Committee (4th Day)
Relevant documents: 6th Report from the Delegated Powers Committee, 6th Report from the Constitution Committee
Schedule 3: Exemptions etc from the GDPR: health, social work, education and child abuse data
93A: Schedule 3, page 140, line 16, leave out “or another individual”
My Lords, Amendment 93A in my name and that of my noble friend Lord Stevenson of Balmacara is the first amendment in a small group before the Committee this afternoon. They are probing amendments to allow us to begin to debate the issues around Schedule 3, specifically Part 2 and matters concerning health data and social work data.
Amendment 93A would delete the words “or another individual”. I want to understand clearly what the Government mean when they refer to the “serious harm test” for the data subject and to this very wide catch-all phrase, “or another individual”. Amendment 94A would delete specific wording as detailed in the Bill and replace it with the wording in my amendment.
I can see the point of paragraph 4(1)(c) of Schedule 3, but do not see why the Government would not wish to rely on the definition of lacking mental capacity, as defined by the Mental Capacity Act 2005. Can the Minister explain, if my amendment is not going to be accepted, why the Government appear to be relying on weaker words in this section?
Amendment 94B would delete paragraph 4(2)(a) of Schedule 3. Again, I stress that this is a probing amendment to give the Minister the opportunity to set out clearly how this is going to work so that it does not cause problems for research but respects people’s privacy regarding the data that they have been provided with.
On the other amendments in the group, Amendment 94C looks to broaden the definition of social work data to include education data and data concerning health, by probing what the Government mean by their definition of social work data in the Bill. Amendment 94D probes, regarding paragraph 8, the details on data processed by local authorities, by the regional health and social care boards, by health and social care trusts and by education authorities.
With Amendments 95A and 95B, I am looking for a greater understanding of what the Government mean. The wording in the Bill which these amendments would delete is quite vague. We want to understand much more what the Government are talking about here. I beg to move.
My Lords, the Bill sets new standards for protecting general data, in accordance with the GDPR, which will give people more control over use of their data and provide new rights to move or delete personal data. However, there will be occasions when it is not in the best interests of the data subject for these rights to be exercised, or where exercising them might impinge on the rights and freedoms of others. Schedule 3 considers this issue in the specific context of health, social work, education and child abuse data. It provides organisations operating in these fields with targeted exemptions where it is necessary for the protection of the data subject or the rights and freedoms of others. Importantly, much of Schedule 3 is directly imported from existing legislation.
The amendments which the noble Lords, Lord Stevenson and Lord Kennedy, have tabled focus on exemptions available for healthcare and social services providers. Let me deal first with the amendments relating to the healthcare exemptions. Amendment 93A would amend the serious harm test, in paragraph 2 of Schedule 3, by removing the reference to harm caused to other individuals. This is an important safeguard. For example, if a child informed a healthcare provider that they had been abused by a relative and then that person made a subject access request, it is obvious that disclosure could have serious consequences for the child. I am sure that this is not what the noble Lords envisage through their amendment; we consider there are good reasons for retaining the current wording. As I said earlier, these provisions are not new: they have been imported from paragraph 5 of the Data Protection (Subject Access Modification) (Health) Order 2000.
Amendments 94A and 94B would amend the exemption in paragraph 4 which allows health professionals to withhold personal data from parents or carers where the data in question has been provided by the data subject on the basis that it would not be disclosed to the persons making the request. Again, neither of these provisions is new. They too were provided for in paragraph 5 of the 2000 order and we think they remain appropriate.
Amendment 94A relates to situations where the personal data is withheld from a person acting on behalf of somebody who cannot manage their own affairs. It would make it clear that this provision applies only in relation to persons who are adjudged to lack capacity under the Mental Capacity Act 2005. The important thing here is not the status of the data subject per se, but the requester’s relationship to the data subject: this paragraph addresses cases where the requester is not the data subject, but is in a position to make subject access requests on the data subject’s behalf. That is why it is framed as it is. We do not feel this amendment is necessary as the Bill already provides that the carer should have been appointed by a court to manage the person’s affairs. I also note in passing that these provisions of the 2005 Act apply to England and Wales only.
Amendment 94B would delete sub-paragraph 2(a) which provides that the data should not be disclosed to the parent or carer if it were provided by the patient in the expectation that it would not be disclosed to that person. Removing this provision could reduce the protection that is available for children and ultimately make them less willing to tell healthcare professionals about things they would not want their parents or carers to hear—for example, complications suffered following female genital mutilation or details about a pregnancy.
Amendments 94C, 94D, 95A and 95B relate to social work exemptions. It is worth recalling that social services records will often contain information from a wide range of sources—for example, schools, doctors, the police or the probation service. Social services are likely to have similar considerations to healthcare professionals when deciding whether to disclose personal data in response to subject access requests. Disclosures to individuals purporting to act on behalf of data subjects could have particularly damaging effects in cases of domestic abuse.
Paragraphs 7 and 8 of Schedule 3 define the meaning of “social work data” and list various social work functions for the purposes of these provisions. Amendment 94C would amend the definition of “social work data” by deleting paragraph 7(1)(b). This paragraph confirms that social work data does not include education data or data concerning health which are dealt with in other parts of the schedule. Given the separate provision in this schedule for the processing of health and education data, we think this provides helpful clarification.
Amendments 94D, 95A and 95B would amend the list of social services functions in paragraph 8 of the schedule. Amendment 94D would amend paragraph 8(1)(a) by removing references to functions conferred on social services providers under the Local Authority Social Services Act 1970 or the Social Work (Scotland) Act 1968. These Acts list a wide range of social services functions, including protecting the welfare of young people, the elderly, the disabled and those suffering from mental health difficulties. Again, there are strong arguments for including them.
Amendment 95A would amend paragraph 8(1)(k) by removing the ability of the Secretary of State or the Department of Health in Northern Ireland to designate voluntary organisations which can carry out social services functions similar to those carried out by a local authority. Amendment 95B would amend paragraph 8(1)(m) by removing the reference to NHS bodies that exercise functions similar to those carried out by the local authority. However, I stress that none of these provisions is new and that they were imported from paragraph 1 of the schedule to the Data Protection (Subject Access Modification) (Social Work) Order 2000. Given current trends in health and social care delivery, we believe that they are still necessary requirements and can see no benefit in their removal. I urge the noble Lord to withdraw his amendment.
My Lords, I thank the noble Baroness, Lady Chisholm of Owlpen, for that full response to this group of amendments. As I said, they were only probing amendments to get the response that we have received from the Minister this afternoon, just so that we could see what is behind the Government’s proposals. I accept that in large part they are carried forward from existing legislation and I am therefore happy to withdraw my amendment.
Amendment 93A withdrawn.
94: Schedule 3, page 140, line 35, at end insert—
“(ea) the Sheriff Court Adoption Rules 2009;”
Amendment 94 agreed.
Amendments 94A to 94D not moved.
95: Schedule 3, page 142, line 43, after “1970” insert “or the Social Services and Well-being (Wales) Act 2014”
Amendment 95 agreed.
Amendments 95A and 95B not moved.
Amendments 96 to 102
96: Schedule 3, page 146, line 4, at end insert—
“(ea) the Sheriff Court Adoption Rules 2009;”
97: Schedule 3, page 147, line 19, leave out “governing body” and insert “proprietor”
98: Schedule 3, page 147, line 28, leave out paragraph (b) and insert—
“(b) an Academy school;(c) an alternative provision Academy;(d) an independent school that is not an Academy school or an alternative provision Academy;(e) a non-maintained special school.”
99: Schedule 3, page 147, line 35, leave out from “1998),” to end of line 36 and insert—
“(ii) an Academy school,(iii) an alternative provision Academy,(iv) an independent school that is not an Academy school or an alternative provision Academy, or(v) a non-maintained special school,”
100: Schedule 3, page 147, line 38, leave out “governing body” and insert “proprietor”
101: Schedule 3, page 147, line 43, leave out from “paragraph” to end of line 44 and insert “—
“independent school” has the meaning given by section 463 of the Education Act 1996;“local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);“non-maintained special school” has the meaning given by section 337A of that Act;“proprietor” has the meaning given by section 579(1) of that Act.”
102: Schedule 3, page 149, line 43, at end insert—
“(ea) the Sheriff Court Adoption Rules 2009;”
Amendments 96 to 102 agreed.
Schedule 3, as amended, agreed.
Schedule 4: Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment
Amendments 103 to 106
103: Schedule 4, page 152, line 6, leave out paragraph (d)
104: Schedule 4, page 153, line 31, leave out “, or rules with equivalent effect replacing those rules”
105: Schedule 4, page 153, line 44, leave out “, or rules with equivalent effect replacing those rules”
106: Schedule 4, page 153, line 47, leave out “, or rules with equivalent effect replacing those rules”
Amendments 103 to 106 agreed.
Schedule 4, as amended, agreed.
Clause 15: Power to make further exemptions etc by regulations
Amendments 106A to 107 not moved.
Amendment 108 had been retabled as Amendment 106B
Amendment 108A not moved.
108B: Clause 15, page 9, line 14, at end insert—
“( ) Regulations made under this section may not amend, repeal or revoke the GDPR after the United Kingdom leaves the EU.”
I am delighted to move Amendment 108A, which is an extremely important amendment. No, it is not—Amendment 108B is. If noble Lords want to know, this has not been a good day so far. I attended a wonderful memorial service for Lord Joffe, at which many noble Lords were present, and which was a moving and grand experience—so moving that I left the church without my bag, which contained all my possessions: my keys, wallet and everything else. I then spent most of the time until about five minutes ago worrying about that and not concentrating as I should have done on the important business of the House. This has a happy ending. Somebody found the bag, did not hand it in, took it home, thought it belonged to the other Lord Stevenson, the noble Lord, Lord Stevenson of Coddenham, spent four hours trying to find him, and eventually decided that it belonged not to him but to me. I now have my bag back and I feel much better.
I thank your Lordships.
Amendment 108B would prevent regulations under this section being used to amend, repeal or revoke the GDPR after Brexit. This may seem a rather tough charge to lay at the Government’s door. However, concerns about adequacy after Brexit will be so important that it may be in the Government’s best interest to ensure that the Bill contains no hint that the GDPR after Brexit, which will be the responsibility of this Parliament and this Parliament alone, could be amended simply by secondary legislation. If the Government follow this argument they will see that it has a symmetry behind it that encourages the approach taken here, in that when we are a third party and need to rely on an adequacy agreement the GDPR will be seen to be especially ring-fenced.
I will also speak to the other amendments in this group, two of which come from recommendations on delegated legislation made by your Lordships’ House. Amendment 110B is about replacing the current requirement for a negative procedure with a requirement for an affirmative one. In order to explain that, it is probably best if I quote from the report itself. The DPRRC took the view that the framework for the transfer of personal data to third countries should be provided on a test greater than just simply the negative procedure. This is a major issue. One possible example is if the Government were to use the argument that it was in the public interest to transfer bulk personal data held by a UK government department to the agencies of a foreign power—a remote possibility, I know. That would be of interest to the House and probably would need to be debated. The recommendation is that a change should be made from a negative to an affirmative procedure, and that is what this amendment seeks to do.
In a similar vein, the proposal to delete Clause 21 comes from the DPRRC report. The report says that the committee was,
“puzzled by the inclusion of … a suite of delegated powers … to provide by regulations for various exemptions and derogations from the obligations and rights contained in the GDPR which, as noted above, may … be exercised in respect of ‘the applied GDPR’. The memorandum fails to explain why those powers are considered inadequate, or why the Government might need to have recourse to the distinct powers in section 2(2) of the 1972 Act—which allows Ministers to make regulations”,
around EU obligations. The point is that there will be a period after Royal Assent to the Bill and when the country leaves—if it does—the EU in which it is possible that the Government will wish to make regulations. The committee assumes that this clause has been included just in case the Government decide that these powers are required. But the committee goes on to say:
“We consider it unsatisfactory that the Government should seek to take this widely drafted power without explaining properly what it might be used for”.
I therefore call on the Government to do so if it is appropriate at this time.
The final two amendments in the group, Amendments 180A and 180B, play to the same issue: that the powers, however they are finally settled, will still be wide ranging and grant the Government of the day a considerable amount of power to introduce rules by secondary legislation. In a sense, that is inevitable given the way that things are going, and we are not attacking the main principle. The question is around what safeguards would be appropriate. On these powers we think it would be appropriate for the Government to consult not only the commissioner, for which there is a provision, but the data subjects affected by the regulations. This is not a power that is currently there and we recommend that the Government consider it. I beg to move.
My Lords, I hope I will not add to the troubles of the noble Lord, Lord Stevenson, when I say that I am troubled by a couple of his amendments, Amendments 108B and 180A. The former suggests that the Government should not be permitted to,
“amend, repeal or revoke the GDPR”.
I know the Government will have responsibility for the provisions of the GDPR, but these are surely provisions for which the regulations either are or are not. They are European Union regulations, and I would not have thought the Government would have the power to amend or repeal them.
I am also confused, as so often, by the fact that we have already discussed whether Clause 15 should stand part of the Bill but are now considering an amendment to it. No doubt that is just one of the usual vagaries that leads to my confusion about the procedures of this House.
I move on to Amendment 180A, which suggests that the Secretary of State must consult not only the commissioner but data subjects. I am not sure how on earth he could find out who those data subjects were in order to consult them. Therefore, due to practical concerns, I hope the noble Lord will not press the amendment to a Division.
My Lords, I will briefly comment on Amendment 108B. Taking up the position of the noble Lord, Lord Arbuthnot of Edrom, is it not the case that if we leave the European Union, the GDPR will then become, by means of the repeal Bill, part of UK law and therefore could be changed, which is why the amendment makes sense?
However, while I agree with the argument of the noble Lord, Lord Stevenson of Balmacara, that if parts of the GDPR were amended, repealed or revoked after we have left the EU, this may affect the adequacy decision of the European Union. Presumably, if the European Union makes changes to the GDPR it would be advantageous for the Government to be able to respond quickly by means of secondary legislation to those changes to ensure that we can continue to have adequacy—that is, when the change is on the EU side rather than on the UK side. Perhaps the Minister will clarify that.
My Lords, I am thrilled that the day of the noble Lord, Lord Stevenson, has got better, and I hope that at the end of my speech it will get better still. Things are definitely looking up for the noble Lord, I hope.
I will be reasonably brief on this because we have debated other delegated powers before and much of what my noble friend Lady Chisholm said on day two of Committee holds here.
On Amendment 108B, I agree with much of what my noble friend Lord Arbuthnot said. I shall answer the noble Lord, Lord Paddick, in a different way which will address his point. The amendment would prevent the Secretary of State using the delegated power contained in Clause 15 to,
“amend, repeal or revoke the GDPR”.
I am happy to reassure the noble Lord not only that the Government do not intend to use the power in Clause 15 to amend, repeal or revoke the GDPR but that they actively cannot. As the opening line of Clause 15 describes, the power contained in it permits the Secretary of State only to,
“make provision altering the application of the GDPR”.
The noble Lord’s amendment is therefore unnecessary.
Clause 17(1)(a) would allow the Secretary of State to specify in regulations circumstances in which a transfer of personal data to a third country is necessary for an important reason of public interest not already recognised in law. Public interest is one of a number legal bases on which a controller can rely when justifying such a transfer. This is very much a backstop power. In many cases, reasons of public interest will already be recognised in law, so the power is likely to be needed only when there is a pressing need to recognise a particular but novel reason for transferring personal data as being one of public interest. We are wary of any change such as that proposed in Amendment 110B, which may hamper its exercise in emergency situations such as financial crises.
Amendment 180B seeks to amend Part 7 of the Bill to ensure that the power contained in Clause 21 cannot be exercised without consulting the Information Commissioner. The clause is a backstop power which allows the Secretary of State to amend Part 2 of Chapter 3 of the Bill—that is, the applied GDPR and associated provisions—to mirror changes made using Section 2(2) of the European Communities Act 1972 in relation to the GDPR. As I am sure we are all aware, a Bill is being considered in another place that would repeal the European Communities Act, so this power is already specific and time-limited. We are not sure what consulting the Information Commissioner before exercising it would add. However, these points notwithstanding, we are happy to consider the role of Clause 21 and Amendments 110B and 180B in the context of the Government’s response to the Delegated Powers and Regulatory Reform Committee’s recent report on the Bill.
The Government have previously committed to considering amendments substantively similar to Amendment 180A and I am happy to consider that amendment as well. However, I echo what my noble friend Lady Chisholm said about the importance of the law being able to keep up with a fast-moving field.
With those reassurances, I hope the noble Lord will feel able to withdraw the amendment.
It certainly is turning out to be my day. I am grateful to the Minister for his comments. We are perhaps anticipating a further debate that we may have to have on the basis of what the Government intend to take back to the DPRRC, but it is good to have a sense of where the thinking is going, which I am sure we will look at in a sympathetic light. Where he ended up will be an appropriate way of progressing on this point.
On the Minister’s first point in relation to Clause 15, I hesitate to ask because I know he is already burdened, but it would be helpful if he can write to me about subsection (1) because our reading of the line:
“The following powers to make provision altering the application of the GDPR”,
could not, according to what he has said, change the GDPR itself, only the way that it is applied. We may be talking only about nuances of language. Interpretations from the far north, where the noble Lord resides, down to the metropolitan south may well not survive the discussion, so I would be grateful to have something in writing. With that, I beg leave to withdraw the amendment.
Amendment 108B withdrawn.
Clause 15 agreed.
Clause 16 agreed.
Schedule 5: Accreditation of certification providers: reviews and appeals
108C: Schedule 5, page 154, line 29, after “by” insert “any relevant”
My Lords, we turn to Schedule 5, which deals with an issue covered in the Data Protection Act 1998 and comes forward again in this Bill. It relates to how the accreditation of certification providers is carried out in practice and, for a primary piece of legislation, goes into rather a lot of detail about the way reviews are carried out and appeals are heard. These are probing amendments to try to put on the record some of the issues.
Amendments 108C and 110A would ensure that documentation submitted by the applicant must be relevant to the matter to be considered by the commissioner. This is quite a widely drafted power and it would be otiose if the applicant raises issues that are not narrowly to the point.
Amendment 108D is a probing amendment into the grounds on which an applicant can bring an appeal. At the moment, all the applicant appears to have to show is that they are “dissatisfied”, which seems a rather broad way of opening up a discussion on an important issue. The word “dissatisfied” does not sound as though it will restrict the ability of people to put in submissions on this point.
Amendment 108E deals with the timing. There is a two-stage review process, each stage lasting 28 days, so it is odd that we have different timings. I would be grateful for a comment on that. I do not think there is a particular issue; perhaps the problem is the way it is expressed.
Amendment 108F deals with the very wide powers specified for the grounds to appeal against those appointed members of an appeal panel. Again, I do not see anything wrong with that, but it would be helpful to know the Government’s thinking on why the grounds are so wide: someone can simply put in an appeal and it must be heard. That would probably be rather open-ended, but it may be that there is a history of this and issues that we are not aware of.
Finally, on Amendment 110A, the arrangements for the appeal panel hearings also seem heavily specified. I wonder whether there may be a case for a slightly lighter touch and leaving it more open to the ACAS body, if that is the one concerned, to carry them through.
There are no particular issues here and we are not looking for major changes, but I would be grateful for a response. I beg to move.
If Amendment 108F is agreed to, I cannot call Amendment 109 due to pre-emption.
My Lords, I am grateful to the noble Lord for turning the attention of the Committee to the accreditation process. I recognise the intention behind his detailed amendments; namely, to reduce the administrative burden associated with requests for accreditation decisions to be reviewed and, subsequently, for the review process to be appealed. Under the new regime, both the Information Commissioner and the United Kingdom Accreditation Service will be able to accredit organisations that wish to offer a certification service for compliance with data protection legislation. Many organisations may wish to make use of certification services to support their compliance with the new law, and the accreditation process is intended to support them in choosing a provider of certification.
Schedule 5 establishes a mechanism for organisations that have applied for accreditation to seek redress against a decision made by UKAS or the Information Commissioner. The mechanism process has two elements. In the first instance, organisations can seek a review of the accreditation decision. Then, if they are unhappy with that review process, they can lodge an appeal. I share the noble Lord’s desire to minimise the administrative burden created by that review and appeal mechanism. Amendments 108C and 110A limit the documents that may be submitted when appealing. Amendment 108E reduces the time to lodge an appeal. Amendment 108F removes the ability of the appellant to object to members of the appeal panel.
I assure noble Lords that we want a fair and straightforward review and appeals mechanism. Our choice of process, time limits and other restrictions mirrors the appeals process that UKAS currently operates. That process is as provided for by the Accreditation Regulations 2009. Maintaining a consistent appeals process creates administrative simplicity and efficiency. The Government consider that the process in Schedule 5 strikes the right balance between limiting the administrative burden on the accrediting bodies, while also providing applicants with sufficient means of redress.
To add them up, there are four reasons why we feel that what is in there now works well: our choice of process, time limits and other restrictions limits the appeals process that UKAS currently operates; it maintains a consistent appeals process, which creates administrative simplicity and efficiency; it strikes the right balance between limiting the administrative burden but provides applicants with sufficient means of redress; and the accreditation process will give organisations confidence that they are choosing the right provider of certification. I hope I have addressed the noble Lord’s concerns and urge him to withdraw the amendment.
I am grateful to the Minister for her response. I think I may have slightly misled the Committee: I think I am right in saying that this is a new process, brought in by the Bill. It was not in the Data Protection Act 1998. I should have said that there is an additional reason for wanting to scrutinise it, to make sure we are looking at the right things.
I should have asked one question, to which I do not expect a response now, unless the Minister has it to hand. I notice that the national accreditation body, which has to be set up by member states because of the GDPR, is set up under another EU instrument because it is the designated body under the Accreditation Regulations 2009. I take it that they will be brought forward in the withdrawal Bill as necessary regulations for that to be provided.
As the noble Lord said, the process is new to the GDPR and not in the 1995 directive or the DPA. The GDPR requires member states to ensure that certification bodies are accredited by the ICO and/or the national accreditation body. As such, the UK Government will need to demonstrate their compliance with that requirement, which Clause 16 and Schedule 5 fulfil.
Amendment 108C withdrawn.
Amendments 108D to 108F not moved.
Amendments 109 and 110
109: Schedule 5, page 155, line 39, at end insert “appointed under sub-paragraph (3) or (4)”
110: Schedule 5, page 156, line 2, leave out “(7)” and insert “(8)”
Amendments 109 and 110 agreed.
Amendment 110A not moved.
Schedule 5, as amended, agreed.
Clause 17: Transfers of personal data to third countries etc
Amendment 110B not moved.
Clause 17 agreed.
Clause 18: Processing for archiving, research and statistical purposes: safeguards
Amendment 111 not moved.
Amendment 111A had been withdrawn from the Marshalled List.
Clause 18 agreed.
Clauses 19 and 20 agreed.
Schedule 6: The applied GDPR and the applied Chapter 2
112: Schedule 6, page 157, leave out lines 11 to 14 and insert—
“(2) But sub-paragraph (1) does not have effect—(a) in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);(b) in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.”
Amendment 112 agreed.
Amendment 112A had been withdrawn from the Marshalled List.
113: Schedule 6, page 157, line 20, leave out from beginning to ““domestic” and insert “In this paragraph,”
Amendment 113 agreed.
113A: Schedule 6, page 157, line 25, leave out paragraph 4
My Lords, in moving Amendment 113A I will speak to Amendments 114A, 118A, 119A and 121A. Schedule 6 changes references to “the Union” to “the United Kingdom” and deals with the transposition between the GDPR and the applied GDPR as and when we move beyond Brexit.
The paragraphs to which these amendments relate may be a bit confusing unless we understand the timescale under which they operate. We think that the GDPR, as originally drafted, aims to say that there should be a free flow of information between member states, creating a single market for data flows across the whole of the EU, applied irrespective of the concerns of the various national regimes. Once we leave the EU it hardly seems necessary to have such a provision because it would seem to imply we need to provide powers for data to flow within the United Kingdom. Therefore, the heart of the amendment and of part of this group is the suggestion that this is otiose. Will the Government explain what they are trying to do if it is not about the flow of data within the United Kingdom? If it is, it surely is not needed because we should not have that situation arising.
The concern is not really about whether the Bill refers to Union or domestic law, but which space we are talking about. Are we talking about the United Kingdom or parts of the United Kingdom? Will different rules apply in Jersey, Guernsey and the Isle of Man? These are all the issues that regularly come up about the United Kingdom. By focusing too narrowly on this we raise a danger that we might be overcomplicating what should be a relatively straightforward issue. I beg to move.
My Lords, it is a great pleasure to speak on these amendments, which cover the applied GDPR. Before I address them directly, it is worth recalling that the purpose of the applied GDPR is to extend GDPR standards to those additional areas of processing that are outside the scope of EU law and not covered separately in Parts 3 and 4 of the Bill. The benefit of taking this approach is that it avoids relevant controllers and processors needing to adapt their systems to two different sets of standards, or even needing to know which set of standards they should be applying. However, if the need for such analysis arises, it is crucial that the data subjects and controllers and processors are clear about their respective rights and obligations.
In such circumstances, reference to text that contains concepts that have no meaning or practical application for processing out of scope of EU law will result in confusion and uncertainty. So, while the intention of the applied GDPR is to align as closely as possible with the GDPR, Schedule 6 adapts the GDPR’s wording where necessary so that it is clear and meaningful. It is important to remember that the GDPR does not apply to such processing, so the creation of equivalent standards under UK law is a voluntary measure we are making in the Bill.
In particular, paragraph 4 of Schedule 6—the subject of Amendment 113A—replaces references to such terms as “the Union” and “member state” with reference to the UK. This simply clarifies that, unlike the GDPR itself, the applied GDPR is a UK-only document and should be read in that context. References to “the Union” et cetera are at best confusing and at worst create uncertainty for the small number of controllers whose processing is captured by the applied GDPR. Paragraph 4 provides important legal clarity to them and, of course, to the Information Commissioner. The United Kingdom in this context refers to England, Wales, Scotland and Northern Ireland only, in accordance with Clause 193.
Paragraph 8, the subject of Amendment 114A, limits the territorial application of the applied GDPR so that it is consistent with that for Parts 3 and 4 of the Bill, as set out in Clause 186, without the EU-wide, and indeed extraterritorial, application of the GDPR itself. As we have touched on in a previous debate, the applied GDPR will apply almost exclusively to processing by UK public bodies relating to areas such as defence and the UK consular services. Controllers in these situations either are in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same EU-wide or extraterritorial application as the GDPR.
Article 9.2(j) of the GDPR provides for a derogation for processing of special categories of personal data for archiving and research purposes, and references the need to comply with the safeguards set out in Article 89 when conducting such processing. The Bill makes full use of this derogation, so paragraph 12(f) of Schedule 6, the subject of Amendment 118A, tidies up the drafting of Article 9.2(j) for the purposes of the applied GDPR so that, rather than setting out the need for derogation, it refers directly to the relevant provisions in the Bill.
Paragraph 27, the subject of Amendment 119A, removes certain requirements on the Information Commissioner relating to data protection impact assessments on the grounds that those provisions exist mainly or wholly to assist the European Data Protection Board in ensuring consistent application among member states. There is clearly no need for such consistency in respect of the applied GDPR—a document which exists only in UK law—and the Information Commissioner will in any case undertake very comparable activities in respect of the GDPR itself. Paragraph 46(d), the subject of Amendment 121A, simply makes further provision to the same end, both specifically in relation to data protection impact assessments and more broadly. I hope that, with those reassurances, the noble Lord will feel able to withdraw his amendment.
I am grateful to the Minister for that very full response. I shall read it in Hansard, because there is a lot of detail in it, but I want to make sure that I have got the essence of it to help in subsequent discussions.
On Amendment 113A, I think the Minister’s argument was that the provision was mainly a tidying-up and voluntary measure which was not required by the GDPR but was being done by the Government as a matter of good practice to make sure that data controllers in particular—I suppose it would apply also to data subjects—do not have to keep worrying about how the rules might change once we get to Brexit or later. I understand that point. I think he also clarified that this was a UK mainland rather than a total-UK situation —again, it is helpful to have that clarification.
Perhaps I may ask the Minister about extraterritoriality —our second favourite word. The implication from discussion on a previous set of amendments was that the requirements under the GDPR for extraterritorial application—so that when companies are not established in the EU, they need to have a representative here—will be dropped once we leave the EU. I worry that that would make it harder for data subjects in particular to gain access to data held by data controllers from extraterritorial companies—we have one or two in mind —if a representative is not required to be in the UK. I wonder whether the Minister might reflect on that.
On Amendment 119A, I think that the Minister said that the reason for the original requirement for data protection impact assessments was to satisfy any concern that the European Data Protection Board might have that the same standards were not being applied equally in all EU countries. That is fine, and if we leave the EU, it would not apply. Am I right in assuming that the ICO effectively takes the place of the European Data Protection Board in that respect and that to some extent the question of whether comparability is operating throughout the EU is also true of the United Kingdom? Would there not be a case for maintaining the board in that case? I do not know whether the Minister wants to respond in writing or today.
Amendment 113A withdrawn.
Amendment 114 agreed.
Amendments 114A and 115 not moved.
Amendments 116 to 118
116: Schedule 6, page 158, line 38, at end insert—
“(ii) for “Article 51” substitute “Article 51 of the GDPR”;”
117: Schedule 6, page 159, line 3, at end insert—
“(28) “domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2017 Act.””
118: Schedule 6, page 159, line 33, after “9” insert “of the 2017 Act”
Amendments 116 to 118 agreed.
Amendments 118A to 119A not moved.
Amendments 120 and 121
120: Schedule 6, page 163, line 13, at end insert—
“(d) in paragraph 9, for “of this Article” substitute “of Article 45 of the GDPR”.”
121: Schedule 6, page 163, line 40, after “Act” insert “which makes certain provision about the public interest”
Amendments 120 and 121 agreed.
Amendment 121A not moved.
Amendments 122 to 124
122: Schedule 6, page 165, line 2, at end insert—
“(ba) in paragraph 3, in point (b), for “the Member State government” substitute “the Secretary of State”;”
123: Schedule 6, page 166, line 12, at end insert—
“(za) in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “under Part 5 or 6 of Schedule 2 to the 2017 Act or under regulations made under section 15 of that Act”;”
124: Schedule 6, page 166, line 14, at end insert—
“(ii) for “that Member State” substitute “the United Kingdom”;”
Amendments 122 to 124 agreed.
Schedule 6, as amended, agreed.
Clauses 21 to 23 agreed.
Clause 24: National security and defence exemption
124A: Clause 24, page 14, line 40, at end insert “where the provision is likely to prejudice the combat effectiveness of the armed forces.”
Amendment 124A, in my name and that of my noble friend Lord Stevenson of Balmacara, would amend Clause 24, which concerns national security and defence exemptions. Comparing the Bill to the 1998 Act, it appears to us that what is proposed is of a much wider scope. I would like to hear a justification from the noble Baroness, Lady Williams of Trafford, as to why we need this wider definition. If it is the noble Baroness’s contention that this is not the case, will she tell the Committee why the Government have not merely taken the words directly from the 1998 Act?
Amendment 124N does the same thing in respect of Clause 26. Amendments 124K and 148J are the same and seek to put into the Bill matters raised by the Constitution Committee. These amendments require the Secretary of State to,
“specify in regulations the grounds of appeal for proceedings under subsection (3)”.
This seems to me perfectly reasonable, giving much-needed clarity, so I hope that the noble Baroness can accept my amendments in this regard, or at least agree to reflect on them before Report. I feel that the clause as presently worded is too vague, and that cannot be a good thing when dealing with these serious matters. The amendments also require that these regulations be subject to scrutiny by both Houses of Parliament through the affirmative resolution procedure, which is an important further layer of parliamentary scrutiny.
The final amendment in my name in this group is another probing amendment. It would delete the measures which limit the power of the Information Commissioner to satisfy themselves that the obligations under Part 4 are being observed. In addition, there are amendments in the group in the names of the noble Baroness, Lady Hamwee, and the noble Lords, Lord Clement-Jones and Lord Paddick. I look forward to them explaining those further to the Committee during the debate. I beg to move.
My Lords, from these Benches we also have some concerns about the national security and defence exemption. My noble friends Lord Clement-Jones and Lord Paddick have their names to a clutch of amendments to Clauses 24 and 26, and to a replacement for Clause 25—these are Amendment 124C and so on. These amendments essentially probe what Clause 24 means and question whether the requirements for national security certificates are adequate.
My first question is: what processing is outside the scope of EU law, and so would fall within Part 2 and not within Parts 3 and 4, the parts of the Bill on law enforcement and the intelligence services? Many of these amendments were suggested to us by Privacy International and one or two by Big Brother Watch. Those who know about these things say that they do not know what certificates exist under the current regime, so they do not know what entities may benefit from Clauses 24 to 26. However, Privacy International says that in their current form certificates are timeless in nature, lack transparency, are near impossible to challenge and offer overly broad exemptions from data protection principles, and all the rights of the data subject.
My second question is: what are “defence purposes”? That phrase does not feature in the interpretation clause of the Bill. The Explanatory Notes, in referring to the 1998 Act, refer to the section about national security. Is defence not a national security matter? There are very broad exemptions in Clause 24 and Privacy International even says that the clause has the potential to undermine an adequacy decision. For us, we are not convinced that the clause does not undermine the data protection principles—fairness, transparency, and so on—and the remedies, such as notification to the commissioner and penalties.
I note that under Clause 25(2)(a), a certificate may identify data,
“by means of a general description”.
A certificate from a Minister is conclusive evidence that the exemption is, or was, required for a purpose of safeguarding national security, so is “general description” adequate in this context?
Amendment 124L proposes a new Clause 25 and is put forward against the background that national security certificates have not been subject to immediate, direct oversight. When parliamentary committees consider them, they are possibly tangential and post hoc. Crucially, certificates are open-ended in time. There may be an appeal but the proposed new clause would allow for an application to a judicial commissioner, who must consider the Minister’s request as to necessity and proportionality—words that I am sure we will use quite a bit in the next few hours—applying these to each and every provision from which exemption is sought. The Committee may spot that this could owe something to the Investigatory Powers Act.
Amendment 137P takes us forward to Part 3, the law enforcement part of the Bill. Clause 77(5) gives individuals the right to appeal against a national security certificate, but individuals will not know that they have been subject to such a national security certificate if the certificate itself takes away the specific rights which would require a controller or a processor to inform individuals that there was such a restriction in effect against them. The whole point of a right to access personal information and, on the basis of that, the right to appeal against a restriction, does not seem to us to work. The amendment provides for informing the data subject that he is a subject to a certificate.
Amendment 148C is an amendment to Part 4, which is the intelligence services part of the Bill. Clause 108 refers to an exemption being “required” for the purposes of national security. Our amendment would substitute “necessary”, which is a more objective test. I might require something to be done, but it might not be necessary. It is more subjective. Amendment 148D would—I note the irony here—require a certificate because Clause 109 seems not to require it, although the certificate itself would be conclusive. Finally, Amendment 148H is our response to the Constitution Committee, which recommended that the Government clarify the grounds of appeal for proceedings relating to ministerial certificates under Clause 109, other than judicial review. We have set out some provisions which I hope will enable the Minister to respond to the committee’s recommendation.
My Lords, I thank all noble Lords who have spoken to these amendments on the scope of the national security and defence exemptions in Parts 2 and 4 and the provisions in respect of national security certificates.
Amendments 124A, 124M and 124N relate to the exemption in Clause 24 for defence purposes. Amendments 124A and 124N seek to reinstate wording used in the Data Protection Act 1998 which used the term “combat effectiveness”. While it may have been appropriate for the 1998 Act to refer to “combat effectiveness”, the term no longer adequately captures the wide range of vital activities that the Armed Forces now undertake in support of the longer-term security of the British islands and their interests abroad and the central role of personal data, sometimes special categories of personal data, in those activities. I think that is what the noble Lord was requiring me to explain.
Such a limitation would not cover wider defence activities which defence staff are engaged in, for example, defence diplomacy, intelligence handling or sensitive administration activities. Indeed, the purpose of many of these activities is precisely to avoid traditional forms of combat. Yet without adequate provision in the Bill, each of the activities I have listed could be compromised or obstructed by a sufficiently determined data subject, putting the security, capability and effectiveness of British service personnel and the civilian staff who support them at risk.
Let me be absolutely clear at this stage: these provisions do not give carte blanche to defence controllers. Rights and obligations must be considered on a case-by-case basis. Only where a specific right or obligation is found to be incompatible with a specific processing activity being undertaken for defence purposes can that right or obligation be set aside. In every other circumstance, personal data will be processed in accordance with GDPR standards.
Amendment 124M probes the necessity of the applied GDPR’s article 9 exemption for defence purposes. Article 9 provides for a prohibition on processing of special categories of personal data. If we did not modify the application of article 9 for defence purposes, we would be hampering the ability of the Armed Forces to process certain personal data, for example, biometric data. This could have a detrimental impact on operations and other activities carried out by the Armed Forces.
I firmly believe that it is in the UK’s national interest to recognise that there may sometimes be a conflict between the individual’s right to have their personal data protected and the defence of the realm, and to make appropriate provision in the Bill to this end. I think that the noble Baroness, Lady Hamwee, asked about the publication of security certificates. National security certificates are public in nature, given that they may be subject to legal challenge. They are not secret and in the past they have been supplied if requested. A number are already published online and we will explore how we can make information about national security certificates issued under the Bill more accessible in future. She also asked about the timelessness of these certificates. They are general and prospective in nature, and arguably no purpose would be served by a requirement that they be subject to a time limitation. For example, in so far as a ministerial certificate allows the intelligence services to apply a “neither confirm nor deny” response to a subject access request, any certificate will inevitably require such a provision.
Amendments 124C, 124D, 124E, 124F, 124P and 148E seek to restrict the scope of the national security exemption provided for in Parts 2 and 4 of the Bill. I remind the Committee that Section 28 of the Data Protection Act 1998 contains a broad exemption from the provisions of that Act if the exemption is required for the purpose of safeguarding national security. Indeed, Section 28 provides for an exemption on such grounds from, among other things, all the data protection principles, all the rights of data subjects and all the enforcement provisions. Although we have adopted a more nuanced approach in the Bill, it none the less broadly replicates the provisions in the 1998 Act, which have stood the test of time. Crucially, under the Bill—as under the 1998 Act—the exception can be relied upon only when it is necessary to do so to protect national security; it is not a blanket exception.
It may assist the Committee if I provide a couple of examples, first in the context of Part 4, of why the exemption needs to be drawn as widely as it is. Clause 108 includes an exemption from Clauses 137 to 147 relating to information, assessment and enforcement notices issued by the Information Commissioner. It may be necessary for an intelligence service to apply this exemption in cases of extreme sensitivity or where the commissioner requested sensitive data but was unable to provide sufficient assurances that it would be held securely enough to protect the information.
In relation to the offence of unlawfully obtaining personal data, much intelligence work involves obtaining and then disclosing personal data without the consent of the controller. For example, if GCHQ intercepts personal data held on a foreign terrorist group’s computer, the data controller is the terrorist group. Without the national security exemption, the operation, although authorised by law, would be unlawful as the data controller has not consented. Similarly, reidentification of deidentified personal data may be a valuable source of intelligence if it can be reidentified. For example, an intelligence service may obtain from a computer a copy of a list of members of a terrorist group who are identified using code names, and from other sources the service believes that it can tie the code names to real identities.
The need for a wide-ranging exemption applies equally under Part 2 of the Bill. Again, a couple of examples will serve to illustrate this. Amendment 124C would mean that a controller processing data under the applied GDPR scheme could not be exempted from the first data protection principle as it relates to transparency. This principle goes hand in hand with the rights of data subjects. It cannot be right that a data subject should be made aware of a controller providing information to, say, the Security Service where there are national security concerns, for example because the individual is the subject of a covert investigation.
To take another example which touches on Amendment 124D, it is wholly appropriate to be able to limit the obligation on controllers under article 33 of the applied GDPR to disclose information to the Information Commissioner where the disclosure would be damaging to national security because, say, it would reveal the identity of a covert human intelligence source. As is the case under Part 4, this exemption would be applied so as to restrict the information provided to the commissioner, not to remove entirely the obligation to report appropriate details of the breach.
I hope that this has given the Committee a flavour of why the national security exemption has been framed in the way that it has. As I have indicated, the Bill’s provisions clearly derive from a similar provision in the existing Data Protection Act and are subject to the same important qualification: namely, that an exemption may be applied in a given case only where it is required for the purpose of safeguarding national security.
Amendment 137P would make publicly available national security certificates issued under Clause 77 by ensuring that everyone who is directly affected by the issuing of a certificate is informed about it. The intended effect is to make it easier for data subjects to challenge a certificate and to provide for greater transparency. As I said to the noble Baroness earlier, a number of national security certificates issued under the Data Protection Act are already publicly available—albeit that the 1998 Act provides for no formal process for this to happen. Also, anyone who believes that they are directly affected can challenge a certificate. That remains the case under the Bill.
I have some concerns about the approach taken in Amendment 137P. Where a certificate was limited to specific data in respect of one or more data subjects, the effect of the amendment could well be to alert a terrorist to the fact that they are under investigation, thereby run counter to the operation of the “neither confirm nor deny” principle and therefore undermine intelligence service operations. That said, I recognise that more can be done to publicise the existence of such certificates and will consider this further before Report.
Amendment 124L would radically change the national security certificate regime provided for in Clause 25, which is consistent with that contained in other parts of the Bill and of course with that currently provided for in the Data Protection Act 1998. It would replace the existing scheme with one which requires a Minister of the Crown to apply to a judicial commissioner for a certificate if an exemption is sought for the purposes of safeguarding national security, and for a decision to issue a certificate to be approved by a judicial commissioner.
This amendment is a wholly unnecessary, unjustified and disproportionate departure from a scheme which has been relied on under the Data Protection Act 1998 for many years and which works well. That is why it is entirely appropriate to replicate it in the Bill. In addition to creating an inconsistency within the current scheme, it would create huge inconsistency with national security certificates in the rest of the Bill. Moreover, it is important to recognise that these certificates are already subject to judicial oversight, given that they may be appealed to the Upper Tribunal.
I hope that noble Lords will recognise and accept that the national security exemption and certification provisions provided for in Clauses 24 and 25 maintain precisely the same safeguards that currently apply, which are clearly understood and work well. There is no weakening of a data subject’s rights or of the requirements that must be met before an exemption can be relied on.
Amendment 148C would require an exemption from a provision in Part 4 of the Bill to be “necessary” rather than “required”— the noble Baroness, Lady Hamwee, made that point. Although this does not appear to alter the threshold for relying on the national security exemption, it would be a change from the language used in the equivalent Section 28 of the Data Protection Act 1998, which the Bill is seeking to replicate in Clause 108. I might add that Clause 25 adopts the same language as in Clause 109. This amendment would create an unnecessary inconsistency which might only cause confusion and reduce clarity.
Amendment 148D would provide that the national security exemption provided for in Clause 108, which allows exemption from specified provision in Part 4 of the Bill, can be relied on only if a Minister of the Crown has signed a certificate under Clause 109. A certificate signed by a Minister certifies that the need for reliance on an exemption is conclusive evidence of that fact. It is not a prerequisite for the reliance on an exemption; to make it so would be operationally damaging. It would introduce delays that would be likely to significantly hamper, if not wholly frustrate, proper processing. Clearly, if processing was dependent on the issuing of a ministerial certificate, it could not proceed without one—by which time a threat that could have been identified by the processing may have crystallised into actual damage to national security.
I hope that the noble Baroness recognises that the national security exemption provisions in the Bill maintain precisely the same safeguards that currently apply and work well. They represent no weakening of a data subject’s rights or of the requirements that must be met before an exemption can be relied on.
Finally, Amendments 124K, 148H and 148J seek to clarify the grounds for an appeal against a certificate—a point raised by the Constitution Committee in its report on the Bill. I hope that I can persuade noble Lords that these amendments are similarly unnecessary. In applying judicial review principles when considering an appeal under Clause 109, the tribunal would already be able to consider a wide range of issues, including necessity, proportionality and lawfulness—enabling, for example, the tribunal to consider whether the decision to issue the certificate was reasonable, having regard to the impact on the rights of data subjects and balancing against the need to safeguard national security. As a result, the matters mentioned in Amendment 148H would already be covered by the existing drafting of Clause 109.
I apologise for the lengthy explanation of the Government’s views on these amendments, but I hope noble Lords will feel free not to press them.
My Lords, the Minister has just proved a point that I made to a colleague who asked me whether I could explain all my amendments, and I said, “If I don’t, the Minister will”. Let us see what the Constitution Committee has to say, as I take its concerns seriously. To dispose of one small point, I accept what she says about the “timelessness”, which I think was the word she used, of certificates. I accept that some must always apply, but perhaps it is a point that the Government can take into account when thinking about publication of certificates whose relevance has—“expired” is probably the wrong term—passed.
I am still concerned about what is meant by “defence purposes”. The Minister referred to civilian staff. I cannot remember what the object was in the sentence, but we all know what she means by civilian staff. To take a trite example, can the Minister confirm that in “defence purposes”, we are not talking about records of holiday leave taken by cleaners, secretaries and so on working in the Ministry of Defence? “Defence purposes” could be read as something very broad. I will not ask the Minister to reply to that now, but perhaps I can leave the thought in her head.
Finally, I do not think that the right of appeal provides the same protection as applying oversight from the very start of the process. We have had that debate many times, but I shall leave it there for now. There is quite a lot to read, so I am grateful to the Minister for replying at such length.
My Lords, I thank the Minister for her response, which was very detailed. It was helpful to the House to get it on record. These are serious matters. The rights of the data subject must be protected, but equally there are issues of national security, and we must get that balance right. The House has been assured that we will get the balance right, which is an important part of our work here today. I am very pleased with the detailed response, and I have no issue with it whatever.
I shall read Hansard again tomorrow, as these are very serious matters, to fully take in all that the Minister has said. At this stage, I am happy to withdraw my amendment.
Amendment 124A withdrawn.
Amendment 124B had been withdrawn from the Marshalled List.
Amendments 124C to 124F not moved.
Amendments 124G to 124J had been withdrawn from the Marshalled List.
Clause 24 agreed.
Clause 25: National security: certificate
Amendments 124K and 124L not moved.
Clause 25 agreed.
Clause 26: National security and defence: modifications to Articles 9 and 32 of the applied GDPR
Amendments 124M to 124P not moved.
Clause 26 agreed.
Clause 27 agreed.
Clause 28: Meaning of “competent authority”
124Q: Clause 28, page 17, line 27, after “Schedule 7” insert “to the extent that the person has functions for any of the law enforcement purposes”
I shall speak to Amendment 124Q and to a number of amendments in this group. I start with a general point. The number of amendments that we have tabled to Part 3 in particular, but also to Part 4, might suggest considerable opposition to the Bill, but I reassure the Committee that that is not the case. We are on a probing mission generally. We have some serious objections but, in general, we support where the Bill is going.
The probing in many cases is because of the language used. It is about the different uses of language in EU and UK legislation, and how language is used when something is transposed, to use the term non-technically, into UK law. There are different traditions; laws develop in different ways. I might sum it up by saying that it is a matter of style, but the style may have an impact on the meaning. That is why we are using the fact that the Bill has started in this House, where we have a tradition of reading every word and questioning every other word, to get on the record some of the things that we have identified as being helped by explanation.
This group is about definitions. Amendment 124Q would limit “competent authorities”, as they are defined and listed, to the extent of their law enforcement functions. I mentioned just now staff who work at the Ministry of Defence but do not have jobs that come remotely close, in themselves, to defending the country, although they support those who do. It occurred to me that police forces similarly, even if it is above that kind of administrative level, deal with more than law enforcement, if there are still enough coppers around. Prevention work in schools is one example. Then there is dealing with internal human rights—I beg noble Lords’ pardon, I mean human resources—records. I use the acronym HR too often.
The parties to a collaboration agreement are not necessarily policing bodies or even public sector bodies, which fall within these provisions. Criticising my own amendment, I wondered if it would be confusing to have different regimes applying to different activities—the law enforcement ones on one hand and the others on the other—but there are similar distinctions elsewhere in the Bill.
Amendment 124R would make the same point about law enforcement purposes applying to persons added by the Secretary of State to the list. Amendment 124S amends Schedule 7, which lists competent authorities including UK government departments, Scottish Ministers—and Welsh, once one has taken into account amendments which will no doubt be moved formally shortly—and Northern Ireland departments. The point is the same, really: to probe why this is not confined to law enforcement purposes, because clearly those authorities deal with much wider matters.
Amendment 127A would add police and crime commissioners as competent authorities. They have no operational powers, but they have responsibility for crime prevention. They might want to undertake research into the effectiveness of various measures, including individual cases of offending and disposal—is this covered elsewhere?
Amendment 129A would remove from the list of competent authorities contractors in the prison system, youth offending institutions and secure training centres, contractors who undertake prisoner escort arrangement, and persons responsible for electronic monitoring. I am not sure whether the last is within the same category, I suppose it depends how we interpret “responsible”, but the thrust of this amendment is to ask whether contractors’ data fall or should fall within Part 3 of the Bill.
We will all be aware of—let me put it very gently—doubts over the competence and security of and quality of the work done by some contractors; there have been some very bad experiences. In some cases, depending on the corporate structure of the contractor, a number of its arms may fall within these paragraphs. I suppose it depends whether they have several separate subsidiaries or whether different activities are within a single company.
Amendments 129B to 129F take us back to Clause 31. The definition of “profiling” refers to the use of data to evaluate,
“certain personal aspects … in particular … aspects concerning”,
individuals. These all seem to raise issues, hence our list of amendments, although I realise that they largely reflect the wording of the law enforcement directive, which takes me back to the points I made in opening. Profiling is very sensitive, so its definition needs to be very precise. That is why we are suggesting leaving out “certain”, which suggests that there are more things than are listed, especially when the purposes are “in particular”, indicating that this is not an exhaustive list. I thought that the term “attributes” was narrower than “aspects”.
The last of the group is a converse argument—I am probing of course. Behaviour, location and movement may be relevant to crime prevention and detection, but are performance at work, reliability and so on relevant? Not obviously so to me. I beg to move.
My Lords, the noble Baroness’s clarification of these probing amendments is very helpful. As we have heard, a competent authority in this context of the Bill means a person as specified in Schedule 7, to the extent that the person has functions for law enforcement purposes.
Amendments 124Q and 124R would add useful clarifications that the persons listed in Schedule 7 come under the same classification as “any other person” referred to in Clause 28(1)(b) and the persons listed in Clause 28(3)(b). That would be a useful clarification in the Bill.
I do not support Amendment 124S in the name of the noble Baroness, Lady Hamwee, but support the three government amendments in the name of the noble Lord, Lord Ashton of Hyde. As I say, I do not support Amendment 124S, which makes the case for Amendments 124Q and 124R even more important.
I support the amendment that would add police and crime commissioners to the schedule, and the other amendments in the group which would widen the definitions, as that would be very useful. I look forward to the noble Baroness’s response to the points that have been raised.
The co-pilot is in charge of this leg of the legislative journey, so there may be some turbulence.
I am very grateful to the noble Baroness for her explanation of these amendments. I particularly welcome what she said at the beginning of her remarks—namely, that these were probing amendments designed to improve the style. We are all in favour of improving style. Having read previous Hansards, I know that there has been broad cross-party support for the Bill’s provisions, particularly this part of it. I know that the Liberal Democrat Benches are particular enthusiasts for enshrining in UK law the provisions of the EU law enforcement directive.
As the noble Baroness has indicated, this group of amendments relates to the definition of various terms used in Part 3, including that of a competent authority and the meaning of “profiling”. I also welcome the contribution of the noble Lord, Lord Kennedy, in support of some of the amendments.
The scope of the law enforcement processing regime is provided for in Part 3 of the Bill. Unlike Part 4, which applies to all processing of personal data by the intelligence services, the scheme in Part 3 is purpose-driven. The Part 3 scheme applies to processing by competent authorities, as defined in Clause 28, for any of the law enforcement purposes, as defined in Clause 29. This approach is clear from a reading of Part 3 as a whole. For example, each of the data protection principles in Clauses 33 to 38 refers to processing for any of the law enforcement purposes.
The definition of a competent authority needs to be viewed in that context. Competent authorities will process personal data under the scheme in Part 3 only where such processing is for one of the law enforcement purposes. If they process data for another purpose, as the noble Baroness indicated—for example, for HR management purposes—the processing would be undertaken under either the GDPR or applied GDPR scheme, as the case may be. That would be the default regime. I am not sure there is a case for yet another regime on top of the two we already have. As paragraph 167 of the Explanatory Notes to the Bill makes clear, a government department will be a competent authority for the purposes of Part 3 only to the extent that it processes personal data for a law enforcement purpose. For example, where DWP processes data in the course of investigating criminal offences linked to benefit fraud, it will do so as a competent authority.
The approach we have taken in Schedule 7 is to list all the principal law enforcement agencies, including police forces, prosecutors and those responsible for offender management, but also to list other office holders and organisations that have law enforcement functions supplementary to their primary function. For example, the list in Schedule 7 includes some significant regulators. We should remember that the definition of “law enforcement purposes” includes the “execution of criminal penalties”, as set out in Clause 29. That being the case, it is entirely appropriate to list contractors providing offender management services. I hope this explanation deals with Amendment 129A. As I explained a moment ago, where such contractors process data for a non-law enforcement purpose—again, an example given by the noble Baroness—they will do so under the GDPR or applied GDPR scheme.
Schedule 7 is not, and is not intended to be, a wholly exhaustive list, and other organisations with incidental law enforcement functions will come within the scope of the definition of a competent authority by virtue of Clause 28(1)(b). Police and crime commissioners, to which Amendment 127A relates, may be a case in point, but if they process personal data for a law enforcement purpose, they will do so as a competent authority by virtue of Clause 28(1)(b). The government amendments in this group should be viewed against that backdrop.
Since the Bill was introduced, we have identified a number of other organisations that it would be appropriate to add to the list in Schedule 7, and Amendments 125, 126, 128 and 129 are directed to that end. Government Amendment 127 modifies the existing entry in respect of the independent office for police conduct in recognition of the fact that under the reforms we are making to the Independent Police Complaints Commission, the director-general will be the data controller of the reformed organisation.
The amendments to Clause 31 all seek to amend the definition of profiling. First, Amendment 129C seeks to include “attributes” in the definition of profiling, which currently refers to “aspects”. The existing wording reflects the terminology used in the LED, which is clear. In any event, the two words do not differ much in substance, so little is gained by the proposed addition.
In Amendment 129B and Amendments 129D to 129F the noble Baroness seeks to widen the definition of profiling so that it is not restricted to “certain” areas of profiling or to the aspects listed. However, the personal aspects itemised in the definition are not intended to act as an exhaustive list, and the inclusion of the words “certain” and “in particular” do not have this effect. The list refers to those aspects considered of most importance to profiling. Again, for these reasons, these amendments are not necessary. I think the noble Baroness conceded that we were simply replicating the existing terminology.
I hope I have been able to reassure her on these points and that she will be content to withdraw her Amendment 124Q and support the government amendments.
My Lords, to take that last point about certain areas of profiling first, obviously I did not make myself clear, as I want the opposite of what the Minister read me as wanting. I want to be clear that I do not want to leave areas for doubt, so I sought to restrict rather than to extend.
On police and crime commissioners, I am a little baffled as to why, if so many other organisations which have some functions that are about law enforcement are included, police and crime commissioners should be left to rely on Clause 28(1)(b) rather than being included specifically.
Finally, yes, we are enthusiasts for incorporating the directive. We want to be clear that the incorporation works. Should I talk for another moment or two in case a message is coming? There was a thumbs up to that suggestion. We are great enthusiasts for certain things that the EU is proposing—I am being a little flippant and this will read terribly badly in Hansard. As I said at the start, all this is so that we may be assured—and this is the stage at which to do it—that what is being incorporated works in the way that reading the words as a sort of narrative suggests.
Amendment 124Q withdrawn.
Amendment 124R not moved.
Clause 28 agreed.
Schedule 7: Competent authorities
Amendment 124S not moved.
Amendments 125 to 127
125: Schedule 7, page 168, line 13, leave out paragraph 3 and insert—
“3_ Any Northern Ireland department.”
126: Schedule 7, page 168, line 13, at end insert—
“3A_ The Welsh Ministers.”
127: Schedule 7, page 168, line 36, after “The” insert “Director General of the”
Amendments 125 to 127 agreed.
Amendment 127A not moved.
Amendments 128 and 129
128: Schedule 7, page 169, line 4, at end insert—
“20A_ The Welsh Revenue Authority.20B_ Revenue Scotland.”
129: Schedule 7, page 169, line 9, at end insert—
“25A_ The Competition and Markets Authority.25B_ The Gas and Electricity Markets Authority.25C_ The Food Standards Agency.25D_ Food Standards Scotland.25E_ Her Majesty’s Land Registry.”
Amendments 128 and 129 agreed.
Amendment 129A not moved.
Schedule 7, as amended, agreed.
Clauses 29 and 30 agreed.
Clause 31: Other definitions
Amendments 129B to 129F not moved.
Clause 31 agreed.
Clause 32: Overview and general duty of controller
129G: Clause 32, page 19, line 17, leave out “and fair” and insert “, fair and transparent”
My Lords, this group of amendments is about data protection principles. Our Amendments 129G and 129H would add transparency to the requirements of lawfulness and fairness for processing. Here, the directive is again being reflected, but why, since transparency is a requirement in the case of the intelligence services? I confess that I found this counterintuitive. I might have expected the services to have an argument against transparency because of the very nature of what they do, but not so law enforcement—at least, not so much.
Amendment 129J enables me to ask, as I did at Second Reading, why some activities are “strictly necessary” and others merely “necessary”. This arises in several places and this is the first example, although for good measure my Amendment 133ZJ seeks to add “strictly” to another of these—I am not sure that it was my best choice, but there you go. The point is that “strictly” calls into question just how necessary something that does not attract the term is. This may be an example of adopting language used in other legislation and directives without it having been considered in the context of UK legislation.
The Minister used the example of our seeking in the first group of amendments on these parts to change a term used in current legislation. I take that point, because it opens up a question as to whether there is any distinction. The point I am making about terminology is not a million miles away from that.
Amendment 130A concerns the scope for the Secretary of State to amend Schedule 8 by regulations. That schedule sets out the conditions for “sensitive processing”—in other words, when that processing is permitted. Should the Secretary of State be able to add circumstances when it is permitted, or to vary the schedule, omitting items from the schedule by regulations would fulfil the objective of protecting the data subject. That is very different from “adding” or “varying”.
Amendment 133ZB deals with another instance of different legislative styles. In Clause 34(1), the law enforcement purpose must be “legitimate”—an interesting term when applied to law enforcement. I suggest as an alternative “authorised by law”, a term used later in the clause, in order to probe this. In not very technical language “legitimate” suggests something wider than legal. It has elements of logic and justification and might import the notion of balance. The term comes from not only the GDPR but the 1995 directive—so there is a history to this—and there are many examples of the accepted meaning of “legitimate” in EU law. However, I am concerned about how we interpret the term and apply it in the UK. Looking to the future, what will happen when we are cut adrift from the European Court of Justice? Presumably we will have to rely on the development of case law in the UK and the different UK jurisdictions. It is worth thinking about how this may be dealt with as we go forward.
On Amendment 133ZD, under Clause 36(3) a clear distinction needs to be made “where relevant”—the amendment would delete this—as far as possible between data relating to different categories of data subject. I do not see what “where relevant” means in this context. It begs the question of whether or not something is relevant and whether the provision is applicable.
Amendment 133ZE applies to Clause 36(4), which deals what must be done—or, rather, not done—with inaccurate, incomplete or out-of-date data, which must not be “transmitted or made available”. That is the phrase used and my amendment probes the question of why the term “disclosed” is not used. There is a definition of “processing” in Clause 2, which includes,
“disclosure by transmission, dissemination or otherwise making available”.
In other words, “disclosed” would cover everything.
Amendment 133ZK relates to Clause 40, which deals with the controller having an appropriate policy document. Under that clause, the controller must make the document available to the Information Commissioner. Is it not a public document? Should it not be published? The amendment proposes that it should be. I beg to move.
My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation —affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
My Lords, as the noble Baroness, Lady Hamwee, said in her opening remarks, the amendments in this group relate to the data protection principles as they apply to law enforcement processing.
I will deal first with the amendments in the name of the noble Baroness, Lady Hamwee, before moving on to the others. Amendments 129G and 129H would add a requirement that processing under Part 3 be transparent as well as lawful and fair, thus mirroring the data protection principles set out in Parts 2 and 4 of the Bill. There is a very simple explanation for the difference of approach. The GDPR and the Council of Europe Convention 108, on which the provisions of Parts 2 and 4 are based, are designed for general processing. Therefore, it is wholly appropriate in that context that the processing of personal data should be transparent. Of course, that data protection principle, as with certain others, will apply subject to the application of the exceptions provided for in Parts 2 and 4, including where necessary to safeguard national security. At first glance, I accept that it might seem odd that Part 4 of the Bill, which relates to processing by the intelligence services, contains a requirement for transparency, but the provisions in Part 4 must be compliant with the modernised Convention 108. As I have said, that data protection principle will operate subject to the application of the exceptions provided for in that part.
In contrast, Part 3 of the Bill reflects the provisions of the law enforcement directive, which is designed to govern law enforcement processing; in this context, it is appropriate that the transparency requirement should not apply. A requirement that all such processing be transparent would, for example, undermine police investigations and operation capabilities. That is not to say that controllers under Part 3 will not process data transparently where they can, and Chapter 3 of this part imposes significant duties on controllers to provide information to data subjects.
Amendments 129J and 133ZJ are not about a popular Saturday night television programme, but about the significance of the word “strictly” in the context of Clause 33(5). Our approach here, and elsewhere, has been to copy out the language of the law enforcement directive wherever possible. Article 10 of the LED uses the phrase “strictly necessary”. The noble Baroness asked whether references in Part 3 to “necessary” and “strictly necessary” should be interpreted differently. That must be the case: “strictly necessary” is a higher threshold than “necessary” on its own.
Amendment 130A brings us back to the report of the Delegated Powers and Regulatory Reform Committee, which was the subject of some debate on day two of Committee. As the noble Baroness, Lady Chisholm, indicated in response to that debate, we are carefully considering the Delegated Powers Committee’s report and will respond before the next stage of the Bill.
Amendment 133ZB would replace the term “legitimate” in Clause 34—which establishes the second data protection principle—with the phrase “authorised by law”. I do not believe that there is any material difference between the two terms. Moreover, “legitimate” is used in both the GDPR and the LED, so for that reason we should retain the language used in those instruments to avoid creating legal uncertainty.
The noble Baroness asked about ECJ case law, post Brexit. The European Union (Withdrawal) Bill sets out how judgments of the Court of Justice of the European Union are to be treated by domestic courts and tribunals after exit day. Clause 6 of that Bill draws a distinction between pre-exit and post-exit CJEU case law. Domestic courts and tribunals are not bound by post-exit case law but may have regard to it if they consider it appropriate. In contrast, pre-exit case law is binding on most domestic courts and tribunals in so far as it is relevant to questions pertaining to retained EU law. The Supreme Court and, in some circumstances, the High Court of Justiciary are, however, not bound. They may depart from pre-exit CJEU case law by reference to the same test that applies when they decide whether to depart from their own case law.
Amendment 133ZD seeks to strike out the reference to “where relevant” in Clause 36(3), which requires a controller to make a distinction between different categories of data subjects, such as suspects, convicted offenders and victims. There may well be a case where it simply would not be relevant for a controller to draw such a distinction. If a controller processes data in respect of only one of the categories of data subject, there is evidently no need for this provision.
Amendment 133ZE seeks to simplify the drafting of Clause 36(4). I do not believe the definitions in Clause 2 support the case for this amendment. Clause 2 defines processing, which includes disclosure, but it does not provide a general definition of disclosure, so it is preferable to retain the language in Clause 36(4).
Amendment 133ZK would introduce a requirement on controllers to publish their policy documents relating to sensitive processing. Such policy documents may contain operationally sensitive information that could well be damaging if published. Given this, scrutiny of such documents by the Information Commissioner, where necessary, provides an appropriate safeguard.
I turn to the amendments tabled by the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson. Amendment 133ZA would remove archiving from the list of conditions for processing sensitive data. Law enforcement agencies often archive data for public protection purposes. However, it is right that sufficient safeguards should be in place, particularly concerning sensitive data. The Bill achieves this by permitting archiving only where it is necessary.
The noble Lord asked in what circumstances archiving would be carried out for a purpose connected with law enforcement processing. It may be necessary where, for example, a law enforcement agency needs to review historical offences, such as allegations of child sexual exploitation. On this occasion, data have been processed for the purposes of reviewing the approach taken in child abuse cases investigated decades previously.
I am grateful to the noble Baroness for that example. I could have used scientific or historical research. Again, I am not entirely clear why these are law enforcement categories. The general ability to take a derogation relating to either of the items listed is well spelled out in the schedule, but I was trying to address the narrow formulation of that in a law enforcement category. The particular example is fine and it is possible that could be right, but I do not think it applies across science, historical or statistical research. Does it?
It may do if it pertains to law enforcement purposes, but we may be dancing on the head of a very small pin. Perhaps I could come back to the noble Lord, but where it overlaps into the law enforcement sphere I would think it relevant. However, I will write to him to clarify and confirm my thoughts on that.
The noble Lord also asked about retention of data. I am not sure that was on this amendment, but he is right that it is not—
Okay, I will carry on to Amendment 133ZC, which seeks to require that further processing for law enforcement purposes must have a statutory basis. This would prevent further processing in circumstances that are lawful but not provided in statute. It cannot be in the public interest to unduly restrict the use of data that could assist law enforcement to carry out its legitimate functions.
Amendment 133ZF would remove the law enforcement qualification from Clause 36(4). Its purpose appears to be to ensure that inaccurate data cannot be processed irrespective of whether it is for a law enforcement purpose. For processing other than for a law enforcement purpose, the controller must apply Part 2 of the Bill. Also with reference to Clause 36, Amendment 133ZG would insert a requirement that inaccurate data must be erased if it is not corrected. I understand exactly why this might be a fitting addition. However, it will not always be appropriate for law enforcement where data may form part of a criminal case. For instance, it may be important for evidential reasons for data to be kept unaltered. Inaccurate information could also be evidence of perjury or perverting the course of justice.
Amendment 133ZH would require the controller to have in place a document outlining their retention policy, which would have to be made available to the Information Commissioner on request. Clause 42 already provides safeguards, including a duty to inform the subject about the period for which the data will be stored or the criteria used to determine the period. Moreover, in the policing context, there are policy documents already published that cover this ground, such as the College of Policing manual on the management of police information.
Finally, I will deal briefly with the three government amendments in this group, Amendments 131, 139 and 140, for which the noble Lord has stated his support. They relate to Schedules 8, 9 and 10, which set out a number of conditions, at least one of which must be met, where a law enforcement agency processes sensitive personal data, or one of the intelligence services processes any personal data. They clarify that any processing is lawful for the purposes of the exercise of a function conferred on a person by a rule of law as well as by an enactment. This is consistent with the existing scheme under the Data Protection Act 1998.
In the case of the police, the processing of personal data is, in some instances, undertaken utilising common-law powers in pursuit of their function to prevent crime. One such example is the operation of the domestic violence disclosure scheme, or Clare’s law. Under that scheme, a police force may disclose information to a person about a previous violent and abusive offending behaviour of their partner when he or she was in a previous relationship. It is vital that the police can continue to protect people by disclosing sensitive personal information using their common-law powers.
Amendments 139 and 140 to Schedules 9 and 10 respectively ensure consistency of approach across Parts 3 and 4 of the Bill.
To go back to the point about retention of data and the noble Lord’s point about reviewing whether data are still required, appropriate action should follow such a review. The fifth data protection principle makes this clear. If data are no longer required they should be deleted. I am not entirely sure which amendment that refers to, but I hope some of the explanations I have given will ensure that noble Lords and the noble Baroness are content not to press their amendments.
I am very grateful for the late intelligence that came across on the point about withdrawal. The issue was not that there is not sufficient power in the Bill—there is, we accept that—but just that there seems to be an unfortunate separation between the need periodically to review the length of time for which the data is held and the fact that, when a decision has been arrived at, the data is no longer required. There seems to be no prod to remove the data that should be removed. I understand the point made earlier by the Minister that some data, although wrong, should be kept, but that was not the point I was making. However, I think we can deal with this outside the Chamber.
My Lords, without wanting to appear ungrateful, I am very troubled by some of what we have heard about the incorporation of language used in the law enforcement directive and in the modernised 108. Simply to reflect that language, incorporate it into our primary legislation and cause confusion thereby does not seem to be a very good way to proceed. My questions about the difference between “strictly necessary” and “necessary” illustrate this well. To be told that “necessary” is a lower threshold than “strictly necessary”—which is certainly how I would read it—calls into question how necessary something which is necessary really is.
We will have to come back to this—it may be something that we can discuss outside the Chamber before Report. I wonder whether I should threaten to unleash my noble friend Lord Lester of Herne Hill—that might be enough to lead us to a resolution, but I have not consulted him yet. However, I am troubled, because we are in danger of doing a disservice to the application of these important provisions. For the moment, of course, I beg leave to withdraw the amendment.
Amendment 129G withdrawn.
Clause 32 agreed.
Clause 33: The first data protection principle
Amendments 129H to 130A not moved.
Clause 33 agreed.
Schedule 8: Conditions for sensitive processing under Part 3
Amendments 131 to 133
131: Schedule 8, page 170, line 20, at end insert “or rule of law”
132: Schedule 8, page 170, line 28, leave out from “processing” to end of line 30 and insert “—
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),(b) is necessary for the purpose of obtaining legal advice, or(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
133: Schedule 8, page 170, line 30, at end insert—
“4A_ This condition is met if the processing is necessary when a court or other judicial authority is acting in its judicial capacity.”
Amendments 131 to 133 agreed.
Amendment 133ZA not moved.
Schedule 8, as amended, agreed.
Clause 34: The second data protection principle
Amendments 133ZB and 133ZC not moved.
Clause 34 agreed.
Clause 35 agreed.
Clause 36: The fourth data protection principle
Amendments 133ZD to 133ZG not moved.
Clause 36 agreed.
Clause 37: The fifth data protection principle
Amendment 133ZH not moved.
Clause 37 agreed.
Clause 38 agreed.
Clause 39: Safeguards: archiving
Amendment 133ZJ not moved.
Clause 39 agreed.
Clause 40: Safeguards: sensitive processing
Amendment 133ZK not moved.
Clause 40 agreed.
Clause 41 agreed.
Clause 42: Information: controller’s general duties
133ZL: Clause 42, page 24, line 12, at end insert—
“( ) The controller must without undue delay inform each data subject that he is (or, as the case may be, is again) a data subject.”
My Lords, Amendment 133ZL is an amendment to Clause 42. Clause 43 deals with a data subject’s right of access. The onus is on the data subject to ask whether their personal data is being processed. If so, they have a right of access, although there are provisions about restrictions and the controller must tell them.
We have already touched on how you know that you are a data subject. The amendment would place an obligation on the controller to tell you. I appreciate that there would be considerable practical considerations. However, in a different context, time and again during the passage of the Bill we have heard noble Lords express surprise about what organisations know about each of us. It is irritating when it is a commercial organisation; it is a different matter when it is a law enforcement body.
Amendment 133ZM is a way of asking why the information to be given to a data subject under Clause 42(2) is limited to “specific cases”. Is this is a bit of the narrative style that I referred to earlier? Restrictions are set out later in the clause. What are the specific cases to which the controller’s duties are restricted? Should there be a cross-reference somewhere? The term suggests something more—or maybe something less—than the clause provides.
Amendment 133ZN takes us to Clause 42(4), which refers to the data subject’s “fundamental rights”— this phrase is used also in a number of other clauses. My amendment would insert references to the Human Rights Act and the European Charter of Fundamental Rights, seeking not to reopen the argument about the retention of the charter but to probe how fundamental rights are identified in UK law. It is not an expression that I recognise other than as a narrative term. This is fundamental—if noble Lords will forgive the pun—to my questioning and the workability of all this.
On Amendment 133ZP, the same subsection refers to an “official” inquiry. I know what that means in common sense—in human speak, if you like—but what does it mean in legislative speak?
Amendment 133ZQ is a cross-reference. I queried what was in the clause and have had exchanges with officials about it. I thought that the Minister’s name would be added to the amendment. I would have been very happy if the correction had been made quietly, but apparently that was not possible. So the drafting is not mine, but it corrects a mis-drafting—would that be a gentle term for it? At any rate, that is what the amendment is about. I beg to move.
My Lords, the five amendments in this group are all in the name of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Paddick. I should say at the start that I am not convinced by Amendment 133ZL and I look forward to the response of the Government. I am not sure that it is proportionate in respect of law enforcement processing. I had concerns about it before the debate and I have heard nothing to change my mind.
Amendment 133ZM widens the scope of the provisions and I am content with that. I am interested to hear from the Government why the three words to be deleted are so important: perhaps they can convince me of the merits of having them in the Bill.
Amendment 133ZN is proportionate and I happy to support it. I do not support Amendment 133ZP and, again, I have heard nothing yet to convince me otherwise. I await a response from the Government. Amendment 133ZQ seems proportionate to me in respect of the data controller being able to record reasons to restrict provision of information to a data subject and the reasons for refusing requests.
I thank the noble Baroness, Lady Hamwee, for explaining her amendments in relation to the rights of data subjects. Having disappointed her so much in the last group of amendments, I have some very good news: the Government are content to agree to her Amendment 133ZQ. Perhaps it is right that I did not put my name to it, because she can claim full credit for the amendment, which corrects an erroneous cross-reference in Clause 46(6).
I turn to the other amendments in the group, which have a little more substance. Amendment 133ZL seeks to place a duty on controllers to inform individuals without undue delay that they are a data subject. The right of access conferred on data subjects by Clause 43 largely replicates the existing provision in Section 7 of the Data Protection Act 1998, as I think the noble Lord, Lord Kennedy, pointed out. Clause 42 already includes obligations on the controller to provide individuals with information in general terms and in specific cases to enable a data subject to access their rights. We consider that this is the right approach and one which reflects the terms of the LED. We welcome the enhanced rights for data subjects provided for in Part 3, but it is important that such rights are proportionate and that we take account of the resource implications for police forces and other competent authorities. Placing a duty on controllers proactively to notify individuals that they are data subjects would, we believe, place an unnecessary burden on competent authorities. In practice, many individuals will know that their personal data is being processed by a particular controller; where they are unsure they can submit a subject access request. It is important to note that under the new regime subject access requests will generally be free of charge.
Amendment 133ZM seeks to probe the need for the phrase “in specific cases” in Clause 42(2). This phrase, which appears in article 13(2) of the law enforcement directive, is simply designed to distinguish between the duty on a controller, under Clause 42(1), to provide certain general information to data subjects which might be discharged by posting the information on the controller’s website, and the separate duty, in Clause 42(2), to provide certain additional information directly to a data subject to enable them to exercise their rights. Moreover, the information which must be provided under Clause 42(2) may be person-specific and the drafting makes this clear.
Amendment 133ZN seeks to define the term “fundamental rights” as used in Clause 42(4) and elsewhere in this part. This is not the occasion to reopen the debate we had at the start of Committee on article 8 of the European Charter of Fundamental Rights. The Committee will be aware that it is not the Government’s intention to enshrine the charter into UK law. That being the case, and recognising that Part 3 of the Bill provides for a scheme for law enforcement processing which is enshrined in our domestic law, the reference to fundamental rights should be interpreted in accordance with UK law by the UK courts, rather than seeking to enshrine the charter.
In Amendment 133ZP to Clause 42(4)(a), the noble Baroness seeks clarification of what constitutes an “official inquiry”, as opposed to a “legal inquiry”. I start by pointing out that the law enforcement directive uses both terms, and we have followed our usual practice of copying the directive wherever possible. There are, of course, legally constituted inquiries established under the Inquiries Act 2005, but not all official inquiries are formally constituted under that Act. The use of both terms recognises that formally constituted inquiries may take different forms and be conducted by different entities. It is important to emphasise that a controller is subject to the limitations in the opening words of Clause 42(4) and cannot restrict the provision of information simply by virtue of the fact that the information pertains to an inquiry.
I hope that I have been able to reassure the noble Baroness—she certainly looks happier than on the previous group of amendments—and that she will be content to withdraw her Amendment 133ZL. As I have indicated, I will be happy to endorse Amendment 133ZQ when she comes to move it formally.
My Lords, the noble Lord, Lord Kennedy, need not have been apologetic: it is perfectly fair to make the point that he did not think the amendment was proportionate. I will not claim the credit for Amendment 133ZQ because it is not my drafting, but much more importantly, yes, fundamental rights should be interpreted by the UK courts, but on what basis? It really is a matter of “New readers start here” with that, and the same applies to “official inquiry”: the very fact that there is an Inquiries Act was in my mind in asking what an official inquiry is. It is all the same argument—the same discussion, would be a better way of putting it—as on earlier groups. I said then that I was troubled; I am troubled in this connection. I think I made it clear that I was not trying to reopen the question of the European Charter of Fundamental Rights now; there will be other occasions to do that. I beg leave to withdraw the amendment.
Amendment 133ZL withdrawn.
Amendments 133ZM to 133ZP not moved.
Clause 42 agreed.
Clauses 43 to 45 agreed.
Clause 46: Rights under section 44 or 45: supplementary
133ZQ: Clause 46, page 27, line 45, leave out “(4)” and insert “(1)(b)(i)”
Amendment 133ZQ agreed.
Clause 46, as amended, agreed.
Clause 47: Right not to be subject to automated decision-making
Amendments 133A and 134 not moved.
Clause 47 agreed.
Clause 48: Automated decision-making authorised by law: safeguards
134A: Clause 48, page 28, line 28, leave out paragraph (b)
My Lords, we debated automated decision-making under Part 2 on Monday. Clause 48 provides for automated decision-making in the case of law enforcement. No doubt we will return to the issues raised on Monday in this connection, but for now, Clause 48(1) provides that a “qualifying significant decision” must be,
“required or authorised by law”.
This is perhaps a slightly frivolous probe, but may a controller take a decision that is not required or authorised by law? If it is not authorised, how is the data subject protected?
Amendment 135 refers to not engaging the rights of the data subject under the Human Rights Act. Again, we had a debate on this on Monday and it is a subject to which we may return. I simply ask: does the Minister have anything to add to what her noble friend Lord Ashton of Hyde had to say then? He told us that human rights are always engaged—indeed they are—and that the amendment therefore did not really work but that there are, as he said in col. 1871, “appropriate safeguards”. Are the Government satisfied that the balance between processing and protection is the right one? As I say, I am sure we will come back to this issue.
Amendment 135A is to Clause 48(2), which deals with decisions based solely on automated processing. Article 11 of the directive, which I believe is the basis for this, provides for automated processing, including profiling. Profiling is a defined term, so I merely want to check that there is no significance in omitting the reference to it. I doubt there is but the language is reproduced exactly elsewhere, so this is a simple check.
Clause 48(2)(a) provides that notification of a decision must be given “as soon as … practicable”. Amendment 135B would limit this to a maximum of 72 hours. I do not want to describe what is in the Bill as open-ended but I think the Minister would accept that it is less certain than it could be, which is a pity as the requirement under this clause to notify the right to ask for reconsideration is important. I note that at another point close to this, the data subject has an exact limit of 21 days. That may not be practicable for the data subject but perhaps the Minister can confirm whether that means within 21 days of actual receipt, not 21 days of delivery, as the means of serving that notification.
Amendment 136A would insert a new provision. We have been considering some form of independent oversight of automated decision-making. That would not be quite right because we have the commissioner, who is independent, but the amendment proposes more assistance and advice in this connection and the publication of reports on the subject.
Amendment 137 proposes a new clause. We debated a more elaborate amendment on the right to information about decisions based on algorithmic profiling on Monday. The proposed new clause would allow the data subject to obtain an understanding of the reasoning underlying the processes, when the results of it are applied to him. The wording might seem familiar to noble Lords, which would show that they have read on in the Bill. The amendment would reproduce in the law enforcement part a right that is included in Clause 96 in Part 4, which deals with the intelligence services. If they can do it, why not law enforcement? I was quite surprised that they could do it and were expected to provide the underlying reasoning, but that is a good thing. I am not arguing that this would be a silver bullet for all the issues around algorithms but it would be significant. Perhaps it would be courteous and appropriate to say I understand that as regards the intelligence services exemptions, the UK is proposing one of the most advanced explanation rights in the world—tick.
Amendment 144 raises the human rights point again, in the context of the intelligence services’ automated decision-making. Amendments 145 and 146 are to ask the Government to justify decisions based solely on automated processing which significantly affects the data subject when it relates to a contract. Clause 94(2)(c) refers to,
“considering whether to enter into a contract with the data subject”,
“with a view to entering into … a contract”,
with them. There must be a fine distinction between those two provisions but they are dealt with differently. These are all in Part 4, on the intelligence services. Finally, Amendment 146A is to ask whether the commissioner should have a role in the process, because there is a bit more scope for people doing their own thing in this part of the Bill than under Part 3. I beg to move.
My Lords, I support the amendments that have just been moved and spoken to by the noble Baroness, Lady Hamwee. We should perhaps have signed up to them but I do not think we had the time to do so. However, they all bear on important issues that need to be addressed and I look forward to hearing the responses from the Minister.
Our amendments in this group are also about automated processing but they attach to a slightly different arrangement. In Clause 92, on page 52, the right of access provisions are largely copied from earlier parts of the Bill and are extensive. Like the noble Baroness, Lady Hamwee, we appreciate that. The Government have moved a long way to try to reassure everyone that the intelligence services, as well as the defence services, are trying to operate in a manner that could be taken almost directly from the GDPR. While this may be gold-plating, it is a good way of making progress. Having said that, halfway down page 52 are two things that our amendments address. In Amendment 142C, we suggest that there should be a,
“right to object to automated-decision making”,
within automatic processing, because at the end of Clause 92(2) all the other rights are there but the one present in other parts of the Bill on the right to object is not. I wonder why it has been missed out. It would be interesting to hear from the Minister about that.
In Amendment 143B, we also wish to challenge why the fee has to be paid for this. The Government have tried hard to make an equality of approach right the way across but fees suddenly appear here, in a way which seems rather strange. It cannot be that the information services of Her Majesty’s Government are so starved of cash that they have to charge money to get their services completed for those who just want reasonable information, which should specifically be made available. It seems a double bind to have a situation where these rights and obligations are tantalisingly included in the Bill, but are then removed from reasonable access because of the costs that might be charged. I know that the Secretary of State would have to do it by regulations, which would be subject to further scrutiny, but perhaps this could be looked at again.
My Lords, these amendments return us to the issue of automated decision-making, which we debated on Monday, albeit principally in the context of Part 2.
The noble Baroness, Lady Hamwee, has indicated that the purpose of Amendment 134A is to probe why Clause 48(1)(b) is required. Clauses 47 and 48 should be read together. Clause 47 essentially operates to prohibit the controller making a significant decision based solely on automated processing, unless such a decision is required or authorised by law. Where automated decision-making is authorised or required by law, Clause 48 permits the controller to make a qualifying significant decision, subject to the specified safeguards.
A significant decision based solely on automated processing which is not required or authorised by law is an unlawful decision and therefore null and void. That being the case, we should not seek to legitimise an unlawful decision by conferring a right on a data subject to request that such a decision be reconsidered. Should such a decision be made contrary to Clause 47(1), the proper way to deal with it is through enforcement action by the Information Commissioner, not through the provisions of Clause 48.
Amendments 135 and 144 seek to prevent any decision being taken on the basis of automated decision-making where the decision would engage the rights of the data subject under the Human Rights Act. As my noble friend Lord Ashton indicated on Monday when the Committee debated Amendment 75, which was framed in similar terms, such a restriction would arguably wholly negate the provisions in respect of automated decision-making as it would be possible to argue that any decision based on automated decision-making would, at the very least, engage the data subject’s right to respect for privacy under Article 8 of the European Convention on Human Rights.
At the same time, the unintended consequences of this could be very damaging. For example, any intelligence work by the intelligence services relating to an individual would almost certainly engage the right to respect for private life. The effect of the amendment on Part 4 would therefore be to prevent the intelligence services taking any further action based on automated processing, even if that further action was necessary, proportionate, authorised under the law and fully compliant with the Human Rights Act. Where a decision will have legal or similarly significant effects for a data subject, data controllers will be required to notify data subjects to ensure that they can seek the remaking of that decision with human intervention. We believe that this affords sufficient safeguards.
Turning to Amendment 135A, I can assure the noble Baroness, Lady Hamwee, that automated processing does indeed include profiling. This is clear from the definition of profiling in Clause 31 which refers to,
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual”.
Given that, I do not believe more is needed, but I confirm that there is no significance in omitting the word “profiling”. We did not include a reference to profiling as an example of automated decision-making on the grounds that it is just that, an example, and therefore an express reference to including profiling would add nothing.
Amendment 135B would require controllers to notify data subjects within 72 hours where a qualifying significant decision has been made based solely on automated processing. While it is appropriate elsewhere in the Bill to require controllers to report data breaches to the Information Commissioner, where feasible, within 72 hours, we consider that the existing requirement to notify data subjects of what is a lawful qualifying significant decision as soon as reasonably practicable establishes the need for prompt notification while recognising that there needs to be some flexibility to reflect the operational environment.
Amendment 136A seeks to require the Information Commissioner to appoint an independent person to oversee the operation of automated decision-making under Part 3. I am unpersuaded of the case for this amendment. The Information Commissioner is, of course, already an independent regulator with express statutory duties to, among other things, monitor and enforce the provisions in Part 3, so it is unclear to me why the commissioner should be obliged to, in effect, subcontract her functions in so far as they relate to automated decision-making. Such processing is subject to the commissioner’s oversight functions as much as any other processing, so I do not see why we need to single it out for special treatment. If the argument is that automated processing can have a more acute impact on data subjects than any other forms of processing, then it is open to the commissioner to reflect this in how she undertakes her regulatory functions and to monitor compliance with Clauses 47 and 48 more closely than other aspects of Part 3, but this should be left to the good judgment of the commissioner rather than adding a new layer of regulation.
The noble Baroness asked whether it is 21 days from receipt of notification or another time. Clause 48(2)(b) makes it clear that it is 21 days from receipt.
I have some sympathy for Amendment 137, which requires controllers subject to Part 3, on request, to provide data subjects with the reasons behind the processing of their personal data. I agree that data subjects should, in general, have the right to information about decision-making which affects them, whether or not that decision-making derives from automated processing. However, this is not straightforward. For example, as with the rights to information under Clauses 42 and 43, this cannot be an absolute right otherwise we risk compromising ongoing criminal investigations. If the noble Baroness will agree not to move Amendment 137, I undertake to consider the matter further ahead of Report.
Amendments 142C and 143B in the name of the noble Lord, Lord Stevenson, seek to confer a new duty on controllers to inform data subjects of their right to intervene in automated decision-making. I believe the Bill already effectively provides for this. Clause 95(3) already places a duty on a controller to notify a data subject that a decision about them based solely on automated processing has been made.
Amendments 145 and 146 seek to strike out the provisions in Part 4 that enable automated decision-making in relation to the consideration of contracts. The briefing issued by Liberty suggested that there was no like provision under the GDPR, but recital 71 to the GDPR expressly refers to processing,
“necessary for the entering or performance of a contract between the data subject and a controller”,
as one example of automated processing which is allowed when authorised by law. Moreover, we envisage the intelligence services making use of this provision—for example, considering whether to enter into a contract may initially require a national security assessment whereby an individual’s name is run through a computer program to determine potential threats.
Finally, Amendment 146A would place a duty on the intelligence services to inform the Information Commissioner of the outcome of their consideration of a request by a data subject to review a decision based solely on automated processing. We are not persuaded that a routine notification of this kind is necessary. The Information Commissioner has a general function in relation to the monitoring and enforcement of Part 4 and in pursuance of that function can seek necessary information from the intelligence services, including in respect of automated processing.
I hope again that my detailed explanation in response to these amendments has satisfied noble Lords, and as I have indicated, I am ready to consider Amendment 137 further ahead of Report. I hope that on that note, the noble Baroness will withdraw the amendment.
My Lords, I am grateful for the long response and for the Minister agreeing to consider Amendment 137. As regards oversight of automated processing, which is not quite where I would be coming to as something that was suggested to us, it would be fair to say that the commissioner has a resource issue covering all these developments. Maybe it is something that we will think about further in order to approach it from a different direction, perhaps by requiring some regular reporting about how the development of automated processing is controlled and affecting data subjects. I will consider that, but for the moment I beg leave to withdraw the amendment.
Amendment 134A withdrawn.
Amendments 135 to 136A not moved.
Clause 48 agreed.
Amendment 137 not moved.
Clauses 49 to 55 agreed.
Clause 56: Joint controllers
137A: Clause 56, page 32, line 30, at end insert—
“( ) Notwithstanding any determination under subsection (2), joint controllers are each liable for any failure to comply with the obligations of a controller under this Part.”
My Lords, Clause 56 anticipates that competent law enforcement authorities may work together, and designates them as “joint controllers”. Clause 56(2) allows them to “determine their respective responsibilities”, although there is an exception when the responsibility is,
“determined under or by virtue of an enactment”.
Amendment 137A would, I suggest, take us a step further by providing that, in any event, if there is a failure to comply with a controller’s statutory obligations, each joint controller is liable—or does this not need to be spelled out? I beg to move.
My Lords, these are narrow but important amendments relating to the liability of joint controllers. I agree with the noble Baroness that there should be clarity as to where liability rests when a controller contravenes the provisions of the Bill. The concept of joint data controllers is not new; indeed, it is recognised in the Data Protection Act 1998. In a similar vein, Clause 56 makes provision for joint controllers under Part 3—the shared responsibility for the police national computer by chief officers is a case in point. Upholding the rights of data subjects is dependent on the clear understanding of responsibilities. Clause 56 requires joint controllers to determine transparently their respective responsibilities so that data subjects know who to look to in order to access their rights or to seek redress. There should be no ambiguity as to who is responsible for compliance with the provisions of Part 3.
The issue of liability is dealt with elsewhere in the Bill. For example, Clause 160 provides that an individual has the right to compensation from a controller if they suffer damage because of a contravention of this legislation. Subsection (4) makes specific provision for joint controllers: it provides that liability for damages flows from the legal responsibility for compliance as determined by an arrangement made under Clause 56. These types of arrangement already exist, and this is as it should be. What matters to the data subject is that the legal position in relation to joint controllers is clear, and Clause 160, read with Clause 56, provides such clarity. I also refer the noble Baroness to Clauses 145, 149 and 158, which make like provision in respect of enforcement notices, penalty notices and compliance orders.
The government amendments in this group, which are technical, address much the same point. As I have indicated, the Bill adopts the principle that a court order in relation to controllers operating under a joint controller arrangement may be made only against the controller responsible for compliance with the relevant provision of data protection legislation. That has to be right, whereas under the noble Baroness’s amendment, they would all be liable, whether or not they were responsible for compliance with the relevant provision. Amendments 143, 147 and 148 are needed to ensure that the principle is carried through when joint controllers are operating under Clause 102 and that the liability of such controllers is clear. Providing such clarity is in everyone’s interests, including data subjects.
I hope I have been able to satisfy the noble Baroness that the position on the liability of joint controllers is clear and that she will be content to withdraw her amendment and support the government amendments.
Amendment 137A withdrawn.
Clause 56 agreed.
Clauses 57 and 58 agreed.
Clause 59: Records of processing activities
137B: Clause 59, page 34, line 13, leave out “where applicable,”
My Lords, under Clause 59, the controller must record certain information, including, according to subsection (2)(g),
“where applicable, details of the use of profiling”.
The purpose of Amendment 137B is to ask whether, if profiling is used, this is not applicable. My amendment would delete the words, but the Minister will understand that I am probing.
I am afraid this is quite a big group of amendments. Clause 62 provides for data protection impact assessments when there is a “high risk” to “rights and freedoms”. In assessing the risk, the controller,
“must take into account the nature, scope, context and purposes of the processing”.
Amendment 137C would insert a reference to,
“new technologies, mechanisms and procedures”,
picking up wording which is in articles 27 and 28 of the law enforcement directive.
Clause 63 requires consultation with the commissioner where there is a “high risk” to “rights and freedoms”. Article 28(3) of the directive allows for the “supervisory authority”—the commissioner, in our case—to,
“establish a list of the processing operations which are to be subject to prior consultation”.
Amendment 137D would allow the commissioner to “specify other conditions” where consultation is required. I am not sure I would defend the approach of having regulations under a negative resolution. The amendment was tabled following a certain amount of toing and froing—aka consultation with me—because my original amendment did not quite work, or at any rate I was not clear enough about it. I was not at Westminster at the time and I think I did not take in properly over the phone what was being proposed. I am sure the Minister will not take me too much to task for that, but focus instead on the nub of this.
Under Clause 63, the commissioner is required to give advice to the controller and the processor when she thinks that the intended processing would infringe Part 3. Amendment 137E set outs what advice would be included “to mitigate the risk” and would be a reminder of the commissioner’s powers in the event of non-compliance. The amendment builds on rather fuller provisions in article 28 of the directive, which provides for the use of powers.
Amendment 137F would amend Clause 64, which deals with the security of processing and refers to,
“appropriate measures … to ensure a level of security appropriate to the risks”.
The amendment proposes what “appropriate measures” might be, in particular whether cost is a criterion. Article 29(1) seems to envisage this—are we envisaging it in the Bill?
As for Amendment 137G, there is a duty in Clause 66 to inform the data subject when there is a breach, but not when the controller has implemented protection measures. In seeking to change “has” to “had” implemented, I just seek confirmation that the measures in question were applied before the breach. One might read the clause as meaning that, subsequently, steps had been taken and protection measures implemented. That will be good for the future, but would not address the specific breach.
On Amendment 137H, Clause 66(7) gives a wide exemption, setting out the reasons for restricting the provision of information to a data subject. I assume from the words “so long as necessary” that, once a specific security threat has passed or a court case is over, the right to that information would revive. Can the Minister confirm this? Again, I am not sure what the role of the commissioner would be here.
On Amendment 137J, Clause 69 sets out the tasks of the data protection officer. Chapter 5 of this part deals with transfers to third countries. By requiring the updating of controllers on the development of standards of third countries, my amendment suggests that the data protection officer should keep on top of international issues.
Amendment 137K is an amendment to Clause 71 in Chapter 5, on the principles for the transfer of data to a third country or international organisation. It would insert an explicit requirement that the rights of the data subject be protected. Article 44 provides:
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
That is broad and overarching. My amendment probes how that protection is covered: is it in the detail of the subsequent clauses? It is spelled out in the article; does that imply that the clauses might not always properly provide protection if we do not spell it out in the same way, given the reflections that the Bill provides?
On Amendments 137L and 137M, authorisation under Clause 71(1)(b) from another member state from which the data originated is not required if the transfer is necessary for the prevention of a threat to the essential interests of a member state and authorisation cannot be obtained in good time. The amendments probe whether “essential interests” are more than law enforcement purposes—the first condition for transfer. Will the interests be clear? Is there a confusing element of subjectivity here? The person who wants the data might see things quite differently from the person who is being asked to transfer it. It is open to us to provide higher safeguards, which is what I am working towards. “Obtaining in good time” perhaps suggests a slightly more relaxed attitude than the subject matter should demand. I would substitute a reference to urgency.
On Amendment 137N—noble Lords will be relieved to know that I am on the last of our amendments in this group—there can be a transfer on the basis of special circumstances under Clause 74. I welcome the fact that, in some cases, the controller can refuse a transfer because fundamental rights and freedoms override the public interest in the transfer. Presumably, the controller’s determination must be reasonable. This seems to give some discretion to the commissioner; I wonder whether the commissioner might give guidance rather than leaving it entirely up to the controller. I beg to move.
My Lords, we have one amendment in this group, and I will speak to it. It affects what appears to be a lacuna—if that is not too technical a term for Hansard—in relation to the storage and retention of data collected by local police forces under the automatic number plate recognition system. Each local police force has an ANPR system. There are thousands of cameras, which we are all too aware of. Anyone who drives past one and has a picture of their number plate taken has a momentary shudder in case they are doing something wrong. When you add them all together, it is one of the biggest surveillance systems in the world—probably the world’s biggest non-military system—and it is growing every day. At the moment, there are probably about 1 billion shots of people cars in circulation. It is of course personal data, as it tracks people’s journeys, or can be read to do so.
There are two problems. First, the ANPR system has grown and grown but does not have proper governance or structure. Attention needs to be paid to that. This is not the Bill for that, but the noble Baroness might wish to take that point back with her. Secondly, an FOI request revealed in 2015 that the police had no systematic retention or disposal policy; they simply just kept the data because it might come in useful at some time. I do not think that works under the Data Protection Act 1998 and does not seem appropriate, given the way the Bill is framed.
In case there is any doubt whether those systems fall within the scope of the Act or whether there should be a change of policy, we have tabled the amendment to probe what is going on. There has been a recent change—I hope that the noble Baroness will update us about it—and several billion deletions, but there is still a question about the appropriate retention system. Our amendment is an attempt to move forward on that issue.
The problem is that the ANPR is not covered anywhere in statute. Despite the fact that it is very large, it is simply run. The Home Office does not see it as an espionage system—that is fair enough—so it is not covered in the Investigatory Powers Act. There is a case, however, for using the Bill to get this issue back into scope. The proposal here is simple. These particular words need not be used, but I hope the noble Baroness will accept that something should be done. We propose that the approach should be in accordance with the arrangements currently adopted in surveillance systems elsewhere.
My Lords, this quite extensive group of amendments relates to the obligations on controllers and processors and the transfer of personal data to third countries. As the noble Baroness, Lady Hamwee, explained, Amendment 137B seeks to probe the necessity for the words “where applicable” in Clause 59(2)(g), which places a duty on a controller to record details of the use of profiling in the course of processing. This wording is transposed directly from Article 24 of the LED—and. to be clear, we are not excluding types of profiling from being recorded. Rather, the clause provides that all profiling is recorded where profiling has taken place. The wording acknowledges that some processing may not involve profiling.
Amendment 137C seeks to add a definition of the word “nature” as used in Clause 62(4). References to the,
“nature, scope, context, and purposes of the processing”,
are found throughout the LED and we have faithfully transposed this. We accept that the nature of the processing does include the aspects set out in the noble Baroness’s amendment, but we do not believe it necessary to set that out on the face of the Bill, and there is a danger that doing so in these terms could unwittingly narrow the scope of this provision. I might add that the Information Commissioner’s Office already publishes guidance on conducting privacy impact assessments and will be issuing further guidance on issues related to the Bill in due course.
Amendment 137D to Clause 63 would confer on the Information Commissioner a power to make regulations specifying further circumstances in which a controller must consult the commissioner before undertaking processing activities. Currently the requirement is for controllers to consult the commissioner when a data protection impact assessment indicates that processing would pose a high risk to the rights and freedoms of data subjects. Clause 63 reflects the provisions in Article 28 of the LED and sets an appropriate threshold for mandatory consultation with the Information Commissioner. This is not to preclude consultation in other cases, but I am unpersuaded that we should go down the rather unusual road of conferring regulation-making powers on the commissioner. Instead, we should leave this to the co-operative relationship we expect to see between the commissioner and controllers and, if appropriate, to any guidance issued by the commissioner.
Amendment 137E seeks to specify the content of the written advice which the Information Commissioner must provide to a controller in the event that she considers that a proposed processing operation would contravene the provisions of Part 3. I do not disagree with the point that the amendment is seeking to make—indeed, it echoes some of what is said at paragraph 209 of the Explanatory Notes—but we believe that we can sensibly leave it to the good judgment of the commissioner to determine on a case-by-case basis what needs to be covered in her advice.
Amendment 137F would expressly require controllers to account for the cost of implementation when putting in place appropriate organisational and technical measures to keep data safe. I entirely agree with the spirit of this amendment; there needs to be a proportionate approach to data protection. However, I refer the noble Baroness to Clause 53(3), which already includes a provision to this effect. On Amendment 137G, we believe the use of the present tense is correct in Clause 66(3)(a) in that the implementation of the measures is ongoing and not set in the past.
Amendment 137H would require a controller to inform the commissioner when they have restricted the information available to data subjects in the event of a data breach. Clause 66(7) is one of four instances in Part 3 where a controller may restrict the rights of data subjects. I do not believe that there is a case for singling out this provision as one where a duty to report the exercise of the restriction should apply. If the commissioner wants information about the exercise of the power in Clause 66(7), she can ask for it.
Amendment 137J seeks to add to the role of data protection officers by requiring them to update the controller on relevant developments in the data protection standards of third countries. I do not deny that awareness of such standards by police forces and others is important for the purposes of the operation of the safeguards in Chapter 5 of Part 3. However, Clause 69 properly reflects the terms of the LED. It does not preclude data protection officers exercising other functions such as the one described in Amendment 137J.
Amendments 137K, 137L and 137M relate to Clause 71, which sets out the general principles for transfers of personal data to a third country or international organisation. The whole purpose of Chapter 5 of Part 3 is to provide safeguards where personal data is transferred across borders. Given that, I am not sure what Amendment 137K would add. Amendment 137L would narrow the circumstances in which onward transfers of personal data may take place with express authorisation from the originator of the data. In contrast, Amendment 137M, in seeking to remove Clause 71(5)(b), would expand those circumstances —which I am not sure is the noble Baroness’s intention. Subsection (5) is a direct transposition of article 35(2) of the LED, so we should remain faithful to its provisions. What constitutes the essential interests of a member state must be for the controller to determine in the circumstances of a particular case—but, here as elsewhere, they are open to challenge, including enforcement action by the commissioner if they were to abuse such provisions.
Amendment 137N would require a controller to pay due regard to any ICO guidance before coming to a decision under Clause 74(2), which relates to the transfer of data on the basis of special circumstances. The Bill already caters for this. Clause 119 places a duty on the commissioner to prepare a data-sharing code of practice and, under the general principles of public law, controllers will be required to consider the code—or for that matter any other guidance issued by the commissioner.
Finally, Amendment 137EA in the name of the noble Lord, Lord Kennedy, and articulated by the noble Lord, Lord Stevenson, seeks to set in statute the retention period for personal data derived from ANPR cameras. ANPR is an important tool used by the police and others for the prevention and detection of crime. I understand that the National Police Chiefs’ Council has recently changed its policy on the retention of ANPR records, reducing the retention period from two years to 12 months. The new policy requires all data not related to a specific case to be deleted after 12 months. This will be reflected in revised national ANPR standards. We know that the Information Commissioner had concerns about the retention of ANPR records and we welcome the decision by the NPCC in this regard.
Given this, I have no difficulty with the spirit of the noble Lord’s amendment, but the detail is too prescriptive and we are not persuaded that we should be writing into the Bill the retention period for one category of personal data processed by competent authorities. The amendment is unduly prescriptive as it takes no account of the fact that there will be operational circumstances where the data needs to be retained for longer than 12 months—in particular, where it is necessary to do so for investigative or evidential purposes.
More generally, I remind the noble Lord that the fifth data protection principle—the requirement that personal data be kept no longer than is necessary—will regulate the retention policies of controllers for all classes of personal data. In addition, Clause 37(2) requires controllers to undertake a periodic review of the need for the continued retention of data. Given these provisions, I am not persuaded that we should single out ANPR-related data for special treatment on the face of the Bill.
I apologise again for the extensive explanation of the amendments, and I hope that noble Lords will be happy not to press them.
Certainly. I feel that I ought perhaps to apologise to the House for the speed at which we have been going; it has caused a bit of a flurry. I know that I have been quite telegraphic in speaking to the amendments. I have possibly been too telegraphic, but I will read the detail of the response, and beg leave to withdraw my amendment.
Amendment 137B withdrawn.
Clause 59 agreed.
Clauses 60 and 61 agreed.
Clause 62: Data protection impact assessment
Amendment 137C not moved.
Clause 62 agreed.
Clause 63: Prior consultation with the Commissioner
Amendments 137D and 137E not moved.
Clause 63 agreed.
Amendment 137EA not moved.
Clause 64: Security of processing
Amendment 137F not moved.
Clause 64 agreed.
Clause 65 agreed.
Clause 66: Communication of a personal data breach to the data subject
Amendments 137G and 137H not moved.
Clause 66 agreed.
Clauses 67 and 68 agreed.
Clause 69: Tasks of data protection officer
Amendment 137J not moved.
Clause 69 agreed.
Clause 70 agreed.
Clause 71: General principles for transfers of personal data
Amendments 137K to 137M not moved.
Clause 71 agreed.
Clauses 72 and 73 agreed.
Clause 74: Transfers on the basis of special circumstances
Amendment 137N not moved.
Clause 74 agreed.
Clauses 75 and 76 agreed.
Clause 77: National security: certificates by the Minister
Amendment 137P not moved.
Amendment 137Q had been withdrawn from the Marshalled List.
Clause 77 agreed.
Clauses 78 to 83 agreed.
Clause 84: The first data protection principle
137R: Clause 84, page 49, line 15, after “conditions” insert “, other than a condition which is also a condition in Schedule 9,”
My Lords, sensitive processing requires meeting at least one condition from the menu in Schedule 9 and one in Schedule 10. This could be achieved, for instance, because the processing is necessary to protect someone’s vital interests under Schedule 9, and for the same reason under Schedule 10 when consent cannot be given. I wondered whether the repetition amounted to there being only one condition to be met, rather than two or perhaps one and a half—hence Amendment 137R.
Amendment 138A is another amendment suggesting that the Secretary of State’s regulation-making power is too wide under the Bill. In our view, the Secretary of State should be able to add conditions—in other words, protections—but not vary or omit them. That is a thread that runs through the whole of the Bill.
Amendments 139A and 139B probe the condition in Schedule 9 that processing is necessary for the purposes of legitimate interests pursued by the controller or a third party to whom the data is disclosed. Again, “legitimate interest” made me pause. It is made lawful by Clause 84 because it meets one of the lawfulness conditions, so there is a circularity here. The schedule then applies a condition to the condition—it is not lawful if it prejudices rights and freedoms or legitimate interests of data subjects, or rather is unwarranted because of prejudice to the rights and freedoms or interests of the data subject. Does that allow for the risk of prejudice? It struck me as quite a clumsy phrase—“unwarranted … because of prejudice”. I realise that the person who drafted it—I do not want to say “draftsman”—must have had some very particular thoughts in mind.
Schedule 10 lists the conditions for sensitive processing in the case of the intelligence services. Amendment 139C suggests that, in the case of processing to protect vital interests when there is no consent—one might argue that that is what the services do all the time—it should be reported to the commissioner. Amendment 139D refers to another condition where it is necessary, in connection with legal proceedings, advice or legal rights. We wondered whether it should be restricted to offences—for instance, to exclude an employment dispute between a service and an employee. I confess that I realised this morning that I had not thought through the implications for legal professional privilege, but my focus here is on whether we are giving the services an advantage which, in the example that I have used, is not available to another employer, including law enforcement, under Part 3. That might not be the best example, but I am curious as to how extensive the provision is.
Amendment 140A excludes the condition relating to medical services and is tabled to enable the Minister to tell us how it would apply in the case of the intelligence services. My imagination is inadequate.
Finally, on Amendment 140B, the second data principle requires the manner of processing to be compatible with the purpose of collection, and then gives what I read as examples of compatible processing. Amending,
“if the processing … consists of … and … is subject to”,
what is set out to “only if” would change this to an exhaustive list of criteria. The short question about this clause is whether “if” means “only if”. I beg to move.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for explaining these amendments, which relate to intelligence services processing.
Amendment 137R would provide that sensitive processing for a condition under Schedule 10 was lawful when the condition was not also a condition in Schedule 9. Clause 84 provides that processing is lawful only as long as one of the conditions in Schedule 9 is met, and for sensitive processing one of the conditions in Schedule 10 must also be met. We consider that the two-stage consideration process when processing sensitive personal data is important, as it requires the controller to ensure that conditions in both schedules can be satisfied.
We accept that there is a degree of overlap between some of the conditions provided for in the schedules, but that is necessary. For example, consent is a condition for processing in both schedules, but that reflects the fact that consent may often be the most appropriate grounds for processing personal data, such as when people consent to their sensitive personal data being processed for medical purposes. That position is not new: Schedules 9 and 10 reflect the equivalent Schedules 2 and 3 to the Data Protection Act, both of which provide that consent is a condition for processing. The amendment adds nothing, but has the potential to reduce clarity and is likely to confuse by departing from a well-established, two-stage consideration process.
Amendment 138A, which the noble Baroness said was probing, would restrict the power of the Secretary of State to amend the conditions for sensitive processing set out in Schedule 10 to adding conditions rather than also varying or omitting. The issue was debated in the context of other parts of the Bill last Monday, and I repeat the commitment given by my noble friend to take account of the noble Baroness’s amendment as part of our consideration of the report from the Delegated Powers Committee.
Amendment 139A would remove as a condition for lawful processing under Schedule 9 processing that is necessary for the purposes of legitimate interests pursued by the data controller. In the case of the intelligence services, their legitimate interests are dictated by their statutory functions, including safeguarding national security and preventing and detecting serious crime. I should also add that this is a condition currently provided for in Schedule 2 to the Data Protection Act 1998, so it may not surprise noble Lords that we could not support an amendment that would preclude the intelligence services from processing personal data in pursuance of their vital functions.
Amendment 139B would preclude the processing of personal data by the intelligence agencies in pursuit of their legitimate interests—that is, their statutory functions—whenever the processing prejudices the rights and freedoms or legitimate interests of the data subjects, rather than the current drafting, which prevents such processing in circumstances where it would be unwarranted in any particular case because of prejudice to those rights or interests. This more restrictive approach would mean that the intelligence services would be unable to process personal data in pursuit of their legitimate interests—for example, safeguarding national security—since it could be argued that such processing is likely to engage such rights, in particular the right to respect private life. It would prevent data processing that was otherwise lawful, necessary and proportionate and carried out in full compliance with the Human Rights Act. The ECHR provides that some rights, including the right to private life, are qualified rights, recognising the fact that while a right may be engaged, lawful interference with that right should be permissible in certain circumstances. As a result, this amendment would appear to go further than that required by the ECHR as, whenever a right was engaged, interference would not be possible, even if such interference were lawful, proportionate and necessary. Again, the condition in the Bill replicates the existing condition in Schedule 2 to the Data Protection Act 1998. Given this, I am not aware of any powerful reasons for changing the existing established approach.
Amendment 139C would require the Information Commissioner to be informed when processing is necessary to protect the vital interests of the data subject in circumstances, for instance, where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject. Such processing is a condition for sensitive processing under Schedule 10 and it mirrors precisely the equivalent provisions in Schedule 3 to the Data Protection Act 1998. The amendment does not add to a data subject’s rights nor does it strengthen protections. The processing of personal data in these circumstances already attracts the protections and safeguards provided for in the Bill, including the general oversight of the Information Commissioner. It is therefore in our view unnecessary and, I might add, I am not aware that the Information Commissioner has asked for such a provision.
Amendment 139D—which the noble Baroness was gracious enough to concede that she had not thought through—would limit the processing of personal data in connection with legal proceedings related to an offence or alleged offence. This amendment would have an extremely damaging effect, preventing processing in connection with all other legal proceedings, such as court or tribunal proceedings under this Bill, complaints to the Investigatory Powers Tribunal about unlawful conduct by the intelligence services and assistance with other civil proceedings and inquiries. I am sure that this was not the noble Baroness’s intention. Furthermore, the wording at paragraph 5 of Schedule 10 reflects that currently provided for at paragraph 6 of Schedule 3 to the Data Protection Act, so the Bill goes no further than existing legislation in this respect.
Amendment 140A would remove from Schedule 10 processing personal data necessary for medical purposes as a condition for sensitive processing. However, this is relevant for the intelligence services for straightforward processing of medical data by medical professionals processing the services’ data. An example would be an intelligence service’s occupational health services carrying out fitness for work assessments and providing medical advice. In such circumstances the intelligence service would likely rely on this condition as a lawful basis for the processing. This is to the benefit of both the services as employers and to their employees.
Finally, Amendment 140B relates to Clause 85, which provides for the second data protection principle: the requirement that the purposes of processing be specified, explicit and not excessive. Subsection (4) of the clause provides that processing is to be regarded as compatible with the purpose for which it is collected if the processing is for purposes such as archiving and scientific or historical research. This amendment has the effect of rendering processing compatible only if it was for those specific purposes. I am sure that was not the noble Baroness’s intention given that the amendment would prevent the intelligence services processing personal data in pursuance of their vital statutory functions.
I hope that noble Lords will agree that in relation to these amendments the Bill, with possibly one exception, adopts the right approach. In relation to the possible exception, namely the delegated power in Clause 84, I have reiterated the commitment that we will take account of Amendment 138A when we respond to the report from the Delegated Powers Committee. I therefore ask the noble Baroness to withdraw her amendment.
My Lords, almost all these amendments were probing, except for Amendment 138A, which is how the noble Lord described it—it was distinctly not probing, so I am glad to have had his assurance in that regard. I commented on an earlier group about either the intelligence services or law enforcement—I cannot remember which—being advantaged as against other employers outside their immediate job. It seemed to me from the noble Lord’s comments about medical data that the services would be advantaged as against employers in completely different fields. He gave a long answer, and I am grateful for that; it of course deserves reading and I will do so. I thank him for this comments on Amendment 138A and beg leave to withdraw the amendment.
Amendment 137R withdrawn.
Amendments 138 and 138A not moved.
Clause 84 agreed.
Schedule 9: Conditions for processing under Part 4
139: Schedule 9, page 171, line 34, at end insert “or rule of law”
Amendment 139 agreed.
Amendments 139A and 139B not moved.
Schedule 9, as amended, agreed.
Schedule 10: Conditions for sensitive processing under Part 4
Amendments 139C and 139D not moved.
140: Schedule 10, page 173, line 6, after “enactment” insert “or rule of law”
Amendment 140 agreed.
Amendment 140A not moved.
Schedule 10, as amended, agreed.
Clause 85: The second data protection principle
Amendment 140B not moved.
Clause 85 agreed.
Clauses 86 to 89 agreed.
Clause 90: Overview
141: Clause 90, page 51, line 9, leave out “to 96” and insert “and 95”
My Lords, government Amendments 141 and 142 to Clause 90 are technical in nature and simply ensure that the summary description of the rights conferred on data subjects by Chapter 3 of Part 4, as set out in subsection (1), fully itemises each of the relevant rights. I look forward to hearing from the noble Lord, Lord Kennedy, and the noble Baroness, Lady Hamwee, about their amendments in this group and I will respond to them when winding up.
My Lords, I can be very brief. We had intended to withdraw Amendment 142A in this group but, unfortunately, we could not do so in time so I will not speak to it. To complete the icing on the cake, I have already spoken, rather stupidly, to Amendment 142D, and therefore I do not need to repeat myself. I simply await the noble Baroness’s response on it.
My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.
My Lords, I thank the noble Baroness, Lady Hamwee, and the noble Lord, Lord Stevenson, who negated the need for me to speak to Amendment 142A, so I shall not do so.
I turn straight to Amendment 142B. This requires the controller to provide a data subject with specified information about the processing of their personal data unless the controller has previously provided the data subject with that information. This contrasts with the existing approach in Clause 91(3), which provides that the controller is not required to give the data subject information that the data subject already has. Although similar, the shift in emphasis of this amendment could undermine Clause 91(2) by requiring the data controller to provide information directly to the data subject rather than to generally provide it. The effect of this could be to place an undue burden on the controller by preventing them providing such information generally, such as by means of their website.
Clause 92 provides for an individual to obtain confirmation from a controller of whether the controller is processing personal data concerning them and, if so, to be provided with that data and information relating to it. It sets out how an individual would request such information and places certain restrictions and obligations on meeting such requests.
Amendment 142C would add to the information that must be provided to a data subject. I do not believe this amendment is necessary. Clause 91 already provides that the general information that must be provided by a controller is information about how to exercise rights under Chapter 3 of Part 4 and I am sure that the Information Commissioner will put out further information about data subjects’ rights under each of the schemes covered by the Bill.
The purpose of Amendment 142D is to remove the ability of the intelligence services to charge a fee for providing information in response to a request by a data subject in any circumstances. The noble Lord, Lord Stevenson, or the noble Lord, Lord Kennedy—I am not quite sure who it was; I think it was the noble Lord, Lord Stevenson—has contrasted the position in Part 4 with that in Parts 2 and 3 of the Bill, whereby a controller may charge a fee only where the subject access request is manifestly unfounded or excessive. The fact remains, however, that the modernised Convention 108, on which Part 4 is based, continues to allow for the charging of a reasonable fee for subject access requests and we are retaining the power to specify a maximum fee, which currently stands at £10.
It is entirely right that the intelligence services should be required to respond to subject access requests, but we believe it is appropriate to retain the ability to charge because we do not want the intelligence services to be exposed to vexatious or frivolous requests that could impose a significant burden upon Part 4 controllers. As I have said, the modernised Convention 108 allows for the charging of a fee and there is a power in Clause 92 not just to place a cap on the amount of the fee but to provide that, in specified cases, no fee may be charged. I think this is the right approach and we should therefore retain Clause 92(3) and (4).
Amendment 143A would require every subject access request under Clause 92 to be fulfilled within one month and would remove the Secretary of State’s ability to extend the applicable time period to up to three months for any cases. The Delegated Powers and Regulatory Reform Committee has considered this Bill and made no comment on this regulation-making power. In our delegated powers memorandum we explained the need for this provision, and the equivalent power in Part 3 of the Bill, as follows:
“Meeting the default one month time limit for responding to subject access requests or to requests to rectify or erase personal data may, in some cases, prove to be challenging, particularly where the data controller holds a significant volume of data in relation to the data subject. A power to extend the applicable time period to up to three months will afford the flexibility to take into account the operational experience of police forces, the CPS, prisons and others in responding to requests from data subjects under the new regime”.
I hope the noble Baroness would agree that this is a prudent regulation-making power which affords us limited flexibility to take into account the operational experience of the intelligence services in operating under the new scheme.
Before the Minister moves on, I asked whether the power would be used on a case-by-case basis, which I thought was what she was saying, or as a result of overall experience—and then she went on to talk about overall experience. So is it the latter, extending to all cases in the light of experience gathered over a period?
Yes, that is the point I made.
One of the rights afforded by Part 4 is that a data subject can require a controller not to process their personal data if that processing is an unwarranted interference with their interests or rights. If such a request is received, the controller may require further information in order to comply with the request. This includes information so as to be satisfied of the identity of the requesting individual or information so that they can locate the data in question.
Amendment 146B would require the requesting individual to provide information to help the controller locate the data in question only if the individual themselves knows where the data is located. I think we can agree that it is very unlikely that a data subject would know the exact location of data processed by a controller. As such, this change could make it more difficult for a controller to locate the data in question, as the data subject could refuse to provide any information to aid in the locating of their data. This could make it impossible for the controller to comply with the request and would in turn deprive the data subject of having their request fulfilled.
Chapter 4 of Part 4 deals with the obligations of the controller and processor. Controllers must consider the impact of any proposed processing on the rights of data subjects and implement appropriate measures to ensure those rights. In particular, Clause 101(2)(b) requires that risks to the rights and freedoms of data subjects be minimised. Amendment 148A would require that those risks be also dealt with in accordance with the Bill. If I understand the purpose of this amendment correctly and the noble Baroness’s intention is that the broader requirements of Part 4 should apply to any new type of processing, I can concur with the sentiments behind this amendment. However, it is not necessary to state this requirement in Clause 101; all processing by the intelligence services must be in accordance with the relevant provisions of the Bill.
Finally, Clause 106 requires that the controller notify the Information Commissioner if the controller becomes aware of a serious personal breach of data for which it is responsible. A data breach is deemed serious if it seriously interferes with the rights and freedoms of a data subject. Amendment 148B seeks to alter the level at which a data breach must be notified to the commissioner by lowering the threshold from a serious interference with the rights and freedoms of a data subject to a significant interference. The threshold is set purposely at serious so that the focus and resources of the controller and commissioner are spent on breaches above a reasonable threshold. We also draw the noble Baroness’s attention to the draft modernised Convention 108, which uses the phrase “seriously interfere”.
I am mindful that some noble Lords in this Chamber will be utterly perplexed by the subject matter to which we have been referring, so I hope that, with those words, the noble Lord will be sufficiently reassured and will withdraw his amendment.
The answer to that question is that we are not happy with what the Minister said about the ability of the intelligence services, uniquely in this whole area, to charge a fee to discourage people from getting access to the rights which they certainly have under the Act. I sensed that the Minister understands that; perhaps it is a little unfair to say that, as most other noble Lords were not able to see her smile, gently, as she tried to put substance and seriousness into the argument she was using, which was clearly very thin indeed. To make the point, we are relying on a convention which has yet to be signed. That is the fig leaf under which we will be smuggling these ridiculous fees. I urge the Minister to take this back and think again, and I look forward to a further discussion with her if she feels that any more information could be provided.
Amendment 141 agreed.
142: Clause 90, page 51, line 9, at end insert—
“( ) section 96 deals with the right to information about decision-making;”
Amendment 142 agreed.
Clause 90, as amended, agreed.
Amendment 142A not moved.
Clause 91: Right to information
Amendment 142B not moved.
Clause 91 agreed.
Clause 92: Right of access
Amendments 142C and 142D not moved.
143: Clause 92, page 53, line 18, at end insert—
“( ) A court may make an order under subsection (11) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
Amendment 143 agreed.
Amendment 143A not moved.
Clause 92, as amended, agreed.
Clause 93 agreed.
Clause 94: Right not to be subject to automated decision-making
Amendments 143B to 145 not moved.
Clause 94 agreed.
Clause 95: Right to intervene in automated decision-making
Amendments 146 and 146A not moved.
Clause 95 agreed.
Clause 96 agreed.
Clause 97: Right to object to processing
Amendment 146B not moved.
147: Clause 97, page 56, line 14, at end insert—
“( ) A court may make an order under subsection (5) in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for compliance with the obligation to which the order relates.”
Amendment 147 agreed.
Clause 97, as amended, agreed.
Clause 98: Rights to rectification and erasure
148: Clause 98, page 56, line 38, at end insert—
“( ) A court may make an order under this section in relation to a joint controller whose responsibilities are determined in an arrangement under section 102 only if the controller is responsible for carrying out the rectification, erasure or restriction of processing that the court proposes to order.”
Amendment 148 agreed.
Clause 98, as amended, agreed.
Clauses 99 to 100 agreed.
Clause 101: Data protection by design
Amendment 148A not moved.
Clause 101 agreed.
Clauses 102 to 105 agreed.
Clause 106: Communication of a personal data breach
Amendment 148B not moved.
Clause 106 agreed.
Clause 107 agreed.
Clause 108: National security
Amendments 148C to 148E not moved.
Amendments 148F and 148G had been withdrawn from the Marshalled List.
Clause 108 agreed.
Clause 109: National security: certificate
Amendments 148H and 148J not moved.
Clause 109 agreed.
Clause 110 agreed.
Schedule 11: Other exemptions under Part 4
Amendments 149 to 151
149: Schedule 11, page 174, line 18, leave out “is necessary”
150: Schedule 11, page 174, line 19, at beginning insert “is necessary”
151: Schedule 11, page 174, line 20, leave out from “proceedings),” to “establishing” in line 21 and insert—
“( ) is necessary for the purpose of obtaining legal advice, or( ) is otherwise necessary for the purposes of”
Amendments 149 to 151 agreed.
Schedule 11, as amended, agreed.
Clauses 111 and 112 agreed.
Clause 113: General functions under the GDPR and safeguards
Amendment 152 not moved.
Clause 113 agreed.
Clause 114 agreed.