Youth Orchestras
Lord Ashton of Hyde Excerpts(8 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Storey (LD)
My Lords, on behalf of my noble friend Lady Bonham-Carter of Yarnbury, and at her request, I beg leave to ask the Question standing in her name on the Order Paper.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, the Government support a number of national young music organisations, including the national youth music orchestra, with over £1 million of public funding a year confirmed until 2020. These organisations undertook at least 125 performances across the country in 2016-17. The Government remain committed to supporting our orchestras and classical music organisations across the country and at all scales. Music, as well as art and design, is a compulsory subject in the national curriculum for five to 14 year-olds.
Lord Storey
I thank the Minister for his reply and the importance the Government attach to these orchestras. Will the Minister give the House an assurance that, if we were to leave the EU, the finance given to youth orchestras and to other cultural institutions, for example for touring, will continue?
Lord Ashton of Hyde
I can confirm that, when we leave the EU, the existing amounts that we spend on British youth orchestras will continue. For example, the total Arts Council investment, which includes music, has been guaranteed until 2020.
Lord Howell of Guildford (Con)
My Lords, one answer to the noble Baroness’s concern is the Commonwealth Youth Orchestra, which I think the Government currently support, and I hope they will continue to do so strongly.
Baroness McIntosh of Hudnall (Lab)
I am sure the Minister is aware that youth orchestras in this country, and indeed elsewhere, perform to an extremely high standard, and that the young people who participate put in hours and hours of work although not all—fewer than half of them—actually anticipate having a career as a professional musician. What we need in order to keep those standards up is a good supply of young people who have the skills to take part. What proportion of children and young people in the maintained sector have affordable access to music tuition for long enough to bed in the skills that they need to perform to that standard?
Lord Ashton of Hyde
I cannot give exactly the proportions that the noble Baroness has asked for. I can say that we have music education hubs, which were established after the Henley review into music education in 2011. There are 120 music education hubs in place, and they are funded by the Department for Education and overseen by Arts Council England. They create joined-up, high-quality music opportunities for all children and young people in and out of school, and the Government spend £75 million a year on this.
Baroness Finlay of Llandaff (CB)
My Lords, I declare my interest as patron of the South Glamorgan Youth Orchestra, now the Cardiff County and Vale of Glamorgan Youth Orchestra. Do the Government recognise the importance of music in intellectual development, with a crossover into the sciences and mathematical skills, and therefore that it is very important to have feeder orchestras from junior schools, school transition and so on finally feeding into youth orchestras? Some children do not achieve that but they achieve the intellectual development necessary to underpin our national development of skills.
Lord Ashton of Hyde
I agree with the noble Baroness. I think we realise that music has particular relevance to mathematics and science. That is why music is a compulsory subject in the national curriculum and why we continue to invest in music in our schools.
Baroness Smith of Basildon (Lab)
My Lords, this takes me back to my trumpet-playing days at school, which I will not inflict on your Lordships’ House. The Minister has heard from across the House great pride in our youth orchestras. Not only is our cultural and social life enriched by them but the economic life of the country gains. I have heard the Minister talk about the funding for youth orchestras, but do the notes in his folder tell him that since 2010 this Government have taken £48 million away from the arts councils that support them? I accept that he understands the importance of this. Does he not therefore think it is time to ensure that every primary school in the country has money available so that they can enhance the cultural life of all pupils?
Lord Ashton of Hyde
I am tempted to bring my trumpet in to have a duet with the noble Baroness, but I am sure she is better at it than I am. I have said that we agree that art and music are important, which is why they are part of the national curriculum. Arts Council England has increased funding for music since 2014-15, so in the difficult choices that have had to be made we think we have sustained our support for the arts. We recognise that the arts, including music, are important as part of an overall education.
Lord Lexden (Con)
What reassurance can the Government offer the National Youth String Orchestra, of which I am patron, whose concerns over things like insurance cover and the movement of musical instruments across borders after Brexit have led it to consider abandoning its customary European tours?
Lord Ashton of Hyde
I think the orchestra should check with its insurance broker because I am not sure whether that is a critical factor for travelling orchestras. Much more important is the visa requirements that will be needed after Brexit, and we are working hard with the Home Office to ensure that they are acceptable. The other measure that we are taking is the orchestra tax relief, which allows orchestras to travel.
The Earl of Clancarty (CB)
My Lords, is the Minister concerned at the continuing fall in income from the National Lottery—the lottery benefiting youth orchestras alongside other areas of the art—and, if so, what measures might be taken to reverse this trend?
Lord Ashton of Hyde
The noble Earl is a doughty champion of the arts, for which I pay tribute to him. Of course we are concerned that lottery receipts are reducing. I believe work is under way to look at that. I do not have the information to hand but the Minister responsible in my department is looking at it very closely.
Video Games: Domestic Violence and Child Abuse
Lord Ashton of Hyde Excerpts(8 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Storey
To ask Her Majesty’s Government what action they are taking to restrict the sale of video games featuring domestic violence and child abuse.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, under the Video Recordings Act, games on physical media are referred to the Video Standards Council for classification if they contain content unsuitable for children. Anyone supplying a game rated 12, 16 or 18 under the Pan-European Game Information age-rating system to someone below the appropriate age risks a fine or jail sentence. The Video Standards Council can refuse to certify a game containing material that is illegal or that it considers would cause harm to players.
Lord Storey (LD)
I thank the Minister for his reply. I am sure that he would agree with Andy Burrows from the NSPCC, who said:
“Any video game that trivialises or normalises child abuse, neglect or domestic violence for entertainment is unacceptable”.
The Video Standards Council, which took over from the British Board of Film Classification, is more like a trade organisation than a regulatory body and uses a very light-touch approach to classifying video games, which does not meet the concerns of parents. In fact, none has been made unavailable or removed from the shelves. Will he consider strengthening how we deal with young people—children—and video games?
Lord Ashton of Hyde
The noble Lord is absolutely correct to say that, at the moment, the council has not effectively banned any video game, but its members are the professionals, set up to do the job under the Act. They were the people who Parliament decided were correct to do this and have access to expert advice, including psychologists and legal advice. The video games industry knows that the council can effectively ban a video game if it is unsuitable. However, I take the point that these things need looking at occasionally, and part of the internet safety strategy deals directly with video games. We are asking questions about that to see whether anything further needs to be done.
Lord Laming (CB)
Does the Minister agree that we should never allow anything to give the impression that either domestic violence or the abuse of children is normal or acceptable behaviour? This issue needs to be taken very seriously indeed.
Lord Ashton of Hyde
I do agree, as any sensible and rational person would. That is why we are looking at child safety in the round, particularly online, which is the new area, and will consider further things that need to be done.
Baroness Howe of Idlicote (CB)
My Lords, does the Minister agree that because of amendments introduced in your Lordships’ House to the Digital Economy Bill in March, it will now be perfectly possible for adults using the internet to access very realistic animated computer-generated images of child sex abuse and pornographic violence against women? Does he further agree that it was a terrible mistake to introduce this different enforcement standard online from that which applies offline, and will he undertake to introduce urgent legislation to address this error?
Lord Ashton of Hyde
I took the Digital Economy Bill through this House so I cannot agree with the first part of the noble Baroness’s question. These things that are beyond the pale in many ways were available on the internet before and have nothing to do with what is now the Digital Economy Act. We are looking at ways to make this country the best place to be safe online and we will continue to do that.
Lord Cormack (Con)
My Lords, why is there any equivocation here? Cannot my noble friend accept that the logical consequence of what every noble Lord has said this afternoon—and what he himself has said—is that these things should be banned, full stop?
Lord Ashton of Hyde
That is why we set up an independent body. That is better than giving me or any other Minister the power of censorship over these things.
Baroness Smith of Basildon (Lab)
My Lords, I think the noble Lord is really missing the point here. He says there is an independent body set up to do this, but the fact is that it is not doing it. It is all very well having a body to do it, and having rules, regulations and legislation, but if they are not acted upon there is a serious problem. He has said several times that it needs looking at and that something needs to be done. May I press him to take this away and, on the specific issue of violence in video games, to come back to this House with a report of what can be done, and how the Government can take some responsibility for this and not leave it to an independent body that is clearly not doing its job?
Lord Ashton of Hyde
I do not agree with the noble Baroness and I see no evidence that this body is not doing its job. It classified the age for 146 out of 498 video games in 2016 as 18, meaning that only adults should be allowed to watch them and that it is a criminal offence to allow other people below that age to do so.
Lord Paddick (LD)
My Lords, does the Minister not agree that any depiction of child abuse is likely to normalise that behaviour, not just in the minds of children who are less likely to report it, but also in those of potential perpetrators? Does he not agree that if no video game has ever been banned, something really needs to be done about this so-called independent body that is supposed to be taking action?
Lord Ashton of Hyde
I agree that showing child abuse in a video game is likely to normalise it and I accept there is a difference between, for example, showing it in a play or a film, which does happen. But, set in the context, it might give the right message, depending on what the results are. The difference is that an adult of a particularly perverted nature can access a video game and choose to go down that path, so I do agree. However, I do not agree with the argument—I see no evidence—that because no game has been banned, the Video Standards Council is not doing a proper job. Its members are the experts—they have help from psychologists and they rate these video games according to that advice.
Communications Act 2003 and the Digital Economy Act 2017 (Consequential Amendments to Primary Legislation) Regulations 2017
Lord Ashton of Hyde Excerpts(8 years, 4 months ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
That the Grand Committee do consider the Communications Act 2003 and the Digital Economy Act 2017 (Consequential Amendments to Primary Legislation) Regulations 2017.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I intend to be brief. Noble Lords will recall that the Digital Economy Act 2017 received Royal Assent in April this year. That Act included reforms to the Electronic Communications Code, which provides the statutory framework for agreements between site providers and digital communications network operators.
The purpose of the reforms is to make it easier and cheaper for digital communications infrastructure to be installed and maintained, ensuring that this statutory framework supports the wider benefits of the UK’s world-leading digital communications services. The reformed code is subject to commencement by a separate statutory instrument, which will not require parliamentary scrutiny. We expect to bring the code into force by the end of December. However, before taking this step, we need to ensure that a number of sets of supporting regulations are in place.
In addition to the regulations before the Committee today, the supporting measures include two sets of regulations that were laid on 19 October 2017 under the negative procedure, which amend secondary legislation and make specific transitional provisions. Together, the purpose of all these regulations is to ensure a smooth transition from the existing legislation to the new code. They will therefore take effect only when the new code commences, which, as I mentioned, we expect to be by the end of December.
The draft Communications Act 2003 and the Digital Economy Act 2017 (Consequential Amendments to Primary Legislation) Regulations 2017 amend references in other primary legislation to the existing code and to provisions in the existing code, replacing them with terminology and cross-referencing aligned to the new code.
The draft Electronic Communications Code (Jurisdiction) Regulations 2017 bring into effect one of the code’s key reforms: transferring the jurisdiction for code disputes from the county courts to the Lands Tribunal in England and Wales, and from the sheriff court to the Lands Tribunal in Scotland. This reform was strongly recommended by the Law Commission following its consultation on the code, and is expected to ensure that code disputes can be dealt with more quickly and efficiently. The DCMS has worked closely with colleagues in the Ministry of Justice, and their counterparts in Scotland, to prepare for this change. I beg to move.
Lord Clement-Jones (LD)
My Lords, the Minister has reminded us of our happy days during the passage of the Digital Economy Bill—now the Digital Economy Act. Of course, we all like to be reminded of our days in the salt mines. These regulations are straightforward and we welcome them. I certainly do not intend to raise again any issues relating to the Electronic Communications Code. Certainly, I would not want to provoke another speech from the noble Lord, Lord Grantchester; that would be very unwise.
However, I will make a couple of comments relating to the implementation of the code. As I understand it, Ofcom is issuing a code of practice on top of that. There is some concern that although the direction of travel of the ECC was very clear, the code of practice is in a sense bringing back a slight bias in favour of the landowners. That is a concern of some commentators. One says:
“While the consultation around the code of practice is to be welcomed, if implemented in its current form, the code of practice is in danger of swinging the pendulum back too far in favour of landowners who will be able to challenge operators at every stage”.
I know that the Government were very keen to get the balance right. It will be interesting to hear what the Minister has to say about that.
The Minister may want to write to me about this, but this is a useful opportunity to ask about the direction of government policy in terms of EU regulatory reforms—if we can bear it. It looks like there are plans from Brussels for a new Electronic Communications Code which includes e-privacy regulation. Obviously, before we exit—if we exit—it will continue to be important to keep the digital single market and the single telecoms market in place. The question arises: will there be time? Will the new Electronic Communications Code, however it is brought in—whether by directive or regulation, I am not quite sure—happen? Will it fall outside? Will it be after 29 March? Will it fall during a transition period? I suspect there are many in the telecoms field and the general area of technology infrastructure who will be extremely interested in the answer to that.
Those are the two areas on which I would very much like to have an answer from the Minister, either now or at some stage in the future.
Lord Griffiths of Burry Port
From the noble Lord’s tone of voice, I honestly thought that it was a sunnier experience than that. Between that and a hypothetical happy future, when other things may or may not happen, I will stick to what is in front of us.
It all seems logical to me. I guess the simplicity of the proposals led to this being referred to me, with my simple mind. I understand perfectly that with the developments in electronic communications we have to have methods appropriate for handling the expansions of systems across the land. I note that the speed and effectiveness of dispute resolution becomes a possible consequence of decisions taken. The balance to which the noble Lord, Lord Clement-Jones, referred is indeed mentioned in these documents and is being sought. I am in no position to judge whether the view expressed that suggested movement back towards landowners is true, but I am sure the Minister will answer that question.
There is a consultation. I note that there is to be no impact assessment because there is no impact, it seems. It is nice to have read that at least six times in these papers. I commend all those who have gone through all the legislation, both past legislation in general and localised legislation from across the land. It is a job for somebody and I pay tribute to the nameless people who have done this trawl. It even goes into the county of my birth—Dyfed in south Wales—where I was rather disturbed to find that “statutory undertakers” are now to be called “operators”. In my life’s work as a Methodist minister, I had rather a lot to do with statutory undertakers and I am sorry that they have been defined out of existence.
There is a logic running through this. It is simplicity itself. It tidies up what is in front of us. I have no hesitation in supporting these measures.
Lord Ashton of Hyde
My Lords, I am grateful for both noble Lords’ comments. On the question from the noble Lord, Lord Clement-Jones, on the code of practice, it is not yet published. Extensive consultation was carried out. It is a bit difficult to speculate on its content, but it is important to remember that the code of practice is not binding and cannot change the balance that the law delivers. We spent some time considering that balance. It is certainly true that one of the points of the code was that it should enable operators to do things that were taking too long. There is certainly no intention to change that balance. We absolutely understand the need for operators to access land more easily and more speedily, but preferably on a consensual basis. That was the whole object. These regulations are to do with the occasions, which we hope will not be very often, where agreement cannot be reached, so we can go to a tribunal that has expert surveyors and people like that on it, rather than the county court, which is not expert. I say to the noble Lord that we have no intention and there was no desire to change the balance between landowners and operators. We will have to see what the code of practice says. It is not binding, but if need be we can talk to him when it comes out. We expect to commence the code in December. Ofcom has assured us that the code will come out before it comes into force.
We do not know the timings for the European ECC. If it is acceptable to the Committee I will look at some of the questions the noble Lord asked and do some research into them. We might not know the answers. I do not have them to hand, but if we do know I will come back to the noble Lord.
I am pleased that the noble Lord, Lord Griffiths, was able to come in at the end of this long process. He had one of the more happy experiences. I am very grateful to him. With that, I beg to move.
Electronic Communications Code (Jurisdiction) Regulations 2017
Lord Ashton of Hyde Excerpts(8 years, 4 months ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
That the Grand Committee do consider the Electronic Communications Code (Jurisdiction) Regulations 2017.
Data Protection Bill [HL]
Lord Ashton of Hyde Excerpts(8 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
That the amendments for the Report stage be marshalled and considered in the following order:
Clauses 1 to 9, Schedule 1, Clauses 10 to 14, Schedules 2 to 4, Clauses 15 and 16, Schedule 5, Clauses 17 to 20, Schedule 6, Clauses 21 to 28, Schedule 7, Clauses 29 to 33, Schedule 8, Clauses 34 to 84, Schedules 9 and 10, Clauses 85 to 110, Schedule 11, Clauses 111 and 112, Schedule 12, Clauses 113 and 114, Schedule 13, Clauses 115 and 116, Schedule 14, Clauses 117 to 147, Schedule 15, Clause 148, Schedule 16, Clauses 149 to 171, Schedule 17, Clauses 172 to 194, Schedule 18, Clauses 195 to 198, Title.
Online Gambling
Lord Ashton of Hyde Excerpts(8 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have taken part in this informed and very interesting, although somewhat alarming, debate. I particularly thank the noble Lord, Lord Browne, for securing it and for sharing his thoughts with me beforehand. I am also pleased that the A-team on the Data Protection Bill, which has already been mentioned by the noble Lord, Lord Griffiths, is in place.
The issue here—in a sense, the dilemma—is that for millions of people gambling is an enjoyable leisure activity with no harmful consequences. Sixty-three per cent of adults gambled in one form or another in the last year. However, the Gambling Act makes it clear that gambling is subject to the licensing objectives set out by the Gambling Commission, including the protection of young and vulnerable people from gambling-related harm. Headline rates of problem gambling have remained relatively low over time, at below 1% of the adult population. As noble Lords have mentioned, the latest statistics found that 0.8% of the adult population—some 430,000 people—were classified as problem gamblers in 2015, but a further 2 million people were identified as being at risk of problem gambling.
I do of course realise, and the noble Lord, Lord Morrow, reminded us, that, in addition to those headline numbers, there may be severe consequences for families. I generally agree with the many statistics that have been mentioned in this debate—too many to come back on. The basic fact is that online gambling is big and growing, and 5% of those online gamblers are problem gamblers. The Government are clear that more must be done to protect people from harm, and on 31 October we published a consultation on proposals for changes to gaming machines and social responsibility measures across the gambling industry. The consultation sets out a package of measures to improve player protection for the online sector, including strengthening existing protections and outlining further measures relating to gambling advertising to minimise the risk to the most vulnerable.
Although online gambling is widely accessible and available 24 hours a day, it also has unique characteristics that provide opportunities to protect players. For example, all online gambling is account based, unlike land-based gambling where customers can often gamble anonymously. That means that online operators can know exactly who their customers are, what they are spending their money on and their patterns of gambling behaviour. We have seen some progress in this area with a number of operators adopting the use of behavioural analytics and algorithms to detect problem gambling on their websites. Recent research has found—this might address some of the identity issues raised by the noble Lord, Lord Trevethin and Oaksey—that operators are able to detect problem gambling using the data they collect from customers today.
While that is encouraging, the Government have made it clear that industry must act on the findings of the research to date and trial a range of harm-minimisation measures to strengthen player protection. We want to see the industry evaluate the action it takes and share best practice. In addition, the industry must continue to engage in GambleAware’s research and commit to implement the findings of this ongoing work. The next phase of the research aims to provide a best-practice model that can be used by online gambling companies in their responsible gambling operations, including recommended interventions which have been evaluated for their effectiveness to reduce the risk of harm.
In the light of those issues, what is the Gambling Commission doing? The Gambling Commission is monitoring this area closely and is encouraging operators to increase action to identify harmful play, design and pilot better interventions and put in place measures that work. The commission has already concluded that it will need to consult on changes to the licence conditions and codes of practice next year in order to raise standards in this area. The commission will also issue guidance to the industry setting out expectations in relation to operator interactions with customers.
I turn now to the issue of self-exclusion—an important tool for those who recognise that they have a problem with gambling and a vital means of protecting consumers from harm. All operators must offer self-exclusion to customers on their request, and more than 800,000 online self-exclusions were reported last year. However, as the average player has more than one account, that does not necessarily translate to 800,000 people. The Government understand just how important it is for recovering problem gamblers to be able to self-exclude from all licensed online gambling platforms in one step. A new multi-operator self-exclusion scheme for online gambling, called GAMSTOP, will be launched in spring next year. A range of stakeholders, including GambleAware and GamCare, have provided advice during development of the scheme. I am aware that the proposals for such a scheme were debated by noble Lords during the passage of the Gambling (Licensing and Advertising) Act 2014 and I pay tribute to the noble Lord, Lord Browne, who was a vocal champion of such a scheme back then and has remained a leading advocate for it since.
The new scheme will allow customers to self-exclude from all online licensed operators in a single step. The website will also set out other measures that are available to help people manage their gambling and will signpost specialist advice and support services. It will significantly strengthen the self-exclusion arrangements available for online gamblers and provide improved protection for those customers who have previously self-excluded from individual gambling websites, only to open an account with other operators. As the noble Lord, Lord Browne, asked, we want to see the industry promote awareness of the scheme and do more to increase its take-up along with other responsible gambling tools such as time-outs and deposit limits which are available. These are in the consultation that we have just published.
The noble Lord, Lord Griffiths, asked why this has taken so long. I share the noble Lord’s frustration, and I would have liked to have seen the scheme in operation sooner. Indeed, we called for the gambling consultation and review for implementation of the scheme to be completed at the earliest opportunity. The truth of the matter is that there have been a number of complex issues to consider which I will not bore noble Lords with, but it is absolutely vital that when GAMSTOP is launched, it actually meets its objectives and can ensure that customers who register with it are prevented from gambling online with licensed operators. It is an industry scheme, but the Gambling Commission is working closely with the industry on its development to ensure that it is robust and effective, again a point made by the noble Lord, Lord Browne. Certain technical barriers have had to be overcome, not least in relation to data protection. The system must be capable of dealing with millions of checks being made by operators every day in real time. It must provide a service to consumers that is effective and easy to use, and therefore while the delay is frustrating, it is important that it is robust and will work across all licensed operators. However—in reply to the noble Lord, Lord Griffiths—we expect it to be up and running by March 2018.
While self-exclusion is a useful tool, it is often the case that an individual who chooses to self-exclude may do so as the result of having suffered harm in relation to their gambling. The Government are clear that operators must act quickly to improve approaches to identifying problem gambling on their platforms and interacting with their customers to protect vulnerable people before serious harm occurs.
I turn now to the points raised by my noble friend Lord Chadlington. Where gambling operators have used children’s characters to front games, the Gambling Commission and the Advertising Standards Authority have written to them to make it crystal clear that they are in breach of advertising rules that prohibit gambling marketing material aimed at children. My noble friend also raised the question of independent research and transparency, as did the noble Lord, Lord Foster. We agree that this is an essential tool in building an evidence base and enhancing our understanding of gambling-related harm. GambleAware is an independent charity with an independent chair, and the majority of its board members are from outside the betting industry. We want to see the industry continue to fund GambleAware and others in this important work, as they do research, education and treatment for problem gamblers. We welcome the additional funding of £5 million to £7 million a year for the next two years that the industry is to invest to support a responsible gambling advertising campaign. This is a large sum in advertising terms which compares well with major national health campaigns.
If the current arrangements fall short, the Government will consider alternative options, including the introduction of a mandatory levy. But it is worth reminding ourselves that the current funding target to meet the needs of research, education and treatment, set by the Responsible Gambling Strategy Board, has been suggested to be around £10 million by 2018-19. This target is being actively pursued by GambleAware, but as and when funding targets change, the voluntary system must gear up to meet that need. I repeat: the consultation made it clear that the Government will consider alternative options, including a mandatory levy, if current arrangements fall short.
Let me address some of the points made by noble Lords in their speeches. As far as the two-tiered approach to self-exclusion is concerned—mentioned by, among others, the noble Lords, Lord Browne and Lord Alton, and the noble Baroness, Lady Howe—we want to see the industry build on the existing protections. Some consumers may wish to self-exclude from certain individual products and not the entire online sector, but we want to encourage self-exclusion. Websites are required to set out clearly the gambling management tools available, including self-exclusion. The important thing to remember is that self-exclusion is only part of the problem. Lots of problem gamblers do not self-exclude, so we must deal with the harms caused to others with perhaps worse problems than those who are prepared and self-aware enough to self-exclude.
The noble Lord, Lord Foster, mentioned FOBTs in the consultation, as did others. I can confirm that we are considering potentially going down to as low as £2 for the stake, and are consulting on that specific issue. We have asked the Gambling Commission for more information about how better tracking and monitoring of play on FOBTs can help with interventions to protect players and whether spin speeds on games such as roulette should be looked at.
The noble Lord, Lord Griffiths, asked about how the consultation is going and whether clarity is emerging. The consultation is ongoing and clarity may well emerge from it but we will not be certain until January next year. He also asked when we will produce our results, and he will not be surprised to hear that we will do that in due course. The noble Lord, Lord Morrow, talked about the problem of gambling in Northern Ireland. It is a bit difficult for me to address the issue here as it is a devolved matter for Northern Ireland.
The noble Baroness, Lady Benjamin, talked about children and what we have done to protect them online, and, more importantly, the issue of what we might do to protect them online and whether we will legislate. Under the Gambling Act, the Gambling Commission has broad powers to place new licensing requirements on operators and respond to the pace of change in the online gambling market. In addition, the Gambling Commission has powers to suspend or revoke a licence, impose financial penalties or take criminal action where there is a failure to prevent underage gambling. However, we are not complacent, which is why the Gambling Commission and the Responsible Gambling Strategy Board are currently examining the relationship between children and gambling to determine whether further action is necessary. We expect the gambling industry to play its part in protecting children online, in line with the Government’s internet safety strategy. We will keep the issue firmly under review, acting accordingly where necessary. As for her questions on age verification, children and free games, all licensed operators must have robust policies to prevent underage gambling. Where age verification is not satisfactorily completed within 72 hours, the operator must return any money that the customer has paid into their account and not pay out any winnings.
The noble Lords, Lord Trevethin and Oaksey and Lord Foster of Bath, asked why operators cannot exclude for life. Data protection rules regarding data retention prevent GAMSTOP from technically offering an indefinite self-exclusion option. However, procedures will be in place to notify self-excluders in these circumstances and give them the opportunity to renew their self-exclusions. The noble Lords asked what would happen if there was non-compliance of operators. It will be a licence condition that all operators sign up to GAMSTOP and the normal penalties will therefore apply, including losing their licence.
The noble Lord, Lord Wigley, mentioned the academic paper on gambling-related harm. He was right to point out that harm goes beyond that of the problem gambler—a point which I made at the beginning and was made also in our consultation. In that regard, I welcome the work that the Gambling Commission, the Responsible Gambling Strategy Board and GambleAware are doing better to understand and measure the extent of this issue, which we agree is very important.
My noble friend Lord Smith of Hindhead asked why we are allowing operators to use affiliates and tipsters to harvest data and target the vulnerable. All gambling operators must have a licence from the Gambling Commission to operate and are held responsible for the actions and behaviours of their affiliates. The commission published advice earlier this year on ensuring that direct marketing is not sent to those who have self-excluded from gambling. Operators and affiliates must comply with the requirements of the privacy and electronic communications regulations and the Data Protection Act, and the ICO may take enforcement action if there is evidence of a breach. The Advertising Standards Authority also has the power to take action if it were to receive evidence of irresponsible targeting.
The noble Baroness, Lady Howe, asked about financial transaction blocking. The Gambling Commission has had great success working with payment providers to prevent unlicensed websites accessing the British market. Payment providers work proactively to stop payments to and from unlicensed websites, which means that the true number of websites effectively blocked may be higher than the figures held by the commission, but I would certainly be happy to write to the noble Baroness with the latest figures held by the Gambling Commission.
I am coming to the end of my time. I will certainly write to other noble Lords, because there are several questions that I have not answered—I think that about 48 questions were asked during the debate. I will read what the noble Lord, Lord Alton, said and write to him on it.
This has been an informative and interesting debate. I thank again the noble Lord, Lord Browne, for bringing it and allowing us to discuss these important issues. We have seen significant changes to the market since the implementation of the Gambling Act, as well as to public perceptions of gambling and to our understanding of harm across the gambling landscape. Our objective in engaging in the gambling review is to strike the right balance between socially responsible growth and the protection of consumers and the communities in which they live. We have listened to what has been said today. I will take noble Lords’ speeches back to the department. I encourage all noble Lords who have a view on these matters to respond to the consultation, which they have until January to do.
Lord Browne of Belmont
My Lords, I am extremely grateful to everyone, including the Minister, who has taken part in today’s debate. It has been an excellent debate, with support right across the House. I do not think that anyone could have failed to be moved by all the contributions. I find myself at the conclusion with a strong sense that, to coin a phrase, something must be done.
I am grateful to the Minister for setting out what has been done, but the Government should not underestimate the level of public concern and I hope they will mediate on the political significance of the recent evidence from the Gambling Commission. Public faith in gambling has fallen dramatically in the past nine years. While I certainly did not hear complacency in the Minister’s response, I am not totally convinced that the Government are fully seized of the importance of this issue.
There is a mismatch between the significant technological possibilities for enhancing online gambling and the current proposals in the DCMS consultation. I very much hope that the Minister and the Secretary of State will take away all the excellent proposals that have been made in today’s debate and use them in the current consultation process. I hope that they will accept that while the current consultation proposals for online gambling are good as far as they go, they need to go further. I hope that when they respond to the consultation they make clear their determination not to allow multiple individual self-exclusion mechanisms to continue to exist but mandate their replacement with GAMSTOP. I hope that they will prohibit the marketing of gambling games to children and, even more importantly, prevent children’s access to such games through age verification. I hope that they will introduce a statutory level of at least 0.8% and that they will end the lending of money for gambling through credit cards. I hope that they will look at prohibiting online betting between midnight and 6 am.
I have listened very carefully to the Minister, but I do not think he responded to my specific request for a meeting with himself, GAMSTOP, the Gambling Commission and problem gamblers.
Lord Ashton of Hyde
I am very happy to take that request back to the department and put it before the Minister responsible for gambling.
Lord Browne of Belmont
I welcome that. Finally, I think there is a lot more work to be done. As we do it, we should not forget Joshua Jones, Omair Abbas, Adam Billing and, back home, Lewis Keogh, and their families. We should seek to build a public policy framework that means that their suffering will not be repeated by others.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsWednesday 22nd November 2017
(8 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Lord Ashton of Hyde
( ) has failed to comply with an information notice, an assessment notice or an enforcement notice,”
Lord Ashton of Hyde
Lord Ashton of Hyde
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.
Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.
As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.
It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.
I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.
Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.
Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.
Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.
Lord Clement-Jones
My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.
Lord Ashton of Hyde
If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.
Lord Clement-Jones
That may have been the original intention, but perhaps it was never put properly into effect.
Lord Ashton of Hyde
In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.
Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.
Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.
It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.
I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.
Lord Stevenson of Balmacara
I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.
There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.
I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.
Baroness Neville-Rolfe
My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.
Lord Ashton of Hyde
I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.
This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.
The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.
It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.
I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.
Lord Kennedy of Southwark
I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.
Lord Ashton of Hyde
If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.
Lord Kennedy of Southwark
I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
(a) proceedings under section 158 (including proceedings on an application under Article 79 of the GDPR), or(b) proceedings under Article 82 of the GDPR or section 160 .”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.
With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.
Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.
Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.
More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?
We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.
I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.
Lord Clement-Jones
My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in article 80(2), which could not be clearer. Their prevarication is extravagant.
Lord Ashton of Hyde
The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.
To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.
Lord Stevenson of Balmacara
I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.
I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.
If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affects particular vulnerable groups and is being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
“Framework for Data Processing by GovernmentFramework for Data Processing by Government
(1) The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—(a) the Crown, a Minister of the Crown or a United Kingdom government department, and(b) a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.(2) The document may make provision relating to all of those functions or only to particular functions or persons.(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.(4) The Secretary of State may from time to time prepare amendments of the document or a replacement document.(5) Before preparing a document or amendments under this section, the Secretary of State must consult—(a) the Commissioner, and (b) any other person the Secretary of State considers it appropriate to consult.(6) Regulations under subsection (1)(b) are subject to the negative resolution procedure.(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”
Lord Ashton of Hyde
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.
Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.
All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.
The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.
Lord Kennedy of Southwark
My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?
The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.
I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.
Lord Clement-Jones
My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.
Lord Ashton of Hyde
My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.
Lord Ashton of Hyde
“Approval of the Framework
(1) Before issuing a document prepared under section (Framework for Data Processing by Government), the Secretary of State must lay it before Parliament.(2) If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.(3) If no such resolution is made within that period—(a) the Secretary of State must issue the document, and(b) the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.(4) Nothing in subsection (2) prevents another version of the document being laid before Parliament.(5) In this section, “the 40-day period” means—(a) if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or(b) if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.(6) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.(7) This section applies in relation to amendments prepared under section (Framework for Data Processing by Government) as it applies in relation to a document prepared under that section.”
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)
1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)
2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)
5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)
9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)
14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)
17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)
18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)
19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)
20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)
21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)
22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)
23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)
24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)
25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)
26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)
27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)
33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)
34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)
44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)
45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)
49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)
53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))
56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)
57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)
58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)
65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)
66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)
69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)
72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)
73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)
76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)
77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)
78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)
81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)
82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)
83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)
84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)
85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)
86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)
87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)
90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)
93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)
96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)
105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)
109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)
110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)
111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)
114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)
115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)
116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)
117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)
118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)
119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)
120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)
123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))
124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)
125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)
126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)
127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)
128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))
131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)
132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)
136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)
140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)
141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))
144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)
145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)
146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)
147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)
148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)
149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)
150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)
151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)
152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))
153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))
157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)
158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)
159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))
165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))
166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))
167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))
168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)
171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)
172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)
173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)
176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)
186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act
187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)
188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)
189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)
192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)
197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)
200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)
201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)
202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)
203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)
204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule
205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”
Lord Ashton of Hyde
My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.
Lord Ashton of Hyde
Lord Ashton of Hyde
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 20th November 2017
(8 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-VI Sixth marshalled list for Committee (PDF, 286KB) - (20 Nov 2017)
Baroness O’Neill of Bengarve (CB)
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
Could I ask the noble Baroness to repeat which provision she is referring to?
Baroness O’Neill of Bengarve
Subsection (2) of Amendment 153:
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lords for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
Lord Stevenson of Balmacara
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.
The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is why the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.
However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.
Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.
The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.
This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.
There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.
The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.
Lord Clement-Jones
My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?
Lord Ashton of Hyde
At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.
Lord Clement-Jones
So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?
Lord Ashton of Hyde
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
Lord Stevenson of Balmacara
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retains the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retains the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retains the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
Baroness Hamwee
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
Lord Ashton of Hyde
My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.
On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.
On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.
Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.
The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during the passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.
Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.
I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.
Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.
I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.
Lord Paddick
My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?
Lord Ashton of Hyde
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
Lord Stevenson of Balmacara
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
Lord Ashton of Hyde
Lord Ashton of Hyde
English Churches and Cathedrals Sustainability Review
Lord Ashton of Hyde Excerpts(8 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Beith (LD)
My Lords, I beg leave to ask the Question standing in my name on the Order Paper and, in doing so, declare my registered interest as president of the Historic Chapels Trust.
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I understand that the chair and the panel are currently finalising the report and recommendations in consultation with key stakeholders. It is hoped that they will submit the report to the Chancellor and the Secretary of State for DCMS before the end of the year.
Lord Beith
I thank the Minister for that reply, but does he realise how much concern there has been at the ending of the Heritage Lottery Fund’s dedicated scheme for major repairs to historic places of worship? Do the Government hope that the sustainability review report to which he referred will provide some answer and will it open some doors in the Treasury? If it does, what will be the position of non-conformist and Roman Catholic historic buildings, which do not fall within the remit of that sustainability review?
Lord Ashton of Hyde
Of course, I understand the implications of the HLF’s fairly sudden decision to close the grants for the places of worship scheme. As a result, the Minister responsible has had discussions with the HLF. I am pleased to say that it has guaranteed to make available the same proportion for the next two years, so the funding will continue. As for other faiths, it is true that the review concentrates on the Church of England, but any lessons learned from that can be taken forward and applied to other faiths. The main government funding, of course, applies to other faiths.
Lord Cormack (Con)
My Lords, does my noble friend accept that some comfort will be drawn from his words, but does he also accept that the churches and cathedrals of this country, of which Lincoln is a prime example, are among the glories of the western world? Will he recognise that the generosity of the former Chancellor of the Exchequer, George Osborne, in giving £50 million towards the repair and restoration of cathedrals was most welcome but it is a tiny sum of money compared with the importance of the buildings? Can we have an assurance that the Government will repeat that largesse in the very near future?
Lord Ashton of Hyde
The Government have already committed to maintaining the funding until 2020. In fact, there is a good story to tell: over the past 40 years —so this includes Governments of both colours— £1.36 billion has been spent on historic places of worship. During the 2014-16 period, an exceptional total of £185 million per year was spent. Of course, the fund that my noble friend mentioned was just one area in which the Government have spent money. As a result of this 40 years of taxpayers’ money being spent on them, only 4% of those listed places of worship are on the at-risk register.
Lord Morgan (Lab)
My Lords, is it not the case that, in France, churches and cathedrals are admirably resourced, even in the most remote areas of the countryside? That is because the state assists with the physical problems of churches. The explanation there is that the people of France, like the people of Wales, have the benefit of a disestablished church.
Lord Ashton of Hyde
As I said, the listed places of worship grant scheme applies to all faiths. The taxpayer has spent an extra £95 million in the past two years to support places of worship. As I mentioned in the previous answer, I think that we are in a pretty good place.
The Lord Bishop of Ely
My Lords, I am very grateful to the noble Lord, Lord Cormack, for his intervention, Lincoln having recently won a favourite cathedral award—Ely is not too bad either. Of course, these churches, cathedrals and chapels are part of our shared heritage, but does the Minister agree that even more important is the work undertaken by cathedrals and churches in food banks, in supporting economic regeneration and in working with homeless people and the lonely, especially in remote parts of the country? Does he agree that the Government should endorse that work and will he encourage the way in which they can support it through the use and deployment of these buildings?
Lord Ashton of Hyde
Of course I agree with the right reverend Prelate that one way that churches can remain relevant is to involve themselves with things that go on in their community. That is exactly what the review is going to look at, among other things, including the uses of listed buildings for purposes beyond worship and what barriers prevent that happening.
Lord Shutt of Greetland (LD)
My Lords, will the Minister make it clear that there must be parity of esteem, when any state resources are being used, between churches of the established Church and nonconformist churches, chapels, meeting houses or Roman Catholic churches, which are not covered by many of the schemes that cover the established Church?
Lord Ashton of Hyde
That is precisely why the Listed Places of Worship Grant Scheme covers all faiths.
Lord Tebbit (Con)
My Lords, will my noble friend correct our noble friend Lord Cormack? The former Chancellor did not give any of his money to these projects; he merely acted as a siphon for taxpayers’ money. The Chancellor of the Exchequer does not have any money.
Lord Ashton of Hyde
I cannot comment on the former Chancellor’s personal finances, but I understand the point—I think it was implicit in what my noble friend Lord Cormack said.
Data Protection Bill [HL]
Lord Ashton of Hyde ExcerptsMonday 13th November 2017
(8 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-IV Fourth marshalled list for Committee (PDF, 151KB) - (13 Nov 2017)
The Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport (Lord Ashton of Hyde) (Con)
My Lords, I am grateful to all noble Lords who have spoken and for the opportunity to speak to Schedule 1 in relation to an industry in which I spent many years. I accept many of the things that the noble Earl, Lord Kinnoull, described and completely understand many of his points—and, indeed, many of the points that other noble Lords have made. As the noble Lord, Lord Clement-Jones, said, I have taken the noble Earl’s examples to heart, and I absolutely accept the importance of the insurance industry. The Government have worked with the Association of British Insurers and others to ensure that the Bill strikes the right balance between safeguarding the rights of data subjects and processing data without consent when necessary for carrying on insurance business—and a balance it must be. The noble Lord, Lord Stevenson, alluded to some of those issues when he took us away from the technical detail of his amendment to a higher plane, as always.
The noble Earl, Lord Kinnoull, and the noble Lords, Lord Clement-Jones and Lord Stevenson, have proposed Amendments 45B, 46A, 47, 47A, 48A and 50A, which would amend or replace paragraphs 14 and 15 of Schedule 1, relating to insurance. These amendments would have the effect of providing a broad basis for processing sensitive types of personal data for insurance-related purposes. Amendment 45B, in particular, would replace the current processing conditions for insurance business set out in paragraphs 14 and 15 with a broad condition covering the arrangement, underwriting, performance or administration of a contract of insurance or reinsurance, but the amendment does not provide any safeguards for the data subject.
Amendment 47 would amend the processing condition relating to processing for insurance purposes in paragraph 14. This processing condition was imported from paragraph 5 of the 2000 order made under the Data Protection Act 1998. Removal of the term might lessen the safeguards for data subjects, because insurers could potentially rely on the provisions even where it was reasonable to obtain consent. I shall come to the opinions of the noble Earl, Lord Erroll, on consent in a minute.
Amendments 46A, 47A, 48A and 50A are less sweeping, but would also remove safeguards and widen the range of data that insurers could process to far beyond what the current law allows. The Bill already contains specific exemptions permitting the processing of family health data to underwrite the insured’s policy and data required for insurance policies on the life of another or group contract. We debated last week a third amendment to address the challenges of automatic renewals.
These processing conditions are made under the substantial public interest derogation. When setting out the grounds for such a derogation, the Government are limited—this partly addresses the point made by the noble Lord, Lord Stevenson—by the need to meet the “substantial public interest test” in the GDPR and the need to provide appropriate safeguards for the data subject. A personal or private economic or commercial benefit is insufficient: the benefits for individuals or society need to significantly outweigh the need of the data subject to have their data protected. On this basis, the Government consider it difficult to justify a single broad exemption. Taken together, the Government remain of the view that the package of targeted exemptions in the Bill is sufficient and achieves the same effect.
Nevertheless, noble Lords have raised some important matters and the Government believe that the processing necessary for compulsory insurance products must be allowed to proceed without the barriers that have been so helpfully described. The common thread in these concerns is how consent is sought and given. The noble Earl, Lord Kinnoull, referred to that and gave several examples. The Information Commissioner has published draft guidance on consent and the Government have been in discussions with her office on how the impact on business can be better managed. We will ensure that we resolve the issues raised.
I say to the noble Earl, Lord Erroll, that consent is important and the position taken by the GDPR is valid. We do not have a choice in this: the GDPR is directly applicable and when you are dealing with data, it is obviously extremely important to get consent, if you can. The GDPR makes that a first line of defence, although it provides others when consent is not possible. As I say, consent is important and it has to be meaningful consent, because we all know that you can have a pre-tick box and that is not what most people nowadays regard as consent. Going back to the noble Earl, Lord Kinnoull—
Lord Clement-Jones
My Lords, I am sorry to interrupt. The Minister mentioned the guidance from the Information Commissioner. From what he said, I assume he knows that the insurance industry does not believe that the guidance is sufficient; it is inadequate for its purposes. Is he saying that a discussion is taking place on how that guidance might be changed to meet the purposes of the insurance industry? If it cannot be changed, will he therefore consider amendments on Report?
Lord Ashton of Hyde
Of course, it is not for us to tell the Information Commissioner what guidance to issue. The guidance that has been issued is not in all respects completely helpful to the insurance industry.
The Earl of Kinnoull
Following up the noble Lord’s point, I would like to say a couple of things. First, I sort of understand where the Information Commissioner’s Office is coming from. I have article 7 in my hands, which contains the definition of consent from the GDPR, and article 9(2)(a). My concern is that even if the Government are very nice to an Information Commissioner and persuade them to change the guidance, it could change at any time. It is important to ensure that the Bill will work for the ordinary man in the street. As for compulsory classes, it is not about looking after the insurers but every small business in Britain and every small person who wants to get motor insurance, especially those who have problems with either criminal convictions or their health.
Lord Ashton of Hyde
I agree; I think I mentioned compulsory classes before. Going back to the guidance, we are having discussions. We have already had constructive discussions with the noble Earl, and we will have more discussions on this subject with the insurance industry, in which he has indicated that he would like to take part. I am grateful to him for coming to see me last week.
Lord Clement-Jones
My Lords, I am sorry to interrupt the Minister again but he is dealing with important concepts. Right at the beginning of his speech he said he did not think this could be covered by the substantial public interest test. Surely the continuance of insurance in all those different areas, not just for small businesses but for the consumer, and right across the board in the retail market, is of substantial public interest. I do not quite understand why it does not meet that test.
Lord Ashton of Hyde
I may have misled the noble Lord. I did not say that it does not meet the substantial test but that we had to balance the need to meet the substantial public interest test in the GDPR and the need to provide appropriate safeguards for the data subject. I am not saying that those circumstances do not exist. There is clearly substantial public interest that, as we discussed last week, compulsory classes of insurance should be able to automatically renew in certain circumstances. I am sorry if I misled the noble Lord.
We realised that there are potentially some issues surrounding consent, particularly in the British way of handling insurance where you have many intermediaries, which creates a problem. That may also take place in other countries, so the Information Commissioner will also look at how they address these issues, because there is meant to be a harmonious regime across Europe. The noble Earl has agreed to come and talk to us, and I hope that on the basis of further discussions, he will withdraw his amendment.
Lord Stevenson of Balmacara
I followed the Minister quite well until the last exchange, where I got a bit confused. Is he saying in some sense that there may be a case for two types of derogation: that that which applies to compulsory insurance—there are strong public interest reasons why it should be continued—might be done under one derogation and the rest raised as more specific items, as suggested by the noble Earl?
Lord Ashton of Hyde
We can break it down simply between compulsory and non-compulsory classes. Some classes may more easily fulfil the substantial public interest test than others. In balancing the needs, it goes too far to give a broad exemption for all insurance, so we are trying to create a balance. However, we accept that compulsory classes are important.
Lord Clement-Jones
I am sure that the noble Earl, Lord Kinnoull, will come back at greater length on this. The issue that the Minister has outlined is difficult, partly because the Information Commissioner plays and will play such an important role in the interpretation of the Bill. When the Government consider the next steps and whether to table their own amendments or accept other amendments on Report, will they bring the Information Commissioner or her representative into the room? It seems that the guidance and the interaction of the guidance with the Bill—and, eventually, with the Act—will be of extreme importance.
Lord Ashton of Hyde
I agree, which is why I mentioned the guidance that the Information Commissioner has already given. I am certainly willing to talk to her but it is not our place to order her into the room. However, we are constantly talking to her, and there is absolutely no reason why we would not do so on this important matter.
The Earl of Kinnoull
I thank all noble Lords who have taken part in this short but interesting debate. Of course, the Information Commissioner reports to Parliament, so if we held a meeting here, we probably could ask her, quite properly, to come. That might be quite helpful in this complex area. As I said, when you mess around in these areas, the person who suffers is the man in the street, not the insurance companies. The noble Lord, Lord Stevenson of Balmacara, in particular made a number of interesting points in speaking to his amendment, which need to go into the mix as regards how we sort through this difficult area.
I am very grateful to the Minister for confirming that we will continue discussions in this area. I do not think for a moment that I necessarily have all the right answers, but we have started on the journey and will continue. We will certainly be talking about the same issues again in different formats on Report and I look forward to that very much. On that basis, I beg leave to withdraw the amendment.
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
Lord Ashton of Hyde
“15A(1) This condition is met if—(a) the processing is necessary for the purposes of—(i) automatically renewing a pre-GDPR insurance contract, or(ii) carrying out, or managing the expiry of, an insurance contract resulting from the automatic renewal of a pre-GDPR insurance contract,(b) the controller has taken reasonable steps to obtain the data subject’s consent to the processing of personal data necessary for those purposes in accordance with sub-paragraph (2), and(c) the controller is not aware of the data subject withholding such consent. (2) The steps described in sub-paragraph (1)(b) must have been taken—(a) in the case of a contract which automatically renews after a period of less than 10 months, on at least one automatic renewal of the contract in each period of 12 months that has ended since 25 May 2018;(b) in any other case, each time the contract has automatically renewed since 25 May 2018.(3) For the purposes of this paragraph, an insurance contract is automatically renewed if—(a) a new insurance contract between the same parties is made without the insured person taking any steps, and(b) the new contract provides cover which is the same as, or substantially similar to, the cover provided by the expired contract,and references in this paragraph to the automatic renewal of a contract include both the first automatic renewal on the expiry of that contract and subsequent automatic renewal originating with that contract.(4) For the purposes of sub-paragraph (3)(a), the new contract and the expired contract are to be treated as made with the same insurer if they are made with different insurers but arranged by the same intermediary.(5) In this paragraph—“insurance contract” means a contract of general insurance or long-term insurance;“insurer” means a person carrying on business which consists of effecting or carrying out insurance contracts;“pre-GDPR”, in relation to an insurance contract, means made before 25 May 2018.(6) Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.”
Baroness Hamwee (LD)
My Lords, the noble Lord referred to the rules as a bit grey and asked for clarity for the volunteer army. I should declare an interest as a foot soldier in that volunteer army.
The noble Lord’s request that party officials should be involved in this process is a good one—I would have thought they would have been. The Minister should be aware of my first question as I emailed him about this, over the weekend I am afraid. Has the Electoral Commission been involved in these provisions?
The noble Lord mentioned the electoral register provided by a local authority. My specific question is about the provision, acquisition and use of a marked electoral register. For those who are not foot soldiers, that document is marked up by the local authority, which administers elections, to show which electors have voted. As noble Lords will understand, this is valuable information for campaigning parties and can identify whether an individual is likely to turn out and vote and so worth concentrating a lot of effort on. I can see that this exercise could be regarded as “campaigning” under paragraph 17(4) of Schedule 1. However, it is necessary, although I do not suppose that every local party in every constituency makes use of the access it has. It is obvious to me that this information does not reveal political opinions, which is also mentioned in the provisions. I would be grateful to hear the Minister’s comments. I am happy to wait until a wider meeting takes place, but that needs to be before Report.
I want to raise a question on a paragraph that is in close geographical proximity in the Bill—I cannot see another place to raise the issue and it occurred to me only yesterday. Why are Members of the House of Lords not within the definition of “elected representatives”? We do not have the casework that MPs do, but we are often approached about individual cases and some Peers pursue those with considerable vigour. This omission—I can see a typo in the email that I sent to the Minister about this; I have typed “mission” but I meant “omission”—is obviously deliberate on the part of the Government.
Lord Ashton of Hyde
My Lords, I begin by repeating, almost word-for-word, the noble Lord, Lord Kennedy: engaging voters is important in a healthy democracy. In order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so, and this includes the proper handling of the personal data they collect and hold.
Noble Lords will be aware that the Information Commissioner recently announced that she was conducting an assessment of the data protection risks arising from the use of data analytics, including for political purposes. She recognises that this is a complex and rapidly evolving area where organisations use a person’s internet or public profile to target communications or messaging. The level of awareness among the public about how data and analytics work and how their personal data is collected, shared and used through such tools is low. What is clear is that these tools have a significant potential impact on an individual’s privacy, and the Government welcome the commissioner’s focus on this issue. It is against this backdrop that we considered the amendments of the noble Lord.
The amendments seek to amend a processing condition relating to political parties in paragraph 17. The current clause permits political parties to process data revealing political opinions, provided that it does not cause substantial damage or substantial distress. This replicates the existing wording in the Data Protection Act 1998. I have said that political campaigning is a vital democratic activity but it can also generate heated debated. Removal of the word “substantial” could mean that data processing for political purposes which caused even mild offence or irritation becomes unlawful. I am sure noble Lords would agree that it is vital that the Bill, while recognising the importance of adequate data protection standards, does not unduly chill such an important aspect of the UK’s democracy. For that reason I ask the noble Lord to withdraw the amendments.
I thank the noble Lord for allowing me to reply later to his list of questions. I found it difficult to copy them down, let alone answer them all, but I take the point. In many instances we are all in the same boat on this, as far as political parties are concerned. I shall of course be happy to meet with him, and I take the point about who should attend. I am not sure it will be next week, when we have two days in Committee, but we will arrange it as soon as possible. I will have to get a big room because my office is too small for all the people who will be coming. I take the points the noble Lord made in his questions and will address them in the meeting.
The noble Baroness, Lady Hamwee, asked whether the Electoral Commission had been consulted. It did not respond to the Government’s call for views which was published earlier this year, and we have not solicited any views explicitly from it beyond that.
The noble Baroness also asked about the provision, acquisition and use of a marked electoral register within paragraph 17 of Schedule 1. As she explained, the marked register shows who has voted at an election but does not show how they voted. As such, it does not record political views and does not contain sensitive data—called special categories of data in the GDPR —and, as the protections for sensitive data in article 9 of the GDPR are not relevant, Schedule 1 does not apply.
Lastly, the noble Baroness asked why Members of the House of Lords are not within the definition of elected representatives. Speaking as an elected Member of the House of Lords—albeit with a fairly small electorate—I am obviously interested in this. I have discovered that none of us, I am afraid, are within the definition of elected representatives in the Bill. We recognise that noble Lords may raise issues on an individual’s behalf. Most issues will not concern sensitive data but, where they do, in most cases we would expect noble Lords to rely on the explicit consent of the person concerned. This arrangement has operated for the past 20 years under the current law, and that is the position at the moment.
I hope I have tackled the specific items relating to the amendments. I accept the points made by the noble Lord, Lord Kennedy, about the electoral issues that need to be raised in general.
Lord Whitty (Lab)
I fully support my noble friend’s assertions and the Minister’s response. It is very important that registered political parties can operate effectively. I wonder whether, in the discussions he is proposing to undertake, the Minister will also address the issue of other organisations and political parties attempting to influence the political process. I do not think I need to spell it out, in view of recent news, but the use of social media by organisations that are not covered by our electoral law or by registration as a political party must not have the same provisions that registered political parties would have under the Bill or my noble friend’s amendments. I wonder if that could be addressed directly in these discussions.
Lord Lucas (Con)
My Lords, I want to pick up on the last point of the noble Lord, Lord McNally. We are getting into a situation where political parties are addressing personal messages to individual voters and saying different things to different voters. This is not apparent; there must be ways to control it. We will have to give some considerable thought to it, so I see the virtue of the amendments.
Lord Ashton of Hyde
Quickly, because I will not remember all the questions and points, I want to emphasise that they are all very good points and I will reflect on them. My main mission is to get the GDPR and law enforcement directive in place by May 2018. I absolutely accept the point made by the noble Lord, Lord McNally—that this is the tip of iceberg—but we must bear in mind that this is about data protection, both today and on Report, so I will focus on that. We have already had other avenues to raise a lot of the points the noble Lord made, but I agree that it is a huge issue. He asked when the report from the Information Commissioner will be available. I would expect it before Christmas, so it will be before the Bill becomes law.
I certainly undertake to reflect on what the noble Baroness, Lady Jay, said about the Electoral Commission. I believe that our call for views was after the election; nevertheless, I take her point. I am very sorry but I cannot remember what the point from the noble Lord, Lord Whitty, was, but I accept these things have to be taken into account. When we have our meeting—it is becoming a big meeting—it will be for people concerned specifically with the Data Protection Act, not some of the issues that lie outside that narrow area, important though they are.
I ask noble Lords not to press their amendments.
Lord Lucas
My Lords, picking up on the last point from the noble Baroness, Lady Hamwee, is this the first time the privileges of Members of this House have been reduced in relation to Members of the other House? If so, will the Government consult the Speaker of this House on whether he considers that desirable?
Lord Ashton of Hyde
My Lords, they have not been reduced. This is the position that exists today.
Lord Lucas
My Lords, privileges are being given to Members of another place—and indeed to Members of the Parliaments of Scotland and other places—that are being denied to us. Is this the first time that has been done?
Lord Ashton of Hyde
No, it is not the first time because this is the position that exists under the Data Protection Act 1998.
Lord Kennedy of Southwark
My Lords, I thank all noble Lords for speaking in this debate. As I think the noble Lord, Lord McNally, said, these amendments would delete just two words, but we have had a very important debate. We tabled the amendments to probe these issues, which are very important.
I am pleased that the noble Lord, Lord Ashton of Hyde, has agreed to meet us because we need to discuss this. It would be much better if we could get interested Peers from this House and officials from various parties together to sort this matter out, rather than leave it and let it go to the other place. We have a much better record of sitting down and sorting such issues out. I hope, if we need to amend the Bill, we do so on Report. Before we have our meeting—I accept it will be quite a big meeting—it would be useful if the noble Lord wrote to me, if he can, and to other interested Lords so we can have the Government’s position on paper before we sit down. That would help our discussions and move them on. There is a community of interest among noble Lords.
I certainly agree with the points made by the noble Lord, Lord McNally, and by my noble friends Lord Whitty and Lady Jay, but we need to focus on these issues, get them right and get proper amendments in place to protect parties and campaigners as they do their proper and lawful work. At this stage, I am happy to withdraw the amendment.
Lord Ashton of Hyde