Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Knight of Weymouth
Main Page: Lord Knight of Weymouth (Labour - Life peer)Department Debates - View all Lord Knight of Weymouth's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Lord Knight of Weymouth Excerpts(6 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones
My Lords, I thank the noble Baroness for that accolade. I rise to speak to Amendment 170, which is a small contribution to perfecting Amendment 169. It struck me as rather strange that Amendment 152 has a reference to charities, but not Amendment 169. For charities, this is just as big an issue so I wanted to enlarge slightly on that. This is a huge change that is overtaking charities. How they are preparing for it and the issues that need to be addressed are of great concern to them. The Institute of Fundraising recently surveyed more than 300 charities of all sizes on how they are preparing for the GDPR, and used the results to identify a number of areas where it thought support was needed.
The majority of charities, especially the larger ones, are aware of the GDPR and are taking action to get ready for May 2018, but the survey also highlighted areas where charities need additional advice, guidance and support. Some 22% of the charities surveyed said that they have yet to do anything to prepare for the changes, and 95% of those yet to take any preparatory action are the smaller charities. Some 72% said that there was a lack of clear available guidance. Almost half the charities report that they do not feel they have the right level of skills or expertise on data protection, and 38% report that they have found limits in their administration or database systems, or the costs of upgrading these, a real challenge. That mirrors very much what small businesses are finding as well. Bodies such as the IoF have been working to increase the amount of support and guidance on offer. The IoF runs a number of events, but more support is needed.
A targeted intervention is needed to help charities as much as it is needed for small business. This needs to be supported by government—perhaps through a temporary extension of the existing subsidised fundraising skills training, including an additional training programme on how to comply with GDPR changes; or a targeted support scheme, directly funded or working with other funding bodies and foundations, to help the smallest charities most in need to upgrade their administrative or database systems. Charities welcome the recently announced telephone service from the ICO offering help on the GDPR, which they can access, but it is accessible only to organisations employing under 250 people and it is only a telephone service.
There are issues there, and I hope the Minister will be able to respond, in particular by recognising that charities are very much part of the infrastructure of smaller organisations that will certainly need support in complying with the GDPR.
Lord Knight of Weymouth (Lab)
My Lords, I broadly support what these interesting amendments are trying to do. I declare my interest as a member of the board of the Centre for Acceleration of Social Technology. Substantially, what it does is advise normally larger charities on how to best take advantage of digital to solve some of their problems.
Clearly, I support ensuring that small businesses, small charities and parish councils, as mentioned, are advised of the implications of this Act. If she has the opportunity, I ask the noble Baroness, Lady Neville-Rolfe, to explain why she chose staff size as the measure. I accept that hers is a probing amendment and she may think there are reasons not to go with staff size. The cliché is that when Instagram was sold to Facebook for $1 billion it had 13 members of staff. That would not come within the scope of the amendment, but there are plenty of digital businesses that can achieve an awful lot with very few staff. As it stands, my worry is this opens up a huge loophole.
Lord Maxton (Lab)
I entirely agree with my noble friend. The point I was going to make is that small companies are often very wealthy. In the global digital world that is the fact: you do not need the same number of employees as in the past. Equally, would the amendment apply to five employees globally, or just in this country?
Lord Knight of Weymouth
Certainly if the amendment were to have any legs in terms of using the number of employees as a parameter then that would have to be defined. However you chose to define the size of an organisation, you would need to explore how to work that out.
Baroness Neville-Rolfe
I chose five employees because it often denotes a small organisation or a small business. I can see that some of the businesses in that category might be fairly large. I would of course have no objection to adding an extra criterion, such as turnover, if there was a mood to write exemptions into the Bill. Other legislation has exemptions for smaller bodies. The overall objectives of the data protection legislation clearly have to be achieved but I am concerned that, in particular, some of the subsidiary provisions, such as fines and fees, which I mentioned, are demanding and worrying for smaller entities.
Lord Knight of Weymouth
I am grateful for the noble Baroness’s comments. Something certainly can be done to think more about turnover than the number of employees, otherwise there would be a big loophole, particularly around marketing and being able to set up a company to harvest data, for which the Act would not apply. It could then sell the data on. It would not need very many people at all to pursue that opportunity.
The other thing these amendments allow us to do is ask the Minister to enlighten us a little on his thinking about how the Information Commissioner’s role will develop. In particular, if it is to pursue the sorts of education activities set out in these amendments, how will it be resourced to do so? I know there are some career-limiting aspects for Ministers who promise resources from the Dispatch Box, but the more he can set out how that might work, the more welcome that would be.
Lord Arbuthnot of Edrom (Con)
My Lords, I declare my interests as a chairman of a charity and of a not-for-profit organisation, and as a director of some small businesses. Having said that, I agree with every word that my noble friend Lady Neville-Rolfe said.
The Association of Accounting Technicians has said that the notion that the GDPR will lead to a €2.3 billion cost saving for the European Union is absurd. I agree. The Federation of Small Businesses has said how a sole trader might have to pay £1,500 for the work needed, and someone with 25 employees might have to pay £20,000. In the Second Reading debate my noble friend Lord Marlesford talked about his parish council rather poignantly. It might be impossible to exempt organisations such as those from European Union regulations. But if that is so, I hope that my noble friend the Minister will say, first, why it is impossible; and, secondly, what we can do to get round and to ameliorate the various different issues raised.
On the duty to advise Parliament of the consequences of the Bill, I said at Second Reading that the regulator cannot issue guidance until the European Data Protection Board issues its guidance. That may not be until spring next year. This leaves businesses, charities and parish councils very little time, first, to make representations to Parliament; secondly, to bring in new procedures; and thirdly, to train the staff they will need. In that short time, organisations will all be competing for very skilled staff. That must push the price of those skilled staff up at a time when these small businesses will find it very difficult to pay.
I look forward with interest to hearing what my noble friend says, and I hope that he will be able to agree to the meeting that my noble friend asked for.
Baroness Chisholm of Owlpen (Con)
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point which has not been lost on noble Lords; nor has it been lost on organisations, business groups and others. We are grateful for all the feedback we have received through responses to the Government’s call for views and on our statement of intent, and, most recently, on the drafting of the Bill itself. Hence this large group of technical amendments seek to polish various provisions of the Bill in response to that feedback. If I may, I will save noble Lords from the tedium of going through each amendment in turn—we would be here all night—and instead focus on the small number of substantive amendments in the group.
I begin with Amendment 51, which ensures that automatic renewal insurance products purchased before 25 May 2018 can continue to function. Automatic renewal products work on the principle that, if the insured person does not respond to the renewal notice, their insurance continues uninterrupted. Without the amendment this would not be possible for products such as motor insurance, which require processing of special categories of personal data and criminal convictions and offences data, potentially leaving individuals unwittingly uninsured.
Amendment 55 responds to a request from the Welsh Government to extend an exemption on passing information about a prisoner to an elected representative to Members of the Welsh Assembly. I am very happy to give effect to that request.
Amendment 56 ensures that existing court reporting—so important for ensuring open justice—can continue. Judgments may include personal data, so this amendment will allow the courts to continue with current reporting practices.
Paragraph 9 of Schedule 2 provides a limited exemption in respect of certain regulatory activities which could otherwise be obstructed by a sufficiently determined individual. Amendment 86 adds five additional regulatory activities to that list to allow relevant existing data processing activities to continue.
Amendment 87 extends the common-sense protection provided by paragraph 22 of Schedule 2 for confidential employment references, so that it also expressly covers confidential references given for voluntary work.
Amendments 90 and 186 ensure a consistent definition of “publish” and “publication” throughout the Bill.
I conclude my brief tour—it did not seem very brief to me—of these amendments with reference to the amendments to Schedule 6. As noble Lords will recall, in creating the applied GDPR Schedule 6 anglicises its language, so as to ensure that it makes sense in a UK context. This is a mechanical process involving, for example, replacing the term “member state” with “United Kingdom”. Amendments 112 to 114, 116 to 118 and 120 to 124 refine that process further.
The remaining amendments that I have failed to mention will dot the “i”s and cross the “t”s, as detailed in the letter from my noble friends Lord Ashton and Lady Williams when the amendments were tabled on 20 October. For these reasons, I beg to move Amendment 8 and ask the House to support the other government amendments in this group.
Lord Knight of Weymouth
My Lords, I will be brief on this group but I have two points to make. One is a question in respect of Amendment 51, where I congratulate the insurance industry on its lobbying. Within proposed new paragraph 15A(1)(b) it says,
“if … the controller has taken reasonable steps to obtain the data subject’s consent”.
Can the Minister clarify, or give some sense of, what “reasonable” means in this context? It would help us to understand whether that means an email, which might go into spam and not be read. Would there be a letter or a phone call to try to obtain consent? What could we as citizens reasonably expect insurance companies to do to get our consent?
Assuming that we do not have a stand part debate on Clause 4, how are the Government getting on with thinking about simplifying the language of the Bill? The noble Baroness, Lady Lane-Fox, is temporarily not in her place, but she made some good points at Second Reading about simplification. Clause 4 is quite confusing to read. It is possible to understand it once you have read it a few times, but subsection (2) says, for example, that,
“the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR”.
That sort of sentence is quite difficult for most people to understand, and I will be interested to hear of the Government’s progress.
Lord Clement-Jones
My Lords, I thank the noble Baroness for introducing these amendments in not too heavy a style, but this is an opportunity to ask a couple of questions in relation to them. We may have had since 20 October to digest them; nevertheless, that does not make them any more digestible. We will be able to see how they really operate only once they are incorporated into the Bill. Perhaps we might have a look at how they operate on Report.
The Bill is clearly a work in progress, and this is an extraordinary number of amendments even at this stage. It begs the question as to whether the Government are still engaged in discussions with outside bodies. Personally, I welcome that there has been dialogue with the insurance industry—a very important industry for us. We obviously have to make sure that the consumer is protected while it carries out an important part of its business. I know that the industry has raised other matters relating to third parties and so on. There have also been matters raised by those in the financial services industry who are keen to ensure that fraud is prevented. Even though they are private organisations, they are also keen to ensure that they are caught under the umbrella of the exemptions in the Bill. Can the noble Baroness tell us a little about what further discussions are taking place? It is important that we make sure that when the Bill finally hits the deck, so to speak, it is right for all the different sectors that will be subject to it.
Lord Knight of Weymouth
To clarify the question around insurance companies, if as technology and communications change there is a sense that the insurance companies should work a bit harder, would the first recourse be to go to the Financial Conduct Authority in order for it to regulate the insurance companies to do a better job?