(8 years, 3 months ago)
Lords Chamber
My Lords, I am very grateful to all noble Lords for their interesting and succinct contributions—I know how difficult that is on a subject such as this. I very much support the noble Lord, Lord McNally, in his view that this is part of a process and that we will not provide all the answers tonight. I hope that I will answer some noble Lords’ questions, but there is an awful lot to get through. Of course I also thank the noble Baroness, Lady Kidron, for convening this debate.
There is a lot to cover, but I say at the outset that the Government get the message which I think the House in aggregate is giving today, which is that social media companies and the way they work have developed rapidly and that there are issues that need to be considered. I hope that I can show that we are taking that seriously.
For example, I think we all agree that the internet offers a huge range of opportunities but, as we have heard, there are legitimate concerns about illegal and harmful content online. A number of noble Lords have expressed specific concerns about the role that major social media platforms play. Because we are so acutely aware that the internet can have both a positive and a negative effect on users, particularly children, the Government have developed a clear ambition, as stated in our manifesto commitment, to make the UK the safest place in the world to be online. We aim to realise that ambition via policies developed through our new digital charter.
If I may initially confine myself to the noble Baroness’s Motion—which I know is not always the practice in this House—I must make the point that online platforms such as social media companies, auction sites and cloud service providers are, as has been alluded to, currently defined as information society services, as set out in European Union law. While we are still a member of the EU, the UK is subject to the e-commerce directive, but the directive was drafted in 2000, when the internet was in its infancy. The intention behind it was laudable: to create a regulatory environment in which cross-EU online commerce could flourish and prevent member states creating barriers to the growth of the digital single market. But since the turn of the century, digital technology has developed faster than society has adapted to that change, and citizens now have legitimate concerns about rising online threats. The noble Lord, Lord Bew, explained the dilemma that this creates.
Around the globe, it is now increasingly acknowledged that there are problems with online behaviour and content and that they must be addressed. The EU Commission recently published guidelines on how online platforms should increase the proactive prevention, detection and removal of illegal online content, and it is currently considering whether further action should be taken.
The noble Baroness, Lady Kidron, asked about legal liability structures to which I alluded. I thought it would be helpful to show what the new Secretary of State said in his evidence to the Select Committee on polling and digital media—the noble Lord, Lord McNally, might be interested in the philosophical nature of this. He said:
“The approach that we take as a whole to the internet and internet companies is encompassed in what we call the digital charter. Essentially, this is about changing the attitude towards what happens online from a libertarian view that the more people connect in the world, the better, and that Governments should have no view, which was probably the founding political philosophy of the internet, to a liberal values view whereby you support and promote the freedom that the internet brings while ensuring that that freedom does not trample on the freedom of others. That involves mitigating harms”.
We agree, and as long as the UK remains a member of the EU, and bound by its rules, we will work closely with the Commission, and other member states, to secure further progress in this area. Of course, consideration of online liability is fraught with complexities, not least because we will be leaving the EU. Similarly, an ill-considered approach might also produce technical problems for online service providers. If they were to become fully liable for all third-party content, this could be fundamentally prohibitive to many service models, including those operated by cloud storage providers, video-sharing sites and others. Balancing these various interests is a delicate matter, but essential if we are to meet safeguarding concerns for users while still supporting the internet as a useful vehicle for exchanging ideas and promoting the digital economy.
These points are not intended in any way to downgrade the importance of tackling online harms, but rather to outline the need for a well-developed and, if possible, consensual approach. The digital charter is our primary response to the more fundamental questions of ensuring that new technologies work for the benefit of everyone. The noble Lord, Lord Knight, talked about new policy thinking. While I talk about that, I remind noble Lords that we intend to set up a data ethics and innovation body, and we have allocated £9 million in this budget to do that. It could consider things such as the verification ideas that the noble Baroness, Lady O’Neill, mentioned, and the suggestion of the noble Baroness, Lady Eaton, of an innovation fund, among many other things. We intend to develop the policies and actions to make the UK the safest place to be online, and to drive innovation and growth across the economy.
As the noble Baroness, Lady Lane-Fox, mentioned, that includes women, who are a valuable and essential resource. I am pleased to say that the Government are supporting the recently launched Tech Talent Charter, to which over 125 tech companies have already signed a pledge to take concrete measures to improve the gender diversity of their workforces.
What we are trying to achieve cannot be achieved by government alone. So we will work collaboratively with citizens, businesses, charities and others to build both our understanding of the challenges, and a consensus around the solutions. As I have mentioned, the challenges we face online are global. The international element was mentioned by the noble Baronesses, Lady Kidron, Lady Benjamin, and my noble friend Lord Inglewood, among others. It is at this global scale that we should be looking to gain consensus on our approach. We have already begun to hold international discussions on the key issues under the charter, including at the recent G20 digital taskforce in Hamburg. Going forward, we will look to expand this work, including bilaterally with like-minded countries such as France, and through multilateral organisations, including the OECD and the D5.
The very first element of the digital charter is our work on online safety, a reflection of how seriously the Government take this issue. In October, we published the Internet Safety Strategy Green Paper, an important next step in meeting our relevant manifesto commitments. The strategy set out our ambition for everyone to play a role in tackling online harms. For example, we are working closely with the Department for Education to ensure that online safety, which the noble Baroness, Lady Grey-Thompson, mentioned, is part of new compulsory relationships and sex education curriculums, and that parents have the support they need to keep their children safe. We will certainly pass on my noble friend Lady Eaton’s suggestions about innovation to the department.
In answer to the views of the noble Lord, Lord Puttnam, on understanding how these large sites work and what they do, we acknowledge his point. The Department for Education issued a call for evidence late last year to help shape the new content and guidance, and we expect the new curriculums to cover digital literacy and critical thinking skills. The noble Baroness, Lady Lane-Fox, had a debate recently about digital understanding, which was extremely useful and interesting. Alongside the publication of the strategy, a public consultation was launched, which asked for views on a range of new safety initiatives—this is the scope that the noble Baroness, Lady Kidron, asked about—that included a social media code of practice, a social media levy, and transparency reporting. The consultation closed on 7 December, with a good number of responses from a range of contributions.
The noble Lord, Lord Bew, mentioned the report of his Committee on Standards in Public Life, Intimidation in Public Life. I think that the right reverend Prelate the Bishop of Gloucester also mentioned that. We will address its recommendations in the government response, which is due to be published shortly.
As set out in the strategy, we are working with the main social media platforms on a voluntary basis because we believe that that secures faster results. However, the previous Secretary of State was crystal clear, and the new Secretary of State agrees, that we will not hesitate to bring forward legislation, if necessary. I hope that that commitment reassures my noble friends Lady Harding and Lady Fall. The age verification protections for online pornography show that we are willing to tackle online harms through legislative means. The internet safety strategy is not the only vehicle through which we will protect children online. I am very pleased to be responding to the noble Baroness, Lady Kidron, so soon after we worked together closely on securing improvements to the Data Protection Bill. I commend her persistence and firmness, but also her good humour. We have never once fallen out—yet!
I am sure that the House does not need reminding that the Government were pleased to support an amendment to that Bill to address the concerns of many noble Lords. We supported a statutory code of practice for age-appropriate design for all information society services. We look forward to working with the Information Commissioner’s Office to drive up the levels of protection afforded to children online.
Many noble Lords mentioned fake news. The Government are committed in their manifesto to protect the reliability and objectivity of information as an essential component of democracy. Work is now under way, also under the digital charter, to ensure that we have a news environment where accurate content can prevail. As my noble friend Lord Black said, it is the UK’s robust, free, wide, vibrant and varied media landscape that remains our key defence against disinformation.
I shall go through as quickly as I can some of the points that noble Lords have raised. The noble Baroness, Lady O’Neill, mentioned competition policy. We have a world-leading competition regime, and we will continue to keep it under review. The Competition and Markets Authority recently announced a new technology team to strengthen its ability to deal with competition issues surrounding algorithms, artificial intelligence and big data. We are also setting up a new Centre for Data Ethics and Innovation, as I mentioned, which will be well placed to support the CMA in its work.
The noble Viscount, Lord Colville, and the noble Baroness, Lady Lane-Fox, talked about trust in the media. We absolutely agree with the trusted role of the traditional media sectors in the UK, but I do not believe that the trust has been eroded quite as much as some may fear by the newer forms of content. A recent Radiocentre survey in 2017 on levels of trust in media sources among UK citizens found that 77% of respondents trusted radio news, 74%—just under three-quarters—trusted TV news and only 15% trusted news on social media. The public are not complete fools.
The right reverend Prelate the Bishop of Gloucester, who is my bishop, I might add—I do not mean “my” bishop; I must push on—asked why we are not establishing an independent digital commissioner. The Digital Minister, supporting the Culture Secretary, who is personally invested in raising the level of online safety, plays that convening role on this issue across government.
The noble Viscount, Lord Colville, talked about the filter bubble effect and I thank him for his interesting views on this. The Government consider the effect of news, advertising and other content being tailored algorithmically to personal preferences to be an issue. The work on the digital charter will consider this and what response is most appropriate.
I have an answer from the Box on the gambling questions that the noble Baroness, Lady Howe, asked. It says, “We will write”. It also says, “Wrong officials in the Box”. But, more seriously, I have a reply in train to the noble Baroness on this subject, following the recent debate that we had on gambling. That is ongoing and I will write to her.
The right reverend Prelate the Bishop of Gloucester talked about Germany’s new law, under which social media companies are fined for not removing hate speech on their services quickly enough. We are aware of that and, through the digital charter, we will look right across the range of potential solutions for tackling that issue. We will look at steps that other countries, including Germany, are taking to inform this work.
The noble Baroness, Lady Worthington, and the noble Lord, Lord Vaux, asked what we are doing about online anonymity, which I think is an interesting point. We asked questions about online anonymity in the internet safety strategy consultation and we are analysing those responses. We will formally respond to them soon.
Online advertising was raised by my noble friend Lord Black and the noble Lord, Lord Vaux. They were right to raise the role of online advertising in many of the issues discussed. We have a good advertising regulatory system but we recognise that there have been rapid developments in the marketplace. We are working alongside the Advertising Standards Authority to monitor developments and respond appropriately. This is a key part of much of our work under the digital charter, including ensuring that there are sustainable business models for high-quality online news media, protecting people’s personal data and ensuring that value created online is rewarded appropriately.
The noble Baronesses, Lady Benjamin and Lady Howe, asked about the BBFC and age verification in social media. The age verification regulator will not duplicate the Internet Watch Foundation’s remit. If, in the course of investigations, the age verification regulator identifies child abuse images hosted in the UK, it will report these to the IWF. We recognise the concerns about the availability of pornographic material on some social media platforms but, as we discussed during the passage of the Bill, it is our intention for age verification to apply to the pornography industry. Within the regulator’s powers will be the ability to notify ancillary service providers, including the social media platforms, if, for example, a person is using a social media platform to market their non-compliant website.
I want to end by repeating that the Government are very much concerned about the impact that online harms are having, particularly on young people and children. That is why we are launching a range of initiatives to keep people safe online—and we agree with the noble Baroness, Lady Grey-Thompson, that social media sites should take responsibility. Social media platforms should be aware that, if we do not get results, we will not be afraid to go further.
(8 years, 3 months ago)
Lords Chamber
My Lords, the last time I cleared a room like this, it was a very bad film indeed.
Amendment 103A is connected to Amendments 103B, 103C, 124A, 124B and 125A, and I move it with the support of my noble friend Lord Stevenson and the noble Lords, Lord Clement-Jones and Lord Holmes. In a well-run world, this group of amendments should not really need to be moved or pressed. They are designed purely to ensure that we have the data commissioner—and the office of that commissioner—that we need. Frankly, they are the natural consequence of all the debates that have occurred during the passage of the data protection legislation.
There can be no more important role over the next few years than that of the Data Commissioner. The organisation she is being asked to regulate is the largest in the world. A quite extraordinary statistic is that the four largest companies—Google, Amazon, Facebook and Apple—have between them a larger market capitalisation than the FTSE 100. That is the scale of the businesses we are asking the Data Commissioner to regulate. At the same time, under the Bill at present the resources available to her are wholly inadequate to that task. We went through a similar operation 15 years ago with Ofcom, and out of that, and through the collective wisdom of this House, we were able to ensure that Ofcom had the resources to become what is genuinely the gold standard of any media and telecoms industry regulator in the world. That is an achievement of this House of which we should be very proud. The purpose of these amendments is to achieve exactly the same for our ICO—something we can be proud of and that can do the job given to it.
During the passage of the Bill, we have loaded the ICO with significant new and additional responsibilities. The idea that we might have an underfunded and underresourced regulator that is not adequate to the task we are giving it is unthinkable. The purpose of these amendments is to prevent that. I could go on at some length, but I think the mood of the House is that it wishes to move on, so I shall listen to the Minister’s response. I beg to move.
My Lords, it might be for the convenience of the House if I speak now as I have some information which may help the noble Lord, Lord Puttnam, and other noble Lords who have put their names to these amendments.
As I have repeatedly said during the debates on the Bill, the Government are committed to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in this Bill, so I agree with pretty well everything the noble Lord said. That is why we legislated for a new, GDPR-compliant charging regime in the Digital Economy Act, which we will turn to in the next group, but it is also why the commissioner needs to be able to recruit and retain expert staff.
I am therefore very pleased to announce that the Government have today granted the Information Commissioner’s Office pay flexibility up to 2020-21 so that it can review its pay and grading structure. The commissioner will have the independence to determine the levels of pay necessary for the ICO to maintain the expertise it needs to fulfil its new and revised functions as a supervisory authority, subject to the standard public spending principles. I am also pleased to say that the Information Commissioner has agreed these arrangements. She said:
“I welcome the positive response to my business case for pay flexibility at the ICO. I am confident that this will allow me to prepare the ICO for its critical role under the new data protection regime ensuring that the UK has a strong and expert regulator in an area recognised for its importance to the digital economy and society as a whole”.
This flexibility underscores the UK’s commitment to an independent and effective data protection regulator, and I think goes a long way in responding to the points raised by the noble Lord’s amendments. We all want an efficient, well-resourced ICO, so I am very pleased that this agreement has been reached. I should have said at the outset that I am very grateful to the noble Lord for coming to talk to me about it. I am glad to say he was pushing at an open door.
I thank the noble Lord, who has been extraordinarily generous with his time. He and his officials could not have been more helpful in reaching what I regard as a perfectly satisfactory conclusion. My only wish is that we have a regulator that can do the job required of it and tackle the abuses along the way confidently and competently. I am extraordinarily grateful for this outcome. I am very happy to withdraw the amendment.
My Lords, the noble Lord, Lord Deben, said that a small number of people do everything in small communities. It sometimes feels like that here. I do not think that we need to say much more; all the issues have been raised and I am sure that when he responds, the Minister will answer some, if not all, of the questions. The underlying theme is that we do not want to spoil what is a very good Bill with desirable aims by failing to pick up all the areas that it needs to address, because there will be benefits from it, as we have heard. I think that the Government understand that, but they must not be in the position of willing the ends of policy without also willing the means.
My Lords, I am grateful to all noble Lords who have spoken. I begin by thanking my noble friend Lady Neville-Rolfe, my predecessor in this role, for once again bringing the topic of small businesses to the House’s attention. Other noble Lords have extended that from small businesses to small organisations—indeed, even clans. While I am on the important subject of the clan, the noble Earl asked whether they would be classed as small organisations. I am sure that they are not small, but the answer is yes, they will be subject to the provisions of the GDPR.
The serious, general reason is that the GDPR, which is EU legislation which comes into direct effect on 25 May, is there to protect personal data. We must remember that the importance of protecting people’s personal data, particularly as it has developed since the most recent Data Protection Act was passed in 1998, has extended dramatically and concerns very personal items that belong to people. That is why it does not entirely matter whether it is a small or large organisation. Public authorities, such as parish councils, and other small organisations, such as charities, must take personal data seriously. They have obligations under the existing Act, but under the GDPR, they have more, and that is why. However, I and the Government instinctively support small organisations where we have it in our power to do so. I shall return to some of the specific points later.
I thank my noble friend for bringing this matter to the House’s attention and for coming to discuss it at length; I welcome this opportunity to provide some reassurance. As I have said at previous stages of the Bill, I wholeheartedly agree that the Government should recognise the concerns of the smallest organisations and continuously look at ways to support them through the transition to a new data protection framework. The amendments tabled by my noble friend have all been designed with small organisations, charities and parish councils in mind.
Before I address each amendment in turn, I remind noble Lords that the Information Commissioner’s Office already produces a variety of supportive materials intended to help organisations of all sizes to navigate their way to data protection compliance. I strongly encourage businesses to consult these, and to make use of the commissioner’s new dedicated helpline, provided specifically for small organisations. I am pleased to say, in answer to my noble friend Lord Marlesford and, in part, to my noble friend Lord Deben, that the Information Commissioner has agreed to issue advice to parish councils, which will be published shortly. That is one of the organisations to which my noble friend referred. I understand exactly what he is saying, as I live in a small village and my wife is a parish councillor. I assure noble Lords that the issues of the Data Protection Act in relation to parish councils have been aired vociferously, and not only in this Chamber.
In addition, it is worth noting that the process for paying annual charges to the commissioner will become simpler and less burdensome, which I am sure will come as welcome news to small organisations—but we will return to that point shortly.
Amendment 106 would add a new clause that would give the Information Commissioner a duty to provide additional support to small businesses, charities and parish councils to meet their requirements under the GDPR. This may include, among other things, additional advice and discounted fees paid to the commissioner. I think that my noble friend Lord Marlesford raised a point earlier on, and I hope that it will be helpful if I put it on record that parish councils can share duties like a data protection officer, which is a public authority that they have to have, under the GDPR, with other parish councils as well as with district councils. Parish clerks can also fulfil that role.
While I agree with my noble friend that small organisations should be supported to meet new obligations under the GDPR and this Bill, I cannot agree with the obligations that that would place on the commissioner. As I mentioned earlier, the commissioner has already published a wide breadth of guidance online and is continuing to develop this guidance as we near the date of GDPR implementation. I mentioned an example just now. Only recently, she updated her small business portal to make it easier for organisations to access GDPR-related resources. Given that the commissioner is already so active in this field, which the Government and, I think, my noble friend fully support, I fear that additional prescriptive requirements would distract rather than contribute.
While the Minister is responding on this issue—I was not allowed to move Amendment 87A because somebody shouted out “not moved” when it was in fact not moved by myself—could he include schools in his comments?
We were going to have a debate on that—I gather that the Liberal Democrats did not want to bring it forward—but the basic answer is that schools have responsibilities under the GDPR. They particularly have responsibility for personal data relating to children; they already have extensive responsibilities under the current Data Protection Act. So it is very much an issue for schools. In this case, to help them, the Department for Education is going to provide guidance—and I am assured that it will be out very soon. So they have particular responsibilities. The kind of personal data that they handle on a regular basis is very important; I believe that the noble Lord, Lord Clement-Jones, mentioned an example of some of the personal data that they hold in relation to free school meals, which has to be protected and looked after carefully. One benefit for the school system, as far as other organisations are concerned, is that they will have central guidance from the Department for Education—and I repeat that that is due to come out very soon.
I turn to Amendment 125, also proposed by my noble friend. It seeks to introduce a requirement on the Secretary of State, when making regulations under Clause 132, to consider making provision for a discounted charge—or no charge at all—to be payable by small businesses, small charities and parish councils to the Information Commissioner. Clause 132(3) already allows the Secretary of State to make provision for cases in which a discounted charge or no charge is payable. The new charge structure will take account of the need not to impose additional burdens on small businesses. This may include a provision in relation to small organisations.
I am happy to confirm that the Government have given very serious consideration to the appropriate charges for smaller businesses as part of the broader process for setting the Information Commissioner’s 2018 charges. The new charge structure will take account of the need to not impose additional burdens on small businesses. It is important to note, however, that small and medium organisations form a significant proportion of the data controllers currently registered with the ICO—approximately 99%, in fact. The process of determining a new charge structure is nearly complete and we will bring forward the resulting statutory instrument shortly. I would, however, like to put one thing on the record: in putting together that charging regime, we have been mindful of the need to ensure that the Information Commissioner is adequately resourced during this crucial transitional period, but I want to be clear that the Government do not consider the 2018 charges to be the end of the story. There may well be more we can do further down the line to modernise a regime that has not been touched for the best part of a decade.
Amendment 127 would place an obligation on the commissioner, in her annual report to Parliament, to include an economic assessment of the actions that the commissioner has taken on small businesses, charities and parish councils. I agree with my noble friend about the importance of the commissioner being aware of the impact of her approach to regulation during this crucial period. As I said to the commissioner when we met, we must nevertheless also be mindful of maintaining her independence in selecting an approach. Even if we did not think that having an independent regulator was important—I want to be clear: we do—articles 51 to 59 of the GDPR impose a series of particular requirements in that regard. But, all of the above notwithstanding, I agree with a lot of what my noble friend has said this afternoon.
Turning to Amendment 107A, in the name of the noble Lord, Lord Clement-Jones, concerning the registration of data controllers, I remember the Committee debate where the noble Lord tabled a similar amendment. I hope that I can use this opportunity to provide further reassurance that it is unnecessary. The Government replaced the existing notification system with a new system of charges payable by data controllers in the Digital Economy Act. We did this for two reasons. First, the new GDPR has done away with the need for notification. Secondly, and consequentially, we needed a replacement system to fund the important work of the Information Commissioner. All this Bill does is re-enact what was done and agreed in the Digital Economy Act last year. We legislated on this a year earlier than the GDPR would come into force because changes to fees and charges need more of a lead time to take effect. As I have already said, these new charges must be in place by the time the GDPR takes effect in May and we will shortly be laying regulations before Parliament which set those fees.
Returning to the subject matter of the amendment, under the current data protection law, notification, accompanied by a charge, is the first step to compliance. Similarly, under the new law, a charge will also need to be paid and, as under the previous law, failure to pay the charge is enforceable. We have replaced the unwieldy criminal sanction with a new penalty scheme—found in Clause 151 of the Bill.
My Lords, can the Minister explain what the trigger is for the payment of the fees?
That is not what I meant. That is not a trigger; it is notification by the data controller.
If you process and control data, you will need to make a notification to the data commissioner. I do not understand why that is not a trigger.
Exactly, so my point, which I was coming to but which the noble Lord has very carefully made for me, is that, in doing this, the Information Commissioner will obviously keep a list of the names and addresses of those people who have paid the charge. The noble Lord may even want to call that a register. The difference is, unlike the previous register, it will not have all the details included in the previous one. That was fine in 1998, and had some benefit, but the Information Commissioner finds it extremely time-consuming to maintain this. In addition, as regards the information required in the existing register, under the GDPR that now has to be notified to the data subjects anyway. Therefore, if the noble Lord wants to think of this list of people who have paid the charge as a register, he may feel happier.
I have talked about the penalty sanction. When the noble Lord interrupted me, I was just about to say—I will repeat it—that the commissioner will maintain a database of those who have paid the new charge, and will use the charge income to fund her operation. So what has changed? The main change is that the same benefits of the old scheme are achieved with less burden on business and less unnecessary administration for the commissioner. The current scheme is cumbersome, demanding lots of information from the data processors and controllers, and for the commissioner, and it demands regular updates. It had a place in 1998 and was introduced then to support the proper implementation of data protection law in the UK. However, in the past two decades, the use of data in our society has changed dramatically. In our digital age, in which an ever-increasing amount of data is being processed, data controllers find this process unwieldy. It takes longer and longer to complete the forms and updates are needed more and more often, and the commissioner herself tells us that she has limited use for this information.
My hope is that Amendment 107A is born out of a feeling shared by many, which is to a certain extent one of confusion. I hope that with this explanation the situation is now clearer. When we lay the charges regulations shortly, it will, I hope, become clearer still. The amendment would simply create unnecessary red tape and may even be incompatible with the GDPR as it would institute a register which is not required by the GDPR. I am sure that cannot be the noble Lord’s intention. For all those reasons, I hope he will withdraw the amendment.
I thank the Minister for going into the issues in such detail, and for the support that is now being offered by the ICO through the transition. We have heard about the helpline, the websites, and new guidance—not only for parish councils, which I regard as a major breakthrough, but for small business and schools. That is all very good news. There will be a charge but it will be modulated, as I understand it, in a way to be decided and brought before the House in an order. I think the Minister understands the wish of this House not to load lots of costs on smaller businesses as a result of this important legislation, which we all know is necessary for a post-Brexit world.
My only concern related to the Minister’s comments on what we might put into the report, because he rightly said that the Information Commissioner had to be independent, which I totally agree with. Equally, I thought that without undermining her independence, it was possible to ask her to report on economic matters and, for example, on how business learns about data protection and how that is going. I do not know whether he is able to confirm that today, but he made a point about independence and it was not clear whether it would be possible to put something into the reporting system.
We are keen that the Information Commissioner be independent and is seen to be independent, and I know that the commissioner herself is aware of that. I cannot commit to anything today, but I will certainly take back my noble friend’s question and see what can be done while maintaining the Information Commissioner’s independence.
On that basis, I am happy to beg leave to withdraw my amendment.
My Lords, in earlier amendments I have tried to interest the Government in the idea of establishing what I loosely call a copyright of one’s personal data. Another possibility put forward in a different amendment is that one could think of data provided by individuals as matters that would be controlled by them through the role of a data controller. I am not trying to be in any sense critical of the Government’s response to this but I think I was ahead of my time—a nice place to be if you can—and I do not think the idea is quite ready to be turned into legislative form. I suspect that the solution lies in a data ethics commission, an idea that we will come to later in the agenda. Such a commission may be established by statute, either today or through some future legislative process, so that we can begin to think through these important issues. I was interested in a lot of what the noble Lord, Lord Mitchell, said in his introduction of the amendment because it has bearing on these issues.
I agree with the noble Lord, Lord Clement-Jones, that we are not quite there yet. However, worrying issues have been raised that need to be addressed, particularly in relation to data that is acquired, used and commercially exploited without necessarily being certain that we are getting value for money from it. The amendments are relatively mild in their exhortations to the Government, but they certainly point the way to further work that should be done and I support them.
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
My Lords, I thank all noble Lords for their contributions to this short debate. I also thank the Minister for agreeing to see me prior to the Recess and for his comments today. However, this is an issue of precision—and we need precision on the statute book. All that has been suggested to me, which is that it can be found elsewhere or will be looked at in the future, does not give the definitive answer we require. That is why I would like to test the opinion of the House.
My Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.
By way of background, Clause 162(3) and (4) provide a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.
As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.
A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.
We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.
My Lords, I thank the Minister. We on these Benches had considerable activity from the academic community, security researchers and so on. I am delighted that the Minister has reflected those concerns with the new amendments.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts a rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed”.
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, I am very grateful to noble Lords for their comments. Although I have to say at the outset that we have some reservations about these amendments, I think we might be able to find a way forward this evening. I have listened to the noble Lords, Lord Stevenson and Lord Clement-Jones, and taken their remarks on board, but I have especially listened to the noble Baroness, Lady Kidron, who spoke about children. We have some experience of her input in this Bill. I obviously take a lot of notice of what the noble Lords, Lord Stevenson and Lord Clement-Jones, say but, as you know, familiarity and all that, so I have certainly listened especially to the noble Baroness, Lady Kidron.
The Government are sympathetic to the idea of facilitating greater private enforcement, but we continue to believe that the Bill as drafted provides significant and sufficient recourse for data subjects. In our view, there is no need to invoke article 80(2) of the GDPR, with all the risks and potential pitfalls that that entails. To recap, the GDPR provides for, and the Bill allows, data subjects to mandate a suitable non-profit organisation to represent their interests following a purported infringement. The power will, in other words, be in their hands. They will have control over which organisation is best placed to represent their interests, what action to take and what remedy to seek. The GDPR also places robust obligations on the data controller to notify the data subject if there has been a breach which is likely to result in a high risk to the data subject’s rights and freedoms. This is almost unprecedented and quite different from, say, consumer law where compulsory notification of customers is rarely proportionate or achievable.
These are very significant developments from the 1998 Act and augment a rapidly growing list of enforcement options available to data subjects. That list already includes existing provisions for collective redress, such as group litigation orders, which were used so effectively in the recent Morrisons data breach case, and the ability for individuals and organisations to independently complain to the Information Commissioner where they have concerns about how personal data is being processed.
What these initiatives have in common is that they, like the GDPR as a whole, seek to empower data subjects and ensure they receive the information they need to enforce their own data rights. By comparison, Amendments 175 and 175A would go much further. I stress that, as I have already said, we are not against greater private enforcement, and I have borne in mind the points the noble Baroness made about children. We also have reservations about the drafting and purpose of these amendments, all of which I could of course go through at length, if the House wishes, but in view of what I am about to say, I hope that will not be necessary.
Since Committee, the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of Clause 173 as it is currently drafted. The Government are fully prepared to look again at the issue of article 80(2) in the context of that review. We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions.
In view of that, I would be very grateful if the noble Lord will withdraw his amendment this evening and other noble Lords do not press theirs.
Before the Minister sits down, can I get absolute reassurance from him that this is not pushing it into the future, where it will languish? Will the Government be looking to this review to actually solve the problem that we have put forward on behalf of children?
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.
My Lords, I thank the Minister for his response and am only sorry that I, rather than the noble Lord, Lord Stevenson, have the privilege of responding. The Minister came back, I thought, very helpfully. The noble Baroness, Lady Kidron, made a superb case for these rights to be implemented earlier rather than later. If we are creating all those new rights for children under the Bill, as she says, we must have a mechanism to enforce them. I believe the Minister said that the review would be two years after the Bill comes into effect. I hope that that is an absolute—
Let us hope that that is treated as an important timetable. I was interested that the Minister expressed his sympathy—I know that that was genuine—but then went on to talk about risks and pitfalls, and very significant developments, which all sounded a bit timid. I understand that we are in relatively novel territory, but it sounded rather timid in the circumstances, especially where the rights of children are concerned.
One point the Minister did come back on was group litigation orders. Class actions are very different from the kinds of representative action that we are talking about under these amendments. For example, they would be anonymous and the consent of the data subject would not have had to be acquired, unlike with a class action. They are very different, which is worth pointing out. There are some egregious issues in terms of the use of people’s data—the Equifax case, Uber, and so on. We need to remind ourselves that these are really important data breaches and there need to be remedies available. We, on this side of the House, and those on the Benches of the noble Baroness, Lady Kidron, will be vigilant on this aspect.
The one area of clarification that I did not receive from the Minister was whether this would apply to processing of personal data that was not under the GDPR. Will it be under the applied GDPR, and would that apply?
I think it applies to the whole thing, but if I am wrong, I will certainly write to everyone who is here.
The noble Lord may be right but, of course, it is equally very rare that we turn down an affirmative order.
My Lords, I am grateful to all those who have participated. I take on board what the noble Lord, Lord Clement-Jones, said about our brief debate on the final day in Committee, so we can do a bit tonight. I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out. I am going to duck, if I may, the argument about the affirmative procedure and whether it should be amendable, particularly given other Bills that are coming before this House soon. After all, I was only reappointed yesterday.
It is helpful to have this opportunity to further set out the purpose and operation of Clauses 175 to 178 and, in doing so, explain why the amendments in this group are unnecessary—except, of course, the government amendments. As noble Lords will now be aware, the Bill creates a comprehensive and modern scheme for data protection in the UK. No one is above the law, including the Government. That partly answers the point made by the noble Lord, Lord Clement-Jones. The Secretary of State cannot do whatever she or he wants because they are subject to the GDPR and the Bill, like everyone else. When I go further and explain the relationship between this framework and the ICO’s guidance, if it is issued, I hope that will further reassure noble Lords.
While we are on this subject, the reason the Bill uses the term “framework” is that it uses the term “code of practice” to refer to a number of documents produced by the Information Commissioner. As this document will be produced by the Government, we felt that it would be clearer not to use that term in this case. It is purely a question of naming conventions—nothing significant at all.
Inherent in the execution of the Government’s functions is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is therefore intended to set out the principles and processes that the Government must have regard to when processing personal data. Government departments will be required to have regard to the framework when processing personal data. This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate. This sector, or organisation-specific guidance, coexists with the overarching guidance provided by the Information Commissioner.
This framework adopts a similar approach; it is the Government producing guidance on their own processing of data. The Information Commissioner was consulted during the preparation of these clauses and will be consulted during the preparation of the framework itself to ensure that the framework complements the commissioner’s high-level national guidance when setting out more detailed provision for government.
My Lords, the Minister said that the Information Commissioner was consulted, but what was her view? Can the Minister put on record what the Information Commissioner’s view about the final architecture was? She has made it fairly clear to us that this is not satisfactory, as far as she is concerned.
When I said that she was consulted, I said what I meant. This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner. I think that she is worried about complications regarding independence and the extent of her authority in this. I am not pretending that she is completely happy with this, but I hope that I will address how the two interlink and we can come back to this if the noble Lord wants. I acknowledge his point that she is not completely happy with this but, as I said before, it is one of the few areas in the whole Bill where that is the case. Certainly, we have a very good relationship with the Information Commissioner, as evidenced earlier this evening by her agreement on pay and flexibility. Importantly though, whatever she thinks of it, she will be consulted during the preparation of the framework itself to ensure that it complements the commissioner’s high-level national guidance when setting out more detailed provision for the Government.
As I explained in Committee, the Government’s view is that the framework will serve to further improve the transparency and clarity of existing government data processing. The Government can and should lead by example on data protection. Amendment 176 is designed to address concerns about the potential for confusion if the framework is produced by the Government. I respectfully suggest that these concerns are misplaced. The Secretary of State’s framework will set out principles for the specific context of data processing by government. It will, as I have set out, complement rather than supplant the commissioner’s statutory codes of practice and guidance, which will, by necessity, be high level and general as they will apply to any number of sectors and organisations.
Requiring the commissioner to dedicate time and resources to producing guidance specifically for the Government, as the noble Lord’s amendment would require, would hardly seem to be the best use of her resources. Just like a sectoral representative body, it is the Government who have the experience and knowledge to devise a framework that speaks to their own context in more specific terms.
I am sorry to keep interrupting the Minister, but is he therefore saying that the frameworks cover government and that the ICO’s codes of practice cover government as well?
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?
I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.
I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.
Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.
Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.
In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.
Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.
On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.
I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.
I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
I am very grateful to the Minister for that response. That is probably the right way forward, and I beg leave to withdraw the amendment.
(8 years, 3 months ago)
Lords Chamber
My Lords, with the leave of the House, I shall now repeat in the form of a Statement the Answer given by my right honourable friend the Secretary of State for the Department for Digital, Culture, Media and Sport to an Urgent Question in another place. The Statement is as follows:
“Thank you very much, Mr Speaker. Like most Members of the House, I strongly support the BBC, and like most of the licence fee payers who fund it, I would go so far as to say that I love it. Now in this digital age, perhaps more than ever, if the BBC did not exist, we would need to invent it. But as a treasured national institution, the BBC must not only uphold, but be a beacon for, the British values of fairness that this nation holds dear. That includes fair pay and equal pay for equal jobs. By introducing reforms in the BBC charter, this Government, under the leadership of my two predecessors, have vastly improved BBC transparency and shone a light on gender and pay issues at the BBC. This new transparency includes requiring the BBC annually to publish the salary details of all BBC staff paid more than £150,000. Publishing these details for the first time in July resulted in much-needed public scrutiny of pay at the BBC. The BBC’s overall gender pay gap stands at around 9%. But the figures also show that two-thirds of those earning over £150,000 were men, and reveal a lack of staff from BAME backgrounds among top earners.
At the time of publication, some male presenters were understandably uncomfortable with the results. John Humphrys even acknowledged that he would not necessarily be able to explain his salary of £600,000. This is a matter not just of levelling women’s pay up: it is a matter of pay equality. Working for the BBC is public service and a great privilege, yet some men at the BBC are paid far more than other equivalent public servants. The BBC has now begun to act, and I welcome that. But more action—much more action—is needed, especially when BBC foreign editors can earn more than Her Majesty’s ambassadors in the same jurisdiction. In the specific case of Carrie Gracie, I welcome the EHRC’s decision to look into the issues she has raised. The EHRC is the regulatory body responsible for policing equal pay and it is for it, not the Government, to investigate this matter further and take further action if necessary.
Of course, the BBC is operationally and editorially independent of government—rightly so. The director-general has, commendably, committed to sorting out this issue by 2020 and we will hold him to that. I understand that its report on on-air presenter salaries will be published in the next few weeks. But we expect the BBC to observe pay restraint and deliver value for money for licence fee payers. We will watch closely. The BBC must act. The brilliant women working at all levels of the BBC deserve better”.
My Lords, I am grateful to the Minister for repeating that Answer to an Urgent Question given in another place. I must say, as I take part in this exercise for the first time, that I had expected in an Urgent Question to hear a note of urgency. While I sense a little self-congratulation about measures that have been brought in and reforms that have been introduced, as regards the BBC I do not sense that deep desire to achieve objectives that are in line with public expectations at large, deeply held and urgently sought. Of course, the measures that are mentioned must continue, but 2020 seems a long way away. We understand that the BBC must look after its own internal affairs, but can the Government assure us that, with some urgency, all appropriate measures will be applied to encourage, goad and pressurise it to come forward with a solution to these questions, so that the beacon referred to can serve as a benchmark against which to measure progress in other sectors of our public life?
I stress that the Government absolutely support urgent action on this. Of course, it was this Government who brought in the requirement for the BBC to publish salaries over £150,000, which is one of the reasons why we are talking about this issue today. The Statement makes it quite clear that the Government expect the BBC to act in accordance with what we have expected it to do as regards the gender pay gap. We understand that when you have a deep-seated and probably long-established problem, it takes some time to deal with and it is a difficult management issue. But let us be under no illusions—the Government expect the director-general and the new unitary board to deal with that. They are the people who have responsibility for that. We are pleased that the EHRC will look at this. For individuals, it has been illegal to pay people unequally because of their gender for over 40 years, and we expect all companies—not only the BBC but especially the BBC, which is a public institution—to obey the law.
My Lords, the Minister says that it has been illegal to pay women less than men for 40 years. However, is not the crux of the matter that many employers, even those as publicly exposed as the BBC, will pay as little as they think they can get away with, and they think they can get away with paying women less than men? The BBC is in a pickle and it needs to sort itself out, otherwise it will be sorted out by the EHRC. Any employer worth his or her salt appreciates that women are often more hard-working and conscientious—indeed, better employees—than men. However, men know how to demand, and we are conditioned to believe that demanding things, especially money, is strident and inappropriate. But when men do it, that is assertive and appropriate. Enough already—let us have full transparency over pay for everyone. What can the Minister do to ensure that that happens at the BBC and other public bodies?
I agree with some of what the noble Baroness has said but I do not agree with the general statement that sometimes women work harder or are better at their jobs than men. We are talking about equality here. People should be paid the same for doing the same job and should be treated equally and given the same opportunities. As far as the BBC is concerned, this Government have made transparency available—both by introducing transparency regulations on the gender pay gap for all organisations with more than 250 employees and by making the BBC publish the details of employees earning over £150,000—so that we can look at this situation. We can get all organisations to do what they should be doing, which we all support, by making it transparent when they do not do so, so that their customers, employees and all the stakeholders that deal with them know the sort of organisations they are.
Does my noble friend not agree that it is unacceptable for this situation to continue so many months after the initial transparency regulations were introduced, with the exposure of the differences in salaries? Had this particular female employee of the BBC not resigned on a matter of principle, it would have been swept under the carpet. How can this situation, where she is so well qualified as a Mandarin speaker and outperforms her two male colleagues, persist?
I am certainly not going to get into the details of whether she outperformed her male colleagues. People should be paid equally for doing the same jobs, but that does not mean that two people, be they men or women, will be paid exactly the same at different levels, as there are different levels of experience. The fact is that, if somebody does not believe that they are receiving equal pay for gender reasons, under the Equality Act they can go to an employment tribunal.
Baroness Bakewell (Lab)
My Lords, I speak as a long-term employee of the BBC, which, I have to say, has taken a long time to obey this law. The BBC is not above the law. It is good at arguing a very complicated case, which in fact is very simple: people should be given equal pay for doing an equal job. The BBC will say, “Ah, yes, we need until 2020 to sort it out. It is very difficult”, but it is not very difficult. The BBC tries to feed off the difference between information and entertainment. Different entertainers receive entirely different fees. Graham Norton is not paid the same as Jonathan Ross, and Sandi Toksvig is not paid the same as Sue Perkins. They are entertainers, but journalists are something else. An absolute condition of their job is that they are efficient and able in the same sort of way. Four people called foreign editors in different zones of the globe are not identical. Who could claim that the reporter, Jon Sopel, who works out of Washington, has a more difficult job than Carrie Gracie, who works out of China? It may well be said that she has a tougher job trying to penetrate the news situation there than he has in Washington, which is abundant with news, leads, leaks and so on. Therefore, I invite the Minister not to be confused by the BBC’s strategy of, and skill in, confusing the issue, which is very straightforward: women want equal pay for equal work, and they have waited too long to get it.
I am very grateful for that instruction. I have listened to everything that the noble Baroness has said, particularly with reference to her experience of being paid by the BBC. Of course, the BBC has not totally disregarded the situation—it knows that we take it seriously. I remember that we spent a long time discussing pay transparency during the charter renewal process. The compromise position that was reached—that we should make the BBC publish all salaries above £150,000—was not straightforward, and I cannot say that the BBC particularly wanted to do it. However, we made it do that and, as a result, we are talking about these issues today, whereas it is unlikely that we would be doing so had we not done that. As a result, the BBC committed to publish its gender pay gap data earlier than was required under the law, it carried out an independent audit of pay for the majority of its staff, and it is undertaking a separate review of on-air presenters, editors and correspondents, which will come out soon.
My Lords, I very much support the stance that the women at the BBC are taking in demanding equal pay. I support also the fact that they have made it clear that they are not seeking pay increases, and are raising awareness of and concerns about high pay for some of the top presenters. Has my noble friend had the opportunity to reflect on the allegation in Carrie Gracie’s public letter at the weekend that the BBC often settles cases out of court—these are disputes about pay—and demands non-disclosure agreements? What is the Government’s view of the BBC, a public organisation, using NDAs?
That is a genuine issue to consider. These things have to be taken on a case-by-case basis, and there are times when non-disclosure agreements are right. However, the BBC has to remember that it is a mainly publicly funded organisation and has to set an example of how to treat male and female employees and all questions of diversity. We expect the BBC to do that and to be an example, and we will continue to make sure that it is.
(8 years, 4 months ago)
Lords Chamber
My Lords, I am not quaking in my boots when addressing an amendment from my noble friend, first, because he is a helpful man and, secondly, because I am getting quite used to it, to be quite honest, particularly after the Digital Economy Bill.
As we heard, my noble friend’s amendment would restrict the provision in the Bill that allows anti-doping bodies to process sensitive personal data without consent to just UK Anti-Doping. It would permit other bodies to process sensitive data only if allowed by the Secretary of State. This House agrees, I think, how important sport is and that it can only continue to be successful if it is, and is seen to be, clean. It should therefore come as no surprise when I say that the Government remain fully committed to combating doping and protecting the integrity of sport. We are at one with the noble Baroness, Lady Billingham, on that.
At the moment, a large number of organisations, both domestic and international, work to prevent and eliminate doping in sport in this country in accordance with agreed international standards. UKAD, as the UK’s national anti-doping organisation, plays a vital role. But we must recognise that other bodies, some of which have been mentioned, also have important roles to play, including in particular sports’ national governing bodies. The amendment would see UKAD as the only body with automatic responsibility for processing sensitive data for the purposes of preventing doping in the UK. Other bodies would have a role only if named by the Secretary of State.
I am not convinced that this is a positive change for a number of reasons. First, it is not immediately clear to me why such an amendment is needed. UKAD’s role, and that of other sporting bodies, is set out in the national anti-doping policy, and this arrangement is largely seen to be effective, not just here in the UK but internationally. But we can never be complacent, and that is why my honourable friend the Minister for Sport, Tracey Crouch, has already commissioned a review of UKAD. That review is looking closely at UKAD’s functions, efficiency and effectiveness and has consulted widely. The findings of this review will be published early next year and will inform the revision of the UK national anti-doping policy, which will also take account of the recently published review of the criminalisation of doping. As part of this policy revision process, the Government will consult all relevant stakeholders, and will no doubt welcome discussions with my noble friend Lord Moynihan.
In addition, the arrangement outlined in my noble friend’s amendment would appear to present a number of risks. As he mentioned, the World Anti-Doping Code and the UNESCO convention set a clear framework that allows major events organisers and international federations to conduct their own anti-doping activities. Their ability to test cannot, without risking a breach of the convention, be contingent on them having obtained prior authorisation by a national Government.
Sports bodies change regularly as new sports are recognised and new bodies gain funding and manage competitions. A new round of designations would be required every time a new sporting body came into being or organised competitions or an old body changed its name. Under the system proposed by my noble friend, even a short delay in doing so could allow a drugs cheat to escape sanction by challenging the validity of the data processing undertaken by a sports body weeks, months or even years prior. That is not least because the Secretary of State’s decision to designate a body would itself be subject to judicial review. This could turn a relatively straightforward process of designation into a lengthy process of review, consultation and litigation. Similarly, if international bodies wanted to hold competitions in this country, they would, on the face of it, need to be officially designated by the Secretary of State. In a competitive marketplace, this could discourage organisers of major events from bringing their events to the UK.
To summarise, the Government believe that my noble friend’s amendment will put the UK’s status as a leading destination for clean sport at risk. It will create uncertainty in the sporting world and will be out of step with the recognised international framework that is already in place. It is widely understood that UKAD is the recognised body in the UK with responsibility for enforcing anti-doping rules. But the Bill must not be used as a tool to limit interventions by internationally recognised sporting bodies, such as the England and Wales Cricket Board, the Football Association and the Rugby Football Union. They, like UKAD, should be allowed to set and enforce anti-doping rules in sports. The fact that these bodies are not governed entirely by UKAD’s rules does not make their need to process data without consent for anti-doping purposes any less important. We are clear on that, the World Anti-Doping Code is clear on that, and the bodies themselves are clear on that.
Indeed, I have a statement from four of our leading sports bodies: the Football Association, the Rugby Football Union, the England and Wales Cricket Board, and the British Horseracing Authority. They are not speaking with different voices. This is a joint quote, which they have authorised me to announce. They say:
“We welcome further discussion with all parties on this issue but do not believe that this Amendment, that has not been discussed with or subject to any consultation with our organisations, is the right way to proceed today”.
In answer to the noble Viscount, Lord Falkland, who asked about the horseracing authority, I am afraid he should direct his question to my noble friend Lord Moynihan, because it is his amendment that would change the current system. Therefore, while I understand the desire of my noble friend to assist in the fight against doping, which we all support, I do not believe that the Bill is the proper vehicle to achieve it; nor do I believe that my noble friend’s amendment would in fact achieve it.
Let me be clear: if my noble friend or the noble Lord, Lord Stevenson, want to keep talking about anti-doping in general, I am very happy to do so, as is my honourable friend the Minister for Sport; I have already said that. But the Government have spent a great deal of time working with UKAD and sports bodies to design paragraph 23 of Schedule 1, and I have heard nothing in the debates in Committee and today that would suggest that we should alter our view before the review of UKAD is complete. On that basis, I urge my noble friend to withdraw his amendment.
My Lords, I am grateful to all noble Lords who have contributed. I will respond to the Minister first. I was disappointed that he did not respond to the suggestion of the noble Lord, Lord Clement-Jones, which I also touched on, namely, that it was important, if at all possible, to take away this amendment and consider it in greater detail so that the Government could bring it back at Third Reading. The Government have decided not to do so, and in so doing they have argued the following points.
The first was that there has been inadequate consultation—for example, no discussion between the BHA and myself. If I may respond to the noble Viscount, Lord Falkland, I had a conference call with, I think, four BHA people last Friday to discuss in detail the consequences of the proposed amendment. It was a constructive and helpful discussion. It was very important to them that they did not come under the umbrella of UKAD, and they would not. Amendment 31 says very specifically that the references are,
“to be read as references to … UKAD … , its successor bodies or a body designated by the Secretary of State”.
They asked me whether that would be a cumbersome process, and I said, “Certainly not”. The Secretary of State could respond to a letter pretty much immediately by saying, “Continue the good work that you’re doing”. That would be absolutely fine under the amendments I have tabled to Schedule 1.
This would apply to any organising group that exercises authority in anti-doping in this country outside UKAD, which covers the wide majority. Indeed, UKAD can test any athlete in this country, if it so wishes, at any level of competition. But there are organisations which will operate outside UKAD, for example the international federations and the International Olympic Committee. The other organisations which the noble Lord mentioned operate within UKAD in any event. Organisations such as the Football Association and the Rugby Football Union have a relationship with it to continue its good work, not least because those are Olympic sports, so they are covered in any event by the phrase,
“a body designated by the Secretary of State”.
I want further to assist my noble friend the Minister by suggesting that, instead of simply leaving it at that, every single point that he made could be covered by the regulations that he is being asked to bring forward under the Bill. There would be no uncertainty; there would be complete clarity, and we would have the opportunity to address those points in detail prior to that secondary legislation coming forward.
Why was it important to amend a general catch-all clause on sport to deal with these issues? It was important so that the BHA knew its position and could continue the good work with minimum bureaucracy, simply by a letter recognising that it continues the good work. I have heard nobody—not from the Bill team, which I met, not the policy advisers from DCMS and not the BHA, which I had a long conference call with last Friday—mention that there is anybody who seeks to change the way in which the BHA does excellent work in this area. It would simply be recognised on the face of the secondary legislation and so it should be—
Does my noble friend not accept, then, that if the situation is exactly the same as now, he is proposing a new process which will possibly be subject to litigation and achieve exactly the same status that we have today?
First, there is no evidence whatever that it is subject to litigation. If the Secretary of State—
I am sorry to interrupt again. Of course there has not been any litigation because the system that my noble friend proposes has not been put in place.
But there are no grounds for litigation. If the BHA is doing good work in anti-doping then, in the context of this paragraph, all that is being done is for that to be recognised within the legislation and by the Secretary of State in designating the BHA to continue its good work. Who would wish to litigate on that? Nobody is changing any relationship between the BHA, and those who work within it, and the excellent anti-doping policy that it currently runs. I am sure the Government would not want to change that.
The reason why this should be on the face of the Bill and in the secondary legislation—the regulations—is that this is of serious importance. We are asking athletes to give up a lot of personal data, and we should protect them when giving up personal data. It is important and right for an anti-doping policy that they should do so, but its importance should be recognised and my noble friend the Minister did not even mention it in his response. It is about the data management.
I conclude by saying simply this, and I will happily give way to my noble friend the Minister. If he is prepared, as I hope he is, to follow the initiative of the noble Lord, Lord Clement-Jones, which I fully support, on improving the wording of the amendment, I stand absolutely ready to find consensus with all governing bodies, the Government, the Bill team and everybody else who is interested in the subject, including all Members of your Lordships’ House, in order to find an improved amendment. I think the amendment works perfectly satisfactorily, and I have just tried to explain that to my noble friend and the House, but I am sure it could be improved by further discussions. Is my noble friend the Minister willing to take it away and bring it back at Third Reading? If he is, I will happily give way.
I have to be very clear about what we are doing, particularly as this is the first group on our first day on Report. To be absolutely clear, I am not content to return to this issue at Third Reading of the Data Protection Bill because we have heard nothing that would suggest to us that paragraph 23 would benefit from further consideration at this time. I have to repeat that the wording on the face of the Bill was drawn up—this is a quote from the governing bodies that I mentioned—
“in close consultation with the sports governing bodies and the Sport and Recreation Alliance and we support the original wording as the right way forward”.
I hear what the Minister said. We have had many discussions with different members of governing bodies and others who have argued that this provision could be improved. Indeed, the noble Lord, Lord Stevenson, and I sat opposite UKAD and governing bodies last Monday, so what the right hand in some of these governing bodies is doing is clearly not what the left hand is doing. I think this amendment is a significant improvement that protects the rights of individual athletes. That is what we should be doing in this Bill because it is about data management. Regretfully, because I hoped that the Minister would take this away and come back with a consensus on something better, I wish to test the opinion of the House.
My Lords, I intend to be brief, but not because this is a minor matter—quite the reverse. This is one of the biggest concerns that we should have about how we engage through the public view on the issues that affect many of our citizens. I am talking particularly here about safeguarding, especially in relation to sport, although it also has wider concerns, wherever an adult has responsibility for a child.
The public concern has mostly focused on issues such as football and swimming in recent months and the last few years, but there are wider concerns that have been dealt with under various inquiries, and we await the results. The narrow issue relating to this Bill is that those individuals or bodies that have a protective function of safeguarding children or, indeed, vulnerable adults, and need to process sensitive data, even though they have no legal obligation to do it and have no statutory function may be an issue that the Government wish to return to. There is no doubt that UK Anti-Doping has the powers that are necessary in sports. But when members of the public and their children are not being sufficiently looked after, extra vigilance must be taken, and we must ensure that the Bill in no way affects that.
I have tabled this amendment, sent to us by a number of bodies involved in sport, but there are other groups outside the sporting area with interests here. The Government are currently discussing these issues and hoping to come to a conclusion shortly. On that basis, I hope that the Minister can give us some indication of the progress that has been made here and, if he can, some sense of the timescale in which the Government will act. I beg to move.
My Lords, I will be brief. Amendment 33 seeks to introduce a condition permitting the processing of special categories of personal data where it is necessary for the purposes of safeguarding children or vulnerable adults. The Government take the issue of safeguarding extremely seriously and recognise the need for the Bill to provide certainty to organisations with safeguarding responsibilities, so I thank the noble Lord, Lord Stevenson, for raising this issue.
Organisations in all sectors wish to ensure that they have a lawful basis when they process special categories of data for safeguarding purposes. In many—maybe even all—circumstances, organisations will be able to rely on existing conditions under the Bill: for example, where processing is necessary for the purposes of preventing or detecting unlawful acts or where the processing is necessary for the exercise of functions under legislation or under a rule of law. However, I recognise that there is an argument for having a specific safeguarding condition to put the issue beyond doubt.
This is an issue which requires careful consideration and noble Lords may be assured that my department is actively working across government and with stakeholders in the voluntary and private sectors to consider the issue. We must be mindful, for example, of the broader implications of defining safeguarding and vulnerability within data protection law. Inclusion of such definitions within the Bill could have unforeseen consequences for other legislation which uses the same, or similar, terminology. As such, I can assure noble Lords that the Government are sympathetic to the objective of this amendment. However, given the importance of this issue and the potential impacts both within and beyond data protection law, we are sure that further consideration is required before any amendment can be brought forward. I can assure noble Lords that we will continue to examine this issue urgently. While it will not be possible to conclude our consideration in time for Third Reading, I am confident of doing so in time for Committee stage in the Commons. On the understanding that we will return to the issue of safeguarding in the Commons, I hope that the noble Lord feels able to withdraw his amendment this evening.
I am grateful to the Minister for giving such a precise response to this, not only on the substance, recognising the issue and confirming that it needs to be put beyond doubt that the powers will exist, but giving us the assurance that this matter will be brought back in the Commons, which is wonderful. I beg leave to withdraw the amendment.
(8 years, 4 months ago)
Lords Chamber
My Lords, the amendment in my name, and that of my noble friend Lord Stevenson of Balmacara, would insert a new clause in the Bill that requires a data controller to notify both the Information Commissioner and the police if they are subject to a ransomware attack. Ransomware attacks involve hackers taking control of your information held on a computer and agreeing to release the information back to you only on the payment of a large sum of money. It is kidnapping not of a person but of information.
Apparently thousands of UK businesses have paid these ransom demands and do not bring these issues to the attention of the authorities for fear of damaging their reputation. This is a really serious issue, and one that we cannot allow not to be addressed. I find it shocking that companies are paying these ransom demands, effectively on the quiet. The amendment would make it a legal requirement to notify. It is only by being able to understand the scale of these attacks and understand what has happened—whether or not it is successful is irrelevant—that the authorities can undertake the important work of analysis needed to prevent these attacks happening in the future.
I would go further, and say that it is irresponsible of data controllers or their businesses and organisations not to come forward to notify the proper authorities. They are vulnerable and making the problem worse by hindering the efforts to tackle the problem. Not only are they at risk of whoever is behind the attack coming back for more money later—having paid the hacker, the person will be seen as an easy touch—they are exposing other people, businesses and organisations to this form of attack in the future. My amendment would require notification, and I look forward to a detailed response to the issues I have raised. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Kennedy, for his amendment on data protection breaches and ransomware attacks. The repercussions of such attacks are felt by everyone, whether or not they are a direct victim of the crime. It is estimated that in 2016 the cost of fraud and cybercrime in the UK was £193 billion, with the full social cost likely to be much higher. It is therefore essential that stringent measures are in place in legislation to ensure that cyberattacks and fraud are prevented, and any perpetrators found and stopped.
We, nevertheless, believe that Amendment 78A is unnecessary. Article 33 of the GDPR, referenced in the noble Lord’s amendment, requires the data controller to inform the Information Commissioner within 72 hours of all data breaches, including as a result of ransomware attacks. The controller is required to provide information of the likely consequences of the personal data breach, and to describe the measures taken or proposed by the controller to address the breach. There is one exception, given in Article 33, for breaches unlikely to result in a risk to data subjects, but that hardly seems relevant in cases where hackers have proven access to the data in question.
The GDPR does not require data controllers to report cyberattacks to the relevant police forces, for good reason. It is well understood that the Information Commissioner has the expertise and resources to take the appropriate and necessary action in the first instance, including, if she deems it appropriate, referrals to the police or to investigate and bring prosecutions herself under data protection law. I am also puzzled by the amendment’s intention to single out ransomware as the only form of cyberattack worth reporting to the police. A huge range of cyberattacks cause substantial distress and harm to individuals, such as insider attacks, attacks from third countries and other cybercrimes, such as malware and phishing. In addition, organisations can report cyberattacks or fraud to Action Fraud, which in turn ensures that the correct crime reporting procedures are followed. This organisation is overseen by the City of London Police, the national lead for economic crime, and we believe that it represents an effective and scalable structure. For the reasons I have stated, therefore, I would be grateful if the noble Lord would withdraw his amendment this evening.
I am happy to withdraw my amendment this evening. I wanted to raise the issue here. The Minister cited the figure of £193 billion lost through these and other forms of attacks—he went through a number of them—and this is a very serious matter. I hope that he is correct that companies are required to notify the Information Commissioner on the back of this legislation. This is very serious. I hope that he is correct that it is not necessary to go to the police—the sums of money that he mentioned are absolutely shocking. At one point, he said that the Information Commissioner can start prosecutions. That is fine, if we can find the people behind the crime and if they are in this country. If they are somewhere in lands far away, I wish him all the best, but I suspect that we will have some trouble in catching the perpetrators or bringing them to justice. My worry is that, because of reputational damage, companies will be reluctant to notify anyone about this stuff. It is very serious.
Can I just echo what the noble Lord says? We agree that it is serious, which is why we have set up the National Cyber Security Centre to help to protect public services online and why the Chancellor allocated nearly £2 billion for cybersecurity when he launched that centre.
It is very pleasing to hear that. I welcome that, but these are matters that we will have to keep under review. Unfortunately in this world, the people involved in this stuff are usually quite skilful and bright and can keep one step ahead of the law or the people trying to catch them. We should keep these matters under review but, unfortunately, they are not going to go away. My worry is that these crimes are committed many miles from these shores and catching the perpetrators is the problem. However, I am very happy at this stage to withdraw my amendment.
At the risk of making myself unpopular for one more minute, all I can say to my noble friend is: Humpty Dumpty.
At an earlier stage of the Bill I asked how we would interpret a particular provision when we were no longer tethered to the European Court of Justice. The response I received was that it would be interpreted in accordance with UK law at the time. If this amendment is agreed, it will be an extremely helpful contribution to UK law applying while taking into account the impact of the recitals.
My Lords, I cannot think of a better way to end our debate than with a discussion on recitals, which we have talked about a lot during the course of this Bill. I point out to both noble Lords that it was not only me who referred to recitals; they have both done so ad nauseam.
Sorry, I should have said “ad infinitum”—that is perfectly correct.
The Government do not dispute that recitals form an important part of the GDPR. As I said, we have all referred to one recital or another many times. There is nothing embarrassing or awkward about that. It is a fact of EU law that courts often require assistance in properly interpreting the articles of a directly applicable regulation—and we, as parliamentarians, need to follow that logic, too.
I would remind noble Lords that the Government have been clear that the European Union (Withdrawal) Bill will be used to deliver two things which are very important in this context. First, under Clause 3 of the withdrawal Bill, recitals of directly applicable regulations will be transferred into UK law at the same time as the articles are transferred. There is no risk of them somehow being cast adrift. Where legislation is converted under this clause, it is the text of the legislation itself which will form part of domestic legislation. This will include the full text of any EU instrument, including its recitals.
Secondly, Clause 6 of the withdrawal Bill ensures that recitals will continue to be interpreted as they were prior to the UK’s exit from the EU. They will, as before, be capable of casting light on the interpretation to be given to a legal rule, but they will not themselves have the status of a substantive legal rule. Clause 20(5) of this Bill ensures that whatever is true for the interpretation of the GDPR proper is also true for the applied GDPR.
More than 10,000 regulations are currently in force in the European Union. Some are more important than others but, however you look at it, there must be more than 100,000 recitals across the piece. The European Union (Withdrawal) Bill provides a consistent solution for every single one of them. It seems odd that we would want to use this Bill to highlight the status of 0.1% of them. Nor, as I say, is there a need to: Clause 20 already ensures that the applied GDPR will be interpreted consistently with the GDPR, which means that it will be interpreted in accordance with the GDPR’s recitals wherever relevant, both before and after exit.
There is one further risk that I must draw to the House’s attention. Recitals are not the only interpretive aid available to the courts. Other sources, such as case law or definitions of terms in other EU legislation, may also be valid depending on the circumstances. Clause 20(5) as drafted provides for all interpretive aids to the GDPR to apply to the applied GDPR. By singling out recitals the amendment could uniquely elevate their status in the context of the applied GDPR above any other similar aids. This, in turn, may cause the GDPR and applied GDPR to diverge.
The drafting of the noble Lord’s amendment is also rather perplexing. It seeks to affect only the interpretation of the applied GDPR. The applied GDPR is an important part of the Bill but it is relatively narrow in its application. I am not sure it has the importance that the noble Lord’s amendment seeks to attach to it. It is, at most, a template for what will follow post exit.
I will not stand here and say that the noble Lord’s amendment would be the end of the world. That would be disingenuous. However, it is unnecessary, it risks unintended consequences and it does not achieve what the noble Lord is, I think, attempting. For those reasons, I am afraid I am unable to support his amendment this evening and I ask him to withdraw it.
That is a very disappointing end to a rather splendid day. If you read Amendment 81 closely, it simply says “having regard to”, which is probably the weakest form of expression you can find in any legal circumstance. I am a bit surprised that the Minister could not come to a better conclusion than he did. In fact, we got a sort of Pepper v Hart-ish approach to it; we can rely on it but it is not as good as it would have been if we had agreed Amendment 81. I can say nothing more on this except that I am sure that we will return to this at some stage. I beg leave to withdraw the amendment.
(8 years, 4 months ago)
Lords Chamber
That the draft Regulations laid before the House on 1 November be approved.
Considered in Grand Committee on 6 December
(8 years, 4 months ago)
Lords Chamber
My Lords, it is with some degree of anticipation that I open the debate on the first day of Report on this Bill with amendments relating to the EU Charter of Fundamental Rights. While we have, in the great tradition of this House, managed to discuss and settle many of our differences over recent weeks while debating this legislation, it was this topic, concerning the charter, where we first found ourselves at odds, really since arguments at the other end of the Palace were sent here to tease us.
Since we last considered this matter, the European Union (Withdrawal) Bill has been making progress in the other place. On 21 November, there was an extensive debate on the future of the charter. My honourable friend the Minister of State for Justice and my honourable friend the Solicitor-General explained at length that the charter is not the original source of the rights contained within it; it was only intended to catalogue rights that already existed in EU law. Those rights, codified by the charter, came from a wide variety of sources, including the treaties, EU legislation and, indeed, case law, which recognised fundamental rights as general principles. All those substantive rights, of which the charter is a reflection not the source, will already be protected in domestic law by the European Union (Withdrawal) Bill. It is not necessary to retain the charter in order to protect such substantive rights.
Last week, on 5 December, the Government published a detailed memorandum setting out how each article of the charter will be reflected in UK law after we leave. That document explains in detail how the right to data protection is already reflected in our law. The Government are well aware of the economic benefit of ensuring that, once we have left the EU, we preserve the free flow of personal data with our main trading partners. Indeed, that is one of the guiding principles that underpins this legislation. On 7 August, when we published our statement of intent before we introduced this Bill, we set that out clearly, and we have repeated this time and again. Every amendment that noble Lords have proposed to this Bill has to be considered against that key test. Will it support or will it harm our arguments that we have wholly implemented the necessary data protection reforms to support the free flow of personal data?
There is no doubt in our minds that we have fully implemented the right to data protection in our law. No one has convincingly put forward any counter argument. None the less, our Amendment 1 is designed to provide additional reassurance on this point. Not only will it be clear in the substance of the legislation and all of the statements and announcements around the legislation; it will also be written into the Bill. This Bill exists to protect individuals with regard to the processing of personal data. Personal data must be processed lawfully. Individuals have rights, and the Information Commissioner will enforce those. The Bill does what it says on the tin.
My Lords, I turn first to the amendment of the noble Lord, Lord Stevenson. During the course of the Bill I met the noble Lord frequently, both formally and informally. When I met him two weeks ago he told me that he was working on his Amendment 2 and he had a look of foreboding about him. He said, “Wish me luck”. I had sympathy with his position—I almost felt sorry for him—because this is a legally and constitutionally complex area. Amendment 2 reads well—it sounds attractive and has seductive packaging—but when taken out of that packaging and slotted into this Bill it is not only ineffective but damaging. It is rather like pouring diesel into a petrol engine.
The amendment makes great play of creating a new and freestanding right. Unlike the government version it is not framed within the context of the Bill. It is a wider right. Indeed, it is far wider even than article 8 of the charter. It is not constrained to the context of EU law but applies to everything. It is attractive, perhaps, but it is seriously problematic.
How is the court to interpret this new right? If this was in the context of the Human Rights Act, there is a framework within which to operate, so if a court finds primary legislation to be incompatible with a convention right, it will make a declaration of incompatibility. The Human Rights Act sets out the effect of that finding on the validity, continuing operation and enforcement of the legislation. This simply would not exist if we were to agree Amendment 2, so the consequences of any finding would be unclear. That could create legal, regulatory and economic chaos.
How would data controllers operate if they could not tell whether the apparently incompatible legislation they were operating under was still effective or not and there was no mechanism to fill any gap? What if the courts found parts of the GDPR incompatible with this new super-right? Rather than enabling the free flow of data we could be crippling it. Further, how would the courts approach other legislation in light of this new right and how would they approach other rights? Could this new right be balanced against other rights, and if so, would it carry additional weight?
Apart from these legal problems, in our view Amendment 2 is simply unnecessary. The general principles of EU law will be retained when we leave the EU by the European Union (Withdrawal) Bill for the purposes of interpretation of retained EU law. The GDPR will be retained. Indeed, this Bill firmly entrenches it in our law. The right to protection of personal information is a general principle of EU law and has been recognised as such since the 1960s. The European Union (Withdrawal) Bill requires our courts to interpret the GDPR consistently with the general principle reflected in article 8, and with retained CJEU case law so far as it is possible to do so. In that context, the jurisprudence of the CJEU will continue to have influence in much the same way as the judgment of a court in Australia might have an influence on how common legal principles should be applied.
The amendment also refers to the status of judgments of the European Court of Human Rights. This is completely unnecessary and unwelcome. Section 2 of the Human Rights Act already requires our courts to take into account relevant judgments of the Strasbourg court. If we write this here, where else must we write it? We do not want to cast doubt on our absolute and total respect for human rights on any issue, not just data protection. The Government have reaffirmed and renewed our commitment to human rights law. It is reflected through UK national law as well as in a range of domestic legislation that implements our specific obligations under UN and other international treaties, from the convention against torture to the Convention on the Rights of the Child. Of course, the principal international treaty most relevant to the UK’s human rights laws is the European Convention on Human Rights. I am happy to repeat the commitment made by my fellow Ministers in recent months that the Government are committed to respecting and remaining a party to the ECHR. There will be no weakening of our human rights protections because we are leaving the EU.
All of these issues interlink. Article 6 of the Treaty on European Union makes clear that due regard must be had to the explanations of the charter when interpreting and applying it. The explanations for article 8 of the charter confirm that the right to data protection is based on the right to respect for private life in article 8 of the ECHR. The European Court of Human Rights has confirmed that article 8 of the ECHR encompasses personal data protection.
It is easy to conclude that we are spiralling in circles on this matter, and in a sense, we are. We believe that there is simply no problem here of any substance. The right to data protection is fully implemented in our law and it is fully enforceable. Government Amendment 1 makes it clear that this is the case. While Amendment 2 seeks to do the same it trips and falls, creating confusion rather than the clarity the noble Lord is after. So I hope that he will feel able to withdraw his amendment. I wish to press government Amendment 1. As the noble Lord, Lord Pannick, said, we are seeking to provide reassurance. I said at the beginning that we would remain open for discussions on this, and if we can provide any further reassurance, taking into account some of the four points made by the noble Lord, Lord Pannick, we will do so.
The noble Baroness, Lady Ludford, gave a long explanation of why adequacy is important and some of the extra issues that will be taken into account when we have to approach an adequacy decision from the EU, including for example areas of law which at the moment are not susceptible to EU jurisdiction, such as national security. I agree completely that that will be taken into account when we go for an adequacy arrangement. That is exactly why we have tried to apply the GDPR principles to all our laws, so that we have a complete and systematic data protection regime. On that basis, I accept the four questions asked by the noble Lord, Lord Pannick. We will consider those issues in the discussions.
I thank the Minister for his response. I was glad that he addressed the question of an adequacy assessment at the end of his remarks, but with respect, it is not enough—or adequate—to address an adequacy assessment only at the point of asking for it. We must lay the foundations now. I cannot see the point in storing up potential problems when we could solve the problem of the basis. We ought to do everything in that prism. We can have delightful legal discussions—it is important to get the law right—but this is also crucial to business. We have had so many representations on that point. I am sure that the Minister’s colleague, the Secretary of State for Digital, Culture, Media and Sport, is preoccupied with this question. Surely we need to front-load our response? We cannot wait until the UK applies for an adequacy assessment to be told, “Well, it’s a pity that you didn’t enshrine the principles and the essence of article 8 of the charter”. We have a chance to do that now and ensure a solid platform for requesting an adequacy assessment. I admit that I am puzzled as to why the Government would not want to do that; it is important for law enforcement as well. Why would we not want to solve that problem now, instead of finding later that we have entirely predictable problems as a result of not doing so?
I completely agree with the noble Baroness. We have applied the GDPR principles to areas such as defence, national security and the intelligence services in different parts of the Bill so that when we seek an adequacy arrangement, we can say to the EU that we have arranged a comprehensive data protection regime that takes all the GDPR principles into account, including areas that are not subject to EU law. That is why, contrary to what we said in Committee, we have taken the arguments on board and tabled government Amendment 1 to provide reassurance on that exact point. We originally said that the rights under article 8 were contained in the Bill, but we are now putting further reassurance in the Bill. Other areas of the Bill, without direct effect, signpost how the Bill should be regarded.
The noble Baroness supports the amendment but would like, I think, to create a free-standing right. I have explained why we do not agree with that. Before Third Reading, we will try to seek a form of words in our amendment that provides more reassurance, so that when it comes to seeking an adequacy decision—we cannot do that until we leave the EU—there will be no doubt about what this regime provides. That would be the best way to do it, I think.
Lord Pannick
Does the Minister also agree that a further answer to the points made by the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay of Clashfern, is that it is absolutely inevitable that the detailed provisions of the Bill will be, on occasion, the subject of dispute, uncertainty and litigation, and that it would be very helpful to have a statement of principle on what is intended at the commencement of the Bill? This would not be the first time that a Bill has done that. Everybody would then know what the principles were. Of course, the Minister still needs to consider before Third Reading what that statement should be, but that is the point, as I understand it, of government Amendment 1.
Why does the Minister feel it so necessary to push ahead with his amendment when it is quite clear that the best and most constructive way forward would be for both amendments not to be pressed to allow constructive discussion and resolution at Third Reading?
Government Amendment 1 provides a basis for the discussion that we will have before Third Reading. Of course, I accept that it could be amended at that stage.
As for the remarks of the noble Lord, Lord Pannick, I will have to read my noble friend Lord Faulks’s words. I was not entirely sure that he was as supportive as the noble Lord feels, but I may have misinterpreted him.
Lord Pannick
As I understand them, both the noble Lord, Lord Faulks, and the noble and learned Lord, Lord Mackay, doubt the need for any amendments of this sort. I am suggesting to the Minister that there is a real need for a statement of principle—that is all.
I thank the noble Lord. As I said in Committee, we too saw no need for this. The Government have moved because they are always listening and we hope that we can make this more acceptable. I will read what was said by the noble Lords, Lord Pannick and Lord McNally, and my noble friend Lord Faulks, but I would like to press my amendment so that we might have it as a basis for further discussion before Third Reading.
My Lords, the Minister has received quite a lot of comment from around the Chamber on this and I made it clear in my opening remarks that I thought the best solution was to have neither amendment. If we are to have a genuine discussion, it does not seem helpful to have in the Bill the wording which the Minister has alighted on at this stage in his conversion. It would be much better to start with a blank sheet and try to work to a common solution. I beg him to reconsider his view and withdraw his amendment; I will not press mine. We could then move to Third Reading with a clean slate.
My Lords, I understand what the noble Lord is saying. This amendment has been around the houses in government; it has had many people from many departments looking at it from top to bottom. The feeling of the Government at the moment is that it is better to have something on paper as a basis for discussion. I would like to press my amendment.
(8 years, 4 months ago)
Lords Chamber
My Lords, we have had a good discussion this evening about topics raised in Committee, where the strength of feeling and expertise displayed was highly instrumental in persuading Ministers to think again about the approach they were taking towards the regulatory process for children’s data being transferred into the internet. It shows that well-argued cases can get through even the most impervious armour put on by Ministers when they start battling on their Bills. I am delighted to see it.
The noble Lord, Lord Clement-Jones, commented on Amendment 117, tabled by the noble Earl, Lord Clancarty. I wondered why that amendment had been included in the group because it seemed to point in a different direction. It deals with data collected and used by the Government, having cleared what would presumably be the highest standards of propriety in relation to it. However, the story that emerged, endorsed by the noble Lord, Lord Clement-Jones, is shocking and I hope that the Minister will be able to help us chart a path through this issue. Several things seem to be going wrong. The issues were raised by my noble friend Lord Knight in Committee, but this amendment and the paperwork supplied with it give me a chill. The logic behind the amendment’s being in this group is that this is the end-product of the collection of children’s data—admittedly by others who are providing it for them in this case—and it shows the kinds of dangers that are about. I hope that point will be answered well by the Minister when he comes to respond.
I turn to the substantive amendment; it is an honour to have been invited to sign up to it. I have watched with admiration—as have many others—the skilful way in which the noble Baronesses, Lady Kidron and Lady Harding, and others have put together a case, then an argument and then evidence that has persuaded all of us that something can be done, should be done and now will be done to make sure that our children and grandchildren will have a safe environment in which they can explore and learn from the internet.
When historic moments such as this come along you do not often notice them. However, tonight we are laying down a complete change in the way in which individuals relate to the services that have now been provided on such a huge scale, as has been described. I welcome that—it is an important point—and we want to use it, savour it and build on it as we go forward.
I first sensed that we were on the right path here when I addressed an industry group of data-processing professionals recently. Although I wowed them with my knowledge of the automatic processing of data and biometric arguments—I even strayed into de-anonymisation, and got the word right as I spoke in my cups—they did not want anything to do with that: they only wanted to talk about what we were going to do to support the noble Baroness, Lady Kidron, and her amendments. When the operators in industry are picking up these debates and realising that this is something that they had always really wanted but did not know how to do—and now it is happening and they are supporting it all they can—we are in the right place.
The noble Baroness, Lady Harding, said something interesting about it being quite clear now that self-regulation does not work—she obviously has not read Adam Smith recently; I could have told her that she might have picked that up from earlier studies. She also said, to redeem herself, that good regulation has a chance to change behaviour and to inculcate a self-regulatory approach, where those who are regulated recognise the strength of the regulations coming forward and then use it to develop a proper approach to the issue and more. In that sense she is incredibly up to date. Your Lordships’ House discussed this only last week in a debate promoted by the noble Baroness, Lady Neville-Rolfe, on what good regulation meant and how it could be applied. We on these Benches are on all fours with her on this. It is exactly the way to go. Regulation for regulation’s sake does not work. Stripping away regulation because you think it is red tape does not work. Good regulation or even better regulation works, and that is where we want to go.
There are only three points I want to pick out of the contribution made by the noble Baroness, Lady Kidron, when she introduced the amendment. First, it is good that the problem we saw at the start of the process about how we were going to get this code applied to all children has been dealt with by the Government in taking on the amendment and bringing it back in a different way. As the noble Baroness admits, their knowledge and insight was instrumental in getting this in the Bill. I think that answers some of the questions that the noble Baroness, Lady Howe, was correctly asking. How do the recommendations and the derogation in the Bill reducing the age from 16 to 13 work in relation to the child? They do so because the amendment is framed in such a way that all children, however they access the internet, will be caught by it, and that is terrific.
The second point I want to make picks up on a concern also raised by the noble Baroness, Lady Harding. While we are probably not going to get a timescale today, the Bill sets a good end-stop for when the code is going to be implemented. However, one hopes that when the Minister comes to respond, he will be able to give us a little more hope than having to wait for 18 months. The amendment does say,
“as soon as reasonably practicable”,
but that is usually code for “not quite soon”. I hope that we will not have to wait too long for the code because it is really important. The noble Baroness, Lady Harding, pointed out that if the message goes out clearly and the descriptions of what we intend to do are right, the industry will want to move before then anyway.
Thirdly, I turn to the important question of how the code will be put into force in such a way that it makes sure that those who do not follow it will be at risk. Yes, there will be fines, and I hope that the Minister is able to confirm what the noble Baroness asked him when introducing her amendment. I would also like to pick up the point about the need to ensure that we encourage the Government to think again about the derogation of article 82. I notice in a document recently distributed by the Information Commissioner that she is concerned about this, particularly in relation to vulnerable people and children, who might not be expected to know whether and how they can exercise their rights under data protection law. It is clear that very young people will not be able to do that. If they cannot or do not understand the situation they are in, how is enforcement going to take place? Surely the right thing to do is to make sure that the bodies which have been working with the noble Baroness, Lady Kidron, which know and understand the issues at stake here, are able to raise what are known as super complaint-type procedures on behalf of the many children to whom damage might be being done but who do not have a way of exercising their rights.
If we can have a response to that when we come to it later in the Bill, and in the interim get answers to some of the questions I have set out, we will be at the historic moment of being able to bless on its way a fantastic approach to how those who are the most vulnerable but who often get so much out of the internet can be protected. I am delighted to be able to support the amendment.
My Lords, first, like other noble Lords, I pay tribute to the noble Baroness, Lady Kidron, for her months—indeed, years—of work to ensure that the rights and safety of children are protected online. I commend her efforts to ensure that the Bill properly secures those rights. She has convinced us that it is absolutely right that children deserve their own protections in the Bill. The Government agree that these amendments do just that for the processing of a child’s personal data.
Amendment 109 would require the Information Commissioner to produce a code of practice on age-appropriate design of online services. The code will carry the force of statutory guidance and set out the standards expected of data controllers to comply with the principles and obligations on data processors as set out by the GDPR and the Bill. I am happy to undertake that the Secretary of State will work in close consultation with the Information Commissioner and the noble Baroness, Lady Kidron, to ensure that this code is robust, practical and, most importantly, meets the development needs of children in relation to the gathering, sharing, storing and commoditising of their data. I have also taken on board the recommendations of the noble Lord, Lord Clement-Jones, on the internet safety strategy. We have work to do on that and I will take his views back to the department.
The Government will support the code by providing the Information Commissioner with a list of minimum standards to be taken into account when designing it. These are similar to the standards proposed by the noble Baroness in Committee. They include default privacy settings, data minimisation standards, the presentation and language of terms and conditions and privacy notices, uses of geolocation technology, automated and semi-automated profiling, transparency of paid-for activity such as product placement and marketing, the sharing and resale of data, the strategies used to encourage extended user engagement, user reporting and resolution processes and systems, the ability to understand and activate a child’s right to erasure, rectification and restriction, the ability to access advice from independent, specialist advocates on all data rights, and any other aspect of design that the commissioner considers relevant.
I may have to add later to what I have said, which I think the Minister will find totally unpalatable. I will try to move on.
The Minister also said:
“You are concerned that if consent is not a genuine option in these situations and there are no specific processing conditions in the Bill to cover this on grounds of substantial public interest. Processing in these circumstances would be unlawful. To make their consent GDPR compliant, an employer or school must provide a reasonable alternative that achieves the same ends, for example, offering ‘manual’ entry by way of a reception desk”.
Consent is rarely valid in an employment context. If an employer believes that certain premises require higher levels of security, and that biometric access controls are a necessary and proportionate solution, it cannot be optional with alternative mechanisms that are less secure, as that undermines the security reasons for needing the higher levels of security in the first place: for example, where an employer secures a specific office or where the staff are working on highly sensitive or confidential matters, or where the employer secures a specific room in an office, such as a server room, where only a small number of people can have access and the access needs to be more secure.
Biometrics are unique to each person. A pass card can easily be lost or passed to someone else. It is not feasible or practical to insist that organisations employ extra staff for each secure office or secure room to act as security guards to manually let people in.
The Minister further stated:
“You also queried whether researchers involved in improving the reliability of ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. Article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing that appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards of clause 18 of the Bill. For the purposes of GDPR, ‘scientific research’ has a broad meaning. When taken together with the obvious possibility of consent-based research, we are confident that the Bill allows for the general type of testing you have described”.
It is good to hear that the Government interpret the research provisions as being broad enough to accommodate the research and development described. However, for organisations to use these provisions with confidence, they need to know whether the ICO and courts will take the same broad view.
There are other amendments which would broaden the understanding of the research definition, which no doubt the Minister will speak to and which the Government could support to leave no room for doubt for organisations. However, it is inaccurate to assume that all R&D will be consent based; in fact, very little of it will be. Given the need for consent to be a genuine choice to be valid, organisations can rarely rely on this as they need a minimum amount of reliable data for R&D that presents a representative sample for whatever they are doing. That is undermined by allowing individuals to opt in and out whenever they choose. In particular, for machine learning and AI, there is a danger of discrimination and bias if R&D has incomplete datasets and data that does not accurately represent the population. There have already been cases of poor facial recognition programmes in other parts of the world that do not recognise certain races because the input data did not contain sufficient samples of that particular ethnicity with which to train the model.
This is even more the case where the biometric data for research and development is for the purpose of improving systems to improve security. Those employing security and fraud prevention measures have constantly to evaluate and improve their systems to stay one step ahead of those with malicious intent. The data required for this needs to be guaranteed and not left to chance by allowing individuals to choose. The research and development to improve the system is an integral aspect of providing the system in the first place.
I hope that the Minister recognises some of those statements that he made in his letter and will be able, at least to some degree, to respond to the points that I have made. There has been some toing and froing, so I think that he is pretty well aware of the points being raised. Even if he cannot accept these amendments, I hope that he can at least indicate that biometrics is the subject of live attention within his department and that work will be ongoing to find a solution to some of the issues that I have raised. I beg to move.
My Lords, I wonder whether I might use this opportunity to ask a very short question regarding the definition of biometric data and, in doing so, support my noble friend. The definition in Clause 188 is the same as in the GDPR and includes reference to “behavioural characteristics”. It states that,
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data”.
Well:
“There’s no art
To find the mind’s construction in the face”.
How do behavioural characteristics work in this context? The Minister may not want to reply to that now, but I would be grateful for an answer at some point.
My Lords, I thank the noble Lord, Lord Clement-Jones, for engaging constructively on this subject since we discussed it in Committee. I know that he is keen for data controllers to have clarity on the circumstances in which the processing of biometric data would be lawful. I recognise that the points he makes are of the moment: my department is aware of these issues and will keep an eye on them, even though we do not want to accept his amendments today.
To reiterate some of the points I made in my letter so generously quoted by the noble Lord, the GDPR regards biometric data as a “special category” of data due to its sensitivity. In order to process such data, a data controller must satisfy a processing condition in Article 9 of the GDPR. The most straightforward route to ensure that processing of such data is lawful is to seek the explicit consent of the data subject. However, the GDPR acknowledges that there might be occasions where consent is not possible. Schedule 1 to the Bill makes provision for a range of issues of substantial public interest: for example, paragraph 8, which permits processing such as the prevention or detection of an unlawful act. My letter to noble Lords following day two in Committee went into more detail on this point.
The noble Lord covered much of what I am going to say about businesses such as banks making use of biometric identification verification mechanisms. Generally speaking, such mechanisms are offered as an alternative to more conventional forms of access, such as use of passwords, and service providers should have no difficulty in seeking the data subject’s free and informed consent, but I take the point that obtaining proper, GDPR-compliant consent is more difficult when, for example, the controller is the data subject’s employer. I have considered this issue carefully following our discussion in Committee, but I remain of the view that there is not yet a compelling case to add new exemptions for controllers who wish to process sensitive biometric data without the consent of data subjects. The Bill and the GDPR make consent pre-eminent wherever possible. If that means employers who wish to install biometric systems have to ensure that they also offer a reasonable alternative to those who do not want their biometric data to be held on file, then so be it.
There is legislative precedent for this principle. Section 26 of the Protection of Freedoms Act 2012 requires state schools to seek parental consent before processing biometric data and to provide a reasonable alternative mechanism if consent is not given or is withdrawn. I might refer the noble Lord to any number of speeches given by members of his own party—the noble Baroness, Lady Hamwee, for example—on the importance of those provisions. After all, imposing a legislative requirement for consent was a 2010 Liberal Democrat manifesto commitment. The GDPR merely extends that principle to bodies other than schools. The noble Lord might respond that his amendment’s proposed subsection (1) is intended to permit processing only in a tight set of circumstances where processing of biometric data is undertaken out of necessity. To which I would ask: when is it genuinely necessary to secure premises or authenticate individuals using biometrics, rather than just cheaper or more convenient?
We also have very significant concerns with the noble Lord’s subsections (4) and (5), which seek to drive a coach and horses through fundamental provisions of the GDPR—purpose limitation and storage limitation, in particular. The GDPR does not in fact allow member states to derogate from article 5(1)(e), so subsection (5) would represent a clear breach of European law.
For completeness, I should also mention concerns raised about whether researchers involved in improving the reliability of ID verification mechanisms would be permitted to carry on their work under the GDPR and the Bill. I reassure noble Lords, as I did in Committee, that article 89(1) of the GDPR provides that processing of special categories of data is permitted for scientific research purposes, providing appropriate technical and organisational safeguards are put in place to keep the data safe. Article 89(1) is supplemented by the safeguards in Clause 18 of the Bill. Whatever your opinion of recitals and their ultimate resting place, recital 159 is clear that the term “scientific research” should be interpreted,
“in a broad manner including for example technological development and demonstration”.
This is a fast-moving area where the use of such technology is likely to increase over the next few years, so I take the point of the noble Lord, Lord Clement-Jones, that this is an area that needs to be watched. That is partly why Clause 9(6) provides a delegated power to add further processing conditions in the substantial public interest if new technologies, or applications of existing technologies, emerge. That would allow us to make any changes that are needed in the future, following further consultation with the parties that are likely to be affected by the proposals, both data controllers and, importantly, data subjects whose sensitive personal data is at stake. For those reasons, I hope the noble Lord is persuaded that there are good reasons for not proceeding with his amendment at the moment.
The noble Baroness, Lady Hamwee, asked about behavioural issues. I had hoped that I might get some inspiration, but I fear I have not, so I will get back to her and explain all about behavioural characteristics.
My Lords, I realise that, ahead of the dinner break business, the House is agog at details of the Data Protection Bill, so I will not prolong the matter. The Minister said that things are fast-moving, but I do not think the Government are moving at the pace of the slowest in the convoy on this issue. We are already here. The Minister says it is right that we should have alternatives, but for a lab that wants facial recognition techniques, having alternatives is just not practical. The Government are going to have to rethink this, particularly in the employment area. As more and more banks require it as part of their identification techniques, it will become of great importance.
We are just around the corner from these things, so I urge the Minister, during the passage of the Bill, to look again at whether there are at least some obvious issues that could be dealt with. I accept that some areas may be equivocal at this point, only we are not really talking about the future but the present. I understand what the Minister says and I will read his remarks very carefully, as no doubt will the industry that increasingly uses and wants to use biometrics. In the meantime, I beg leave to withdraw the amendment.
(8 years, 4 months ago)
Lords Chamber
My Lords, in Committee the noble Earl, Lord Kinnoull—I am very grateful to him for his help and that of the industry bodies that I have now met—told us that the language in the Bill enabling the processing of sensitive data relating to employment might be interpreted more narrowly than the similar wording in paragraph 2 of Schedule 3 to the Data Protection Act 1998. This was never the Government’s intention and I thank the noble Earl and the noble Lord, Lord Clement-Jones, for bringing the issue to the Government’s attention. Amendments 11 and 12 address these concerns by reverting to the wording used in the 1998 Act, thereby removing any doubts as to their proper interpretation. I will sit down and wait for the noble Earl to propose his amendments and reply to them after. I beg to move.
My Lords, I am very grateful to the Minister for that news on those government amendments. It is very helpful and will prevent a lot of insurers having to redo their administrative systems. I shall speak to Amendments 25 and 26, which are another pair of insurance amendments. I declare my interests as set out in the register of the House, in particular those in respect of the insurance industry.
I thank the noble Lord, Lord Clement-Jones, who has been very helpful. He brings great clarity at all times of day to our discussions. Although he is the chairman of the Artificial Intelligence Select Committee, his intelligence is far from artificial and is most helpful. Also, I see the Bill team over there. They have been excellent. Given the amount of fire coming in they are very calm, collected and user-friendly. I thank them for everything they have done so far on the Bill.
The Lloyd’s Market Association, the British Insurance Brokers’ Association and the Association of British Insurers, among other insurance associations, have helped in the preparation of some of these remarks. The insurance industry is trying to deliver products in the public interest. Indeed, some major classes of insurance, such as motor insurance and employers’ liability insurance, are compulsory. There is a long list of other insurances that are quasi-compulsory. For instance, one cannot get a mortgage without buying household insurance. It is greatly to society’s benefit that a wide choice of good products is available at a reasonable price.
My Lords, I welcome government Amendments 11 and 12. As we have heard, they address some of the concerns that were raised in Committee. The Government have said that they never intended to have a narrow interpretation and they have put back the words of the 1998 Act, which is very welcome. As was said earlier, the noble Earl, Lord Kinnoull, has laid out in great detail the issues addressed in his Amendments 25 and 26. He makes a very important and clear case and raised some important issues. I hope that the noble Lord, Lord Ashton of Hyde, will respond to those. I certainly think that there is a case for bringing these things back at Third Reading to address the points the noble Earl has raised.
My Lords, I am grateful to everyone who has spoken in this debate. As we have just heard, Amendment 25 would replace the existing processing conditions:
“Insurance and data concerning health of relatives of insured person”,
and:
“Third party data processing insurance policies and insurance on the life of another”,
with a broader insurance processing condition. Amendment 26 would require the Information Commissioner to produce sector-specific guidance for the insurance sector. These processing conditions are made under article 9(2)(g), the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited by the need to meet this substantial public interest test. We are also required to provide appropriate safeguards for data subjects.
The Government recognise the importance of insurance products, in particular compulsory classes and the protection afforded by third-party liability. As the noble Earl mentioned, engagement between the insurance sector and government officials has continued since this matter was discussed in Committee and, indeed, since I met him and representatives of the insurance industry after Committee. There is still some work to do on the precise drafting of the relevant provisions, but I am grateful for the opportunity to place on record the Government’s intention to table an amendment addressing this issue at Third Reading, if we can finalise the drafting in time and the House is content for us to do so. At the moment I am not aware of any insuperable problems in that regard, but noble Lords will recognise that this is a complex issue and one that we want to get absolutely right.
As for the Information Commissioner producing sector-specific guidance, as proposed by Amendment 26, I will certainly take that back and pass it on to the department. With that reinsurance, or rather reassurance—“reinsurance” was a bit of a Freudian slip there—I respectfully invite the noble Earl not to move his amendments this evening. I beg to move.
My Lords, I add my voice in support of the noble Baroness’s amendment and wish it well. I suspect she has run into the logjam that constitutes the waiting list to see the Bill team and the Ministers, who have been worked so hard in the last few months. But I hope it will be possible, given that there is a bit of time now before Third Reading, for this matter to be resolved quickly and expeditiously before then.
My noble friend Lady Neville-Jones explained in Committee that Unique plays a hugely important role in providing advice and support to sufferers of rare chromosomal disorders and their carers. Some of these charities have large databases dating back many years, so we understand their desire to maintain these when the GDPR comes into force without necessarily obtaining fresh consent to GDPR standards for each data subject included on the database. When families are providing support to their loved ones, some of whom may need round-the-clock care, filling in a new consent form may not be high on their agenda.
However, they may still value the support and services that patient support groups provide and would be concerned if they were removed from the charities’ databases. If charities such as Unique had to stop processing or delete records because consent could not be obtained, they worry that this would impede the work they do to put patients and their families in touch with others suffering from rare genetic conditions, help clinicians to deliver diagnoses and facilitate research projects. We recognise that this could be particularly damaging when there is barely any knowledge of the condition other than what they may hold on their database.
Let me be clear: if there is a grey area in the Bill that puts this work at risk, the Government are fully prepared to amend it. Legislating in this area is not straightforward and I am keen that the policy and legal teams in the department are able to continue with the constructive discussions they have been having with Unique and the UK Genetic Alliance to ensure that the legislation adequately covers the specific processing activities they are concerned about, while providing adequate safeguards for data subjects. I assure noble Lords that we will use our best endeavours to work on this legislative solution as quickly as possible. If it is not ready by Third Reading, and I am afraid I cannot promise it will be, the Government will endeavour to introduce any necessary provisions at the next possible amending stage of the Bill. I will of course ensure that my noble friend gets the credit she deserves for her persistent efforts on this subject when that time comes.
Government Amendments 72 to 77 are the products of detailed discussion with the noble Lord, Lord Patel, the noble Baroness, Lady Manningham-Buller, and representatives of the Wellcome Trust. I thank them very much for those constructive and helpful discussions. In Committee we discussed the operation of the safeguards in Clause 18 and the potentially damaging impact they would have on pioneering medical research. As I explained at the time, it was never the Government’s intention to undermine such important work, so it is with great pleasure that I table these amendments today.
Noble Lords will recall that the greatest concern stemmed from the safeguard in what is currently Clause 18(2)(a). That paragraph was designed to prevent researchers using personal data to make measures and decisions in respect of particular data subjects but, as the noble Lord explained, there are certain types of medical research where this is inevitable. In the context of a clinical trial, for example, a data subject might willingly agree to participate, but in the course of the trial researchers might need to make decisions about whether the treatment should continue or stop, with respect to some or all data subjects. Government Amendment 77 addresses this concern by making it clear that the safeguard is automatically met where processing is necessary for the purposes of approved medical research. Approved medical research is defined in the new clause and includes, for example, research approved by an ethics committee established by the Health Research Authority or relevant NHS body. Importantly, the new clause also contains an order-making power so that the definition of approved research can be kept up to date.
My Lords, I am very glad that the noble Lord is keeping this on the agenda. I had a note to ask what was happening about the meeting to which lots of people were invited at the previous stage. I do not believe that we have heard anything about it. This is not a whinge but a suggestion that it is important to discuss this very widely.
I find this paragraph in Schedule 1 very difficult. One of the criteria is that the processing is necessary for the purposes of political activities. I honestly find that really hard to understand. Necessary clearly means more than desirable, but you can campaign, which is one of the activities, without processing personal data. What does this mean in practice? I have a list of questions, by no means exhaustive, one of which comes from outside, asking what is meant by political opinion. That is not voting intention. Political opinion could mean a number of things across quite a wide spectrum. We heard at the previous stage that the Electoral Commission had not been involved in this, and a number of noble Lords urged that it should be. It did not respond when asked initially, but that does not mean it should be kept out of the picture altogether. After all, it will have to respond to quite a lot of what goes on. It might not be completely its bag, but it is certainly not a long way from it.
We support pinning down the detail of this. I do not actually agree with the noble Lord’s amendment as drafted, but I thank him for finding a mechanism to raise the issue again.
I am grateful to the noble Lord, Lord Kennedy, for raising this issue, and to the noble Baroness for her comments. These issues are vital to our system of government, and we agree with that.
Amendment 27 seeks to expand the umbrella term “political activities” to include any additional activities determined to be appropriate by the Electoral Commission. Noble Lords will agree that engaging and interacting with the electorate is crucial in a democratic society, and we must therefore ensure that all activity to facilitate this is done in a lawful manner. Although paragraph 18(4) includes campaigning, fundraising, political surveys and case work as illustrative examples of political activities, it should not be taken to represent an exhaustive list.
Noble Lords will be aware that the Electoral Commission’s main areas of expertise concern the regulation of political funding and spending, and we are of the opinion that much, if not all, of the activities they regulate will be captured under the heading “political activity”. As I have just set out, fundraising is included as an illustrative example, which ought to provide some reassurance on this point. Moreover, the greater the number of activities denoted by the Electoral Commission, the less likely it is that any other activity would be considered by a court to be a political activity by dint of its omission. The commission, a body which as far as I am aware claims no expertise in data protection matters, would find itself in an endless spiral of denoting new activities as being permissible under the GDPR. Nevertheless, in recognition of the importance of such processing to the democratic process, the Government are continuing to consider the broader issues at stake and may well return to them in the second House. In this vein, the noble Lord made a number of good points, and I look forward to meeting him with the Minister for Digital, my right honourable friend Matt Hancock, on Thursday this week to discuss the matter in more detail than the parameters of this debate allow. We will see what the noble Lord feels about the timing of that after the meeting.
As for the noble Baroness, Lady Hamwee, we talked about having bigger meetings, and I am sure the time will come. This is just a preliminary meeting to decide on timings and to give the noble Lord, Lord Kennedy, the chance to discuss this with the Minister for Digital. I envisage that further meetings will include the noble Baroness.
I appreciate the sentiment behind the noble Lord’s amendment. In the light of our forthcoming discussions, I hope he feels able to withdraw it.
I thank the Minister for his response. I tabled the amendment to keep the issue live and to illustrate the problem we have here. In his response, he talked about the responsibilities of the commission and data protection responsibilities and how they may conflict, belonging to different bodies. That begins to highlight the problem that we potentially have here. You could have different regulators trying to enforce different bits of legislation, all on the statute book at the same time and equally legitimate. We have got a real problem here.
I look forward to the meeting on Thursday. It is very important that we have a meeting after that, though, with a much wider group of people from different parties and campaigns. It is a genuine problem that affects every political party represented in this House and the other place and those that are not in either House. There is no advantage here—it is a question of getting a procedure in place that allows political parties to campaign and do their job properly and fairly. Equally, it protects the volunteers so that they understand what they can and cannot do so that they do not unintentionally get themselves in difficulty. I look forward to the meeting, but there are one or two things to sort out before then. I hope that it can get done by Thursday but, if it cannot, we have the other place. But it would be much better to sort it out at this end rather than the other end. I beg leave to withdraw the amendment.