “Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.
Lord Stevenson of Balmacara
My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.
There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.
In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.
The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.
Baroness Williams of Trafford
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Baroness Hamwee
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
Baroness Hamwee
Baroness Hamwee
My Lords, sensitive processing requires meeting at least one condition from the menu in Schedule 9 and one in Schedule 10. This could be achieved, for instance, because the processing is necessary to protect someone’s vital interests under Schedule 9, and for the same reason under Schedule 10 when consent cannot be given. I wondered whether the repetition amounted to there being only one condition to be met, rather than two or perhaps one and a half—hence Amendment 137R.
Amendment 138A is another amendment suggesting that the Secretary of State’s regulation-making power is too wide under the Bill. In our view, the Secretary of State should be able to add conditions—in other words, protections—but not vary or omit them. That is a thread that runs through the whole of the Bill.
Amendments 139A and 139B probe the condition in Schedule 9 that processing is necessary for the purposes of legitimate interests pursued by the controller or a third party to whom the data is disclosed. Again, “legitimate interest” made me pause. It is made lawful by Clause 84 because it meets one of the lawfulness conditions, so there is a circularity here. The schedule then applies a condition to the condition—it is not lawful if it prejudices rights and freedoms or legitimate interests of data subjects, or rather is unwarranted because of prejudice to the rights and freedoms or interests of the data subject. Does that allow for the risk of prejudice? It struck me as quite a clumsy phrase—“unwarranted … because of prejudice”. I realise that the person who drafted it—I do not want to say “draftsman”—must have had some very particular thoughts in mind.
Lord Young of Cookham
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
Baroness Hamwee
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for this comments on Amendment 138A and beg leave to withdraw the amendment.
Lord Stevenson of Balmacara
My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.
Baroness Hamwee
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
Baroness Williams of Trafford
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Baroness Hamwee
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Baroness Williams of Trafford
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.