Committee (1st Day) (Continued)
Amendments 4 and 4A not moved.
Clause 3: Processing to which this Part applies
5: Clause 3, page 3, line 27, at end insert—
“( ) does not apply in the course of an activity which falls outside the scope of EU law.”
My Lords, in moving Amendment 5, I will also speak to Amendment 6 which are both in my name. I will respond later to Amendment 115, which is in the same group but was tabled by other noble Lords. Amendments 5 and 6 are probing amendments to try to tease out what appears to be a change of definition between various parts of the Act.
Amendment 5 relates to page 3 and Clause 3(1), (2) and (3) in Chapter 1, which raise concerns about what exactly is happening with the arrangements. It is easier if I read out the two subsections concerned. Clause 3(2) states that:
“Chapter 2 of this Part … applies to the types of processing of personal data to which the GDPR applies by virtue of Article 2 of the GDPR”.
That is the question I want to peruse, because later in the Bill, on page 11, Clause 19(1)(a) refers to activities which operate. This amendment is a probing one to try to tease out an answer that we can read in Hansard, so as to know what exactly we are talking about. It may appear to be a narrow difference or nitpicking, but “an activity” is a very broad term for anything in relation to data processing and contrasts with the narrow way in which Clause 3(2)(a) talks about “types of processing”. Are these the same? If they are not, what differentiates the two? If they are different, why have we got different parts in different areas of the Bill?
Amendment 6 relates to page 3, line 31. This question of definition has come up in relation to Chapter 3 of the part. I understand this to be more of a recital, if I may use that word, than a particular piece of statute and it may not have normative effect, if that is the correct terminology. Clause 3(3)(b) says that the part to which this applies,
“makes provision for a regime broadly equivalent to the GDPR to apply to such processing”.
What is “broadly” in this context? Maybe I am obsessed with the use of English words that have common meanings, but again it would be helpful to have a bit more information on the definition from the Minister when he responds.
Perhaps more than the “quite” used in response to an earlier amendment, this has not got transatlantic resonances, but it is important in questions of adequacy in any agreement we might seek with the EU in the future. “Broadly equivalent” carries echoes of an adequacy agreement, which would assert that the arrangements in the two countries concerned—the EU on the one hand and the third country on the other—were sufficiently equivalent to allow for future reliance on the processes in the third country to be treated as appropriate for the transfer of data into and from, in relation to future industrial processes.
We are aware that an element of legal decision-making arises, which might change that “broadly equivalent” to a higher bar of requirement in the sense that the court is beginning to think in terms of “essentially equivalent”, which is very different from “broadly equivalent”. Again, I would be grateful if the Minister could respond to that. I beg to move.
I will speak to Amendment 115 in this splendidly and creatively grouped set of amendments. The Government appear to have removed some of the extraterritorial elements in the GDPR, in applying derogations in the Bill. Paragraph 9(d) of Schedule 6 removes all mention of “representative” from the Bill. This could have major consequences for data subjects.
Article 3 of the GDPR extends its provisions to the processing of personal data of data subjects in the European Union by a controller not established in the European Union. This happens when a controller is offering goods or services into the European Union. In such circumstances, article 27 requires a representative to be appointed in a member state, if a controller is not in the Union. This article is removed by paragraph 23 of Schedule 6.
Recital 80 of the GDPR explains the role of the representative:
“The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority … including cooperating with the competent supervisory authorities … to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
Suppose a company incorporated in the USA does not have a place of permanent establishment in the UK but still falls within article 3, such a company could be established in the USA and use its USA website to offer services to UK citizens without being caught by the Bill. Can the Minister reassure us that there is a solution to this problem?
My Lords, I am glad that the noble Lord, Lord Stevenson, has raised the question of the meaning of “broadly equivalent”. It encapsulates a difficulty I have found throughout the Bill: the language of the GDPR and of the law enforcement directive is more narrative and descriptive than language to which we are accustomed in UK legislation. Though one might say we should just apply a bit of common sense, that is not always the first thing to apply in interpreting UK legislation.
In this clause, there is another issue apart from the fact that “broadly equivalent” gives a lot of scope for variation. Although Clause 3 is an introduction to the part, if there are problems of interpretation later in Part 2, one might be tempted to go back to Clause 3 to find out what the part is about and be further misled or confused.
My Lords, I am grateful to noble Lords for their comments and the opportunity, I hope, to make things clearer. Amendment 5 seeks to make it clear that the applied GDPR does not apply to processing activities which fell outside the scope of EU law. Amendment 6 examines the differences between the GDPR and the applied GDPR. The applied GDPR exists to extend the GDPR standards to personal data processing to datasets outside the scope of EU law, which may be otherwise left unregulated. This is an essential extension because, first, we believe that all personal data should be protected, irrespective of EU legal competence; and secondly, we need a complete data protection regulatory system to secure the future free flow of data.
Chapter 3 of Part 2 and Schedule 6 create the applied GDPR, which is close to, but not identical to, the GDPR. This is primarily because we have anglicised it as it sits within our domestic law, not European law. References to member states become references to the UK. As domestic regulation it is also outside the scope of the functions of the European Data Protection Board, so appropriate amendments are needed to reflect that. Otherwise the same general standards and exemptions apply to the applied GDPR as for the GDPR.
Clause 3 exists to help make the Bill easier to follow. It signposts readers to the provisions that cover either the GDPR or the applied GDPR. The language that it uses to do this has no legal effect. The applied GDPR is what it is. The extent of its similarity to the GDPR is a subjective matter. The Bill describes it as “broadly equivalent”. Amendment 6 prefers,
“identical in all major respects”.
We prefer the current drafting of the Bill because it better reflects the position.
The noble Lord, Lord Stevenson, asked about the relevance of “activity” in Clause 19. Activities should be taken to include processing of personal data. There is no special meaning. It has the meaning as in article 2 of the GDPR.
Amendment 115 seeks to reinstate the definition of “representative” into article 4 of the applied GDPR. Under the GDPR the territorial scope extends to controllers outside the EU where they are offering goods and services to persons inside the EU. Where a controller is outside the EU, subject to certain exemptions in article 27 of the GDPR, they must designate a representative inside the EU. The applied GDPR does not have the same extraterritorial application as the GDPR so does not have any requirements to designate representatives. As such, that definition is unnecessary.
The applied GDPR applies only to the processing outside the scope of the GDPR and which is not caught by any of the data being processed for law enforcement or national security purposes under Parts 3 and 4 of the Bill. The type of processing captured is primarily within the public sector, relating to areas such as defence and the UK consular services. Controllers in these situations are either in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same extraterritorial application as the GDPR.
Some people have suggested that the applied GDPR represents what the GDPR may come to look like once the UK leaves the EU. In some respects, this is a reasonable conclusion to draw. The applied GDPR anglicises the language and strips out irrelevant provision. This approaches some of the issues that the noble Baroness, Lady Hamwee, was talking about—the European language as opposed to what we are used to in UK legislation.
However, in some respects, it is not the same as what future legislation will look like, including on the question of extraterritoriality. When we leave the EU, the powers in the EU withdrawal Bill will bring the GDPR into our domestic law, anglicised—as has been done to the applied GDPR—but also with other modifications that are dependent on the future negotiations with the EU.
We have been clear, as I mentioned with the previous group of amendments, that the future free flow of data is the number one priority in respect of our data protection policy and will ensure that we maintain the international high standards in this respect. I hope my clarification is sufficient and that the noble Lord will withdraw the amendment.
My Lords, I thank the Minister for that interesting exposition, which ranged from now into the future. He has given a vision of the post-Brexit shape of our data protection legislation. Extraterritoriality will apply even though the language used may be that of the applied GDPR as opposed to the GDPR itself—just to be confusing, perhaps as much as the Minister confused us.
I want to be absolutely clear that we are not derogating from the GDPR in extraterritoriality. That seems to be the nub of it. The Bill makes changes to the applied GDPR—I would like to read in Hansard exactly what the Minister said about the applied GDPR because I did not quite get the full logic of it—but there is no derogation in the GDPR on extraterritoriality. It would be helpful if he could be absolutely clear on that point.
Perhaps the Minister will respond to that because I, too, am troubled about the same point. If I am right, and I will read Hansard to make sure I am not misreading or mishearing what was said, the situation until such time as we leave through Brexit is covered by the GDPR. The extraterritorial—I cannot say it but you know what I am going to say—is still in place. Therefore, as suggested by the noble Lord, Lord Clement-Jones, a company operating out of a foreign country which was selling goods and services within the UK would have to have a representative, and that representative could be attached should there be a requirement to do so. It is strange that we are not doing that in the applied GDPR because, despite the great improvement that will come from better language, the issue is still the same. If there is someone that our laws cannot attack, there is obviously an issue. Perhaps the Minister would like to respond.
Quite apart from the get-out that Clause 3 is only a signposting, I can confirm that we are not derogating from the GDPR. We intend to apply GDPR standards when we leave the EU, so we are not derogating from the GDPR on extraterritoriality.
This concerns Amendment 115, which is to a substantial part of the Bill; it is not the issue raised by the amendment I introduced. We are talking about page 158, line 34. Perhaps it would be better if I requested a letter on this point so that—again, I cannot say the word—does not bog us down.
Isn’t he so smooth? Unfortunately, I bet Hansard does not print that. However, extraterritoriality is important because it represents a diminution of the ability of those data subjects affected by actions taken by those bodies in terms of their future redress. It is important that we get that right and I would be grateful if the Minister could write to us on that.
I am satisfied with what the Minister said on Amendments 5 and 6. I am grateful and beg leave to withdraw the amendment.
Amendment 5 withdrawn.
Amendment 6 not moved.
7: Clause 3, page 3, line 32, at end insert—
“(4) This Act does not apply to any organisation employing five employees or fewer.
(5) Organisations covered by subsection (4) include, but are not limited to—
(a) small businesses,
(b) charities,
(c) parish councils.”
My Lords, in moving Amendment 7 I shall speak also to Amendments 152 and 169, which have been grouped together. They all stand in my name and that of my noble friend Lord Arbuthnot of Edrom, who spoke so eloquently at Second Reading.
Amendment 7 explores an exemption for small organisations in the business and charity sectors and for parish councils, all of whom have expressed concerns to me about the burdens of the Bill. At Second Reading, I, like others, supported the Bill because it brings us up to date for the digital age, encourages good data practice to minimise scams and cyberattacks, and prevents abuse. It gets us up to the standards we need to get a good deal on data protection in the Brexit talks, and it provides citizens with easier access to their data. However, as presently drafted, I fear it imposes disproportionate burdens, especially on small businesses, charities and other small organisations. Luckily we have my noble friend Lord Ashton to guide us through this part of the Bill, and I congratulate him on his response to the first group of amendments today.
I come to this matter because sometimes I feel like a voice in the wilderness, fighting over-regulation and complexity. Our recent record on productivity is bad, partly because of poorly constructed and complex regulation and, in some cases, overbearing regulators. I would add that the fashion for intervention on all sides of the House could actually make things worse.
Instead of questioning regulation as we used to do, the Government are now seeking to match every EU rule as part of the Brexit project. Detailed consideration of how to ameliorate the impact on small businesses and charities, for example, seems to have gone out of the window and conversations on how to improve things once Brexit has given us greater freedom are regrettably not encouraged. In short, economics gets less attention in this House than it ought to. Those of us who have worked in business and the charitable sector know that well-meaning measures can adversely affect business by reducing competitiveness and growth, and indeed the tax take we need to build schools and pay for welfare. We are regulating more and not thinking about how we can do less. I was struck by what the noble Lord, Lord McNally, said earlier about the good but light touch that he sought in Brussels when he was dealing with data protection legislation.
Research by the Federation of Small Businesses shows that data protection regulation is one of the most salient regulations for 59% of small businesses. The federation provided me with some estimates which suggest that small businesses in the ICT sector alone, representing 6% of the business sector according to the ONS, will spend £700 million in man hours on implementing the new requirements—and that is not allowing for the cost of materials and ongoing compliance. Nor does it allow for the opportunity cost, another economic concept that is widely ignored in government. What we sorely need is a proper impact assessment, not the one provided so far, which does not address the cost to business and, oddly, suggests that there is no need to consult the Regulatory Policy Committee. If it is not needed for this sort of burden, I am not sure what it is needed for.
This House rightly always supports proper costing, as I know from some of the Bills I have been involved in. Before the Committee stage ends, we need to know the updated cost impact for business of what is coming in: first, under the GDPR, which will take direct effect and, as I understand it, continue after Brexit under the terms of the withdrawal Bill; and secondly, under what is planned in this Bill through the regulations to be made using its powers. I hope the Minister can help us with that.
It is against this background that Amendment 7 proposes an exemption from the Bill’s provisions—not, of course, from the GDPR, which has direct effect. Inevitably, the amendment is exploratory in nature. However, I trust that it will give the Minister, DCMS and the Information Commissioner the opportunity to think carefully about what we might do to reduce the burden on small businesses, charities and parish councils, which the National Association of Local Councils says are very concerned about the panoply of new rules. I cannot believe that we would see these in Greece.
The argument I have heard from the Government is that the changes are good for these organisations because they are under-compliant at present: they would deter the cyberattacks and data leaks that can harm them. I accept that responsible bodies know that good data practices are business critical, but what they do not need is the full panoply of controls, fees and penalties being introduced by this Bill. There is a risk of fines for breaches of up to €20 million or 4% of worldwide turnover. My fear is that the controls are so burdensome, open-ended and threatening that at the margin, businesses will either give up or be deterred from operating overseas—at a time when we need them to export more. We need to find a way of bringing in de minimis rules and reducing the powers of the commissioner to what is reasonable. Another look at the compensation provisions with an eye to small operators could also be useful. I note that the Delegated Powers and Regulatory Reform Committee shares some of my concerns about the powers being given to the commissioner, as well as the extraordinarily wide powers being delegated to Ministers, which we will discuss later.
One practical countermeasure would be to introduce a greater emphasis in the Bill on the economic and other consequences of the commissioner’s work and to make this transparent, so that it can be considered properly by all those affected and publicly debated before she takes measures in relation to the protection of individuals’ rights and the processing of personal data.
That is the purpose of Amendment 152, which adds a third duty after subsection (1)(b). Perhaps I may give an example of why this is of practical importance. I spoke to representatives from CACI, a leading firm in mapping and data analytics, which is the sort of business we want to encourage if we are to be world-leading here in the UK. They are concerned about the technical aspects of ICO draft statutory guidance on consent. The fear is that the ICO may be adopting a needlessly restrictive interpretation of the GDPR which will benefit the large social media multinationals at the expense of British operators in retail and marketing, as well as charities. This would threaten the way that they and others run their businesses. I urge Ministers to meet representatives of the business community most at risk, not just the trade associations, as soon as possible and before the ICO finalises its vital guidance.
I believe strongly that regulators with powers as wide as those of the Information Commissioner need to engage properly on the content of draft regulations and draft guidance, which is often equally important. They must be required and of course resourced to do so; otherwise—going back to my first point—the burdens and risks will be disproportionate.
Finally, Amendment 169 would introduce a new clause after Clause 153 to give the Secretary of State a role in ensuring top-quality, comprehensive information on the changes for business. Small businesses operate under a number of constraints tied to their size, such as limited in-house expertise, owners’ limited time, a limited asset base—and, of course, knowing where to go for help. When the FSB survey asked small businesses what aspects of regulation created the biggest barriers in general, 15% cited lack of guidance. On data protection in particular, that figure rose to 35%. Even worse, when asked about data protection, 58% said that regulation was too broad and it was difficult to know how to comply, with 51% citing inconsistent or complex language.
That is the background to my proposal in Amendment 153 to require clear information at least six months before the rules come in and suitable online material, and for a report to be brought before Parliament on how this is being achieved before the provisions of the new Act come into force. Our amendment requires online information on both the new Act and on the GDPR in a simple and easily accessible form, along with the use of free online training and testing. I know from direct experience that this can be invaluable in helping businesses to actually comply.
Indeed, it can also be invaluable to charities. Proper, clear information and guidance is vital to them and their data controllers. They face the same uncertainties, costs, and commercial and reputational risk from prosecution. I therefore also support Amendment 170, which would add charities, and I am delighted that it comes from the noble Lord, Lord Clement-Jones, with whom I have had such productive dealings on intellectual property. I beg to move.
My Lords, I thank the noble Baroness for that accolade. I rise to speak to Amendment 170, which is a small contribution to perfecting Amendment 169. It struck me as rather strange that Amendment 152 has a reference to charities, but not Amendment 169. For charities, this is just as big an issue so I wanted to enlarge slightly on that. This is a huge change that is overtaking charities. How they are preparing for it and the issues that need to be addressed are of great concern to them. The Institute of Fundraising recently surveyed more than 300 charities of all sizes on how they are preparing for the GDPR, and used the results to identify a number of areas where it thought support was needed.
The majority of charities, especially the larger ones, are aware of the GDPR and are taking action to get ready for May 2018, but the survey also highlighted areas where charities need additional advice, guidance and support. Some 22% of the charities surveyed said that they have yet to do anything to prepare for the changes, and 95% of those yet to take any preparatory action are the smaller charities. Some 72% said that there was a lack of clear available guidance. Almost half the charities report that they do not feel they have the right level of skills or expertise on data protection, and 38% report that they have found limits in their administration or database systems, or the costs of upgrading these, a real challenge. That mirrors very much what small businesses are finding as well. Bodies such as the IoF have been working to increase the amount of support and guidance on offer. The IoF runs a number of events, but more support is needed.
A targeted intervention is needed to help charities as much as it is needed for small business. This needs to be supported by government—perhaps through a temporary extension of the existing subsidised fundraising skills training, including an additional training programme on how to comply with GDPR changes; or a targeted support scheme, directly funded or working with other funding bodies and foundations, to help the smallest charities most in need to upgrade their administrative or database systems. Charities welcome the recently announced telephone service from the ICO offering help on the GDPR, which they can access, but it is accessible only to organisations employing under 250 people and it is only a telephone service.
There are issues there, and I hope the Minister will be able to respond, in particular by recognising that charities are very much part of the infrastructure of smaller organisations that will certainly need support in complying with the GDPR.
My Lords, I broadly support what these interesting amendments are trying to do. I declare my interest as a member of the board of the Centre for Acceleration of Social Technology. Substantially, what it does is advise normally larger charities on how to best take advantage of digital to solve some of their problems.
Clearly, I support ensuring that small businesses, small charities and parish councils, as mentioned, are advised of the implications of this Act. If she has the opportunity, I ask the noble Baroness, Lady Neville-Rolfe, to explain why she chose staff size as the measure. I accept that hers is a probing amendment and she may think there are reasons not to go with staff size. The cliché is that when Instagram was sold to Facebook for $1 billion it had 13 members of staff. That would not come within the scope of the amendment, but there are plenty of digital businesses that can achieve an awful lot with very few staff. As it stands, my worry is this opens up a huge loophole.
I entirely agree with my noble friend. The point I was going to make is that small companies are often very wealthy. In the global digital world that is the fact: you do not need the same number of employees as in the past. Equally, would the amendment apply to five employees globally, or just in this country?
Certainly if the amendment were to have any legs in terms of using the number of employees as a parameter then that would have to be defined. However you chose to define the size of an organisation, you would need to explore how to work that out.
I chose five employees because it often denotes a small organisation or a small business. I can see that some of the businesses in that category might be fairly large. I would of course have no objection to adding an extra criterion, such as turnover, if there was a mood to write exemptions into the Bill. Other legislation has exemptions for smaller bodies. The overall objectives of the data protection legislation clearly have to be achieved but I am concerned that, in particular, some of the subsidiary provisions, such as fines and fees, which I mentioned, are demanding and worrying for smaller entities.
I am grateful for the noble Baroness’s comments. Something certainly can be done to think more about turnover than the number of employees, otherwise there would be a big loophole, particularly around marketing and being able to set up a company to harvest data, for which the Act would not apply. It could then sell the data on. It would not need very many people at all to pursue that opportunity.
The other thing these amendments allow us to do is ask the Minister to enlighten us a little on his thinking about how the Information Commissioner’s role will develop. In particular, if it is to pursue the sorts of education activities set out in these amendments, how will it be resourced to do so? I know there are some career-limiting aspects for Ministers who promise resources from the Dispatch Box, but the more he can set out how that might work, the more welcome that would be.
My Lords, I declare my interests as a chairman of a charity and of a not-for-profit organisation, and as a director of some small businesses. Having said that, I agree with every word that my noble friend Lady Neville-Rolfe said.
The Association of Accounting Technicians has said that the notion that the GDPR will lead to a €2.3 billion cost saving for the European Union is absurd. I agree. The Federation of Small Businesses has said how a sole trader might have to pay £1,500 for the work needed, and someone with 25 employees might have to pay £20,000. In the Second Reading debate my noble friend Lord Marlesford talked about his parish council rather poignantly. It might be impossible to exempt organisations such as those from European Union regulations. But if that is so, I hope that my noble friend the Minister will say, first, why it is impossible; and, secondly, what we can do to get round and to ameliorate the various different issues raised.
On the duty to advise Parliament of the consequences of the Bill, I said at Second Reading that the regulator cannot issue guidance until the European Data Protection Board issues its guidance. That may not be until spring next year. This leaves businesses, charities and parish councils very little time, first, to make representations to Parliament; secondly, to bring in new procedures; and thirdly, to train the staff they will need. In that short time, organisations will all be competing for very skilled staff. That must push the price of those skilled staff up at a time when these small businesses will find it very difficult to pay.
I look forward with interest to hearing what my noble friend says, and I hope that he will be able to agree to the meeting that my noble friend asked for.
My Lords, I declare an interest as the editor of the Good Schools Guide. We have three employees and we certainly should come under this Act in terms of the data on people and schools that we have in our charge. It is very difficult to find any measure that describes the importance of data that a business holds other than, “How important is the data that you hold?”. Therefore, I look to my noble friend to explain how the Information Commissioner will not take sledgehammers to crack nuts and how they will genuinely look at how important the data you have under your control is and, given that, what efforts you ought to have made. That seems the right criterion to get a system that operates in a human way, where there is a wide element of giving people time to get up to speed and being human in the way you approach people, rather than immediately reaching for the fine.
However, this is important. This is our data. Just because I am dealing with someone small, I do not want them to be free from this. I want to be secure in the thought that if I am dealing with a small company my data is just as safe as if I had been dealing with someone big. I want to encourage small businesses to grow and to be able to reassure their customers that they are every bit as good. They would have terrible trouble having contracts with the NHS and others if they are not up to speed on this.
I do not think that is the way, but I do think we have to understand that this will be very difficult for small businesses. We have to look at how we might construct a set of resources that small businesses can use not only to get up to speed but to stay up to speed, because this is a constant issue. I draw your Lordships’ attention again to what is going on in Plymouth, where both universities, the FE colleges, the schools and the local authority, and a lot of the big businesses, have got together to construct apprenticeships in cybersecurity tailored to small businesses. Expert cybersecurity advice has been made available to small businesses in small chunks, while young people are trained in how to take the right path in cybersecurity rather than wandering off to the point where they get arrested if they visit the United States. There is scope for extending that in areas such as social marketing but also in data protection, where expertise tends to be concentrated in large organisations and a structure is needed that enables small businesses to have ready access to it. We could greatly enhance the employment prospects of a lot of young people, and improve life for our small businesses, if we talked to BEIS and the DfE about tweaking the requirements for apprenticeships to make it rather easier to run them in small businesses.
My Lords, I refer the Committee to my registered interests: I am on the board of two small charities in the London Borough of Southwark.
I recall from Second Reading the noble Lord, Lord Marlesford, who is not in his place today, talking about the effect of the legislation on small organisations—many others have made reference to it already. He referred to parish councils, which often employ just a part-time parish clerk. The noble Lord, Lord Arbuthnot of Edrom, spoke similarly about the effect on organisations. Both noble Lords had a point at Second Reading, as does the noble Baroness, Lady Neville-Rolfe, with her amendment today.
As we have heard, the amendment limits the scope of the Act to organisations employing more than five people and specifies for exemption organisations such as small businesses, charities and parish councils which meet the employment qualification of five employees or fewer. My noble friend Lord Knight of Weymouth made a valuable point about size and turnover—I think the noble Baroness accepted that in her intervention.
The amendment also makes the useful point that the exemption is not limited to these three specific groups but seeks to cast a wider net. I certainly want to hear from the Minister that community councils would be exempted, as well as the small not-for-profit sector and small co-operatives, which I am sure is the intention behind the amendment.
The amendment needs a detailed response, as we have to be clear on what the Government think is reasonable for such organisations to have to comply with and how the Government will make it as simple as possible and not pile additional burdens on them. I hope the Minister will not say that these organisations already have to comply with the 1998 Act and that this legislation is only a very small increase in what is required. We will require a lot more reassurance than that from the Minister.
Amendment 152, also in this group, would place a duty on the Information Commissioner to advise Parliament, government and other institutions and bodies on the likely consequences, economic or otherwise, for industry, charities and public authorities of measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data. The noble Baroness again makes a valid point and there is merit to placing this duty in the Bill.
If the Minister thinks that Clause 113, and specifically Clause 113(3)(b), is sufficient to provide the Information Commissioner with the power and the duty to do what is set out in the amendment, we need him carefully to set that out today for the benefit of your Lordships’ House.
Amendment 169—and Amendment 170, which would add “and charities” to it—raises some very important issues. It would place a duty on the Secretary of State to ensure that they or the Information Commissioner had a programme in place to ensure that information on the new duties that businesses and charities will be obliged to follow is publicly available. Again, these are very important and welcome amendments. Large businesses, large corporations and large charities will more than likely have the structures in place to ensure that they comply with any new requirements, but smaller organisations do not have compliance departments or lawyers on retainer to advise them. The Government have to get that message out to them. I particularly like subsection (2) of the new clause proposed by Amendment 169, which would require this information to be placed online and the Secretary of State to have regard to the creation of online training and testing to meet the requirements of the new Act. This group of amendments raises important matters on which I hope the Minister can give the Committee some reassurance.
My Lords, I am grateful to all noble Lords who have raised the amendments and commented on them, because the Government recognise the concern behind them; namely, to protect the smallest organisations from the additional requirements established by this and future data protection legislation and to ensure that all UK businesses and organisations are properly supported through the transition.
I fully concur with my noble friend Lady Neville-Rolfe that supporting UK businesses of all sizes must be a priority. I can assure her that it is of the utmost importance both for the Government and for the Information Commissioner. However, I cannot agree with the proposal in Amendment 7 that those organisations with five or fewer employees be exempted from the requirements of the Act. We are talking in this Bill not just about businesses but about individual rights of data subjects. As my noble friend Lord Lucas mentioned, it is right that individuals enjoy the protections that will be afforded by this new regime regardless of the size of the organisation with which they are dealing. People should not be afforded a lesser degree of protection simply because they have chosen to do business with, or indeed to voluntarily support, a small organisation. After all, the fact that an organisation employs few staff does not mean that a breach of data protection law will cause a correspondingly small amount of distress. Many of the most cutting-edge financial technology firms begin life in someone’s back bedroom, but it does not make their customers’ transaction history any less worthy of protection.
Amendment 7 is unlikely to have the intended effect because the GDPR does not permit such an exemption. As an area in which our ongoing relationship with the European Union will be of the utmost importance, I do not consider that such an amendment would be in the best interests of British businesses.
However, I understand my noble friend’s concerns that the smallest organisations may be the least well equipped to deal with the changes introduced by this regime. I was therefore pleased to learn recently—the noble Lord, Lord Clement-Jones, mentioned this—that the Information Commissioner has announced the establishment of a dedicated telephone advice service for small and micro businesses to support them in implementation. The noble Lord also mentioned that the threshold was 250 employees, which represents quite a large organisation by today’s terms, with small businesses, especially in the tech field, growing up all over the place.
In respect of Amendment 152, I fully concur with my noble friend about the importance of monitoring the consequences of the Act for businesses and other organisations. I reassure her that there is already, quite rightly, a broad obligation on government to assess and report on the impact of all legislation that regulates business under the Small Business, Enterprise and Employment Act 2015. In addition, the Information Commissioner will be required to advise Parliament, government and other bodies on both legislative and administrative measures relating to the new Act and to provide opinions on any issue relating to the protection of personal data. My noble friend Lady Neville-Rolfe also asked about the impact on business. I confirm that the Government will publish a further assessment of the impact of the Bill on business very shortly.
With regard to Amendment 169, it is worth reiterating that the Information Commissioner has already provided general guidance, which is available online to all businesses, to help them understand their obligations. The commissioner is continuing to develop this guidance and has a programme in place for publication. I cannot go through it all but, in addition to the guidance the ICO has already published, it expects to develop this further between now and May into a fully comprehensive guide to the GDPR, including summaries and checklists, as well as more detailed content focused on key areas. This will also be available online from early next year. Later this year, the Information Commissioner will publish draft guidance on children’s data; on accountability, including documentation; on legitimate interests, including examples addressing universities maintaining alumni relationships; and draft guidance on security of processing, including joint work on high-level security principles. It will also provide sector-specific guidance. The Government are working with the Information Commissioner to identify appropriate areas and to work with sectors to deliver more guidance.
In respect of timing, I completely agree with my noble friend that it is desirable that up-to-date guidance about the new regime is available to businesses as soon as possible. As I have just set out, that is precisely what the commissioner is already attempting. But I fear that it may not be feasible, as the amendment requires, for final information to be published at least six months before the commencement of the provisions in the Act, not least because changes to the Bill may affect that guidance.
In respect of Amendment 170, I share the sentiment of the noble Lord, Lord Clement-Jones, in wishing to ensure that charities are provided with guidance to help them understand their obligations. I reassure him that the general guidance that the Information Commissioner has already published is designed to assist all organisations through the transition.
The noble Lord, Lord Knight, asked how the role of the Information Commissioner will develop and be resourced. My noble friend Lady Williams said at Second Reading that the Government take the adequate resourcing of the Information Commissioner very seriously and have provided for an appropriate charging regime in Part 5 of the Bill. I assure the noble Lord that we are aware that there are problems with the Information Commissioner at the moment and we are looking at that. But, possibly for the reasons that he mentioned, I am not able to make any binding commitments tonight. But I accept that there is an issue there. We are looking at it.
I assure noble Lords that the Government share the concerns raised in these amendments and are particularly pleased that the Information Commissioner is actively taking steps to provide dedicated support for small and micro enterprises, including the telephone service I mentioned earlier. With that in mind, I hope my noble friend feels able to withdraw her amendment.
The Minister mentioned guidance a few times and said that it might not be ready in time. I was reminded of our debates—which he was not involved in—on the Housing and Planning Bill. We were told about guidance and regulations, and well over a year later we have seen next to nothing. This is such an important issue that we need to hear a little more from the Minister. I and many other noble Lords mentioned parish councils. I do not think he mentioned those. For example, I know the Deeping St James Parish Council in Lincolnshire very well. It employs only a part-time clerk. I think the noble Lord, Lord Marlesford, made a similar point about parish councils at Second Reading. Perhaps the Minister could say something about that.
Yes, I think my noble friend mentioned the parish council of the noble Lord, Lord Marlesford, in her reply. I make the point again that individuals’ data rights have to be protected. Just because parish councils are small organisations does not mean that they should not take that seriously—and I am sure they do. With regard to the practicalities of how they cope with their duties, apart from the fact that the Information Commissioner is providing guidance specifically for small organisations, the parish clerk—who already often works for more than one parish council so they can share the cost—is in a good position to deal with the duties under the Bill and will be able to take the guidance relating specifically to small businesses and organisations from the Information Commissioner.
I admit that I did not follow the Housing and Planning Bill too closely. But I mentioned a lot of the guidance that will be available before the end of the year. The Information Commissioner is very aware of the need to produce this quickly. In addition, of course, she is actively involved in outlining the European guidance on which a lot of member states’ guidance will be based. Therefore, she is helping to set the tone on which her future guidance will be based.
That is fine as far as it goes. The point I am making is that we have heard guidance mentioned two or three times, in relation to two or three different organisations. I know that the Minister was not involved but we heard the same comments about guidance and regulations from the Government Front Bench when we were dealing with the Housing and Planning Bill. I hope we are not having déjà vu here. We hear these things are coming forward. These things are very important. I accept entirely that people’s data are important—of course they are—but, equally, getting this guidance right is important, as is organisations being able to have the information so that they ensure that they comply with the law. I hope the Minister can take back how important this is. He said it will all be after Report, at the end of the year. The Bill will have long left this House and we will be saying, “Where is this guidance then? You promised it and nothing has arrived”. It really is not good enough for the individual data subject or for business or for anyone else involved.
I agree with the noble Lord that, if nothing did arrive, it would not be good enough.
My Lords, I was slightly disappointed when all my amendments were grouped, but bringing them together has led to an extremely useful and productive debate. I am very grateful to noble Lords right across the Committee for their support. I am also grateful to the Minister for saying that he will let us have a compliance cost assessment, which I will read with the detail and vigour that it merits, and for some of the other points he made.
I am a little disappointed about how we achieve some de minimis relief for the smaller organisations in these various sectors, including the ones mentioned by the noble Lord, Lord Kennedy, as well as on guidance—I am not sure we are quite there. We need to think a little further. I gave the Minister an example of the difficulties that the data analytics sector had had on consent. It would be good if he could look at that point and perhaps arrange for a meeting so that we could talk further. I will look in Hansard at the progress we have made in this very constructive discussion and possibly come back on Report on one or two points. I beg leave to withdraw the amendment.
Amendment 7 withdrawn.
Clause 3 agreed.
Clause 4: Definitions
8: Clause 4, page 3, line 40, at end insert “and to section 183”
My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point which has not been lost on noble Lords; nor has it been lost on organisations, business groups and others. We are grateful for all the feedback we have received through responses to the Government’s call for views and on our statement of intent, and, most recently, on the drafting of the Bill itself. Hence this large group of technical amendments seek to polish various provisions of the Bill in response to that feedback. If I may, I will save noble Lords from the tedium of going through each amendment in turn—we would be here all night—and instead focus on the small number of substantive amendments in the group.
I begin with Amendment 51, which ensures that automatic renewal insurance products purchased before 25 May 2018 can continue to function. Automatic renewal products work on the principle that, if the insured person does not respond to the renewal notice, their insurance continues uninterrupted. Without the amendment this would not be possible for products such as motor insurance, which require processing of special categories of personal data and criminal convictions and offences data, potentially leaving individuals unwittingly uninsured.
Amendment 55 responds to a request from the Welsh Government to extend an exemption on passing information about a prisoner to an elected representative to Members of the Welsh Assembly. I am very happy to give effect to that request.
Amendment 56 ensures that existing court reporting—so important for ensuring open justice—can continue. Judgments may include personal data, so this amendment will allow the courts to continue with current reporting practices.
Paragraph 9 of Schedule 2 provides a limited exemption in respect of certain regulatory activities which could otherwise be obstructed by a sufficiently determined individual. Amendment 86 adds five additional regulatory activities to that list to allow relevant existing data processing activities to continue.
Amendment 87 extends the common-sense protection provided by paragraph 22 of Schedule 2 for confidential employment references, so that it also expressly covers confidential references given for voluntary work.
Amendments 90 and 186 ensure a consistent definition of “publish” and “publication” throughout the Bill.
I conclude my brief tour—it did not seem very brief to me—of these amendments with reference to the amendments to Schedule 6. As noble Lords will recall, in creating the applied GDPR Schedule 6 anglicises its language, so as to ensure that it makes sense in a UK context. This is a mechanical process involving, for example, replacing the term “member state” with “United Kingdom”. Amendments 112 to 114, 116 to 118 and 120 to 124 refine that process further.
The remaining amendments that I have failed to mention will dot the “i”s and cross the “t”s, as detailed in the letter from my noble friends Lord Ashton and Lady Williams when the amendments were tabled on 20 October. For these reasons, I beg to move Amendment 8 and ask the House to support the other government amendments in this group.
My Lords, I will be brief on this group but I have two points to make. One is a question in respect of Amendment 51, where I congratulate the insurance industry on its lobbying. Within proposed new paragraph 15A(1)(b) it says,
“if … the controller has taken reasonable steps to obtain the data subject’s consent”.
Can the Minister clarify, or give some sense of, what “reasonable” means in this context? It would help us to understand whether that means an email, which might go into spam and not be read. Would there be a letter or a phone call to try to obtain consent? What could we as citizens reasonably expect insurance companies to do to get our consent?
Assuming that we do not have a stand part debate on Clause 4, how are the Government getting on with thinking about simplifying the language of the Bill? The noble Baroness, Lady Lane-Fox, is temporarily not in her place, but she made some good points at Second Reading about simplification. Clause 4 is quite confusing to read. It is possible to understand it once you have read it a few times, but subsection (2) says, for example, that,
“the reference to a term’s meaning in the GDPR is to its meaning in the GDPR read with any provision of Chapter 2 which modifies the term’s meaning for the purposes of the GDPR”.
That sort of sentence is quite difficult for most people to understand, and I will be interested to hear of the Government’s progress.
My Lords, I thank the noble Baroness for introducing these amendments in not too heavy a style, but this is an opportunity to ask a couple of questions in relation to them. We may have had since 20 October to digest them; nevertheless, that does not make them any more digestible. We will be able to see how they really operate only once they are incorporated into the Bill. Perhaps we might have a look at how they operate on Report.
The Bill is clearly a work in progress, and this is an extraordinary number of amendments even at this stage. It begs the question as to whether the Government are still engaged in discussions with outside bodies. Personally, I welcome that there has been dialogue with the insurance industry—a very important industry for us. We obviously have to make sure that the consumer is protected while it carries out an important part of its business. I know that the industry has raised other matters relating to third parties and so on. There have also been matters raised by those in the financial services industry who are keen to ensure that fraud is prevented. Even though they are private organisations, they are also keen to ensure that they are caught under the umbrella of the exemptions in the Bill. Can the noble Baroness tell us a little about what further discussions are taking place? It is important that we make sure that when the Bill finally hits the deck, so to speak, it is right for all the different sectors that will be subject to it.
My Lords, I thank my noble friend Lord Knight and the noble Lord, Lord Clement-Jones, for raising points that I would otherwise have made. I endorse the points they made. It is important that those points are picked up, and I look forward to having the responses.
I had picked up that the Clause 4(2) definition of terms is probably a recital rather than a normative issue, and therefore my noble friend Lord Knight’s point is probably not as worrying as it might otherwise have been. But like him, I found that it was tending towards the Alice in Wonderland side. Subsection (1) says:
“Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR”.
I sort of get that, but it seems slightly unnecessary to say that, unless there is something that we are not picking up. I may be asking a negative: “There’s nothing in here that we ought to be alerted to, is there?”. I do not expect a response, but that is what we are left with at the end of this debate.
I have one substantial point relating to government Amendment 8. In the descriptions we had—this was taken from the letter—this is a technical amendment to ensure that there is clarity and that the definition of health professional in Clause 183 applies to Part 2 of the Bill. I do not think that many noble Lords will have followed this through, but it happens to pick up on a point which we will come back to on a later amendment: the question of certain responsibilities and exceptions applying to health professionals. There was therefore a concern in the back of my mind about how these would have been defined.
My point is that the definition that appears in the Bill, and which is signposted by the way that this amendment lies, points us to a list of professionals but does not go back into what those professionals do. I had understood from the context within which this part of the Bill is framed that the purpose of having health professionals in that position was that they were the people of whom it could be said that they had a duty of care to their patients. They could therefore by definition, and by the fact of the posts they occupied, have an additional responsibility attached to them through the nature of their qualifications and work. We are not getting that out of this government amendment. Can the Minister explain why polishing that amendment does or does not affect how that approach might be taken?
I thank noble Lords for all their contributions. The noble Lord, Lord Knight, wanted to know what “reasonable” meant in this context. The Financial Conduct Authority has set requirements on insurers in relation to the steps they must take in the case of insurance contracts that are automatically renewed. In this context, our view is that those steps are likely to be reasonable. As to how they get in contact, it is by normal business procedure acceptable to the FCA. Normally emails and so on is the way they do that.
I agree that the language can be very complicated and we are certainly working to make it understandable to everyone. We are still talking to stakeholders about issues that they may have. For instance, on the insurance amendment we talked to the ABI and Lloyds and worked with them when we drew up the amendment. We will carry on doing that with anybody who wishes to be in touch with us. I think that answers the questions asked by the noble Lord, Lord Clement-Jones. We are certainly still in touch with people.
To clarify the question around insurance companies, if as technology and communications change there is a sense that the insurance companies should work a bit harder, would the first recourse be to go to the Financial Conduct Authority in order for it to regulate the insurance companies to do a better job?
Yes, it is the FCA. That would be the case.
The noble Lord, Lord Stevenson, talked about Amendment 8, the health amendment. It is to ensure that there is clarity for health professionals in Clause 183. The GDPR refers to health data being processed under the responsibility of a health professional whereas the Bill says,
“under the supervision of a health professional”,
to clarify that no intentional difference in the meaning is being conveyed. These amendments ensure that consistent language is used and so make it more understandable. I hope that has answered all noble Lords’ questions. Please come back to me if it has not.
Amendment 8 agreed.
Amendment 9 not moved.
Clause 4, as amended, agreed.
Clause 5 agreed.
Clause 6: Meaning of “public authority” and “public body”
10: Clause 6, page 4, line 35, at end insert—
“( ) A college, school or university is not a public authority or public body for the purposes of the GDPR.”
My Lords, I rise to move Amendment 10 in my name and the names of the noble Lords, Lord Pannick and Lord Macdonald of River Glaven. In doing so, I declare my interest as principal of Somerville College, Oxford.
The GDPR, which will be brought into effect in domestic law by the Data Protection Bill, will have an impact on many aspects of university business from procurement to the commercialisation of research. Universities up and down the land are therefore now making preparations to ensure that they will comply with the new requirements. It is immensely complex, and throughout the Committee stage issues will be raised which are pertinent to universities.
With this amendment I am concerned about one aspect of the life of universities, colleges and schools which will be severely impacted by the GDPR. It is our ability to fundraise and to maintain alumni relations, hence our amendment, which is probing at this stage. I have only recently become aware of the huge importance of alumni relations and fundraising and of the fact that they are inextricably linked. As a consequence of financial constraints and government encouragement, universities, colleges and schools are having to raise more and more money to provide the education and the excellent facilities rightly expected by students.
As far as universities are concerned, with potentially reduced tuition fees, Brexit and, despite what the Government may say, a reduction in the number of foreign students, the need to raise money will increase. At Oxford, the system that I now know best, the excellent tutorial system demands even greater resources. I do not complain. However, with the introduction of the GDPR our alumni relations and fundraising ability will be severely limited unless we can find a way through, for example by stating that a college, school or university is not a public authority for the purposes of the GDPR. Naturally universities, including Oxbridge colleges, are concerned to ensure that personal data is processed lawfully in the course of contacting alumni for fundraising purposes, and we want to ensure that we work in the most cost-effective way. I should stress that none of the contacts made to our former students relates to cold calling. We are talking about alumni, people who spent three or more years as students, with whom we therefore have a long-standing relationship. With regard to a college such as Somerville, our alumni feel they belong to a community and they want us to remain in close touch with them.
As the Minister will be aware, under the GDPR, in order for the processing of personal data to be lawful at least one of the six conditions set out in article 6 of the GDPR must apply. The most important change to the lawfulness conditions by the GDPR concerns the consent condition. The GDPR sets a high standard for consent requiring a positive opt-in, and unless opt-in consent has been obtained, or is obtained in future, current and future contact with alumni will be limited. It is clear that existing consents are unlikely to meet the GDPR standard and as a result all fundraising and alumni databases might have to be rebuilt from scratch and/or a huge exercise undertaken to secure explicit consent from all our former students if the consent condition were to be relied on by colleges to justify their processing of alumni data. This is an enormous administrative task and hugely time-consuming. At Somerville, we are already grappling with the new consent standard, and it is both difficult and detrimental.
I understand that when the Council for Advancement and Support of Education—CASE—met DCMS and the Information Commissioner in May it was suggested that the legitimate interest condition could, in appropriate circumstances, be relied on by fundraisers. However, this condition does not apply to processing by public authorities. While the GDPR contains no definition of public authority, Clause 6(1) states:
“For the purposes of the GDPR, the following (and only the following) are ‘public authorities’ and ‘public bodies’ under the law of the United Kingdom—
a public authority as defined by the Freedom of Information Act 2000”.
The Freedom of Information Act 2000 contains in Schedule 1 a list of public authorities which includes, at paragraph 53,
“the governing body of … a university receiving financial support under section 65 of the Further and Higher Education Act 1992”,
“any college, school, hall or other institution”,
of such a university. It is clear that universities, colleges and schools fall within this definition of public authority, which would mean that the legitimate interest condition could not be applied and they would have to rely on either the public interest condition or the consent condition.
I know that the Bill team recently had a meeting with UUK at which this issue was discussed. Oxford University was not present, but this was not due to lack of interest or concern; it was agreed that Cambridge should represent the interests of Oxbridge as a whole. At this meeting, the Bill team was apparently clear that it had put exemptions in the Bill to protect the position of universities. I am glad that there is no policy dispute, but I have to say that my noble friends and I have been unable to identify the exemptions.
The Minister may say that it is a matter that will be dealt with by guidance, but I regret that in my view guidance will not suffice. This is a matter of huge importance to universities as well as to colleges and schools, and there needs to be clarity in the Bill. I look forward to the Minister’s response. If, as I suspect, we do not reach agreement today, I would be grateful if the Minister’s office could arrange a meeting with interested Peers so that we might discuss this further. I beg to move.
My Lords, I declare an interest as a fellow of All Souls College, Oxford. Although All Souls has no students and therefore no alumni, it has former fellows. I endorse everything that was very eloquently said by the noble Baroness. There is a problem here. It needs to be addressed. My understanding is that the Government are sympathetic to the mischief which the noble Baroness has identified. For the reasons she has explained, the mischief is not remedied by the terms of the Bill and I very much hope that the Government will be able to indicate today that they are sympathetic and are willing to meet the noble Baroness, Lady Royall, and others to find a way in which these concerns can be addressed as they ought to be.
My Lords, I have put my name to the amendment and I declare an interest as the warden of Wadham College, Oxford.
It is important to underline, as the noble Baroness has, that fundraising is now intrinsic to the financial well-being of institutions of higher education. That is certainly true of my college. It is intrinsic and critical because, along with conference business and other means of raising money, it helps to plug the gap that exists between fee levels for students and the real cost of educating them. It is clearly in the public interest that colleges and universities be placed in the strongest possible position to raise money to plug that gap.
It is equally important to bear in mind that the sort of fundraising that we are talking about does not involve random mailshots to unsuspecting victims, but regular contact over years with individuals who overwhelmingly regard themselves as members of a close community and are much more likely to complain if they are not contacted than if they are. I have experienced that many times. Requiring colleges to rebuild their alumni databases from scratch could serve no conceivable public benefit; indeed, it would lead to a significant public disbenefit, because it would weaken our ability to fundraise in already straitened financial circumstances.
I certainly agree with the noble Baroness that guidance would be insufficient in this situation. This matter is of such importance to the economic well-being of the institutions in question that it must be dealt with in the Bill. I very much look forward to hearing the Minister’s response and would wish to attend any meeting, should one be arranged.
My Lords, I regret that this is beginning to sound like a chorus from Oxford, but I, too, am the head of an Oxford college—in my case, Mansfield College. I join noble Lords in expressing concern. I have also been the chancellor of Oxford Brookes University, a different kind of university, the president of SOAS and a visiting professor at Sheffield Hallam—very different institutions in higher education—and am now very involved in the further education world.
We have always looked across the Atlantic and said, “Isn’t it wonderful that people in America are so generous to their colleges and remember the places where they got their education? Isn’t that a wonderful thing to encourage here?”. That has been going on for some decades, but some colleges and universities are still new to this and have been working very hard to create databases and links with those who go through their institutions and connections with those who went in the past. To ask us now to revisit all that conscientious work and then try to secure all the consents necessary really is the law of unintended consequences. It is not what the Bill had in mind.
I remind people that concern was expressed that elderly persons, for example, were feeling belaboured by communications from charities wanting them to make those charities the beneficiaries of their wills, or whatever, which had unpleasant consequences for older people. One wanted a constraint on such cold calling and writing to people without invitation or connection. That is not the case here. Our students have created relationships inside their colleges. They know their universities and feel grateful to them for the experiences they have had. Their connections make them part of the community, so it is very different.
I hope that today we will not hear simply, “Let us go away and think about this”. I hope that the Minister will indicate that there will be an exemption in the Bill for colleges and higher education institutions—and schools—because fundraising is, in our current climate, part and parcel of our existence.
I happen to be the head of a college that does not have a wealthy alumni base. It has been very hard work creating the links that we have. We do not have a huge staffing capacity. To expect small colleges to go back in time to get the consents all the way down the line is expecting too much.
I hope that we will hear some very positive things from the Front Bench and that the Government will make an exemption in the Bill, rather than include something in regulations. This is very important to the quality of what we can offer our students, and it is not just the elite universities that face this—it is all universities, because fundraising is so much part and parcel of what we do.
My Lords, I suspect that if you scratched half the Members of this House, they would have to declare an interest. I will just add a bit of non-Oxford variety as chair of the council of Queen Mary University of London. I express Front Bench support for my noble friend’s amendment and that of the noble Baroness, Lady Royall.
There is no doubt about the interaction of article 6 and the unfortunate inclusion of universities in the Freedom of Information Act definition, and there is no reason that I can see—we have heard about the alumni issues and the importance of fundraising to universities—why universities should not be put on all fours with charities, which can take advantage of the exemption in article 6. I very much hope that the Minister, who was nodding vigorously throughout most of the speeches, is prepared to state that he will come forward with an amendment, or accept this one, which would be gratefully received.
My Lords, perhaps I may say a word on behalf of the victims. I very much hope that we will be given the right to ask the college to cross our name off.
I very much enjoyed my time at Oxford. It took Oxford 37 years to cotton on to the idea that, having spent three years doing physics there, perhaps I was interested in physics and it might offer me something in continued involvement other than students being pestered into asking me for money twice a year. That is not a relationship; that is not a community; that is a one-way suck. It is a Dyson vacuum cleaner designed to hoover money in on the basis of creating some sort of obligation. It was a contract 40 years ago, for goodness’ sake: create something now or keep something going.
Fundamentally, I have very little sympathy with the idea—
The noble Lord could not have gone to the colleges that we all represent.
I am absolutely content that universities should be put on a par with charities, because I know that we will be looking after the interests of those whom charities approach just as much as we look after the interests of charities. I hope that is the solution that my noble friend will afford, but it is welcome that there are limitations in the Bill on the random approaches that can be made by organisations. To the extent that we allow exemptions, we should not privilege universities in any particular way. Yes, they are often worthy causes, but they are very fond of money.
My Lords, I have no interests whatever to declare in this debate.
Amendment 10, moved by my noble friend Lady Royall of Blaisdon and signed up to by the noble Lords, Lord Pannick and Lord Macdonald of River Glaven, raises the important issue of legitimate fundraising and alumni relations undertaken by schools, colleges and universities being at risk due to the changes being brought in by GDPR. My noble friend referred to various conditions and mentioned the lawfulness condition, specifically on the issue of consent.
As we have heard, GDPR sets a very high bar in requiring a positive opt in, and it is likely that existing consents will not reach the required standard. So educational institutions would have to take on the enormous task of rebuilding their databases from scratch to meet the condition, as my noble friend referred to.
The public interest condition does not really work, for various reasons. The legitimate-interest condition may provide a route for the justification of data processing for fundraising purposes but, as we have heard in this debate, there are issues here as well. To make that a realistic solution to this unintended consequence of the new regulations—I think we all agree that it is unintended—my noble friend is seeking to put in the Bill a subsection in Clause 6 that, for the purposes of GDPR, would make it clear that schools, colleges and universities are not public bodies.
I note that Clause 6(2) provides the Secretary of State with the power to designate those public bodies that are not regarded as public bodies for GDPR. I am not sure what the general attitude of the Minister is, although he seems to have indicated that he is broadly sympathetic, but if he is going to rely on subsection (2) then he is going to have to do a bit more. As I mentioned previously, when Governments tell us it will all be sorted out in regulations, that is often not the solution and things can take a very long time. I mention the Housing and Planning Act again.
This is not something that educational institutions can wait months or years for; it would cost them considerably in terms of their fundraising plans. I hope the Minister can deliver some positive news to my noble friend, who has raised an important issue. It is fair to say that if she pressed this or a similar amendment to a vote on Report, she would be likely to win the day because it is an issue that many noble Lords are very concerned about.
My Lords, I thank noble Lords for taking part in this debate. I always feel humbled when I realise how many chancellors, presidents and fellows of universities we have in this House. I think that is why our debates and discussions are always of such high quality, because that is what noble Lords bring to this House. I congratulate the noble Baroness, Lady Royall, on her appointment. I visited Somerville College a lot because my daughter went there; she had an extremely enjoyable time and loved her three years there.
Universities are classified as public authorities under the Freedom of Information Act, and the Bill extends that classification to data protection. We recognise that universities, as complex organisations with many varying functions and interests, also carry out other functions that may not count as “public tasks” under data protection law. The conundrum raised by the noble Baroness has also been raised with the Government by the universities. I thank them for their time and help in working with both the Government and the Information Commissioner to resolve the problem.
I fully appreciate that the intention of the amendment is to protect our schools, colleges and universities by allowing them to continue pursuing their interests outside of their public tasks. I reassure noble Lords that neither the Bill nor the GDPR puts that at risk. The Information Commissioner’s Office has confirmed that it will issue detailed guidance on this matter, including the processing of personal data for the purpose of maintaining alumni relations, in order to make this clear. Representatives of the higher education sector have also indicated to the Information Commissioner’s Office that they may wish to develop further sector-level guidance, and the Information Commissioner’s Office will assist with that.
However, we are very sympathetic to everything that noble Lords have said today. It is important that we should meet again, and I am happy to agree to a meeting between myself, my noble friend Lord Ashton and all interested Peers so that we can talk about this further, in order that when we come back on Report we will have something that perhaps everyone will wish to hear. I hope my clarification on this issue is sufficient for now, and that the noble Baroness will agree to withdraw her amendment.
The Minister mentioned guidance and said that these matters would be solved then. Can she give us an assurance that we will have the guidance before the Bill becomes law?
The guidance from the Information Commissioner’s Office is ongoing. I had better go and find out whether we will have it by the time this Bill becomes law, because I do not want to say something at the Dispatch Box that turns out to be wrong. I will have to get back to the noble Lord on that point.
My Lords, I am grateful to the Minister for her semi-positive answer. I have to say that if the guidance were available before the Bill became law, that would be quite extraordinary because it is not the norm, but it would be very welcome. I am grateful for her sympathy and understanding, and I realise that there has been a meeting between the university sector and the Information Commissioner’s Office, but personally I still feel the guidance is not enough. I am therefore grateful for the offer of a meeting to discuss this further. I thank everyone who has participated in this short debate. I particularly thank my noble friend Lady Kennedy of The Shaws for quite rightly pointing out that this is a matter of importance for schools, universities and colleges up and down the land, not just the “elite”, as it were—everyone is going to suffer.
With the reassurance from the Minister that we can have a meeting to discuss this further, I beg leave to withdraw the amendment.
Amendment 10 withdrawn.
Clause 6 agreed.
Clause 7: Lawfulness of processing: public interest etc
11: Clause 7, page 5, line 6, leave out “includes” and insert “means”
My Lords, I shall also speak to Amendments 13, 15 and 21. It is slightly putting the cart before the horse to deal with Amendment 11. I will do so since it comes earlier in the order, but it covers a rather less general issue than the less general amendments.
Under the current Data Protection Act, controllers need a Schedule 2 legal basis to process personal data. Schedule 2 lists six main groupings and the controller has to select at least one from the list. If the controller does not have a legal basis for processing, then the controller cannot process the personal data. So it is surprising to discover that Clause 7, through the use of the word “includes”, can legitimise public sector processing of personal data on a ground not listed in the Bill. Such a basis might be, for instance, not necessary for the controller’s statutory functions, and that is why I seek the Minister’s reassurance.
There is all the difference between setting out the bases in an exhaustive way and a non-exhaustive way. In looking at how the position is reached, one needs to look at Clause 7, which states:
“In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for … administration of justice”,
and so on until (d),
“the exercise of a function of the Crown, a Minister of the Crown or a government department”.
It can be seen by comparison with Schedule 2 of the DPA that the only missing basis for processing is,
“the exercise of any other functions of a public nature exercised in the public interest by any person”.
The Explanatory Notes to Clause 7 state:
“Article 6(2) of the GDPR enables Member States to, amongst other things, set out more specific provisions in respect of Article 6(1)(c) and (e). This clause provides a non-exhaustive list of examples of processing under Article 6(1)(e)”.
That seems slightly paradoxical; it says it is going to be more specific, then the Explanatory Notes say it is going to be non-exhaustive. The note continues:
“This includes processing of personal data that is necessary for the administration of justice”,
and so on. The section on Clause 7 concludes:
“The list is similar to that contained in paragraph 5 of Schedule 2 to the 1998 Act”.
So the intent, as explained in paragraphs 85 and 86 of the Explanatory Notes, is for the Government to use the flexibility set out in Article 6(1)(c) and (e) to take an exhaustive list of legal bases for the processing of personal data and actually create a non-exhaustive list of grounds that public bodies can use in Clause 7. How paradoxical can you get?
The difference between exhaustive and non-exhaustive is profound. An exhaustive list requires that the legal basis associated with processing be one of those listed. The non-exhaustive list says that the legal basis can be one of those listed, but there may be another legal basis that is not listed that applies to the processing of personal data. In other words, the legal basis, or the grounds in Clause 7 that allow a public sector controller to process personal data, extend beyond paragraphs (a) to (d) and include other unspecified grounds. What are these other grounds? How many are there? Who defines them? What are the Government’s intentions? Indeed, how can Clause 7 be enforced by the ICO if a public sector controller such as a local authority can argue that the processing of personal data, although not necessary for the exercise of the function conferred on it by enactment, is necessary for the exercise of a function agreed at, say, a council meeting? Who knows whether this ground is valid when the list of possible grounds in Clause 7 is non-exhaustive? I hope I have made clear the position and our bafflement as to why the list is non-exhaustive, and I very much hope that the Minister can explain the import and purpose of Clause 7.
Other amendments that we have tabled are probing in nature as well. The term “public interest” is used throughout the Data Protection Bill and is key to applying many of its provisions. These include consideration of the legal basis, condition for processing, whether the exemption applies, whether the data can be transferred, and as a defence to certain offences. In relation to special categories of personal data, the term “substantial public interest” is used in the Bill, as in the GDPR. Neither “public interest” nor “substantial public interest” are defined terms in the Bill. Concerns regarding the lack of clarity around those terms were raised during Second Reading. My noble friend Lady Ludford, in particular, raised that, and the noble Lord, Lord Patel, raised it in the context of research.
Further clarification on the scope of “public interest” and “substantial public interest” in the Bill is required. I am afraid that the noble Lord, Lord Collins, may have to put up with this, but guidance is needed on how those terms are to be interpreted when applying the Bill’s provisions. I think we will see a theme whereby the noble Lord, Lord Collins, stands up every time the word “guidance” is mentioned, asking when, how and so on.
The application of a public interest test or substantial public interest test will to an extent depend on the circumstances of the processing. However, guidance on the application of these terms from the ICO would provide clarity and greatly assist controllers and processors in carrying out their obligations, and data subjects in understanding whether their data is being processed in accordance with the terms of the legislation. It would be desirable to have a statutory code of practice requiring the commissioner to produce such guidance, and to allow it to be consulted on and scrutinised by Parliament.
Public interest, of course, is also relevant to both freedom of expression and freedom of information. Guidance should be available as to its application in both those contexts. I hope I have said enough in the hope that the Minister will untangle this particular puzzle for us over time—perhaps not at this stage, but certainly as the Bill progresses. I beg to move.
My Lords, I do not need to say very much about our amendments in this group because they overlap to a great extent with what has just been said by the noble Lord, Lord Clement-Jones. I should not really delay the House as it is anxious to get on to other business, but the noble Lord made an interesting comment about the response that might come from my noble friend sitting to my right. In our Whips’ Office we have a regular problem, because Ray Collins and Roy Kennedy are, confusingly, always called Roy Collins and Ray Kennedy. I have never actually heard them be confused when called by their surnames, so we have had a first today. It is always nice to see firsts in our rather dull and restricted life—it is time for dinner.
This is quite an important amendment, and the noble Lord, Lord Clement-Jones, has made the case very well. When I was looking through the Bill and trying to come up with a sense of narrative that we could use here, I wondered about the introduction of “substantial public interest”, which predates this Bill significantly. It appears in the 1998 Data Protection Act but it was not challenged there. It felt to me like a mistranslation—a sort of Anglicisation gone wrong, because there should not be gradations of public interest. A matter is either in the public interest or it is not: it should not have to be qualified by the word “substantial” to get it to a different level of concern or consent. In that sense, maybe “substantial” just means of greater sensitivity, rather than more important and therefore to be restricted. I should be grateful if the Minister reflected on that when responding.
I share the concern that the noble Lord, Lord Clement-Jones, raised in his first amendment. By and large, the Bill is pretty good at tying down where there is flexibility and where there is not, but here, the terminology seems very loose. We can understand what Clause 7 means, but the idea that it would be relatively easy to extend and adapt the list in subsections (a) to (d) is quite worrying. If that is to stand, and the defence says that it is reasonable in the circumstances to have such wording, we need to understand the powers under which that list could be adapted or amended. Are they to be found in the Government’s ability to seek regulatory approval, or will it be done in some other form? We ought to know the answer to that.
Since we are back on codes, as mentioned by the noble Lord, here is a code that it is really important to have before we get to Report. I would be grateful if the Minister confirmed that that will be possible. I understand that the issue is not in his hands, because the Information Commissioner will be the person responsible. However, given that the terminology in the Bill will have an impact right across our statutory provisions regarding what is or is not in the public interest, and if this is the long-awaited guidance and the substitute for a proper definition in statute, it is very important that we have it in time to discuss it on Report.
My Lords, I speak to Amendments 11 and 13, in the name of the noble Lord, Lord Clement-Jones, and Amendment 154, in the name of the noble Lord, Lord Stevenson of Balmacara, and to which I have added my name in support.
When I first read the amendments tabled by the noble Lord, Lord Clement-Jones, I was concerned because I thought them quite restrictive. Now that he has spoken to them, I can see that he intended them to be wider, so I apologise to him that I did not have the opportunity to speak with him beforehand, so that I would have had that clarification. None the less, having said that, I am concerned that the amendment would restrict the interpretation of,
“a task carried out in the public interest”,
and a narrow list is set out in Clause 7(a) to (d). That is a major concern for universities and other institutions involved in research.
It is absolutely important that universities and other public bodies that carry out research functions are able to use,
“task carried out in the public interest”,
as a legal basis for processing personal data. Restricting this clause to apply only to those functions listed in paragraphs (a) to (d) would instantly make all processing of personal data carried out for research purposes with a university illegal. That is unless it could meet the stringent requirements of GDPR-compliant consent, which I will speak to on an amendment in the group that follows.
None the less, providing further clarity through regulations would ensure that “public interest” was not used as a catch-all for public bodies, negating the incentive to restrict the definition in the Bill in the way proposed by this amendment. I have no doubt that we will have a discussion and that the amendment is not intended to be so restrictive. I look forward to the Minister’s summing up.
I support Amendment 154 in the name of the noble Lord, Lord Stevenson of Balmacara. However, under the GDPR, all users and controllers of data will need to be much clearer about the legal basis that they use to process personal data, and more explicit with data subjects about what is happening to data about them. However, this shift is also likely to generate a certain amount of confusion among researchers who process personal data as part of their studies.
An enormous amount of research using personal data is carried out by universities, which constitute public bodies. As it stands, the Bill defines “public interest” in quite a narrow way—and I shall come to that in more detail when I deal with a group of amendments in my name. But “public interest” is an underspecified notion that could be interpreted in many ways, in the absence of authoritative guidance—and it is that absence that the amendment under the name of the noble Lord, Lord Stevenson of Balmacara, deals with. Placing the requirement to produce codes of practice in the Bill will ensure that it is an undertaking that receives the urgent attention that it demands, and I support it for that reason.
My Lords, this is a rather unusual occasion, in that normally noble Lords say that they are going to read very carefully what the Minister has said in Hansard. In this case, I am certainly going to have to read carefully what the noble Lord, Lord Clement-Jones, said, in Hansard. This is a complicated matter and I thought that I was following it and then thought that I did not—and then I thought that I did again. I shall set out what I think should be the answer to his remarks, but when we have both read Hansard we may have to get together again before Report on this matter.
I am glad that we have this opportunity to set out the approach taken in the Bill to processing that is in the public interests and the substantial public interests. Both terms are not new; they appeared before 1998, as the noble Lord, Lord Stevenson, said, in the 1995 data protection directive, in the same sense as they are used in the GDPR and the Bill. That is to say, “substantial public interest” is one of the bases for the processing of special categories of personal data, and this is a stricter test than the public interest test that applies in connection with the processing of all categories of personal data. The noble Lord, Lord Clement-Jones, was wrong to suggest that the list provided in the 1998 Act in relation to public interest was genuinely exhaustive, I think. As he said himself, the effect of paragraph 5(d) of Schedule 2 was to make that list non-exhaustive.
In keeping with the approach taken under the 1998 Act, the Government have not limited the public interest general processing condition. The list in Clause 7 is therefore non-exhaustive. This is intentional, and enables organisations which undertake legitimate public interest tasks to continue to process general data. Noble Lords may recall that the Government committed after Second Reading to update the Explanatory Notes to provide reassurance that Clause 7 should be interpreted broadly. Universities, museums and many other organisations carrying out important work for the benefit of society all rely on this processing condition. For much the same reason, “public interest” has not historically been defined in statute, recognising that the public interest will change over time and according to the circumstances of each situation. This flexibility is important, and I would not wish to start down the slippery slope of attempting to define it further.
The Government have, however, chosen to set out in Part 2 of Schedule 1 an exhaustive list of types of processing which they consider constitute, or could constitute, processing in the substantial public interest. That reflects the increased risks for data subjects when their sensitive personal data is processed. Again, this approach replicates that taken in the 1998 Act. Where the Government consider that processing meeting a condition in that part will sometimes, but not necessarily, meet the substantial public interest test, a sub-condition to that effect is included. This ensures that the exemption remains targeted on those processing activities in the substantial public interest. A similar approach was taken in secondary legislation made under the 1998 Act. The Government intend to keep Part 2 of Schedule 1 under review, and have proposed a regulation-making power in Clause 9 that would allow Schedule 1 to be updated or refined in a timelier manner than would be the case if primary legislation were required. We will of course return to that issue in a later group.
Amendment 15 seeks to make clear that the public interest test referred to in Clause 7 is not restricted by the substantial public interest test referred to in Part 2 of Schedule 1. Having described the purposes of both these elements of the Bill, I hope that noble Lords can see that these are two separate tests. The different wording used would mean that these would be interpreted as different tests, and there is no need to amend the Bill to clarify that further.
Amendment 154 would require the Information Commissioner to develop a code of practice in relation to the processing of personal data in the public interest and substantial public interest. As we have already touched on, the Information Commissioner is developing relevant guidance to support the implementation of the new data protection framework. Should there later prove a need to formalise this guidance as a code of practice, Clause 124 provides the Secretary of State with the power to direct the Information Commissioner to make such a code. There is no need to make further provision.
I hope that that explanation satisfies noble Lords for tonight, and I urge the noble Lord to withdraw his amendment. However, in this complicated matter, I am certainly prepared to meet noble Lords to discuss this further, if they so require.
My Lords, I thank the Minister for that very helpful exposition. I shall return the compliment and read his contribution in Hansard with great care. I apologise to the noble Lord, Lord Kennedy, if the Bill has already had a befuddling influence on me. It comes from looking along the Labour Benches too much in profile.
With this amendment, I feel somewhat caught between the noble Lord, Lord Patel, and a very hard place. Clearly, he wants flexibility in a public interest test, and I can well understand that. But there are issues to which we shall need to return. The idea of a specific code seems the way forward; the way forward is not by granting overmighty powers to the Government to change the definitions according to the circumstances. I think that that was the phrase that the Minister used—they wish to have that flexibility so that the public interest test could be varied according to circumstances. If there is a power to change, it has to be pretty circumscribed. Obviously, we will come back to that in a later group. In the meantime, I beg leave to withdraw the amendment.
Amendment 11 withdrawn.
House resumed. Committee to begin again not before 8.47 pm.