Skip to main content

Data Protection Bill [HL]

Volume 785: debated on Monday 30 October 2017

Committee (1st Day) (Continued)

Amendment 12

Moved by

12: Clause 7, page 5, line 6, after “includes” insert “, without prejudice to the generality of the expression “necessary for the performance of a task carried out in the public interest”,”

My Lords, I shall speak also to my Amendments 14 and 111. Perhaps I may first thank the Minister and his team, who kindly agreed to see me and others to discuss what amendments I might have following my Second Reading speech. I am not sure that we resolved any issues, but I at least thank him for his courtesy and hope that, after today, we will resolve those issues.

I will speak first to Amendments 12 and 14. I beg the Committee’s indulgence for taking slightly more time than your Lordships might expect for a group of amendments, partly because I think this is the only time we are dealing with the major sector issues—the sector being the universities and other research institutions on which we are about to rely a lot for our economic growth; I will come to that. I am supported enthusiastically by the Wellcome Trust, the MRC, Cancer Research UK, the AMRC, the Sanger Institute, the Academy of Medical Sciences, the ESRC and many others. They are extremely anxious that what we do with the Bill does not in any way counter their ability to use data for productive research—and I do mean productive research. I declare an interest: I am a fellow of the Academy of Medical Sciences and of the Royal Society of Edinburgh, and I have a strong association with Dundee University. I cannot miss the opportunity to say that last week Dundee University was ranked number one globally for science innovation, beating every university in the United States. That is a fantastic achievement in science research. It beat all the so-called elite universities in England that we hear about, as well.

Clause 7 sets out a legal basis for processing personal data in the public interest. This reflects article 6(1)(e) of the GDPR. It is incredibly important to get the clause right as it will be the only legal gateway available for many research purposes. Why is this the case? Most research purposes rely on informed consent as a legal basis for processing. Consent is the basis of article 6(1)(a) of the GDPR. However, GDPR-compliant consent for the use of personal data is not always a feasible option as a legal basis. Consent is often important in the interests of fairness and transparency but will not be the appropriate legal basis for much research.

I will highlight two relevant sets of circumstances to illustrate why public interest is a necessary legal basis for many valuable research purposes. The first is where consent is not possible. There are a number of situations in which it is problematic to seek consent. Seeking consent may be impracticable where health data have been collected in the past and the time and expense seeking and approaching individuals for consent would be prohibitive. It may compromise effective population coverage; for example, requiring consent has been shown to have a negative impact on the quality of data for cancer registries. It may cause distress or harm in situations where patients may be inconvenienced or upset by being contacted for their consent to use their data for a research project, even if they do not subsequently object to the research going ahead; for example, contacting people about a study examining unexplained child deaths could cause serious distress. It may lead to bias because of self-selection bias among data subjects when asked a question. It may prevent studies large enough to produce meaningful results because the cost of seeking consent across a large number of people can be very high.

I will give one or two examples pertaining to the five issues that I have described. A study of more than 40,000 people demonstrated a highly significant association between the use of minor tranquillisers such as Diazepam and the risk of serious road traffic accidents. This was done through linking prescriptions issued by GPs and data on hospital admissions and deaths. By the way, this study had considerable implications for the safety of patients prescribed Diazepam, and their treatment, and of course also for other road users, but would not have been possible if data could not be processed on a consent basis. A study of the incidence of breast cancer in women was used to show that affluent women have a higher incidence than socially deprived women, but that socially deprived women had poorer survival statistics. This study used identifiable data without consent; it used hospital and GP records to look at a number of factors involved in cancer treatment.

Access to patient records also helps researchers to identify suitable participants to be invited to take part in studies. This is essential for evaluating new medicines, technologies and interventions for the prevention, diagnosis and treatment of disease. For example, in my own field, when the UK collaborative trial of ovarian cancer screening was set up to investigate different ovarian cancer screening methods, 1.2 million patients were invited to take part by post, leading to 200,000 women consenting to take part. It is a world-renowned study whose results have benefited the whole world. If consent were the only available legal basis, that recruitment strategy would not have been possible as these women had not given consent to the initial contact. Of the 1.2 million women contacted, only 32 women raised any concerns about being contacted.

These are just some of the many examples of vital research that, although very much in the public interest, cannot be done on the basis of consent. The research community has developed a system of robust and proportionate safeguards for these situations, to ensure that research on important topics can be undertaken using personal data where consent is not possible while protecting the research subjects. The use of personal data in these circumstances is controlled through safeguards. Studies using health data are reviewed by the Health Research Authority’s confidentiality advisory group; they must also receive a positive opinion from a research ethics committee to be eligible. The use of this data must be considered to be in the public interest, so we have safeguards.

In this country, we also have the benefit of a National Data Guardian for health and social care—a position I very much hope will be placed on a statutory footing through a Private Member’s Bill that is progressing through the other place. This guardian’s role is to protect patients’ rights and interests over data about them, within and beyond health and care services. The reason for this exposition into the governance of personal data in health research is to illustrate that the UK has a robust, well-established system of safeguards and oversight for processing personal data in the public interest when it comes to health and medical research.

I turn to the second issue: where consent cannot meet GDPR standards. Even with the most rigorous standards and through engagement with participants, consent may not meet the new, stricter standards specified by the GDPR as a basis for processing under article 6(a). The working party of EU data protection regulators—the article 29 working party—produced an opinion in 2011 on the definition of consent that ran to 38 pages. It is not a straightforward legal basis for researchers to use. Furthermore, data collected for research purposes often has significant value beyond the limited, original purpose of its collection. Research can proceed in unanticipated ways, with different teams using the data and processing it in such a way that the data subjects could not feasibly be informed at the outset of the full extent of how their data could be used, for what purposes or by whom.

My own unit started collecting data in 1958, before I even started as a junior doctor, and carried on collecting information manually for over 50 years. The consent we had from the pregnant women who had had babies was to us using the data to improve the services. Subsequently, 45 years later this was the only data available—in this country or worldwide—to prove that the intrauterine environment and the effect on that environment produces adult diseases. That is now well established. That information would never have been available if we did not have that data. We are proud that we have collected it.

Another example is UK Biobank. It relies on broad consent where the participants give consent for pseudonymised data to be used for a variety of research studies under certain conditions. This broad consent approach is approved by an ethics committee and reduces the burden on participants because they do not need to be contacted for consent for each new study. I have no doubt that my noble friend Lady Manningham-Buller will have something to say about this as she is the chairman of the Wellcome Trust, which is the holder of the data.

UK Biobank is a major national and international health resource with the aim of improving the prevention, diagnosis and treatment of a wide range of serious and life-threatening diseases. UK Biobank recruited 500,000 people across the country to take part in the project. Some Members of this House might well have been contacted. Participants have provided measurements, blood, urine and saliva samples for future analysis and detailed information about themselves and agreed to have their health followed. Genetic and imaging data is now also being collected. It is a resource unique in the world. No one else will have data for 500,000 people.

Even with a broad-ranging and detailed consent process, the nature of the resource is such that the data will be used in ways that cannot yet be foreseen. It might even be used when some of the subjects are long gone. It will also be made available to bona fide researchers from all over the world. It would be prohibitively burdensome to researchers and, more importantly, to the participants if each and every use of personal data required a re-consent process. The research would grind to a halt.

Let me now express my support for the GDPR. It clearly supports alternatives to consent for research and makes clear provisions for it, with safeguards. A significant Europe-wide advocacy campaign, “Data saves lives”, which had widespread support from patient groups, strongly made the case for this during the passage of the GDPR. This coalition lobbied the European Parliament for these provisions for research. Patient groups understand the value of and support medical research that cannot reach the high bar of GDPR-compliant consent. The UK Government were also instrumental in securing this outcome for the GDPR through shaping the position of the Council of Ministers. For these reasons, the Bill has to contain an alternative legal basis to consent for such research purposes.

My amendment, Amendment 12, seeks to ensure that the functions listed in Clause 7(a) to (d) are not read as exhaustive. I recognise that the Explanatory Notes state this much, but this goes against the general principle of interpretation of a UK statute that where a law lists specific items general statements then apply only to the same kind of items. This suggests that public interest should be interpreted as a narrow concept confined to public and judicial administration. Amendment 12 overrides the general principle of interpretation to ensure unequivocally that public interest can be interpreted more broadly than the narrow list of functions implies.

Amendment 14 builds on this provision by seeking regulations to provide further clarification regarding what the Government consider to be tasks in the public interest. This would allow scope to provide much greater clarity for public bodies without placing an undue burden on the Bill to provide this much-needed detail. The Government have strongly advocated the potential of data to drive better public services, better health and a stronger economy, for example through the Digital Economy Act and the recent publication of the life sciences industrial strategy, without which the economy will suffer. It would be a great irony if this push to better realise and unlock the value of data held and controlled by public bodies were to come unstuck as a result of data protection law in setting out clearly enough which organisations could process personal data in the public interest, or what types of processing legitimately fall under this category.

I know I have been talking for a long time, but I still have to deal with Amendment 111, which is mostly about safeguards where the other two were about the public interest. Amendment 111 concerns Clause 18 and the provisional safeguards where special categories of personal data are being processed. Clause 18 has a dual role in the Bill. It serves to set out the criteria under which research purposes are exempt from the usual data subjects’ rights set out in Part 6 of Schedule 2. This reflects the safeguarding role of Section 33 in the current Data Protection Act. However, Clause 18 also sets out the requirements for processing special categories of personal data under paragraph 4 of Part 1 of Schedule 1. This gives effect to the GDPR article 89(1) safeguards that legitimise the processing under article 9(2)(j).

Under the Data Protection Act as it stands, medical research often uses “medical purposes”, which includes medical research, for special category processing. This allows medical research as a legal basis with no need for additional safeguards. Under the GDPR, however, “medical purposes” no longer includes medical research. This means that, for research purposes that do not fall within the provision of healthcare, the only legal route for processing special categories of personal data will require fulfilling the demands of Clause 18.

The subsection of concern is Clause 18(2), which reads:

“Such processing does not satisfy the requirement in Article 89(1) of the GDPR … if … it is carried out for the purposes of measures or decisions with respect to a particular data subject”.

Most research purposes will be unaffected by this provision. However, interventional research studies such as clinical trials inherently involve processing data in order to make decisions with respect to particular data subjects as part of the research protocol.

Interventional research is vital to investigate the following: risks and causes—how genetics, lifestyle and other factors can increase people’s risk of disease; prevention—trialling drugs or lifestyle changes to reduce risk; diagnosis—developing new tests or scans for disease; safety—establishing whether a potential new treatment is safe for patients and at what dosage; treatments—investigating new drugs or combinations of drugs and new ways of giving treatment, and whether these are effective; and controlling the symptoms of disease or side-effects of medication—testing new drugs or complementary therapies. All these activities necessitate the processing of special categories of personal data, such as health data, to make decisions about that data subject in terms of their participation in a recent study.

The clause is well intentioned, seeking to protect the rights of data subjects when data about them is being processed in such a way that it will have a direct impact on them. This is laudable. However, for interventional research it is not a workable provision. In all cases of interventional research, data subjects will undergo an informed-consent process and so will be aware of how data about them are being processed for the purposes of the study. All such studies are also subject to approval from the relevant ethics committee, such as those approved by the Health Research Authority. While consent is sought in these cases, it will not necessarily be feasible for this to meet the standards of GDPR consent, as I have already explained.

Clinical trials are a vital part of health research and the life sciences industry. More than 650,000 people in the UK participated in such studies in the past year alone, with over 2,000 studies supported by the National Institute for Health Research. It therefore cannot be understated how important it will be to ensure that such trials have a firm legal footing on which to process personal data.

My amendment would enable interventional research to work around the provisions of Clause 18, while ensuring that robust safeguards are in place. My amendment would permit studies that have been approved by a relevant ethics body to substitute the requirements of Clause 18(2) with ethics committee approval, so that interventional research continues to have access to an appropriate legal issue, through paragraph 4 in Part 1 of Schedule 1.

A legal precedent for requiring ethics committee approval has been set in legislation, in paragraph 4 of Schedule 2 to the Psychoactive Substances Act 2016, which exempts “approved scientific research” from the prohibitions on the use of psychoactive substances set out in the Act, and defines a “relevant ethics review body”. The same definition would, I believe, be suitable for the purposes of this amendment. I beg to move.

My Lords, it is late and I have little to add to what my noble friend Lord Patel said. I declare an interest as chair of the Wellcome Trust, and I was also closely involved with Imperial until conflicts of interest preventing my going on. I have a lot of sympathy with those who spoke earlier on the issue of fundraising for universities. I speak tonight briefly about the concern I raised on Second Reading: the Bill as drafted just does not offer the clarity we need for people dealing with medical research in universities and other institutions, such as the Crick Institute.

The noble Lord, Lord Patel, amply illustrated the value of such research in understanding fundamental disease, the efficacy of treatment, and following on and learning from big datasets which give us the power to do things in medical research that were once not possible. We are not looking for medical researchers to be given particularly special treatment—there are quite a lot of exceptions here anyway—but to clarify what they are doing and how, so they can do it safely and with confidence.

I come back to where the noble Lord, Lord Patel, started. Researchers need to be able to do this work to improve global health—the health of everyone. Health does not stop at boundaries. Results are shared and we all learn from each other. We heard examples from the noble Lord. In a more parochial sense, this is a critical part of the industrial strategy we need to implement to deal with the economy post-Brexit. That document said that we have to streamline our legal and ethical approvals for medical research. This is one of the ways to get economic growth, so over and above the health aspects, there are strong economic reasons for being sure we can provide absolute clarity for people doing this sort of work. The consent issues are not straightforward but provided there are other safeguards—proper ethical committees and proper supervision—I think we can get there. However, we need to say a bit more in the Bill so that people are confident that they can do this.

I am conscious that we have had had a full and interesting introduction to this group of amendments from the noble Lord, Lord Patel, which builds on earlier discussions. It was difficult to get into this debate without having a little more than he was able to give us—and I do not want to push him too hard on this, but it would be helpful to hear a bit more about ethical committees.

As I understand it, the argument is a three-pronged one. An additional point was made about the need to think about the industrial strategy and not to hold back the research that will be influential in driving forward our brilliant life sciences. But the issue here is whether we could have a parallel system, changing the nature of the public interest test as described by the noble Lord, Lord Patel, and relying on an agency basis. We are calling that an ethics committee, which will basically take on the burden of determining what is appropriately done outside the narrow scope of the Bill as drafted. It would provide the measures of assurance that the Bill seeks, because it deals with a particular type of operation that would not fit naturally into the GDPR more generally. That is the main burden of the argument. I need a bit more information on how the noble Lord sees ethics committees more generally taking on that burden; perhaps he could share that with us.

My Lords, that provokes me to add something. I am not entirely clear whether we are talking about something that is too narrow within the GDPR, or whether it is a lack of a suitably wide derogation on the part of the Government as part of the Bill. For all the reasons that the two noble Lords have mentioned, it seems extraordinary that the beneficial activities that they are discussing are not included as exemptions, whether explicitly or implicitly. It may be that the Minister can give us greater comfort on that, but I am not clear what is giving rise to the problems. As we heard in earlier groupings, I am a fan of having something more explicit, if anything, in the Bill, which is particular perhaps to medical research and other forms of research in that sort of area. But it is not clear whether that is going to be permissible under the GDPR or whether the Government can actually derogate from it in those circumstances.

I shall respond to some of the points raised. First, on the research ethics committee, we established through legislation—and I remember the debates that we had—a national Research Ethics Committee to deal with all applications for biomedical research, but particularly research involving patient data and transfer of data. If I as a clinician want to do a trial, I have to apply to that committee with a full protocol as to what consent procedures and actual research there will be, and what will be the closing time of that consent. If I subsequently found the information that I had could lead to further research, or that the research that I had carried out had suddenly thrown up a next phase of research, I would have to go back to the committee and it would have to say, “Yes, that’s part of the original consent, which is satisfactory to progress with the further research”. It is a robust, nationally driven, independently chaired national ethics committee, apart from the local ethics committee that each trust will run. So the national ethics committee is the guardian.

Furthermore, there is a separate ethics committee for the 500,000 genomes project, run by the Wellcome Trust and other researchers; it is specifically for that project, for the consent issues that it obtains, the information given at the time when the subject gives the consent and how the data can be used in future. The genomes project aims to sequence all the 500,000 genomes, and to link that genome sequence data with the lifestyles that people had and diseases that they developed to identify the genes that we can subsequently use for future diagnosis and treatment—and to develop diagnostic tests that will provide early diagnosis of cancers, for instance. The future is in the diagnostic tests. Eventually we will find them for diseases which have not developed but which have a likelihood of developing. Those diagnostic tests will identify the early expression of a protein from a gene and then find a treatment to suppress that expression well before the diseases develop, rather than waiting until the cancer develops and then treating it.

All this is based on the data originally collected. At this stage, it is impossible to know where that research will lead—that is the history—apart from the clinical trials which are much more specific and you get consent for them. I realise that there is a limit to how much the text of the Bill can deviate from the GDPR, unless it is dealing with specific issues which the GDPR permits member states to provide derogations for. I realise that, post exit, the UK will need an adequacy agreement and some equivalent, neutral recognition of data protection regimes between the UK and the EU. We need that for the transfer of data. For instance, the noble Baroness, Lady Neville-Jones, has talked about extremely rare diseases, which require the exchange of data across many countries because their incidence is low and no one country could possibly have enough information on that group of patients.

The research exemption does not undermine agreement on Clause 7—which is what the noble Lord, Lord Clement-Jones, was leading up to when he asked about the ethics committee. The noble Baroness, Lady Neville-Rolfe, suggested that medical research should be possible through the research exemption, but that has to be wide enough yet not specific enough to encompass wider exemptions. I hope that the Minister will come up with that trick in an amendment which he might bring forward. It will not be restrictive, yet protect the patient’s personal interest.

There is a research exemption for processing specific categories of data, including health data. The legal basis for this is through article 9 of the GDPR, referred to in Part 1 of Schedule 1 to the Bill. However, all processing of personal data also needs an article 6 legal basis: research is not exempt from needing this. I am arguing today that research needs that exemption, defined in wide enough terms. For processing special categories, you need both an article 6 and an article 9 legal basis. We need to have provision for both in the Bill. One of the article 6 legal bases is consent and I have explained why this is not suitable for much research. The other feasible route for universities and other public bodies processing personal data for research is public interest. This is why it is so important to be clear on what processes can use this legal basis.

There was serious concern about the likely impact of the GDPR on research as it was being drafted. However, this was successfully resolved and it provides the necessary flexibility for the UK to create a data protection regime that is supportive of research in the public interest. The Government, and other UK organisations, worked hard to make sure that this was the case. The provision is there: it is now for the Government to act on it. It is also important to seek an adequacy agreement post Brexit: we will have to have one. It will be vital to consider the need to retain, post Brexit, cross-border transfers of data for research. I give the same example of rare diseases as the noble Baroness, Lady Neville-Jones, used. The Government have recognised the value of retaining a data protection regime consistent with the EU, but the research community would welcome knowing whether it will seek a status of adequacy as a third country or an equivalent agreement.

The plea I make is that unless we include a provision, and there are exemptions which can be written in the Bill in the format that is required, we will not be able to carry out much of the research. A question was asked about the life sciences industrial strategy. It is the key pillar of the Government’s industrial strategy Green Paper. It relies on data that the NHS collects and the data that the science community collects and marrying up the two to produce, and lead the world in, treatments and developing technologies. If we are not able to do this, the whole thing will be unworkable.

I am very grateful to the noble Lord for a very full response. It was quite a narrow question. I did not need all of that response but I have learned a lot more in the last few minutes—

It might have been. The noble Lord has exposed a much greater issue than we thought we were grappling with. The case has now been well made that there are four pillars rather than the three that I adumbrated before. We seem to have a case for special treatment. I am sure that the noble Lord, Lord Patel, with his assiduous workload and high work rate will have made this point several times to officials and Ministers. However, if he is not getting the answers he needs, we have a bit of a problem here, so I hope that the Minister will be able to help us on that.

This goes back to an earlier debate about the public interest. It again worries me—I think the noble Lord, Lord Clement-Jones, touched on this—that “public interest” is becoming an overworked term for rather too many issues. In other words, the argument here is not about the public interest at all; it is about the public good that would come from a differential approach, safeguarded by the ethics approach—I said that was new to me and I am grateful to hear about it—and about reinforcing the contribution that would make to an industrial strategy covering a much broader range of understanding about what we are doing, thus making this country a world centre for all that. So there is a power behind this that I had not appreciated and I am grateful to the noble Lord for explaining it. It is easy to analyse it in this way and come up with the answer that he might want, but is it the right way forward on this?

The noble Lord was wise to point out that there are constraints within the GDPR and limits on what the Government can do, but it must be possible to think more creatively about the problem that has come forward. If, as the noble Lord said, the GDPR opens up the question of not requiring consent in that very formal sense, and we are looking for an evidence-led policy initiative which addresses the public good, it behoves Ministers to think very carefully about how one might take it forward.

This may or may not be the only issue that requires this sort of approach, but the case has been made on its merits that more needs to be done. Listing existing bodies that are not included, to put it in the positive, in a list of issues—for example, the administration of justice is a function of the Houses of Parliament—is not the way into this issue. I appeal to the Minister to think creatively about this because it seems to me that we need a new approach here. I am very convinced by that and look forward to hearing what the Minister says.

My Lords, first, I thank the noble Lord, Lord Patel, for his insightful remarks and for providing us with evidence of his knowledge of this subject, and of the Bill’s potential implications for pioneering medical research. I am grateful to him for sharing his expertise on these issues. I am also grateful to the noble Baroness, Lady Manningham-Buller, who speaks on behalf of the Wellcome Trust. Other reputable medical research organisations and universities have also expressed concern about this issue. I understand about the issue of consent and whether it is GDPR-compliant.

On the concerns the noble Lord raised in relation to Clause 7, I mentioned at Second Reading, and on a previous group of amendments, that the list of tasks in Clause 7 is deliberately designed to be indicative and non-exhaustive. When I wrote to noble Lords after that debate, I committed to make this clearer in the Explanatory Notes and the Government will honour that commitment.

The noble Lord, Lord Stevenson, mentioned that we might have to have a new approach to this problem. We are happy to think about these issues. At the moment we find that it is difficult to expand Clause 7 to cover every scenario where personal data has been processed in the public interest. Each addition to the list, however justified on its own merits, would cast greater uncertainty on the public interest tasks that continue to be omitted. However, I can reassure universities and research groups carrying out legitimate medical research, that, in the Government’s view, such tasks are in the public interest for these purposes. I will come later to how we take this forward.

On Amendment 111, once again I thank the noble Lord, Lord Patel, for his helpful suggestions. He explained that the safeguard in Clause 18(2)(a)—on page 10 of the Bill—could impede certain types of medical research, such as clinical trials and interventional research, which sometimes involve decisions being made about data subjects without their explicit consent. Incidentally, the provisions in Clause 18 were copied from the Data Protection Act on the basis of responses to the Government’s call for views in May. These more technical issues have emerged recently, and we certainly will consider them further.

It is absolutely not the Government’s intention to impede pioneering medical research, which can have tangible benefits for society as a whole. The noble Lord’s suggestion of disapplying the safeguards if the research project has been approved by a relevant medical ethics review body is certainly worthy of further consideration. I am happy to work with him and other noble Lords to explore it further in the coming weeks. On that basis, I invite the noble Lord to withdraw his amendments. However, once again, I am grateful to him for raising these important points and I hope we will reach a solution which works for everyone.

My Lords, the Minister gave the impression that medical research of the type described by the noble Lord, Lord Patel, was encompassed, or allowable, by the GDPR. Can he give chapter and verse on where in the mixture of article 6 and article 9 that occurs? That would be extremely helpful. I understand that obviously the Minister was also agreeing to look further in case those articles did not cover the situation, but it would be good to know which articles he is referring to.

I re-emphasise to the noble Lord that we think these tasks are in the public interest. However, I understand his desire for even more clarity than that. It would be sensible if I wrote to him and to other noble Lords taking part in the debate. I want to make sure that I get the legal basis right rather than just doing it on the hoof, so I agree to write to him and to all noble Lords who have spoken tonight. Again, as I say, we will work towards what I hope will be a more acceptable solution for everyone. Fundamentally, we do not want to impede medical research that is for the public good.

May I correct an impression that medical research does not seek consent? It seeks consent whenever possible, and extensively. However, there are categories where something else is needed. I would not want to leave the House with the impression that there is a substitute for that. In some circumstances we need an additional safeguard.

I believe also that even when consent is obtained, the worry is that it may not be subject to GDPR compliance, even if consent was acceptable before.

I think we have already made the point and we do not need to come back to it. What I took from the noble Lord’s earlier contribution was that one way in which medical research is developed and carried out involves a consent process, and we would not want to change anything in that sense. However, for lots of reasons—the noble Lord gave three or four—you cannot always use consent. You may not want to go to the patient, or perhaps you cannot go to or find the patient. Alternatively, the noble Lord made the more general point that you often collect data without any real sense of where it might go in the future. We are not saying that any of that is good, bad or indifferent—one is no better than the other—but they all need to be considered in a broader understanding of the public good being best served by having the least restrictive system concomitant with appropriate procedures being in place. That is the line, with the ethics committee sitting at the top, that gets you to the point where that would be a fruitful conversation to have with Ministers.

I must make the issue absolutely clear. If I did not do so before, I will set it out again slowly and carefully. Medical researchers are not asking to be allowed to do research without consent. They are asking for consent to be interpreted not in a narrow sense but in a sense that will allow research to continue with consent having been obtained. I shall give an example. When I chaired the UK Stem Cell Bank, we made it clear that consent would have to be obtained from those who donated stem cell material, including embryonic stem cells. Consent was given on the basis that the embryonic stem cells would be used for research to improve healthcare, but at that time it was not possible to say which healthcare.

Embryonic stem cells, properly kept, are immortal: they can survive for generations. There is a classic example of this. Most of your Lordships are familiar with the lady whose tissue was taken in 1950. Her name was Henrietta Lacks—hence the cells are called HeLa cells. These aggressive cervical cancer cells were taken from her in the United States without consent, but they still exist in every laboratory in the world. A billion dollars-worth of drugs have been developed and marketed using HeLa cells. If consent had been obtained, what would that consent have been for? Exactly the same applies to consent for stem cells—it is for the development of drugs.

Researchers are not saying that we should not have consent. They are saying that there ought to be an authority like the ethics committee that gives consent and to which you can go back and say, “By the way, I have that material and I have found more. I am still developing drugs but this is not the same”. I hope I have been clear about that. We are looking for exemptions that are wide enough.

Perhaps I may come back to the matters raised by the Minister and refer, first, to the public interest issues. I understand that the Government do not intend the functions listed in Clause 7 to be exhaustive and to allow, for example, research conducted by universities or NHS trusts to use the public interest legal basis. It would provide much needed clarity and assurance for the research community if that could be made explicit in the Bill. That, basically, is all we are saying on the public interest. There is currently a highly risk-averse culture in data protection, driven in part because people are unclear about the rules and about what they can or cannot do with that data and for what purposes. If it is made clear what they can do or where they have to go to make it clear, that will be helpful. This is why the public interest legal basis matters so much for research. The Data Protection Bill is an opportunity to set out very clearly the legitimate basis for processing personal data, setting out a clear public interest function for research that will give researchers the confidence to know when they are operating within the law.

I will now make a comment about what the Minister said about the safeguards. My Amendment 111 is to Clause 18, which prohibits the processing of personal data to support measures or decisions with respect to particular individuals. This is clearly problematic for any research that involves an intervention for an individual, which forms the bedrock of our understanding of a vast range of treatment of diseases. The range of law covering the use of personal data for research is complex, governed both by data protection law and common law, where duties of confidentiality toward the data subject exist. In my view, the implementation of GDPR through the Bill is an opportunity to provide clear information to researchers about the legal basis for processing personal data and the requirements of accountability, transparency and safeguards.

It is therefore essential that authoritative, comprehensive and unambiguous guidance is created to assist with this transition to a new data protection law. The Health Research Authority is working on guidance for health research, but researchers are urgently in need of this advice to ensure they are compliant by May 2018.

Those are my comments in response to the Minister. I am labouring these points today because this is the only opportunity I will have in Committee to debate these issues at length. I do not wish to rehearse this at Third Reading if we can resolve these issues by communication and find a way out.

Amendment 12 withdrawn.

Amendments 13 to 15 not moved.

Clause 7 agreed.

Clause 8: Child's consent in relation to information society services

Amendment 16

Moved by

16: Clause 8, page 5, line 15, leave out from “as” to “and” and insert “an age between 13 and 16 years, to be decided by the Commissioner based on relevant evidence and consultation,”

My Lords, there are a series of amendments to Clause 8 that we are debating today. I hope your Lordships will allow me to give some background to set the context. Clause 8 sets the age at which children can first provide their personal data online in relation to information society services, without the permission of a parent or guardian. Given that the provision of such personal data is in exchange for online products or services, this age of consent is effectively the age at which companies can begin making money from young people online without a parent or guardian’s involvement. Article 8(1) of the GDPR states that the age of so-called digital consent should be 16, but allows member states to lower the age as long as it does not go below 13. The UK Government have set the age at 13, the minimum age possible in Clause 8.

Amendment 16 is a probing amendment to explore the evidence for whether the UK should be opting for 13. As was mentioned at Second Reading, there is concern that the Government have sleepwalked into this position without having provided much in the way of evidence for the decision to this House or the public. Such evidence is needed, not least because a recent YouGov survey for BCS, the Chartered Institute for IT, has suggested that the Government’s thinking is a long way from where public opinion sits. In the survey, the public were asked what the most appropriate age of consent for providing personal data online should be. The findings were rather stark. A mere 2% believed 13 was the most appropriate age. The vast majority, 81%, believed it should be set to either age 16 or 18, with non-parents tending to favour 16 and parents favouring 18. These findings indicate that, even if 13 is the most appropriate age, the Government have some way to go in convincing the public that this is the case.

There is little evidence provided by the Bill’s Explanatory Notes, which simply note that the age of 13,

“is in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, Whatsapp, Instagram)”.

Given that these are the very companies that stand to profit the most from children providing their personal data to them, it seems counterintuitive that they have effectively been allowed to set a de facto standard age of consent for them doing so. This was recognised in the Children’s Charities’ Coalition on Internet Safety’s open letter to the Information Commissioner’s Office earlier this year.

If the Bill is to set into law the age at which online companies can start profiting directly from our children and grandchildren, would it not be better for that age to be set deliberately and consciously and based on more than the status quo established by the companies? I am not saying that 13 is the right or wrong age at which children can give information away online, but this should be decided based on evidence from industry and the public. That would allow the decision to be clearly explained and, importantly, justified to a public who are apparently uncomfortable with it currently.

At Second Reading, the Minister told your Lordships that the Government had consulted on the GDPR and that 13 was in line with the responses they had received. However, the relevant page on GOV.UK does not clearly set out further justification for using the age of 13, nor is there any referral to support from children’s charities and parents for 13 over one of the other choices The noble Lord, Lord Ashton, in his letter of 19 October to Peers after the debate did not set out any reference to the evidence on which the Government had based their decision.

My amendment is simple: it would amend Clause 8(a), where the age of 13 is established, and would instead transfer responsibility for setting that age to the Information Commissioner. It would crucially add a requirement for the commissioner to have based her decision on relevant evidence and consultation. This would demonstrate a conscious process to the public, providing an important first step to bringing public opinion in line with the new legislation—an evidence-based process that should take into account the issues around social media and online safety raised in the Internet Safety Strategy Green Paper, a document published since the Bill’s Second Reading.

This is an important issue for children, young people and parents. I look forward to the debate on the other amendments in this group and to the Minister’s response. I beg to move.

My Lords, I shall speak only to Amendment 188, and I do so because, as so often, I am confused. In Scotland, a person aged 12 is presumed to have capacity to exercise rights under the Data Protection Act 1998, and that position is perpetuated in the Bill. How does that mesh with the general data protection regulations, which provide that consent to process personal data is lawful below the age of 13 only if given by a parent? I think that is the position and that is why I have tabled my probing amendment. Perhaps my noble friend could explain why Scottish children are so much more mature than English children.

I was persuaded by the view expressed by the noble Baroness, Lady Lane-Fox, at Second Reading when she said that we do not want to bring in lots of new and different laws for 13 year-olds and we need to recognise the reality that children will wish to do what their peers are doing. We do not want to incentivise them to tell lies online. So I am perfectly happy with the Government’s position on the age of 13 and just a bit bewildered about Scotland.

As a Scot I can hardly complain, and I am always bewildered, too—not only about this but about many other things. Our Amendment 17 in this group is also one of bewilderment. Clause 8 is headed:

“Child’s consent in relation to information society services”,

and refers to “preventive or counselling services” not being included. This goes back to an earlier amendment, when we established that these references are actually recitals and not part of the substantive GDPR, so we are back in what is not normative language and issues that we cannot possibly talk about in relation to the wider context because we are talking about the law that will apply.

There are three points that need to be made and I would be grateful if the noble Lord would either respond today or write to me about them. The first is to be clear that the reference to “information society services”, which is defined, has nothing in it that would suggest that it is a problem in relation to the lack of inclusion of preventive or counselling services. The answer is probably a straightforward yes. Secondly, what are the preventive or counselling services that we are talking about? I think the context is that these are meant to exclude any data processing relating to a data subject if the data subject concerned—with parental consent if the subject is younger than 13 and on their own if they are older than 13—who is taking a form of counselling that may be related to health or sexual issues would not be allowed to be included. Is my understanding of that right? I am sure that it is.

Thirdly, could we have a better definition of preventive or counselling services because those are very wide-ranging terms? Yes, they come from a recital and perhaps in that sense they can be tracked back to earlier discussions around the formation of the GDPR, but they have to be applied in this country to situations in real life. I am not sure what a preventive service is and I should like to have it explained. Counselling services I probably do get, but do they include face-to-face counselling or is this about only online counselling services? Is it the same if the child is being accompanied by a parent or guardian? There are other issues that come into this and there is a need for clarity on the point.

While I am on my feet I should like to respond to the amendment moved by the noble Baroness, Lady Howe, who has campaigned long and hard on these issues. We would be bereft if she did not enter into this Bill with all its implications for children, given the wisdom and experience that she brings to the table. The point she makes is one of simple clarity. There is a need to be very careful about the evidence gathering on this issue and it is probably not appropriate for it to be left to Ministers in regulations. There needs to be a wider discussion and debate on the matter, perhaps involving the Children’s Commissioner and other persons with expertise. She has made her point very well and I should like to support it.

My Lords, I associate myself with the amendment in the name of the noble Baroness, Lady Howe. We are in Committee and it is a probing amendment. When we discussed it with colleagues the feeling was that 13 might be the right age but, as the noble Baroness indicated, it needs probing and some thinking about.

There is a danger, particularly in a House with our age group, that we assume these technologies are understood by the young—even the very young. We all hear anecdotes of parents or grandparents who have to consult their eight year-olds on how to make various gadgets work, but that misses the point. A frightening amount of information is being freely given. I mentioned at Second Reading that my generation and my parents’ generation had thoughts of personal privacy that my daughter and her contemporaries seem to have no thought of. They are very happy to exchange information about themselves, what they do and where they are with gay abandon.

When we get to the very young it is very important to make sure—we will discuss this in later amendments, if not tonight—that there is sufficient understanding and information to make informed choices, otherwise we get into very dangerous territory indeed. Therefore we are, not for the first time, in the noble Baroness’s debt for raising these questions. Late as it is, it is right that we put on record that these things, along with the amendments that will follow in the next couple of groupings, need to be taken as a whole before we make a final judgment as to the right age.

My Lords, I echo the comments of the noble Lord, Lord McNally, to say we are grateful to the noble Baroness, Lady Howe. I acknowledge, particularly after her Second Reading speech, that she has not immediately demanded that the age be put back up to 16, which I thought she might. She has produced an interesting amendment.

Amendment 16 would give the Information Commissioner the power to determine the age threshold at which children can consent to their data being processed by online information services. This would be based on consultation and evidence. While it is certainly a preferable proposal to a blanket increase to 16, I am afraid I still cannot agree.

First, the Information Commissioner’s role as an independent regulatory authority is to administer and enforce the application of data protection legislation. As part of that role the Commissioner provides advice to businesses, organisations and individuals on the proper implementation of the legislation and on their rights under that legislation, and provides redress for breaches of individuals’ personal data. It also has an advisory function in relation to Parliament, the Government and other institutions. By contrast, the question of affixing the age below which parental consent is required has much broader-ranging considerations and implications, including an important moral dimension. Requiring the Information Commissioner to be the one to answer it would place on the officeholder an extra demand for which the office is neither designed nor resourced.

Secondly, the GDPR specifies that it is member states that should make this important decision. It does not give the power for states to delegate this choice to another regulatory body. Therefore, this amendment would make the Bill as a whole non-compliant with the GDPR. It is for those reasons that the Government consider that the question should be decided by this House and the other place rather than by a regulatory body. I realise that, in saying that, we leave ourselves open to further discussions on this matter.

Amendment 17 tests the meaning of the exception to the requirement of parental consent for children to share their personal data to access counselling services. Children, whatever their age, should be able to obtain support from professional services such as ChildLine and that is the purpose of the exemption. The noble Lord, Lord Stevenson, asked me several questions, including on the definition of “preventive” and “counselling”. We suggest that “preventive” could refer to the prevention of any form of serious harm to which a child might be exposed—for example, physical or sexual abuse, trafficking or forced marriage; “counselling” would likely encompass at least the giving of advice to children on a range of personal, social or psychological matters. The Government recognise that there is a public interest in ensuring that the definition is not drawn too broadly to prevent children’s exposure to commercial or criminal entities masquerading as these services.

We have already debated the legal applicability of the recitals of the GDPR. The Government consider excluding preventive and counselling services from the scope of article 8 to be consistent with the purposes of the GDPR in light of the 38th recital, which states:

“The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child”.

I accept that recitals do not have the same normative effect—I think that that is the expression—but they are useful. Courts take them into account when looking at how the articles should be interpreted. The GDPR contains 31 pages of them—173 recitals. The European Parliament has spent a lot of time considering them, so we should be able to bear them in mind to help us illustrate what the Parliament was thinking when it passed the articles themselves, in the same way that the courts in this country can look at Explanatory Memoranda and what a Minister says from the Dispatch Box.

This exception is also appropriate in light of the UK’s status as a signatory to the UN Convention on the Rights of the Child, in particular Articles 13, 16 and 19. For those reasons, we consider it important to make this exception clear in the Bill.

I turn to Amendment 188, tabled by my noble friend Lord Arbuthnot. The request here is that the age at which children may exercise their rights under this Bill and consent to data sharing in Scotland is altered from 12 to 13. The Government understand that the intention behind this is to bring parity between the online and offline regulation in Scotland. In England and Wales when considering whether a child has the capacity to consent the common law “Gillick test” is applied. It is generally taken that a child of 12 years old and above will have the maturity and understanding to give consent. Additionally, the GDPR states that, notwithstanding that a child of 12 or younger may have the maturity and understanding to give consent in their own right, they may not do so in relation to data sharing with online services until they are 13 years old.

In Scotland, capacity is governed by statute. Unless a child falls into one of the exceptions under which they may consent for themselves, a child does not have capacity to consent until they are 16 years old. This clause creates an exception to this so that children in Scotland are presumed to have the maturity and understanding to exercise rights and give consent under this Bill at age 12 and above. This means that children in Scotland are in the same position as children in England and Wales: they can consent where they have the maturity and understanding to do so, usually at 12, but in relation to online services only, they cannot do so until they turn 13.

If we were to accept the amendment, sufficiently mature 12 year-olds in England and Wales could consent to their data being processed—except in relation to the provision of online services—and exercise rights such as the right to be forgotten, but children in Scotland could not. Therefore, while the amendment would create consistency between the online and offline approaches in Scotland, it would risk creating disparity between the rights of Scottish children and those in the rest of the UK.

The Government recognise the need for consistency in regulation but we believe that the priority should be to provide consistency for all UK children. For this reason, it is essential that the age in Scotland be set at 12 to, in effect, match that in England and Wales. This prevents Scottish children being at a disadvantage compared to their English and Welsh counterparts—it is as simple as that. I therefore ask the noble Baroness to withdraw her amendment.

My Lords, I am most grateful to the Minister for his explanation, even though he cannot agree with my amendment. I think quite a number of my colleagues are still not just confused as regards Scotland and England, but concerned about how this is going to be interpreted in real life. We have time to think about it before Report. In the meantime, I am not pleased but I will withdraw my amendment and hope that there may be opportunities between now and Report to get a little more clarity on this subject.

Amendment 16 withdrawn.

Amendment 17 not moved.

House resumed.

House adjourned at 10.07 pm.