Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Kennedy of Southwark
Main Page: Lord Kennedy of Southwark (Labour - Life peer)Department Debates - View all Lord Kennedy of Southwark's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Lord Kennedy of Southwark Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Kennedy of Southwark (Lab)
My Lords, I refer the Committee to my registered interests: I am on the board of two small charities in the London Borough of Southwark.
I recall from Second Reading the noble Lord, Lord Marlesford, who is not in his place today, talking about the effect of the legislation on small organisations—many others have made reference to it already. He referred to parish councils, which often employ just a part-time parish clerk. The noble Lord, Lord Arbuthnot of Edrom, spoke similarly about the effect on organisations. Both noble Lords had a point at Second Reading, as does the noble Baroness, Lady Neville-Rolfe, with her amendment today.
As we have heard, the amendment limits the scope of the Act to organisations employing more than five people and specifies for exemption organisations such as small businesses, charities and parish councils which meet the employment qualification of five employees or fewer. My noble friend Lord Knight of Weymouth made a valuable point about size and turnover—I think the noble Baroness accepted that in her intervention.
The amendment also makes the useful point that the exemption is not limited to these three specific groups but seeks to cast a wider net. I certainly want to hear from the Minister that community councils would be exempted, as well as the small not-for-profit sector and small co-operatives, which I am sure is the intention behind the amendment.
The amendment needs a detailed response, as we have to be clear on what the Government think is reasonable for such organisations to have to comply with and how the Government will make it as simple as possible and not pile additional burdens on them. I hope the Minister will not say that these organisations already have to comply with the 1998 Act and that this legislation is only a very small increase in what is required. We will require a lot more reassurance than that from the Minister.
Amendment 152, also in this group, would place a duty on the Information Commissioner to advise Parliament, government and other institutions and bodies on the likely consequences, economic or otherwise, for industry, charities and public authorities of measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data. The noble Baroness again makes a valid point and there is merit to placing this duty in the Bill.
If the Minister thinks that Clause 113, and specifically Clause 113(3)(b), is sufficient to provide the Information Commissioner with the power and the duty to do what is set out in the amendment, we need him carefully to set that out today for the benefit of your Lordships’ House.
Amendments 169—and Amendment 170, which would add “and charities” to it—raises some very important issues. It would place a duty on the Secretary of State to ensure that they or the Information Commissioner had a programme in place to ensure that information on the new duties that businesses and charities will be obliged to follow is publicly available. Again, these are very important and welcome amendments. Large businesses, large corporations and large charities will more than likely have the structures in place to ensure that they comply with any new requirements, but smaller organisations do not have compliance departments or lawyers on retainer to advise them. The Government have to get that message out to them. I particularly like subsection (2) of the new clause proposed by Amendment 169, which would require this information to be placed online and the Secretary of State to have regard to the creation of online training and testing to meet the requirements of the new Act. This group of amendments raises important matters on which I hope the Minister can give the Committee some reassurance.
Lord Ashton of Hyde
My Lords, I am grateful to all noble Lords who have raised the amendments and commented on them, because the Government recognise the concern behind them; namely, to protect the smallest organisations from the additional requirements established by this and future data protection legislation and to ensure that all UK businesses and organisations are properly supported through the transition.
I fully concur with my noble friend Lady Neville-Rolfe that supporting UK businesses of all sizes must be a priority. I can assure her that it is of the utmost importance both for the Government and for the Information Commissioner. However, I cannot agree with the proposal in Amendment 7 that those organisations with five or fewer employees be exempted from the requirements of the Act. We are talking in this Bill not just about businesses but about individual rights of data subjects. As my noble friend Lord Lucas mentioned, it is right that individuals enjoy the protections that will be afforded by this new regime regardless of the size of the organisation with which they are dealing. People should not be afforded a lesser degree of protection simply because they have chosen to do business with, or indeed to voluntarily support, a small organisation. After all, the fact that an organisation employs few staff does not mean that a breach of data protection law will cause a correspondingly small amount of distress. Many of the most cutting-edge financial technology firms begin life in someone’s back bedroom, but it does not make their customers’ transaction history any less worthy of protection.
Amendment 7 is unlikely to have the intended effect because the GDPR does not permit such an exemption. As an area in which our ongoing relationship with the European Union will be of the utmost importance, I do not consider that such an amendment would be in the best interests of British businesses.
However, I understand my noble friend’s concerns that the smallest organisations may be the least well equipped to deal with the changes introduced by this regime. I was therefore pleased to learn recently—the noble Lord, Lord Clement-Jones, mentioned this—that the Information Commissioner has announced the establishment of a dedicated telephone advice service for small and micro businesses to support them in implementation. The noble Lord also mentioned that the threshold was 250 employees, which represents quite a large organisation by today’s terms, with small businesses, especially in the tech field, growing up all over the place.
In respect of Amendment 152, I fully concur with my noble friend about the importance of monitoring the consequences of the Act for businesses and other organisations. I reassure her that there is already, quite rightly, a broad obligation on government to assess and report on the impact of all legislation that regulates business under the Small Business, Enterprise and Employment Act 2015. In addition, the Information Commissioner will be required to advise Parliament, government and other bodies on both legislative and administrative measures relating to the new Act and to provide opinions on any issue relating to the protection of personal data. My noble friend Lady Neville-Rolfe also asked about the impact on business. I confirm that the Government will publish a further assessment of the impact of the Bill on business very shortly.
With regard to Amendment 169, it is worth reiterating that the Information Commissioner has already provided general guidance, which is available online to all businesses, to help them understand their obligations. The commissioner is continuing to develop this guidance and has a programme in place for publication. I cannot go through it all but, in addition to the guidance the ICO has already published, it expects to develop this further between now and May into a fully comprehensive guide to the GDPR, including summaries and checklists, as well as more detailed content focused on key areas. This will also be available online from early next year. Later this year, the Information Commissioner will publish draft guidance on children’s data; on accountability, including documentation; on legitimate interests, including examples addressing universities maintaining alumni relationships; and draft guidance on security of processing, including joint work on high-level security principles. It will also provide sector-specific guidance. The Government are working with the Information Commissioner to identify appropriate areas and to work with sectors to deliver more guidance.
In respect of timing, I completely agree with my noble friend that it is desirable that up-to-date guidance about the new regime is available to businesses as soon as possible. As I have just set out, that is precisely what the commissioner is already attempting. But I fear that it may not be feasible, as the amendment requires, for final information to be published at least six months before the commencement of the provisions in the Act, not least because changes to the Bill may affect that guidance.
In respect of Amendment 170, I share the sentiment of the noble Lord, Lord Clement-Jones, in wishing to ensure that charities are provided with guidance to help them understand their obligations. I reassure him that the general guidance that the Information Commissioner has already published is designed to assist all organisations through the transition.
The noble Lord, Lord Knight, asked how the role of the Information Commissioner will develop and be resourced. My noble friend Lady Williams said at Second Reading that the Government take the adequate resourcing of the Information Commissioner very seriously and have provided for an appropriate charging regime in Part 5 of the Bill. I assure the noble Lord that we are aware that there are problems with the Information Commissioner at the moment and we are looking at that. But, possibly for the reasons that he mentioned, I am not able to make any binding commitments tonight. But I accept that there is an issue there. We are looking at it.
I assure noble Lords that the Government share the concerns raised in these amendments and are particularly pleased that the Information Commissioner is actively taking steps to provide dedicated support for small and micro enterprises, including the telephone service I mentioned earlier. With that in mind, I hope my noble friend feels able to withdraw her amendment.
Lord Kennedy of Southwark
The Minister mentioned guidance a few times and said that it might not be ready in time. I was reminded of our debates—which he was not involved in—on the Housing and Planning Bill. We were told about guidance and regulations, and well over a year later we have seen next to nothing. This is such an important issue that we need to hear a little more from the Minister. I and many other noble Lords mentioned parish councils. I do not think he mentioned those. For example, I know the Deeping St James Parish Council in Lincolnshire very well. It employs only a part-time clerk. I think the noble Lord, Lord Marlesford, made a similar point about parish councils at Second Reading. Perhaps the Minister could say something about that.
Lord Ashton of Hyde
Yes, I think my noble friend mentioned the parish council of the noble Lord, Lord Marlesford, in her reply. I make the point again that individuals’ data rights have to be protected. Just because parish councils are small organisations does not mean that they should not take that seriously—and I am sure they do. With regard to the practicalities of how they cope with their duties, apart from the fact that the Information Commissioner is providing guidance specifically for small organisations, the parish clerk—who already often works for more than one parish council so they can share the cost—is in a good position to deal with the duties under the Bill and will be able to take the guidance relating specifically to small businesses and organisations from the Information Commissioner.
I admit that I did not follow the Housing and Planning Bill too closely. But I mentioned a lot of the guidance that will be available before the end of the year. The Information Commissioner is very aware of the need to produce this quickly. In addition, of course, she is actively involved in outlining the European guidance on which a lot of member states’ guidance will be based. Therefore, she is helping to set the tone on which her future guidance will be based.
Lord Kennedy of Southwark
That is fine as far it goes. The point I am making is that we have heard guidance mentioned two or three times, in relation to two or three different organisations. I know that the Minister was not involved but we heard the same comments about guidance and regulations from the Government Front Bench when we were dealing with the Housing and Planning Bill. I hope we are not having déjà vu here. We hear these things are coming forward. These things are very important. I accept entirely that people’s data are important—of course they are—but, equally, getting this guidance right is important, as is organisations being able to have the information so that they ensure that they comply with the law. I hope the Minister can take back how important this is. He said it will all be after Report, at the end of the year. The Bill will have long left this House and we will be saying, “Where is this guidance then? You promised it and nothing has arrived”. It really is not good enough for the individual data subject or for business or for anyone else involved.
Lord Ashton of Hyde
I agree with the noble Lord that, if nothing did arrive, it would not be good enough.
Lord Lucas
I am absolutely content that universities should be put on a par with charities, because I know that we will be looking after the interests of those whom charities approach just as much as we look after the interests of charities. I hope that is the solution that my noble friend will afford, but it is welcome that there are limitations in the Bill on the random approaches that can be made by organisations. To the extent that we allow exemptions, we should not privilege universities in any particular way. Yes, they are often worthy causes, but they are very fond of money.
Lord Kennedy of Southwark
My Lords, I have no interests whatever to declare in this debate.
Amendment 10, moved by my noble friend Lady Royall of Blaisdon and signed up to by the noble Lords, Lord Pannick and Lord Macdonald of River Glaven, raises the important issue of legitimate fundraising and alumni relations undertaken by schools, colleges and universities being at risk due to the changes being brought in by GDPR. My noble friend referred to various conditions and mentioned the lawfulness condition, specifically on the issue of consent.
As we have heard, GDPR sets a very high bar in requiring a positive opt in, and it is likely that existing consents will not reach the required standard. So educational institutions would have to take on the enormous task of rebuilding their databases from scratch to meet the condition, as my noble friend referred to.
The public interest condition does not really work, for various reasons. The legitimate-interest condition may provide a route for the justification of data processing for fundraising purposes but, as we have heard in this debate, there are issues here as well. To make that a realistic solution to this unintended consequence of the new regulations—I think we all agree that it is unintended—my noble friend is seeking to put in the Bill a subsection in Clause 6 that, for the purposes of GDPR, would make it clear that schools, colleges and universities are not public bodies.
I note that Clause 6(2) provides the Secretary of State with the power to designate those public bodies that are not regarded as public bodies for GDPR. I am not sure what the general attitude of the Minister is, although he seems to have indicated that he is broadly sympathetic, but if he is going to rely on subsection (2) then he is going to have to do a bit more. As I mentioned previously, when Governments tell us it will all be sorted out in regulations, that is often not the solution and things can take a very long time. I mention the Housing and Planning Act again.
This is not something that educational institutions can wait months or years for; it would cost them considerably in terms of their fundraising plans. I hope the Minister can deliver some positive news to my noble friend, who has raised an important issue. It is fair to say that if she pressed this or a similar amendment to a vote on Report, she would be likely to win the day because it is an issue that many noble Lords are very concerned about.
Baroness Chisholm of Owlpen
My Lords, I thank noble Lords for taking part in this debate. I always feel humbled when I realise how many chancellors, presidents and fellows of universities we have in this House. I think that is why our debates and discussions are always of such high quality, because that is what noble Lords bring to this House. I congratulate the noble Baroness, Lady Royall, on her appointment. I visited Somerville College a lot because my daughter went there; she had an extremely enjoyable time and loved her three years there.
Universities are classified as public authorities under the Freedom of Information Act, and the Bill extends that classification to data protection. We recognise that universities, as complex organisations with many varying functions and interests, also carry out other functions that may not count as “public tasks” under data protection law. The conundrum raised by the noble Baroness has also been raised with the Government by the universities. I thank them for their time and help in working with both the Government and the Information Commissioner to resolve the problem.
I fully appreciate that the intention of the amendment is to protect our schools, colleges and universities by allowing them to continue pursuing their interests outside of their public tasks. I reassure noble Lords that neither the Bill nor the GDPR puts that at risk. The Information Commissioner’s Office has confirmed that it will issue detailed guidance on this matter, including the processing of personal data for the purpose of maintaining alumni relations, in order to make this clear. Representatives of the higher education sector have also indicated to the Information Commissioner’s Office that they may wish to develop further sector-level guidance, and the Information Commissioner’s Office will assist with that.
However, we are very sympathetic to everything that noble Lords have said today. It is important that we should meet again, and I am happy to agree to a meeting between myself, my noble friend Lord Ashton and all interested Peers so that we can talk about this further, in order that when we come back on Report we will have something that perhaps everyone will wish to hear. I hope my clarification on this issue is sufficient for now, and that the noble Baroness will agree to withdraw her amendment.
Lord Kennedy of Southwark
The Minister mentioned guidance and said that these matters would be solved then. Can she give us an assurance that we will have the guidance before the Bill becomes law?
Baroness Chisholm of Owlpen
The guidance from the Information Commissioner’s Office is ongoing. I had better go and find out whether we will have it by the time this Bill becomes law, because I do not want to say something at the Dispatch Box that turns out to be wrong. I will have to get back to the noble Lord on that point.