Report (3rd Day) (Continued)
Clause 162: Re-identification of de-identified personal data
151A: Clause 162, page 91, line 5, at end insert “and section (Re-identification: effectiveness testing conditions)”
My Lords, I turn to the new offence of reidentifying de-identified personal data. As a new clause, with no corresponding parallel in the 1998 Act, it has been a hot topic throughout the passage of the Bill and the Government welcome the insightful debates on it that took place in Committee. Those debates have influenced our thinking on aspects of the clause and I will elaborate on the amendments we have tabled in response to concerns raised by noble Lords.
By way of background, Clause162(3) and (4) provide a number of defences for circumstances where reidentification may be lawful, including where it was necessary for the prevention or detection of crime, to comply with a legal obligation, or was otherwise justified as being in the public interest. Further defences are available where the controller responsible for de-identifying the personal data, or the data subjects themselves, consented to its reidentification.
As noble Lords will recall, concerns were raised in Committee that researchers who acted in good faith to test the robustness of an organisation’s de-identification mechanisms may not be adequately protected by the defences in the current clause. Although we continue to believe that the public interest defence would be broad enough to cover this type of activity, we recognise that the perception of a gap in the law may itself be capable of creating harm. We therefore tabled Amendments 151A, 156A and 161A to fix this. These amendments introduce a new, bespoke defence for those for whom reidentification is a product of their testing of the effectiveness of the de-identification systems used by other controllers.
A number of safeguards are included to prevent abuse. I particularly draw noble Lords’ attention to the requirement to notify either the original controller or the Information Commissioner. In addition, the researcher cannot intend to cause, or threaten to cause, damage or distress to a legal person. That means, for example, that those self-styled researchers who attempt to use their discovery to extort money from either the data controller or the data subjects they have reidentified are not protected by this new defence.
We fully appreciate the importance of the work undertaken by legitimate security researchers. I assured noble Lords in Committee that it was in no way our intention to put a halt on this activity where it is done in good faith, and the amendments I am moving today make good on that commitment. On that basis, I beg to move.
My Lords, I echo the noble Lord’s words. We also welcome these amendments. As has been said, this issue was raised by the academic community, whose primary concern was that the way the Bill had originally been phrased would make important security research illegal and weaken data protection for everyone by that process. It would also mean that good and valid research going on in our high-quality institutions might be at risk.
I do not in any sense want to question the amendments’ approach, but I have been in further correspondence with academics who have asked us to make a few points. I am looking for a sense that the issues raised are being dealt with. Either a letter or a confirmation that these will be picked up later in the process of the Bill is all that is necessary.
First, it is fairly common-sense to say that companies probably would not be very happy if a researcher picks up that they are not doing what they say on the tin—in other words, if their claim that their data has been anonymised turns out not to be the case. Therefore, proposed new subsection (2)(b) may well be used against researchers to threaten or shut down their work. The wording refers to “distress” that might be caused, but,
“without intending to cause, or threaten to cause, damage or distress to a person”,
seems a particularly weak formulation. If it is only a question of distress, I could be distressed by something quite different from what might distress the noble Lord, who may be more robust about such matters. I think that is a point to take away.
Secondly, we still do not have, despite the way the Minister introduced the amendment, definitions in the Bill that will work in law. “Re-identification”, which is used in the description and is part of the argument around it, is still not defined. Therefore, in proposed new Clause 161A(3), as mentioned by the noble Lord who introduced the amendment, the person who,
“notified the Commissioner or the controller responsible for de-identifying the personal data about the re-identification”,
has to do this,
“without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that.
We are trying to make it safe for researchers and data scientists to report improperly de-identified data, but in the present arrangements the responsibility for doing all this lies with the researcher. We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied Clause 162(2)(a) and (b) and Clause 162(3)(a), (b) and (c), which is a fairly high burden. All in all, we just wonder whether how this has been framed does the trick satisfactorily. I would be grateful for further correspondence with the Minister on this point.
Finally, there is nothing in this amendment about industry. It may not be necessary but it raises a question that has been picked up by a couple of people who have corresponded with us. The burden, again, is on the researcher. Is there not also a need to try to inculcate a culture of transparency in the anonymisation processes which are being carried out in industry? In other words, if there is a duty on researchers to behave properly and do certain things at a certain time, should there not also be a parallel responsibility, for example, on companies to properly and transparently anonymise the data? If there is no duty for them to do it properly, what is in it for them? It may well be that that is just a natural aspect of the work they are doing, but maybe the Government should reflect on whether they are leaving this a little one-sided. I put that to the Minister and hope to get a response in due course.
I thank the noble Lord, Lord Clement-Jones, for his support on this. I accept that there may be things to look at that the noble Lord, Lord Stevenson, has mentioned. It is better to consider those things properly rather than give an answer off the top of my head at the Dispatch Box. I certainly commit to taking those points back and having a look at them. It may be that, when we correspond, something can take place in another place. In the meantime, I beg to move.
Amendment 151A agreed.
Amendments 152 to 161
152: Clause 162, page 91, line 16, after “court” insert “or tribunal”
153: Clause 162, page 91, line 20, leave out “the person acted in the reasonable belief that”
154: Clause 162, page 91, line 21, at beginning insert “the person acted in the reasonable belief that”
155: Clause 162, page 91, line 26, at beginning insert “the person acted in the reasonable belief that”
156: Clause 162, page 91, line 31, at end insert “, or
( ) the person acted—(i) for the special purposes,(ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and(iii) in the reasonable belief that in the particular circumstances the re-identification was justified as being in the public interest.”
156A: Clause 162, page 91, line 31, at end insert “, or
( ) the effectiveness testing conditions were met (see section (Re-identification: effectiveness testing conditions)).”
157: Clause 162, page 91, line 42, after “court” insert “or tribunal”
158: Clause 162, page 91, line 46, leave out “the person acted in the reasonable belief that”
159: Clause 162, page 91, line 47, at beginning insert “the person acted in the reasonable belief that”
160: Clause 162, page 92, line 1, at beginning insert “the person acted in the reasonable belief that”
161: Clause 162, page 92, line 5, at end insert “, or
( ) the person acted—(i) for the special purposes,(ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and(iii) in the reasonable belief that in the particular circumstances the processing was justified as being in the public interest.”
Amendments 152 to 161 agreed.
161A: After Clause 162, insert the following new Clause—
“Re-identification: effectiveness testing conditions
(1) For the purposes of section 162, in relation to a person who re-identifies information that is de-identified personal data, “the effectiveness testing conditions” means the conditions in subsections (2) and (3).(2) The first condition is that the person acted—(a) with a view to testing the effectiveness of the de-identification of personal data,(b) without intending to cause, or threaten to cause, damage or distress to a person, and(c) in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.(3) The second condition is that the person notified the Commissioner or the controller responsible for de-identifying the personal data about the re- identification—(a) without undue delay, and(b) where feasible, not later than 72 hours after becoming aware of it.(4) Where there is more than one controller responsible for de-identifying personal data, the requirement in subsection (3) is satisfied if one or more of them is notified.”
Amendment 161A agreed.
Clause 164: The special purposes
162: Clause 164, page 93, line 17, leave out paragraph (c)
Amendment 162 agreed.
Clause 165: Provision of assistance in special purposes proceedings
163: Clause 165, page 93, line 37, after second “as” insert “reasonably”
Amendment 163 agreed.
Clause 166: Staying special purposes proceedings
164: Clause 166, page 94, line 34, leave out “literary or artistic” and insert “artistic or literary”
Amendment 164 agreed.
Amendment 165 had been withdrawn from the Marshalled List.
Clause 169: Regulations and consultation
Amendments 166 to 170
166: Clause 169, page 95, line 36, leave out from beginning to second “regulations” in line 37 and insert—
“(2) Before making regulations under this Act, the Secretary of State must consult—(a) the Commissioner, and(b) such other persons as the Secretary of State considers appropriate.(2A) Subsection (2) does not apply to”
167: Clause 169, page 96, line 4, at end insert—
“( ) Subsection (2) does not apply to regulations made under section 17 where the Secretary of State has made an urgency statement in respect of them.”
168: Clause 169, page 96, line 15, at end insert—
“(5A) Where regulations under this Act are subject to “the made affirmative resolution procedure”—(a) the statutory instrument containing the regulations must be laid before Parliament after being made, together with the urgency statement in respect of them, and(b) the regulations cease to have effect at the end of the period of 120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament.(5B) In calculating the period of 120 days, no account is to be taken of any time during which—(a) Parliament is dissolved or prorogued, or(b) both Houses of Parliament are adjourned for more than 4 days.(5C) Where regulations cease to have effect as a result of subsection (5A), that does not—(a) affect anything previously done under the regulations, or(b) prevent the making of new regulations.”
169: Clause 169, page 96, line 18, at end insert “or the made affirmative resolution procedure”
170: Clause 169, page 96, line 21, at end insert—
“( ) In this section, “urgency statement” has the meaning given in section 17(4).”
Amendments 166 to 170 agreed.
Clause 170: Power to reflect changes to the Data Protection Convention
Amendments 171 and 172
171: Clause 170, page 96, line 29, leave out paragraphs (a) and (b) and insert—
“(a) to amend or replace the definition of “the Data Protection Convention” in section 2;(b) to amend Chapter 3 of Part 2 of this Act;(c) to amend Part 4 of this Act;(d) to make provision about the functions of the Commissioner, courts or tribunals in connection with processing of personal data to which Chapter 3 of Part 2 or Part 4 of this Act applies, including provision amending Parts 5 to 7 of this Act;(e) to make provision about the functions of the Commissioner in connection with the Data Protection Convention or an instrument replacing that Convention, including provision amending Parts 5 to 7 of this Act;(f) to consequentially amend this Act.”
172: Clause 170, page 96, line 32, at end insert—
“( ) Regulations under this section may not be made after the end of the period of 3 years beginning with the day on which this Act is passed.”
Amendments 171 and 172 agreed.
Clause 171: Prohibition of requirement to produce relevant records
173: Clause 171, page 97, line 8, after “court” insert “or tribunal”
Amendment 173 agreed.
Amendment 174 had been withdrawn from the Marshalled List.
Clause 173: Representation of data subjects
175: Clause 173, page 98, line 26, at end insert—
“(2A) A body or other organisation which meets the conditions in subsections (3) and (4) may also exercise some or all of the rights under subsection (2) independently of the data subject’s authority.(2B) Subsection (2A)—(a) applies in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section; and(b) is without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”
My Lords, as a result of the vagaries of grouping, redrafting and so on, I am in danger of being the tail that wags the dog on this group of amendments, especially as Amendment 175 deals with the processing of personal data to which the GDPR does not apply. Amendment 175A is a much broader amendment, dealing with the implementation of not only article 82 but other aspects that are extremely desirable.
I know that the Minister will be fairly brief in response, so I will not rehearse all the arguments we put forward in Committee. The noble Lord, Lord Stevenson, led on this group of amendments and put forward many of the arguments made by a great number of organisations, such as Which?, Age UK, Privacy International and the Open Rights Group, for this kind of group representation, along the lines of the super-complaints in the Consumer Rights Act, which are highly desirable. I recommend—which shortens the job I have of introducing this amendment—that the Minister reads the blog on the Privacy International site written by the chair emeritus of PI’s board of trustees, Anna Fielder. She puts the arguments extremely well and wrestles with some of the points that the Minister made in Committee, which is extremely useful. I am certainly not going to go through all that, let alone the polling data, which I think refutes quite a lot of what the Minister said. This is extremely desirable. I support very strongly what the noble Lord, Lord Stevenson, has tabled. It is quite comprehensive in many ways. I look forward to his introduction of his amendment.
Finally, a very important factor in all of this is the support of the Information Commissioner. She has come to the conclusion, as she wrote very convincingly in her second memorandum, that we need to have this kind of right of representation where consent has not necessarily been obtained. I think we should listen very carefully to what she has to say. I beg to move.
My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for his introduction and for paving the way to the comments I want to make. He suggested further reading but I might be able to shorten the reading list for the Minister, because I am going to cite a bit of what has been sent as part of that package. We went through most of the main issues and had a full response from Ministers the last time this was raised, in Committee. But since then we have of course amended the Bill substantially to provide for a significant amount of age-appropriate design work to be done to protect children who, either lawfully or unlawfully as it might be, come into contract arrangements with processors of their data.
That data processing will almost certainly be done properly under the procedures here. We hope that, within a year of Royal Assent, we will see the fruits of that coming through. But after that, we will be in uncharted territory as far as younger persons and the internet are concerned. They will obviously be on there and using substantial quantities of data—a huge amount, as is picked up when one sees one’s bills and how much time they spend on downloading material from the internet and has to find the wherewithal to provide for them. But I am pretty certain there will also be occasions where things do not work out as planned. They may well find that their data has been misused or sold in a way they do not like, or processed in a way which is not appropriate for them. In those circumstances, what is the child to do? This is why I want to argue that the current arrangements, and the decision by the Government not to allow for the derogation provided for in the GDPR under article 82 to apply, may have unforeseen consequences.
I am grateful to the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for supporting Amendment 175A, and I look forward to her comments later on, particularly in relation to children’s use. It is important to recognise that, if there is a derogation and it is not taken up, there has to be a good reason for that. The arguments brought up last time were largely along the lines that it would be overcomplicated to have two types of approach and that, in any case, there was sufficient evidence to suggest that individual consumers would prefer to be represented when they do so—of course, that falls away when we talk about children.
In Amendment 175A, we are trying to recognise two things: first, the right of adults to seek collective redress on issues taken up on their behalf by bodies that have a particular skill or knowledge in that area and, secondly, to do this without the need to form an association with an individual or group, or a particular body that has a responsibility for it. The two parts of the amendment will provide a comprehensive regime to allow victims of data breaches to bring proceedings to vindicate rights to proper protection of their personal data, always bearing in mind that children will have the additional cover provided by theirs being a third-party involvement. We hope that there will not be serious breaches of data protection. We think that the Bill is well constructed and that in most cases it will be fine, but the possibility that it will happen cannot be ignored. This parallels other arrangements, including those in the Consumer Rights Act 2015, which apply to infringements of competition law—not a million miles away from where we are here—and for which there is a procedure in place.
To anticipate where the Government will come from on this, first, I think they will say that there is a lot going on here and no evidence to suggest that it should work. I suggest to them that we would be happy with a recognition that this issue is being applied elsewhere in Europe and that there is a discrepancy if it is not in Britain. Secondly, there may be a good case for waiting some time until we understand how the main provisions work out. But a commitment to keep this under review, perhaps within a reasonable time after the commencement of the procedures—particularly in relation to children and age-appropriate design—to carry out a formal assessment of the process and to consider its results would, I think, satisfy us. I accept the argument that doing too much too soon might make this difficult, but the principle is important and I look forward to the responses.
My Lords, I too want to speak to this amendment, to which I have added my name, and I acknowledge and welcome the support of the Information Commissioner on this issue. I support the collective redress of adults but I specifically want to support the noble Lord, Lord Stevenson, on this question of children.
At Second Reading and again in Committee I raised the problem of expecting a data subject who is a child to act on their own behalf. Paragraph (b) of proposed new subsection (4B) stipulates that,
“in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’ s own rights have been infringed".
This is an important point about the right of a child to have an advocate who may be separate from that child and whose own rights have not been abused. Children cannot take on the stress and responsibility of representing themselves and should not be expected to do so, nor should they be expected to police data compliance. Children whose data is processed unlawfully or who suffer a data breach may be unaware that something mischievous, harmful or simply incorrect has been attached to their digital identity. We know that data is not a static or benign thing and that assumptions are made on what is already captured to predict future outcomes. It creates the potential for those assumptions to act as a sort of lead boot to a child’s progress. We have to make sure that children are not left unprotected because they do not have the maturity or circumstances to protect themselves.
As the noble Lord, Lord Stevenson, said, earlier this evening, the age-appropriate design code was formally adopted as part of this Bill. It is an important and welcome step, and I thank the Minister and the new Secretary of State Matt Hancock, whose appointment I warmly welcome, for their contribution to making that happen. Children’s rights have been recognised in the Bill, but rights are not meaningful unless they can be enacted. Children make up nearly one-third of all users worldwide, but rarely do they or the vast majority of their parents have the skills necessary to access data protection.
The amendment would ensure that data controllers worked to a higher standard of data security when dealing with children’s data in the first place. Rather than feeling that the risk of a child bringing a complaint was vanishingly low, they would know that those of us who advocate for and protect the rights of children were able to make sure that their data was treated with the care, security and respect that we all believe it deserves.
My Lords, I am very grateful to noble Lords for their comments. Although I have to say at the outset that we have some reservations about these amendments, I think we might be able to find a way forward this evening. I have listened to the noble Lords, Lord Stevenson and Lord Clement-Jones, and taken their remarks on board, but I have especially listened to the noble Baroness, Lady Kidron, who spoke about children. We have some experience of her input in this Bill. I obviously take a lot of notice of what the noble Lords, Lord Stevenson and Lord Clement-Jones, say but, as you know, familiarity and all that, so I have certainly listened especially to the noble Baroness, Lady Kidron.
The Government are sympathetic to the idea of facilitating greater private enforcement, but we continue to believe that the Bill as drafted provides significant and sufficient recourse for data subjects. In our view, there is no need to invoke article 80(2) of the GDPR, with all the risks and potential pitfalls that that entails. To recap, the GDPR provides for, and the Bill allows, data subjects to mandate a suitable non-profit organisation to represent their interests following a purported infringement. The power will, in other words, be in their hands. They will have control over which organisation is best placed to represent their interests, what action to take and what remedy to seek. The GDPR also places robust obligations on the data controller to notify the data subject if there has been a breach which is likely to result in a high risk to the data subject’s rights and freedoms. This is almost unprecedented and quite different from, say, consumer law where compulsory notification of customers is rarely proportionate or achievable.
These are very significant developments from the 1998 Act and augment a rapidly growing list of enforcement options available to data subjects. That list already includes existing provisions for collective redress, such as group litigation orders, which were used so effectively in the recent Morrisons data breach case, and the ability for individuals and organisations to independently complain to the Information Commissioner where they have concerns about how personal data is being processed.
What these initiatives have in common is that they, like the GDPR as a whole, seek to empower data subjects and ensure they receive the information they need to enforce their own data rights. By comparison, Amendments 175 and 175A would go much further. I stress that, as I have already said, we are not against greater private enforcement, and I have borne in mind the points the noble Baroness made about children. We also have reservations about the drafting and purpose of these amendments, all of which I could of course go through at length, if the House wishes, but in view of what I am about to say, I hope that will not be necessary.
Since Committee, the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of Clause 173 as it is currently drafted. The Government are fully prepared to look again at the issue of article 80(2) in the context of that review. We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions.
In view of that, I would be very grateful if the noble Lord will withdraw his amendment this evening and other noble Lords do not press theirs.
Before the Minister sits down, can I get absolute reassurance from him that this is not pushing it into the future, where it will languish? Will the Government be looking to this review to actually solve the problem that we have put forward on behalf of children?
It absolutely will not and cannot languish, because we are going to put in the Bill—so on a statutory basis—that this has to be reviewed in two years. It will not languish. As I said, if we were just going to kick it into the long grass, I would not have said what I just said, which everyone can read. We would not have put it in the Bill and made the commitments we have made tonight.
My Lords, I thank the Minister for his response and am only sorry that I, rather than the noble Lord, Lord Stevenson, have the privilege of responding. The Minister came back, I thought, very helpfully. The noble Baroness, Lady Kidron, made a superb case for these rights to be implemented earlier rather than later. If we are creating all those new rights for children under the Bill, as she says, we must have a mechanism to enforce them. I believe the Minister said that the review would be two years after the Bill comes into effect. I hope that that is an absolute—
Let us hope that that is treated as an important timetable. I was interested that the Minister expressed his sympathy—I know that that was genuine—but then went on to talk about risks and pitfalls, and very significant developments, which all sounded a bit timid. I understand that we are in relatively novel territory, but it sounded rather timid in the circumstances, especially where the rights of children are concerned.
One point the Minister did come back on was group litigation orders. Class actions are very different from the kinds of representative action that we are talking about under these amendments. For example, they would be anonymous and the consent of the data subject would not have had to be acquired, unlike with a class action. They are very different, which is worth pointing out. There are some egregious issues in terms of the use of people’s data—the Equifax case, Uber, and so on. We need to remind ourselves that these are really important data breaches and there need to be remedies available. We, on this side of the House, and those on the Benches of the noble Baroness, Lady Kidron, will be vigilant on this aspect.
The one area of clarification that I did not receive from the Minister was whether this would apply to processing of personal data that was not under the GDPR. Will it be under the applied GDPR, and would that apply?
Amendment 175 withdrawn.
Amendment 175A not moved.
Clause 175: Framework for Data Processing by Government
176: Clause 175, leave out Clause 175 and insert the following new Clause—
“Framework for Data Processing by Government
(1) The Commissioner must prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of— (a) the Crown, a Minister of the Crown or a United Kingdom government department, and(b) a person with functions of a public nature who the Commissioner recommends is specified or described in regulations made by the Secretary of State.(2) The document may make provision relating to all of those functions or only to particular functions or persons.(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.(4) The Commissioner may from time to time prepare amendments of the document or a replacement document.(5) Before preparing a document or amendments under this section, the Commissioner must consult—(a) the Secretary of State, and(b) any other person the Commissioner considers it appropriate to consult.(6) Regulations under subsection (1)(b) are subject to the affirmative resolution procedure.(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”
My Lords, the Government introduced quite late in the proceedings in Committee a group of amendments that set up a parallel system under which data processing undertaken by government departments could be considered to be governed. Our Amendment 176 attempts to ask some questions, and in that sense it is a probing amendment. It probably does not work as it stands, on reflection, but it raises important points. Because the Government introduced the amendments so late in the day, I feel justified in asking for a response to some of our questions around them. The scrutiny that we could have given to the amendments did not take place, and I am grateful to the noble Lord, Lord Clement-Jones, for adding his name to the amendment and look forward to his comments later.
The main purpose of the amendment is to get on record from the Secretary of State a set of answers to questions. To be clear, we are talking about the framework for data processing by government to which the original amendments apply, and to which our amendment refers, covering all data held by any public body, including the NHS. It is both outside the ICO’s jurisdiction and under the direct control of Ministers. The courts are bound by the framework, as are tribunals, and a special case exists only for international law. I am not quite sure how that works, so maybe we can get some answers on that. There may well be updates, but if there are changes, they will be applied retrospectively. It is quite a significant package in terms of powers. I understand that there may be nothing wrong with that if everything else is working. In a sense, if one wants efficient government and effectiveness, one is asking for such things to be in place. I am not criticising that.
There are questions. First, on the name, why is it a framework and not a code of practice? Codes of practice are defined in the Bill and have considerable consequences as a result. There is a standard for developing them and a process under which they take place. There are regulatory arrangements and the involvement of Parliament, but that does not apply to the framework. In other words, the Government’s own data does not go through the processes that apply to other data.
Why do the Government’s proposals exempt public sector processing from normal data protection law? Surely if the concern is about making sure that a subject’s data is always looked after properly, and data controllers, whoever they are, are doing it in accordance with the procedures set out at length by the Bill, in the GDPR and in the derived legislation that will take place—if we leave—under Brexit, all we are getting is a way of keeping people out of any consideration regarding the data that is held by government. Citizens’ data should really belong to citizens and we should not have a situation where it is looked after by Ministers on behalf of Ministers and there is no external view.
One could make a strong case—I am not necessarily doing that, but others have—that the Secretary of State has the power to create their own framework for the data protection of their own data and their own department. They can ignore completely what the Information Commissioner may say about that framework—she has no locus in that. The framework can be brought to Parliament but it is a negative procedure, not an affirmative one, so it is very difficult to scrutinise. We can vote against it; we can certainly discuss it if we see it in time, but it will not be at the same level of scrutiny as perhaps applies to other matters. Barriers can be raised, and the ICO’s enforcement mechanisms can be fettered, extended or changed.
I am sure that the Minister will have good answers to that and I am in no sense trying to attack the basic principle. I just wonder whether there is not a case here for Caesar’s wife—excuse the old-fashioned language, but it is a quotation, not a reference. Caesar’s wife was always required to be above suspicion, above any other public person in Rome of the day. I say that with detailed knowledge having just been to the RSC’s performances of the Cicero plays, as I think I already mentioned. Sorry if I am boring people.
Nevertheless, it raises in one’s mind the issues of standards and propriety in public life in a forceful way. Blood was more common then than it might be today, but the issue is right. If you are in a public position and a public responsibility is placed on you, you must not only be above reproach, you must be seen to be above reproach. I am not sure that the government amendments satisfy that. I beg to move.
My Lords, I have only two brief observations to make, one supportive and one otherwise. My supportive observation is that I am very much in favour of the use of the affirmative resolution procedure for the approval of regulations, rather than the negative one. I add in parenthesis that I have always believed that we in Parliament should be able to amend under the affirmative resolution procedure. When we come to the European Bill, that will be particularly important, but that is for another day.
Where I disagree with the noble Lord is on his proposal that the commissioner should be responsible for preparing the document. That seems to me essentially a matter for the Secretary of State, because of the principle of ministerial responsibility. Ministers can be questioned and quizzed in a way which is utterly impossible for Parliament to do with the commissioner. There is also a small technical point. If a Minister has to come to Parliament—for example, under an affirmative resolution procedure—to argue in favour of regulations which he or she has not made, but which have, rather, been made by the commissioner, that could be at least a trifle embarrassing.
My Lords, I hear what the noble Viscount said about the amendment, but the problem is that even the affirmative resolution procedure is not necessarily a good way to test the framework. The noble Lord, Lord Stevenson, was unusually kind about the Government’s framework. As he said, the Secretary of State can produce a framework that applies data protection to his own department; ignore what the Information Commissioner says about the framework; lay his own framework for Parliament through the negative procedure—I take the noble Viscount’s point about the affirmative procedure—which means it is very unlikely to get much scrutiny; and raise barriers against the ICO’s enforcement mechanism. He can then, as part and parcel of the framework, extend or introduce frameworks to include any other public sector body. Frankly, the Secretary of State can pretty much do what he or she wants. We should not be saying that the framework is essentially like a statutory code of practice; it is a very different animal.
This is our first debate on the architecture that the Government have imposed. In Committee the Minister produced a whole raft of amendments introducing the framework and we did not have a chance to scrutinise it properly. The Information Commissioner is not very happy with this architecture either. That is utterly clear. It is not just opposition parties or organisations such as medConfidential that are unhappy. The ICO has stated:
“The Commissioner understands the needs for government departments and public bodies to be clear about the legal basis for undertaking the functions and this is particularly true when processing personal data. However the provisions as drafted appear to go beyond this limited ambition and create different risks that must also be considered. She has made clear her concerns to government and these are set out below”.
I should very much like to hear what sort of dialogue the Government have had with the ICO because, frankly, at the moment they seem to be overriding any powers or involvement that she has in this framework. I am afraid that I am raising the temperature slightly at this time of night, but the framework for government data protection is not in fact data protection at all.
To regain some favour with my noble friend the Minister, may I just say a little word about affirmative orders? It is tempting to say that we should have affirmative procedure but, at the end of the day, we will have at some point to debate those affirmative orders, and they keep mounting up. In respect of negative instruments, there is a praying period and we can flag them up for debate and have them debated in the Chamber in exactly the same way as we can an affirmative order.
My Lords, I am grateful to all those who have participated. I take on board what the noble Lord, Lord Clement-Jones, said about our brief debate on the final day in Committee, so we can do a bit tonight. I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out. I am going to duck, if I may, the argument about the affirmative procedure and whether it should be amendable, particularly given other Bills that are coming before this House soon. After all, I was only reappointed yesterday.
It is helpful to have this opportunity to further set out the purpose and operation of Clauses 175 to 178 and, in doing so, explain why the amendments in this group are unnecessary—except, of course, the government amendments. As noble Lords will now be aware, the Bill creates a comprehensive and modern scheme for data protection in the UK. No one is above the law, including the Government. That partly answers the point made by the noble Lord, Lord Clement-Jones. The Secretary of State cannot do whatever she or he wants because they are subject to the GDPR and the Bill, like everyone else. When I go further and explain the relationship between this framework and the ICO’s guidance, if it is issued, I hope that will further reassure noble Lords.
While we are on this subject, the reason the Bill uses the term “framework” is that it uses the term “code of practice” to refer to a number of documents produced by the Information Commissioner. As this document will be produced by the Government, we felt that it would be clearer not to use that term in this case. It is purely a question of naming conventions—nothing significant at all.
Inherent in the execution of the Government’s functions is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is therefore intended to set out the principles and processes that the Government must have regard to when processing personal data. Government departments will be required to have regard to the framework when processing personal data. This is not a novel concept. Across the country, organisations and businesses produce guidance on data processing that addresses the specific circumstances relevant to them or the sector in which they operate. This sector, or organisation-specific guidance, coexists with the overarching guidance provided by the Information Commissioner.
This framework adopts a similar approach; it is the Government producing guidance on their own processing of data. The Information Commissioner was consulted during the preparation of these clauses and will be consulted during the preparation of the framework itself to ensure that the framework complements the commissioner’s high-level national guidance when setting out more detailed provision for government.
My Lords, the Minister said that the Information Commissioner was consulted, but what was her view? Can the Minister put on record what the Information Commissioner’s view about the final architecture was? She has made it fairly clear to us that this is not satisfactory, as far as she is concerned.
When I said that she was consulted, I said what I meant. This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner. I think that she is worried about complications regarding independence and the extent of her authority in this. I am not pretending that she is completely happy with this, but I hope that I will address how the two interlink and we can come back to this if the noble Lord wants. I acknowledge his point that she is not completely happy with this but, as I said before, it is one of the few areas in the whole Bill where that is the case. Certainly, we have a very good relationship with the Information Commissioner, as evidenced earlier this evening by her agreement on pay and flexibility. Importantly though, whatever she thinks of it, she will be consulted during the preparation of the framework itself to ensure that it complements the commissioner’s high-level national guidance when setting out more detailed provision for the Government.
As I explained in Committee, the Government’s view is that the framework will serve to further improve the transparency and clarity of existing government data processing. The Government can and should lead by example on data protection. Amendment 176 is designed to address concerns about the potential for confusion if the framework is produced by the Government, I respectfully suggest that these concerns are misplaced. The Secretary of State’s framework will set out principles for the specific context of data processing by government. It will, as I have set out, complement rather than supplant the commissioner’s statutory codes of practice and guidance, which will, by necessity, be high level and general as they will apply to any number of sectors and organisations.
Requiring the commissioner to dedicate time and resources to producing guidance specifically for the Government, as the noble Lord’s amendment would require, would hardly seem to the best use of her resources. Just like a sectoral representative body, it is the Government who have the experience and knowledge to devise a framework that speaks to their own context in more specific terms.
Absolutely. The framework exists like other sectoral guidance that is produced, under the overarching guidance produced by the Information Commissioner. In a minute I will provide further reassurance on how the two interlink.
As I have already set out, the Government will consult the commissioner in preparing the framework. Importantly, she is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents.
I know that we should not be intervening like this on Report, but the phrasing that the Minister just used is of interest—to the noble Lord, Lord Clement-Jones, as well, I think. What does “irrelevant” mean? Can the Minister unpick that a little? Either the Secretary of State has the power to do something, or not. If that power is conditional on the ICO having given broad agreement to it, under what conditions can the ICO intervene? Can it be because the commissioner regards it as irrelevant? What does that mean?
I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce. If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it. The words “must take into account” mean that she is not bound by the provision but has to take it into account. She is, after all, the regulator who sits above all data processors.
I reiterate that the guidance will provide reassurance to data subjects about the approach the Government take to processing data and the procedures that they follow when doing so. It will help further strengthen the Government’s compliance with the principles of the GDPR.
Amendments 177 and 178, in the name of the noble Lord, Lord Clement-Jones, concern the process for making the guidance. The guidance may be revised if Parliament does not approve it or if it needs adjustment to be compatible with international obligations. It would be odd and irresponsible to abandon the problem these clauses are trying to resolve if Parliament does not approve the guidance. A revised version should be prepared. Similarly, data protection rules are often international in nature and indeed this Bill is based on three international instruments, so revising the guidance to maintain compatibility must be the sensible approach.
Amendments 179 and 180 seek to limit the effect of the guidance. Persons must have regard to the guidance but there may be good reasons why processing data in a particular set of circumstances can lawfully be conducted in a manner outside the guidance. As long as regard has been had to the guidance but good reasons for departing from it or for its non-applicability have been established, it is perfectly proper and within the norm of usual public law principles to do so. Clause 178 ensures that those principles are enforced.
In our view, the existence of a framework in no way impinges upon the commissioner’s independence. Clause 178(5) simply requires the commissioner to take a provision in the Government’s framework into account if it appears to her to be relevant to the matter in hand. For example, if the commissioner were to investigate a data breach by a government department, she may consider it relevant to consider whether or not that department had applied the principles set out in the framework. It is standard practice for the Information Commissioner to take into account relevant sectoral guidance when examining issues related to the processing of personal data by a particular sector. Clause 178(5) simply reflects that practice. Furthermore, nothing in Clause 178(5) constrains the Information Commissioner in any way. She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents, as I said.
Government Amendments 184A and 184B are technical amendments and are similarly designed to assist with the Government’s compliance with the GDPR. Most bodies falling within the Bill’s definition of government departments are Crown bodies. Such bodies cannot contract with each other as the Crown cannot contract with itself. This constitutional quirk means that the usual GDPR requirement that controllers and processors must have a contractual relationship is impossible to satisfy where one department is processing on behalf of another. These amendments resolve this situation by allowing departments to enter into a memorandum of understanding between each other instead and remain GDPR-compliant.
On the basis of my comments, I hope that the noble Lord will feel able to withdraw his amendment and support the government amendments in this group.
I thank the Minister very much indeed for his very full response. I will read it carefully in Hansard but at this stage, although it is a rather complicated issue, I understand where he is coming from and I think we can probably let it rest at this point. If there is anything else, I will write to him rather than prolong the discussion today.
I opined that negative resolutions were rarely voted down and cited 1940 as the last occasion that that happened, but I was wrong. Some 40 years ago on 24 October 1979, the Paraffin (Maximum Retail Prices) (Revocation) Order 1979 was defeated late at night during what appears to have been rather unsavoury activity by members of the Labour Party who hid in cupboards and things and then jumped out. Mr Hamish Gray, whom Members may recall, was unable to sustain the standing order and it had to be brought back later on—it was all very complicated and Hansard is wonderful about it. I beg leave to withdraw the amendment.
Amendment 176 withdrawn.
Clause 176: Approval of the Framework
Amendment 177 not moved.
Clause 177: Publication and review of the Framework
Amendment 178 not moved.
Clause 178: Effect of the Framework
Amendments 179 and 180 not moved.
181: After Clause 178, insert the following new Clause—
“Personal data ethics advisory board and ethics code of practice
(1) The Secretary of State must appoint an independent Personal Data Ethics Advisory Board (“the board”) as soon as reasonably practicable after the passing of this Act.(2) The board’s functions, in relation to the processing of personal data to which the GDPR and this Act applies, are—(a) to monitor further technical advances in the use and management of personal data and their implications for the rights of data subjects;(b) to protect the individual and collective rights and interests of data subjects in relation to their personal data;(c) to ensure that trade-offs between the rights of data subjects and the use and management of personal data are made transparently, inclusively, and with accountability;(d) to seek out good practices and learn from successes and failures in the use and management of personal data;(e) to enhance the skills of data subjects and controllers in the use and management of personal data.(3) The board must work with the Commissioner to prepare a data ethics code of practice for data controllers, which must—(a) include a duty of care on the data controller and the processor to the data subject;(b) provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—(i) reduce vulnerabilities and inequalities;(ii) protect human rights;(iii) increase the security of personal data; and(iv) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.(4) The code must also include guidance in relation to the processing of personal data in the public interest and the substantial public interest.(5) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.(6) The board must report annually to the Secretary of State.(7) The report in subsection (6) may contain recommendations to the Secretary of State and the Commissioner relating to how they can improve the processing of personal data and the protection of data subjects’ rights by improving methods of—(a) monitoring and evaluating the use and management of personal data;(b) sharing best practice and setting standards for data controllers; and(c) clarifying and enforcing data protection rules.(8) The Secretary of State must lay the report made under subsection (6) before both Houses of Parliament.”
My Lords, we can be quite brief on this matter. It is an open secret that both the Government and Her Majesty’s loyal Opposition, joined by others who have signed Amendment 181, were keen to try to move ahead with the idea of setting up a data ethics board or panel and giving it powers and teeth, particularly in light of the recent Budget, in which it was clear that there was money available for it to be established and start spending. We felt that it would be nice to get that going. Unfortunately, the rules of the House are so tight that it has not been possible to find a form of words for the powers that would be used to set up this advisory board which would be sufficiently broad to give a proper basis for the ambitions that we all share for it. On the basis that I think the Government may have something to say about this, I will not extend the discussion on this, because there is so much common ground. I look forward to hearing from the Minister, but to get the debate going I beg to move.
My Lords, we are at the last knockings on most of the Bill. It is rather ironic that one of the most important concepts that we need to establish is a new data ethics body—a new stewardship body—called for by the Government in their manifesto, by the Royal Society, by the British Academy and by many others. Many of those who gave evidence to our Select Committee want to see an overarching body of the kind that is set out, and with a code of ethics to go with it. We all heard what the Minister had to say last time; we hope that he can perhaps give us more of an update on the work being carried out in this area.
This should not be and I do not think it will be a matter of party contention; I think there will be a great deal of consensus on the need to have this kind of body, not just for the narrow field of data protection and the use of data but generally, for the wider application in the whole field, whether it is the internet of things or artificial intelligence, and so on. There is therefore a desire to see progress in fairly short order in this kind of area. One of the reasons for that is precisely because of the power of the tech majors. We want to see a much more muscular approach to the use of data by those tech majors. It is coming down the track in all sorts of different varieties. We have seen it in debates in this House; no doubt there will be a discussion tomorrow about social media platforms and their use of news and content and so on. This is therefore a live issue, and I very much hope that the Minister will be able to tell us that the new Secretary of State is dynamically taking this forward as one of the top items on his agenda.
My Lords, I can certainly confirm that the new Secretary of State is dynamic. In this group we are in danger of violently agreeing with each other. There is a definite consensus on the need for this; whether there will be consensus on the results is another matter. I agree with the analysis given by the noble Lord, Lord Stevenson, that the trouble is that to get this into the Bill, we have to concentrate on data. As the noble Lord, Lord Clement-Jones, outlined, many other things need to be included in this grouping, not least artificial intelligence.
I will briefly outline what we would like to do. For the record, we understand that the use of data and the data-enabled technologies is transforming our society at unprecedented speed. We should expect artificial intelligence and machine learning to inform ever more aspects of our life in increasingly important ways. These new advances have the potential to deliver enormous benefits to society and the economy but, as we are made aware on a daily basis—like the noble Lord, Lord Clement-Jones, I am sure that this will be raised tomorrow in the debate that we are all looking forward to on social media—they are also raising a host of new and profoundly important challenges that we need to consider. One of those challenges, and the focus of this Bill, is protecting people’s personal data—ensuring that it is collected, retained and used appropriately. However, the other challenges and opportunities raised by these technologies go far beyond that, and there are many examples that I could give.
Therefore, in the Autumn Budget the Government announced their intention to create a centre for data ethics and innovation to maximise the benefits of AI and data technologies to society and the economy, and to help identify and address the ethical challenges that they pose. The centre will advise the Government and regulators on how they can strengthen and improve the way that data and artificial intelligence are governed. It will also support the effective, innovative and ethical use of data and artificial intelligence so that we maximise the positive impact that these technologies can have on our economy and society.
We are in the process of working up the centre’s terms of reference in more detail and will consult on this soon. The issues it will consider are pressing, and we intend to set it up in an interim form as soon as possible, in parallel to this consultation. However, I fully share the noble Lord’s view that the centre, whatever its precise form, should be placed on a statutory footing, and I can commit that we will bring forward appropriate legislation to do so at the earliest opportunity. I accept the reasoning from the noble Lord, Lord Stevenson, on why this is not the appropriate place due to the limitations of this Bill, and I therefore hope that he will be able to withdraw his amendment.
Amendment 181 withdrawn.
Clause 184: Disclosure of information to the Tribunal
182: Clause 184, page 103, line 24, leave out from “of” to end of line 29 and insert “—
(a) its functions under the data protection legislation, or(b) its other functions relating to the Commissioner’s acts and omissions.(2) But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016. (3) Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.”
Amendment 182 agreed.
Clause 189: Index of defined expressions
Amendment 183 not moved.
184: Clause 189, page 108, line 20, at end insert— “the made affirmative resolution procedure section 169”
“the made affirmative resolution procedure
Amendment 184 agreed.
Clause 192: Application to the Crown
Amendments 184A and 184B
184A: Clause 192, page 111, line 3, after “of” insert “the GDPR and”
184B: Clause 192, page 111, line 4, at end insert “(to the extent that is not already the case).
( ) Where government departments are not able to enter into contracts with each other, a provision of the GDPR or this Act that would require relations between them to be governed by a contract (or other binding legal act) in writing is to be treated as satisfied if the relations are the subject of a memorandum of understanding between them.”
Amendments 184A and 184B agreed.
Clause 193: Application to Parliament
Amendments 185 and 186 not moved.
Schedule 18: Minor and consequential amendments
Amendments 187 to 214
187: Schedule 18, page 200, line 23, leave out “sections 76C or” and insert “section”
188: Schedule 18, page 200, line 24, leave out “offences of disclosing information and” and insert “offence of”
189: Schedule 18, page 201, line 1, leave out “sections 76C or” and insert “section”
190: Schedule 18, page 201, line 2, leave out “offences of disclosing information and” and insert “offence of”
191: Schedule 18, page 201, line 17, leave out “sections 76C or” and insert “section”
192: Schedule 18, page 201, line 18, leave out “offences of disclosing information and” and insert “offence of”
193: Schedule 18, page 204, line 41, leave out “sections 76C or” and insert “section”
194: Schedule 18, page 204, line 42, leave out “offences of disclosing information and” and insert “offence of”
195: Schedule 18, page 208, line 42, leave out “Commissioner or”
196: Schedule 18, page 208, line 44, leave out “the Commissioner,”
197: Schedule 18, page 209, line 2, leave out “under this Act” and insert “in connection with appeals under section 60 of this Act.
(2) But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.(3) Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.”
198: Schedule 18, page 209, leave out lines 4 to 45
199: Schedule 18, page 211, line 18, leave out sub-paragraph (3)
200: Schedule 18, page 211, line 21, leave out “127(1)” and insert “127(3)”
201: Schedule 18, page 213, line 4, leave out “sections 76C or” and insert “section”
202: Schedule 18, page 213, line 5, leave out “offences of disclosing information and” and insert “offence of”
203: Schedule 18, page 216, line 27, leave out “sections 76C or” and insert “section”
204: Schedule 18, page 216, line 28, leave out “offences of disclosing information and” and insert “offence of”
205: Schedule 18, page 217, line 23, leave out “sections 76C or” and insert “section”
206: Schedule 18, page 217, line 24, leave out “offences of disclosing information and” and insert “offence of”
207: Schedule 18, page 224, line 27, leave out “sections 76C or” and insert “section”
208: Schedule 18, page 224, line 28, leave out “offences of disclosing information and” and insert “offence of”
209: Schedule 18, page 224, line 36, leave out “76C neu”
210: Schedule 18, page 224, line 37, leave out “troseddau o ddatgelu gwybodaeth ac” and insert “trosedd o”
211: Schedule 18, page 231, line 30, leave out “sections 76C or” and insert “section”
212: Schedule 18, page 231, line 31, leave out “offences of disclosing information and” and insert “offence of”
213: Schedule 18, page 232, line 28, leave out “sections 76C or” and insert “section”
214: Schedule 18, page 232, line 29, leave out “offences of disclosing information and” and insert “offence of”
Amendments 187 to 214 agreed.
My Lords, I am not really allowed to do this, but I would like to express my appreciation to the noble Baroness, Lady Finlay, for her education on Amendments 209 and 210. Fortunately, I have not had to read them out.
Clause 195: Commencement
Amendment 215 not moved.
216: Clause 195, page 112, line 31, at end insert—
“( ) sections (Publishers of news-related material: damages and costs) and (Publishers of news-related material: interpretive provisions);
Amendment 216 agreed.
Amendments 216A and 217 not moved.
House adjourned at 9.54 pm.