Cookies: We use cookies to give you the best possible experience on our site. By continuing to use the site you agree to our use of cookies. Find out more
House of Lords Hansard
x
Data Protection Bill [HL]
22 November 2017
Volume 787

Committee (6th Day)

Relevant documents: 6th Report from the Delegated Powers Committee, 6th Report from the Constitution Committee

Clause 143: Enforcement notices: supplementary

Amendment 163A

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

163A: Clause 143, page 79, line 16, at end insert—

“( ) Prior to giving an enforcement notice under section 142(1) against an information society service in respect of material originating from a third party controller or processor processing personal data for one of the special purposes, the Commissioner must consult and take into account any representations made by the third party, save in circumstances where consulting the third party would result in substantial damage or substantial distress to an individual, in which case the Commissioner must take into account the special importance of the public interest in the freedom of expression and information.( ) The Commissioner must publish a summary of any enforcement notice issued against an information society service in respect of material processed by a third party controller or processor for any of the special purposes.”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, in moving Amendment 163A I shall speak also to Amendments 164A, 170B to 170D, 172A to 172C—a number of which the noble Viscount, Lord Colville of Culross, has added his name to—and to the Question whether Clause 165 should stand part. I fear that if noble Lords are still suffering from indigestion as a result of the alphabet soup of amendments we had in Committee last week on this subject, today we have an even more indigestible alphabet banquet.

The amendments relate to media freedoms. I declare my interest as the executive director of the Telegraph Media Group and draw attention to my other media interests. As with the previous group of amendments we discussed in Committee, the implications in this area go well beyond the press and impact on online and broadcast media, along with a wide range of literary and artistic interests. They are supported by the Media Lawyers Association, the News Media Association and the Society of Editors. In the past few days, noble Lords may also have received very important representation, specifically on Clause 164, from the BBC, ITV and other broadcasters.

I highlight two points in particular to give context to this group of amendments. First, Clause 164(3)(c) gives a statutory regulator—the Information Commissioner —powers to interfere with investigations and reporting, pre-publication. Secondly, unless the defences in the Bill are augmented, Clause 161 means that a reporter vindicated as acting lawfully in the eyes of the civil courts could be convicted on the same grounds in the criminal courts. That has widespread ramifications. The exemption for special purposes covers not only the journalism of the BBC, Channel 4, ITN and all newspapers, national and local, but the deadly serious journalistic work of NGOs and campaigning organisations such as Global Witness.

The GDPR demands freedom of expression protections for academic, literary and artistic purposes as well. That means that the playwright, producer, professor, provocative cartoonist, artist, author, diarist and publisher of any book whose work at any stage uses information about living individuals, falling within the broad application of the Bill, is as vulnerable to these parts as the media. That is why the provisions deserve the most careful scrutiny and attention. Given that these powers bite pre-publication, the mere assertion of a data protection breach will be a marvellously cheap and convenient way for individuals with something to hide to stop any work that may cast them in an unwelcome light in its tracks. Indeed, there is a double jeopardy in the Bill, as under Clause 165, the Information Commissioner is empowered to provide financial support to people wanting to bring action; her written determination would also lift any stay on legal action in respect of pre-publication processing.

Let me explain, as briefly as I can, how these amendments seek to tackle that mischief. The first two of them relate to penalties. Amendment 163A to Clause 143 is intended to prevent inconvenient truths being all too conveniently covered up. Currently, the original publisher of an article de-listed from Google or other search engines, following the complainant’s appeal to the Information Commissioner to have it taken down by the content aggregator, neither knows about this virtual disappearance nor has any opportunity to put the case on the accuracy or continued relevance of the article to the ICO. This amendment introduces the option of the ICO consulting with the originating publisher prior to making a determination and then publicising the determinations made.

Amendment 164A to Clause 148 addresses the overall proportionality of penalties for infringements of the Act. As noble Lords will know, a company in breach must pay the appropriate penalty as set out under the Act, However, there is again the risk of double jeopardy as far as the media are concerned, because the standard contractual terms of content aggregators such as Google require media organisations to indemnify them in respect of journalistic material that they then disseminate to their users. Due to their huge global turnovers, such aggregators could be liable for far greater fines under the GDPR, dwarfing those that any media organisation would be liable for on its own transgression. That could result in media organisations facing financial ruin because of the indemnity they are bound to give. This amendment simply proposes that, when any fine is imposed, consideration should be given to indemnities, compensation and other penalties for which organisations are liable, if a breach arises.

The next three amendments deal with the serious risk of journalists and whistleblowers being criminalised for obtaining and retaining personal data without consent. The Bill properly provides a special purposes exemption from civil liability by providing protection where there is “reasonable belief” in the public interest in publication, but the defence to criminal offences is inconsistent with that exemption. Instead, the criminal courts would demand satisfaction of a more stringent test that is out of kilter with day-to-day reporting; namely, that obtaining, disclosing, procuring or merely retaining data,

“in the particular circumstances, was justified as being in the public interest”.

So a media organisation, a journalist or a whistleblower with reasonable belief in the public interest of their investigations would be complying with the Act, acting lawfully and the court could vindicate their actions if sued in the civil courts, but they could be convicted in the criminal courts for exactly the same behaviour and holding the same belief. This is clearly anomalous and confusing.

Amendment 170B, by adding a defence of reasonable belief in the public interest, would address this in Clause 161, and Amendment 170D would add a similar reasonable belief in the public interest defence to Clause 162, governing re-identification, since investigative journalism may involve attempts to piece together the identity of individuals involved in wrongdoing, which should not be criminalised.

Media organisations increasingly receive information from anonymous sources. At the point they do, the processing of material has begun. Amendment 170C therefore specifies that in respect of the special purposes, obtaining, procuring and retaining personal data shall not be deemed reckless simply because it was received from an anonymous source unsolicited. After all, a reporter cannot know before he or she receives any material whether it will be in the public interest. These augmented and additional defences are essential to protect investigative reporting and to deal with what is in effect an indefensible anomaly in the Bill. Reliance on decisions not to prosecute under public interest prosecution policies is not enough; it must be crystal clear in the legislation.

Clause 164 defines “the special purposes”. Amendment 172A would delete “only”, for the reasons that I explained in Committee last week and which I do not intend to go over in detail again. I fear that my noble friend’s response to me on that occasion—that this simply retains the wording of the 1998 Act—does not address the issue. This Bill is, after all, not based on the 1995 directive which underpinned that Act, and the new GDPR article 85 does not require inclusion of “only”. Its retention will simply fuel the new and increasingly frequent attempts to bring to investigation data protection claims and challenges that media organisations are now experiencing and which are intended to undermine the intended protections of the special purpose exemption. I urge my noble friend to look at this again.

Amendment 172B would amend the wording of Clause 164 to ensure that the wording of the journalist exemption throughout the Bill mirrors that of the 1998 Act. It must not be narrowed and must continue to protect not just the personal data which will be published but that which informs any publication.

Amendment 172C, which is supported by the noble Lords, Lord McNally and Lord Clement-Jones, for which I am grateful, would delete Clause 164(3)(c). This new power, which has no forebear in the Data Protection Act 1998, completely subverts the guiding policy of both that Act and this Bill, as so firmly stated by my noble friend the Minister at every stage since Second Reading, that there should be the strongest safeguards regarding interference in pre-publication journalistic activities. This new paragraph is wholly inimical to press and media freedom. It gives a state enforcement authority the power of minute examination of editorial pre-publication processes, striking at the heart of editorial independence and freedoms.

Through this paragraph, for the first time the Information Commissioner can consider and make determinations on pre-publication journalistic dealings involving personal data and determine whether the Act’s usual applications could apply, as they were not incompatible with journalism. The Information Commissioner is effectively cast as a shadow editor, second-guessing editorial decision-making and journalistic techniques. The Information Commissioner could determine that the subject of an investigation should be informed about it sooner, for instance, than an editor would judge appropriate under the codes or general law, or that consent was required where codes, law or editorial policies would not otherwise require it. She could determine that a subject’s denial of an accusation meant that any journalistic material about them should not be retained because this was now determined inaccurate or its retention unnecessary, and investigation should stop.

Therefore, if anyone has an inkling of an unwelcome investigation, it is easy to see how a prepublication subject access request or simply an allegation of fake news could regularly bring in the Information Commissioner, with profound implications for investigative reporting. It would delay, disrupt and chill investigations into and revelations such as the Paradise papers, the Panama papers, MPs’ expenses, sports scandals or long-term sexual abuse scandals. It would also affect local level inquiry investigation—perhaps local media looking at the conduct of police officers, questionable business practices or historic abuse in institutions.

The broadcast, print and online news media are united in their deep opposition to this clause, as are the book publishers and authors’ agents. I stress again that this is not a media-specific point. The same prepublication consideration for a written determination would apply to anyone processing for academic, literary or artistic purposes. It is worth pondering for a moment the implications of that. Your Lordships should listen to this. In 1968, the Theatres Act ended the Lord Chamberlain’s powers to vet plays about living individuals. In 2018, we ought to be celebrating the 50th anniversary of the abolition of theatre censorship, not its potential revival by the Information Commissioner. Will playwrights researching about future Enrons, Oslos or indeed even Inks be liable to an inquiry by the Information Commissioner to check the levels of accuracy of facts and opinion that they are amassing about individuals? How is the unauthorised biographer, docudramatist or producer of a blockbuster biopic going to fare with ICO supervision a possibility? Memoirs and diaries will always refer to people other than the author, so could bestselling reality TV stars, Alan Bennett or David Cameron be on the ICO watchlist next year? What about historians researching the recent past, or indeed even encyclopaedia compilers? As I said earlier, what of brave campaigners such as Global Witness, which exposes the economic networks behind conflict, corruption and environmental abuse, or an academic’s research into repressive regimes, whose perpetrators may be very interested in the ICO disrupting the prepublication compilation of information and opinions? All these activities would be affected in a way which has the most profound implications for free speech and would be a fundamental change to UK law.

Clause 165, which should not stand part of the Bill, unnecessarily maintains a provision of the 1998 Act, which, in almost 20 years, has never been used but which wrongly singles out for special treatment those who are processing data for academic, literary, artistic or journalistic purposes by allowing claims brought against them to be funded by the Information Commissioner’s Office. This does not apply to any other sector, whatever exemptions apply in the Bill. It makes no sense to maintain this provision. There is no justification for using public money at a time of such pressure on public expenditure to encourage and fund litigation against all those who are in fact supposed to be safeguarded for freedom of expression information purposes. Where we legislate on issues that relate to freedom of expression, we should consistently ask ourselves whether a power such as this is absolutely necessary. To simply say that it is fine because it has never been used in the past is not good enough when legislating for the future.

In conclusion, the Bill contains dangerous provisions which could give the ICO increased powers to preside over editorial judgments and journalistic investigations and consider and make determinations on prepublication journalistic activities, which would then lift any stay on legal actions that the Information Commissioner might then also choose to fund. This is not in line with the Government’s laudable intention to protect free speech. I hope that the Minister will look carefully at these proposals, consult with all those affected—there are many of them—even though time is short, and bring back proposals to deal with these various serious issues when we reach Report. I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, it may be for the convenience of the Committee if I speak to my Amendments 170AA, 170AB and 170AC at this point. I am grateful to my noble friend for moving his amendment in the skilful way that he did. I hope that my noble friend the Minister has some good answers because my noble friend worried me somewhat.

I fear that I will have to detain the Committee for some time. I wish to make it clear that I have never been mistreated by the media and I do not think I know any celebrity who is not also a parliamentarian. My only complaint is that the general public have never heard of me. Quentin Letts once likened me to Lord Lucan, and when I accidentally appeared to cancel a mainline electrification programme from the Dispatch Box, I got three-quarters of an inch on page 2 of the Sun—at £1.6 billion it was quite an expensive way of getting some publicity.

During the passage of the Crime and Courts Act, I was in the Government with other responsibilities. I have little doubt that later, as a loyal Government Back-Bencher, I voted against the attempt made by the noble Baroness, Lady Hollins, to get Section 40 of the Crime and Courts Act commenced. Thanks to an intense media campaign, I realised that something was going badly wrong when the Government failed to commence Section 40 after the PRP was established and it had approved its first independent regulator.

At present any claims against newspaper publishers where the claimant is an ordinary member of the public is a David versus Goliath battle. The claimant is an individual with limited resources, whereas newspaper publishers are typically well resourced, with teams of lawyers. In effect, the claimant is required to mortgage their home—if they own it—to meet the costs of an action. This is unless they can get a CFA, which is not available for data protection claims—a point that I will come to later. This risk deters ordinary members of the public from ever bringing a claim. When it comes to libel, all they really want is a correction with due prominence. This principle applies to data protection claims as well. Subsequently, publishers have enjoyed impunity in relation to breaching the data rights of ordinary members of the public.

However, the reverse can also be true. Sometimes the claimant is exceptionally wealthy—such as a Russian oligarch—and even the newspapers can struggle to meet the costs of defending a claim. In such cases, censorship can occur where a litigant threatens legal action in order to prevent an article being published. What editor is going to risk hundreds of thousands of pounds in legal costs just to have a pop at a billionaire who desperately deserves it?

The Committee will recall that Lord Justice Leveson recommended a solution: newspapers join a recognised regulator which must offer arbitration, among other things. Arbitration is cheap for the defendant and the claimant, so the cost risks evaporate for both. The only losers in all this are the lawyers on both sides—which I am sure all Members of the Committee will approve of. Most newspapers, however, favour the ability to breach the rights of ordinary members of the public rather than having the free speech benefits of protection from claims by wealthy individuals. So Lord Justice Leveson recommended this ingenious cost-shifting provision.

Newspapers in a recognised regulator offering arbitration are immune from paying the claimant’s costs in cases brought against them, win or lose. Newspapers which have rejected joining a recognised regulator—and, as such, are not offering mandatory arbitration—must meet the costs of all claims brought against them, win or lose. Of course, there are the usual safeguards against frivolous and vexatious claims, even for those not signed up to an approved regulator. As well as protecting free expression and access to justice, this provision would incentivise the press to sign up to a recognised regulator, as Leveson recommended and as Parliament decided and provided for by means of the Crime and Courts Act 2013.

I recognise that in its current form the Bill cannot be used to force the commencement of Section 40 for libel and privacy claims and the like, however strong the case for doing so. However, it can apply Section 40 to data privacy claims relating to publication and commence it. That would give ordinary people whose privacy is invaded at least some protection and provide at least some incentive.

Section 40 of the Crime and Courts Act contains this provision for all media claims except data protection. This was a concession to the press at the time, when data privacy claims were rare because the 1998 Act was written in a way that would require there to be actual financial loss before bringing a claim. The Vidal-Hall v Google case in the Court of Appeal found that the 1998 Act was not compatible with the parent EU directive on this point and had to be interpreted as allowing “distress only” claims, as with other privacy claims.

The Bill, I am pleased to see, corrects that problem in terms of what claims are eligible, and my amendment completes the job by enabling access to justice for claimants with data privacy claims. At an earlier Committee sitting, my noble friend Lord Black claimed that people were bringing data privacy claims instead of defamation claims to get around the terms of the Defamation Act 2013. My understanding is that that is not the case, but he may well have better data than I.

The Government have failed to commence Section 40 of the CCA despite Parliament voting overwhelmingly for it in both Houses. This amendment would bring Section 40 into force now for data protection claims. Amendment 170AA deals with the allocation of court costs while Amendment 170AB deals with interpretation. On Report, I will table a consequential amendment dealing with commencement.

Amendment 170AC deals with conditional fee arrangements. Until Section 40 of the CCA comes into effect, victims of data protection breaches by newspapers have no access to justice, as prohibitive court costs mean that actions are rarely brought.

The Committee will be aware that CFAs are no-win no-fee agreements. They allow a claimant to bring an action without cost risks by requiring the losing defendant of any action to pay a bonus—an uplift fee—to the claimant’s lawyers if the claimant wins. If the claimant loses, an insurance firm covers the costs, whereas the law firm loses its own costs. The law firm subsidises the revenue it misses out on in the cases it loses with the bonuses it receives from the cases it wins.

The mechanism which allowed CFAs to work was effectively abolished for all cases except asbestos claims and media claims in the Legal Aid, Sentencing and Punishment of Offenders Act 2012. Most types of media claim were protected from the changes but data protection claims were not. This amendment would make CFAs available again for data protection claims. They are essential in providing access to justice for members of the public until Amendment 170AA is brought into effect. Even if the Committee agrees my Amendments 170AA and 170AC, CFAs will still be necessary to protect access to justice if there is no approved regulator.

As for the amendments in the name of the noble Baroness, Lady Hollins, I fully support them.

My noble friend Lord Black is an exceptionally competent operator and I imagine that he has already approved his organisation’s media campaign. I can remember the last one well, as it motivated me to get involved with this issue. No doubt his campaign will try to suggest that this is state regulation of the press, but at col. 1668 of Hansard on 6 November, despite being very helpful to the Committee, my noble friend appeared unable to explain how the state, or Ministers, would be able to influence the work of the press recognition panel.

We can also expect the media to express an understandable reluctance to sign up to Impress, on the grounds that its ultimate source of funding is Max Mosley. That point has been tested in the courts. However, much more important is that there is no requirement to sign up to Impress. Media operators could create another compliant regulator and on 6 November, the Committee heard the welcome announcement from my noble friend Lord Black that he believed that IPSO probably would meet the requirements. I think that we can safely and fairly translate that as, “IPSO could be made to meet the requirements”. It would be interesting to know whether there has been any independent analysis of this.

The final claim that will certainly be made is this: if Section 40 and my amendments are in force, the media operator will have to pay all court costs, win or lose, unless the claim was vexatious or trivial. What they will forget to tell us is that this will happen only if the media operator is not signed up to an approved regulator. The crucial point is that if they are signed up to an approved regulator the claimant will have to pay all court costs, win or lose. Thus, if a media operator is facing a billionaire Russian oligarch who is threatening court action with huge costs, it will be able to laugh at him and explain how Section 40 works. That sounds rather like press freedom to me.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I declare an interest as a series producer at ITN Productions. I want to talk particularly about Amendments 172A to 172C and whether Clause 165 should stand part of the Bill—all of which relate to the powers of the ICO to investigate special processing. I, too, am very concerned that Clause 164 represents a considerable and troubling extension of the power of the Information Commissioner, which will have a damaging effect on free speech. It will damage not just journalism but academia, art and literature by unleashing a torrent of complaints prior to publication or launch of a work. These amendments will ensure that the powers of the ICO in these matters remain as they are—a situation which has worked well since we have had the Data Protection Act 1998.

In Clause 164(3), paragraphs (a) and (b) indeed make no change. They allow the ICO to investigate and give a written determination on whether the processing of data is for special purposes and publication, and therefore exempt. However, my concern is that paragraph (c) seems to be an important and worrying extension of the power of the ICO. It means that even if she thinks that the data processing is journalism, literature or art she can, in addition, investigate whether the means by which the data is being collected or processed is compliant with the Act. These powers can be used prior to publication, meaning that any complainants who want to stop a journalistic or academic investigation from continuing can now call for the ICO to make a written determination on the way in which the data is being collected. This will open the door to a far greater number of complaints to the ICO. At best, dealing with these will be very time-consuming and wasteful of resources. At worst, they will result in public interest journalism being delayed or thwarted altogether by a regulator with limited expertise of the media, and who may well lack the resources for such an endeavour.

The provision for such ICO inquiries to take place before publication goes against an important principle of our law, which allows for the information to be published and then for the courts or regulators, such as Ofcom, to decide whether there has been an infringement. Clause 164(3), as drafted, suggests that the commissioner is going to make her own judgment of these questions and not simply assess whether the judgment of the data controller—for instance, the editor of the newspaper or the author—is genuine and reasonable.

My concern is that, even if the ICO does not exercise her powers, the prospect of her doing so will have a chilling effect on editors’ decisions about whether to publish. I am already finding that, in the documentaries that I am making, stories which would have been published a few years ago are now not being published for fear—among media lawyers—that there will be a breach of the legislation. In one case, I was told by the media lawyer that I could broadcast a story only if it was already in the public domain—which to me, as a journalist, seems likely to negate the whole purpose of the exercise. I am advised by media lawyers at ITN, the BBC and a number of newspapers, whose views I very much respect, that these new powers of the ICO and other proposed amendments will affect journalists’ investigations in many different ways.

Amendment 172B is intended to ensure that the scope of the exemption continues to apply not merely to information that is due to be published but to information that will inform the final publication. The failure to maintain the existing provision would have the damaging effect that, for instance, a fraudulent businessman who is being investigated could submit a subject access request on the relevant data which had been gathered as part of the story. The result would be that the businessman would be able to find out where the investigation was going and take action to close down that investigation. He would also be able put pressure on the sources of the information that would be revealed by the access request.

I work in television, and a particular concern of mine is the future of secret filming for journalism, which could be threatened by this clause. It would allow the ICO to look into whether the use of recording, without consent, was appropriate or even necessary. It is not clear from the clause what precise test the ICO will apply, but it will involve the ICO making fine editorial judgments, including whether the investigation could or should have been advanced by using less intrusive means. I have carried out many secret filming assignments in my capacity as a producer at the BBC, and I know that the activity is already very tightly controlled to stop fishing expeditions and to ensure that it is aimed directly at and focused on the suspected parties. The BBC code requires clear evidence that the subject of the filming has been involved in wrongdoing. This evidence is rigorously questioned by the lawyers before permission is given to go ahead, and the results of the filming are carefully looked at to make sure that they relate directly to supporting the story.

Unless these amendments are adopted, once the person who is the target of secret filming is told that they are the subject of the story, they could issue a claim or subject access request on the secret filming and delay, or even successfully stop, the story being published. Lawyers at the BBC advise me that some of our important investigations in the public interest would be delayed and maybe in some cases stopped by these new powers. The stories that could have been affected include public interest investigations into wrongdoing, such as those into Winterbourne View and the Rochester young offenders unit or even last week’s BBC “Panorama” on student loan fraud, in which two men were secretly filmed giving advice to prospective students about how to get through a degree by cheating and how to fraudulently collect a student loan.

Perhaps even more problematic will be other people who are not the centre of the investigation but who might get caught up in secret filming or open filming without consent. They could include family members or employees of a company being investigated. These people would not be featured in the final publication or broadcast, but their ability to complain prior to publication would allow them to call on the ICO and deliberately delay or stop an investigation because their data had been collected during the filming. An example is the BBC investigation into the payday lender Wonga, which many noble Lords will know about, whose lending practices were questionable and caused bankruptcy and despair across the country. During the secret filming of the Wonga loan agents, the journalist also filmed the receptionist. She was never going to be featured in the final programme, but her data had been collected and she tried to use it to protect her employers and stop the programme going out. Under Clause 164 she would indeed be able to call in the ICO to give a written determination on the way her data had been collected, and the film would be stopped in its tracks. For the complainant, the time and cost would be minimal—meaning that there is a very low barrier to seeking the help of the ICO.

Other investigations could be thwarted based not just on the data that might be published but on the way the data might be held by the journalist for use in later articles as part of a continuing investigation. Noble Lords may remember the Sunday Times exposure of Lance Armstrong, a man who at the time was seen as the greatest cyclist in history. He was accused by the Sunday Times of taking performance-enhancing drugs. As a result, he took the paper to court for defamation, and it was forced to settle. Under this clause, Armstrong would then be able to bring a data protection complaint in relation to any data that the Sunday Times had collected to support the original allegation that he had taken performance-enhancing drugs. He could argue that the data was inaccurate and should therefore not be held. Following the court settlement it would be open to the ICO to decide whether continuing to hold the data would be in compliance with the legislation. The Information Commissioner could require the paper to dump the data, which she might deem to be inaccurate. In fact, the ability of the journalist on this story to hold on to Armstrong’s data was crucial in allowing the Sunday Times to continue its investigation into Armstrong’s conduct. The paper subsequently published a number of articles to that effect. Eventually, Mr Armstrong confessed that he had indeed taken performance-enhancing drugs and settled the Sunday Times claim that his libel case was fraudulent after all.

I understand that there is suggestion that a code of conduct will be produced for the ICO to follow, which will ensure that only a very high threshold of data breaching will be examined. My fear is that, even if this is the case, surely the ICO would still have to carry out a preliminary investigation into a complaint of a breach of data protection law in order to ascertain whether it has reached the high threshold. I am concerned that this will delay or even chill journalism.

As to whether Clause 165 should remain part of the Bill, this has been carried over from the Data Protection Act 1998, which singled out the media for special provision of ICO funding for a complainant. Since the acceptance of the Act into law, this provision has not been used once. But, even if it were used, I would object to the clause singling out the media over any other processors of information. If an estate agent or a building contractor, or a member of any number of other industries, were to breach data protection law, the ICO would not have the ability to fund a complainant. I would ask the Minister to look again at whether Clause 165 is needed or whether it would be a threat to free speech.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I start by adding my strong support to the elegant amendments of the noble Earl, Lord Attlee, and thank him for his perceptive evaluation of the media storm about Section 40 of the Crime and Courts Act.

My Amendments 170K, 170L, 170M, 171A, 172AA, 172E and 174AA would remove the existing pre-publication staying mechanism currently available to data controllers when they may be processing data for special purposes. The old Data Protection Act required that a determination had to be made by the Information Commissioner before any data protection claim could be brought in court where data might be processed for journalism. This determination, set out in a “determination notice”, would specify whether the data was indeed being processed for the special purpose of journalism.

Any claim which might involve the special purposes could be stayed in this way. This means that someone has no way of accessing the courts to establish if such publication of their personal data was legal—for example, because it was in the public interest—until after it happened. In contrast, people can do this with a privacy claim—and the sky has not fallen in, nor has investigative journalism been affected. Data privacy claims should be no different.

The new Bill currently replicates the process that was set out in the old Bill. Unlike other areas of law, and unlike processing for other purposes, before any member of the public can bring a data protection claim in the courts against a data controller prior to publication, Clauses 164 to 166 of the Bill require the ICO to make a determination as to whether the data was being processed for journalistic purposes. This means that when an individual’s data rights are unlawfully breached for publication, without any public interest justification, they can do nothing to prevent use and publication of that data until the determination process is complete, with appeal. That data could include, for example, private medical records or financial transactions that expose deeply personal information.

In practice, this means that ordinary people are denied the right to challenge in court the legality of the data being processed prior to publication. Moreover, determination is slow. When the Information Commissioner produces the determination notice, it is then subject to appeal by the publisher. Lord Justice Leveson argued that this whole mechanism is wrong in principle, and that it should be removed. This amendment would have that effect, by removing journalism from those purposes to which the stay could apply. Publishers and the public would still have access to court action, and the courts could determine whether the material has been unlawfully processed and, if it has, whether publication is protected in the public interest under the existing exemptions in the Bill.

Journalistic exemptions in the Bill would be entirely unaffected by the amendments. Where breaches are in the public interest and undertaken for publication, journalists remain exempt from all the exemptions listed elsewhere in the Bill. That is right, and it will be protected. However, the additional stay, which prevents victims of data protection breaches by newspapers trying to prevent the damage that would be done by publication before they can argue their case in court, would be removed. In summary, nothing in the amendments will interfere with investigative journalism—that is not my intention. Because this is a complicated area, with many amendments to these clauses, I certainly stand ready to discuss with colleagues the best way forward in this area before Report.

My Amendment 179A would require the Government to proceed with a public inquiry into allegations of data protection breaches by or on behalf of newspapers. Such an inquiry would be similar to the already-agreed second half of the Leveson inquiry. In 2005 it was reported, though only in the Guardian, that thousands of individuals had had their personal data, including private phone data, stolen by or on behalf of newspaper publishers. Noble Lords will recall that Operation Motorman was the scandal that allowed phone hacking to occur, but it was far more widespread than just phone hacking. It affected tabloids and other newspapers alike. Data was illegally harvested by private investigators in the pay of newspapers and used for stories or to hack phones, often without any public interest justification. A whole industry of illegal data theft propped up the front pages and exclusives of some of our most powerful and recognisable newspapers for a decade.

The Information Commissioner published two reports on Operation Motorman, first, about this practice and, secondly, on the findings of the police investigation. These included the revelations that 58 clients or journalists working for the Daily Mail had used private investigators, and that 1,482 transactions were identified between the investigators and Mirror Group titles such as the Daily Mirror and the Sunday People. Rarely was there any public interest justification. For example, the victims of crime were targeted and their partners, their colleagues and even their painters and decorators were targeted, too. Some newspapers even rehired private investigators who had been convicted of illegal data handling.

This is not ancient history. The judge in the Mirror hacking civil trial ruled that the Daily Mirror, the Sunday Mirror and the News of the World used an entirely different set of private investigators hundreds, if not thousands, of times to steal phone billing data and “reverse phone numbers”, and that this was a precursor to hacking their phones. In a new civil action against the Sun, it is alleged that that newspaper continued to use a series of private investigators for illegal activities on an industrial scale all the way up to 2011, if not beyond.

A public inquiry, the Leveson inquiry, was established to investigate these matters, and I gave evidence to part 1. However, part 2, established to investigate the extent of breaches of data privacy and other illegality, and to investigate the cover-up of it, has still not taken place. This requirements of the amendment would be satisfied by the Government proceeding with Leveson part 2.

I believe I am not alone in your Lordships’ House in finding the Government’s positioning and repositioning on Leveson part 2 shameful. In 2011, when the scandal of hacking broke, the inquiry was established in two parts, the first to deal with regulation and the second to deal with illegality and allegations of corruption and cover-up. The Government claimed they were committed to part 2 of the inquiry once relevant trials had concluded. Those of us affected by this conduct took the Government at their word.

A few years ago, though, the Government began to revise their position following heavy lobbying from the press. After this House voted overwhelmingly in support of one of my amendments to the Investigatory Powers Bill last year, the Government faced the prospect of a Commons defeat and announced a consultation on Leveson part 2 on the day of that vote. That consultation was judicially reviewed by a victim of press abuse who had been promised by the Government that part two would happen. The Government defended that judicial review by claiming that they had an open mind on the matter of Leveson part 2, but within three months their party manifesto for the 2017 general election pledged to scrap Leveson part 2 altogether.

Today, we are no further forward. The Government have still not published the outcome of last year’s consultation. The integrity of the consultation was questioned, and the Government’s intentions were rather exposed by the manifesto commitment to scrap Leveson part 2, although I gather that Conservative Members of neither this House nor the other place were consulted. Nor were victims consulted, despite previous prime ministerial promises to them on this matter.

I see no alternative but to return to legislation and the role of Parliament to see that the Government stand firm on these matters and do not cave in to the press lobby. I hope colleagues will support this amendment. I would not of course return with it on Report should the Government proceed with Leveson part 2 with the agreed terms of reference before then.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, this debate is part of the unfinished business of Leveson in relation to both Section 40 and Leveson part 2. As the noble Baroness, Lady Hollins, explained, we are having to do this not because we are hijacking the Bill but because the Government have used various devices to avoid their commitments on those parts of Leveson. It is unfinished business because sections of the press, for which the noble Lord, Lord Black, is an eloquent spokesman in this House, have deliberately tried to frustrate the will of Parliament. The noble Baroness, with telling eloquence, has spoken for the people who were hurt and damaged by the excesses exposed by Leveson. They do not feel that they have received either closure or justice; nor is there much evidence of the press mending its ways.

I was one of the privy counsellors who signed the royal charter. The coalition Government went out of their way to defend the freedom of the press. Looking back, it is easy to forget just how much public horror, distaste and loathing there was for what was shown to be happening by the Leveson inquiry. Frankly, a Government of the day who had not been interested in the freedom of the press would have had a free hand to deal with it in the most draconian way. So I sometimes resent—not speeches in this House, of course, although they occasionally refer to this—articles in the Times and other papers that see any amendment as an immediate attack on the freedom of the press. We who are tabling these amendments want to strengthen the freedom of the press.

The Conservative Government, freed from the constraints of coalition, have gone back on their word to implement Section 40 and dragged their feet about Leveson 2. They added insult to injury by including the IPSO code in their list of approved codes but ignoring the Impress code, which had been approved by the Press Recognition Panel. The noble Earl, Lord Attlee, explained very well how the charter would have given a defence in the David v Goliath contest often faced by the ordinary citizen.

We are in Committee, so we will listen to the Government’s response to the amendments moved by the noble Baroness, Lady Hollins, the noble Earl, Lord Attlee, and the noble Lord, Lord Black. We will then make our decision on issues to vote on at Report. I listened very carefully to the noble Lord, Lord Black, and, as the noble Earl, Lord Attlee, said, he gave us food for thought, although he often sounds like the boy who murdered his parents and then asked for mercy because he was an orphan. However, there are issues there that need to be considered.

My approach, and the two amendments that I have signed, come from a person whom I know that the noble and learned Lord, Lord Keen, knows very well: the man on the Clapham omnibus. My concern, so very well expressed by the noble Lord, Lord Colville, is that it seems to me, as the man on the Clapham omnibus, that to ask investigative reporters to get prior permission is counterintuitive. Again, I would be very interested to hear the Government’s explanation, particularly of Clause 164(3)(c), which my amendment would delete, and how it would impact on investigative reporting.

The other issue that I have revived from Leveson is, again, based on the “man on the Clapham omnibus” test. The noble Baroness, Lady Hollins, referred to the Motorman scandal, when sentences open to the court for the breaches were seen almost as incidental business expenses as far as the perpetrators were concerned. Leveson’s recommendation 54, the Culture, Media and Sport Committee—twice—and the Justice Committee, under the chairmanship of my noble friend Lord Beith, all recommended bringing in stronger penalties for those breaches. As the man on the Clapham omnibus would say, “That’s right—if you’ve got a law, the penalties of which are so trivial, it actually undermines the protection that that law is supposed to give”.

I am absolutely delighted to know—with no prejudice against the other distinguished Ministers on the Front Bench—that the noble and learned Lord, Lord Keen, is going to reply to this debate. His forensic mind will fillet out the points that have been made, and we will be able to study Hansard tomorrow to find very clear reasoning for the Government’s actions, and then make a considered judgment of what we are going to do at Report.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I speak in support of the amendments tabled by the noble Baroness, Lady Hollins, those in the name of the noble Earl, Lord Attlee, and Amendments 185E and 185F, in the name of the noble Lord, Lord McNally, who has just spoken.

A range of amendments in this group relate to journalism and have different effects. It would be easy to characterise some of them as being in favour of greater press power and others in favour of reduced press power, but that would be wrong. The amendments that I am speaking to would implement and support the recommendations of the Leveson report. That report was a compromise—a split down the middle of the free speech concerns of some, and the concerns of others for the victims and wider public. Some of the other amendments in this group—not all of them—seek to undermine that compromise. When we have debates about Leveson, let us remember that they are not simply debates between the interests of the press and those of the public, but between those who have accepted the compromise and those who will not give an inch. Let us also remember that government inaction is what inspires the rejectionists to persevere.

Amendment 179A, in the name of the noble Baroness, Lady Hollins, would require the Government to proceed with a public inquiry into data protection breaches committed by or on behalf of newspaper publishers. This is long overdue. Such an inquiry is clearly merited after the scale of the abuses and breaches which were made clear in Operation Motorman and since. Court cases still being settled over the last year, with more expected, relate to this conduct. Of course, all parties agreed that such an inquiry was needed in 2011 and established the Leveson inquiry, but that part of the inquiry has still not proceeded. Instead, the Government have twisted and turned to satisfy the interests of the press, which calls for public inquiries into everything but its own scandals. I wonder why that might be. I hope that the Government will respond by beginning Leveson part 2.

The amendments of the noble Baroness, Lady Hollins, to Clauses 164 and 166 would prevent publishers accessing a staying mechanism which would in effect prevent pre-publication data protection claims ever being brought. This is anomalous, given that libel law allows such claims to be brought. There is no good reason for keeping the stay so long as the journalistic exemptions are protected. This amendment does not affect those exemptions and should be supported.

Amendments 170AA, 170AB and 170AC in the name of the noble Earl, Lord Attlee, replicate the terms of Section 40 of the Crime and Courts Act 2013, which this House voted for, as did the other place, but do so only for data protection claims. It remains a constitutional travesty that the Government have autocratically prevented Section 40 coming into force, using the executive power of non-commencement. Providing the costs protection and regulatory incentive of these amendments for data protection claims is a worthwhile objective in itself. If the relevant amendment also helps make the point to the Government that it is unacceptable to reverse a parliamentary vote in this way, then it will have served a second useful purpose. The amendments of the noble Earl, Lord Attlee, would also restore conditional fee agreements for data protection claims. Conditional fee agreements would ensure that the public are able to access justice even if Section 40 does not apply.

Amendments 185E and 185F, in the name of the noble Lord, Lord McNally, respond to five Select Committee reports, the Leveson report and multiple remarks, reports and representations from the Information Commissioner’s Office, allowing custodial penalties for the most egregious cases of data theft. It is not envisaged that many, if any, individuals would be sentenced in this way but, put simply, the mountain of evidence on the matter shows that a fine is not an adequate deterrent and is simply treated as no more than an overhead for the illegal trade in personal data. I therefore believe it important that the House should support the amendments of the noble Lord, Lord McNally.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

It might surprise the noble Lord, Lord Black, to hear that I think his amendments are important and well worth discussing and crunching out. I listened to his speech very carefully. I will check Hansard tomorrow, but I think that he used the word “reasonable” about a dozen times. However, I ask him to consider that if he wants the sympathy of the House and of Parliament, he has to accept the fact that the reasonable expectations of reasonable people for the media to behave in a reasonable way is the way to go about this. Does he believe that the man on the Clapham omnibus would regard the current policy of apology and correction as remotely reasonable? If he is prepared to reconsider that and talk to the people with whom he works, perhaps there could be real movement here. IPSO does not necessarily have to become Impress but it can look at the obligations that have been placed on Impress and begin to behave accordingly.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I rise in support of Amendment 172C, which refers to Clause 164(3)(c). I have no interest to declare but it might be helpful if I remind your Lordships that, prior to joining this House, I worked at the BBC for the best part of 10 years. For the majority of my time there, I worked in the area of governance and regulation, advising three successive chairmen.

I just want to make a couple of simple points. I have not been involved in this Bill so far but, when it was highlighted to me that it would introduce a clause that would, for the first time, bring into statutory regulation a facility for the pre-transmission involvement of regulators in broadcasting in this country, I was surprised—indeed, I was very worried. This is a very big change to our current set-up. Broadcasting is a very heavily regulated sector but it is regulated post hoc, not ex ante—I know that your Lordships like a bit of Latin.

When I worked at the BBC under the old governance regime, before Ofcom was set up and before the BBC became subject to Ofcom regulation, there was only one editor-in-chief at the BBC and he had the final say editorially. We have a former editor-in-chief sitting in his place here today. The governors, led by the chairman, were very clear that their responsibilities prevented them ever interfering in any programming pre-transmission, so even the governors did not involve themselves in programmes pre-transmission. When they had done so in the past, the result had been absolutely calamitous.

We should remember that we demand impartiality from broadcasters in this country. We set very clear and rigorous codes for them to follow and they take them very seriously. However, in order to ensure that there is impartial broadcasting in this country and to give our audiences confidence, in exchange we give broadcasters their independence. I worry that a very simple clause in the Bill, which may look quite innocuous, could put at risk something that is very important to us. I understand that the media can sometimes be arrogant and that they sometimes get things wrong, but we should make sure that we tackle them when they get things wrong rather than try to interfere and put at risk something which, as I said, is very precious to us in this country.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I simply want to speak about my noble friend’s Amendments 185E and 185F, which relate to custodial sentences. I apologise to the noble Lord, Lord Black. I missed the opening part of his speech as I was looking up the reference to which I now want to refer—the ninth report of Session 2010-12 produced by the House of Commons Justice Committee, of which I was then chairman. As noble Lords know, we took evidence from the Information Commissioner on a number of occasions. We said in the report that we shared,

“the Information Commissioner’s concern and dissatisfaction that no order has been brought before Parliament to implement section 77 of the Criminal Justice and Immigration Act 2008, which would have the effect of providing custodial sentences for breaches of section 55 of the Data Protection Act. Currently the only available penalty is a fine, which we feel is inadequate in cases where people have been endangered by the data disclosed, or where the intrusion or disclosure was particularly traumatic for the victim, or where there is no deterrent because the financial gain resulting from the crime far exceeds the possible penalty”.

The point was made earlier that in some quarters—this is not particularly a media matter; it refers to many kinds of illicit information-gathering—meeting fines, should they be imposed, can be seen as a “trade expense”. So we said:

“We accept the Information Commissioner’s argument that the issue of custodial sentences for section 55 offences is not exclusively, or even primarily, an issue relating to the media and that the issue should be dealt with by Parliament without waiting for the outcome of Lord Justice Leveson’s inquiry”.

That illustrates just how long the matter has been going on and how unsatisfactory it is, to the point of disgraceful, that what Parliament has previously enacted remains not in force because of the lack of commencement.

The Justice Committee does not lightly or frequently advocate custodial sentences. Indeed, it has taken the view that there are many offenders and some offences for which custodial sentences are notably unhelpful, inappropriate and do not change lives or benefit society. However, for some offences, if there is not the possibility of a custodial offence then there is no deterrent at all because the fines do not serve as a deterrent. As other noble Lords have said, one does not envisage that custodial sentences would often be used in these matters, but their existence as an ultimate deterrent can be defended as likely to have some effectiveness in a way that custodial sentences often do not for some other kinds of offence and for those who do not calculate when they commit their crimes what the consequence will be.

This is not a fundamental change in the nature of the offence; it is providing an appropriate ultimate penalty and a deterrent for offences of this kind. We have had recent experience of how widespread some of these offences are. I therefore hope that the Government will at last recognise their responsibility to do what in previous guises, and in coalition, they have accepted they ought to be doing and provide the custodial sentences.

I make one further comment because of the eloquent point made by the noble Lord, Lord Low, about the use of commencement powers and failing to carry out the law that Parliament has passed. This is a serious matter and it extends far beyond this Bill. We will be looking at a great deal of legislation which will depend on a variety of statutory instruments, ranging from policy issues to matters of timing. It is not a good precedent to accept that it is appropriate to leave in the hands of Ministers the ability to decide whether the law which Parliament has passed should exist in reality or not.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I apologise to the House because my voice is annoyingly masked. I urge noble Lords to put their hearing aids on because it might not last until I have said what I want to say.

Every now and then in this House, we have a debate of such importance and significance that the House behaves in a completely different manner from its normal routine. We have had that today. There is a sense of stillness, expectancy and interest that we do not always get, and it is important that we hold on to it because we are touching on some very important and deep issues. While we obviously need to deal with the narrow question of the amendments before us, I hope very much that the wider resonances of this debate might help unpick some of the difficulties that have been raised in our discussion and which are relevant in society today.

I am so taken by the debate we have had that I want first to mention to the House that our amendment in this group, which was laid as one of the first amendments, is an entirely “fake” amendment, if I may use that word. It is a probing amendment and does not mean anything. I can tell the House now that I will not be pressing it. I hope the Minister will do me the justice of not even bothering to respond to it because it has lost all relevance in the light of the issues that have been raised subsequently. My second point is a slightly cheeky one: since I am no longer involved with our amendment in this group and we do not have any names attached to any of the others, I will bring a completely new and independent view to the discussions. I hope that noble Lords will enjoy that.

I hope that the noble Lord, Lord Black, does not take this my final opening point the wrong way. I am not going to follow the line of the noble Lord, Lord McNally, and accuse him of crimes he is not going to commit, but this is so important that we need to come back to it in another place and at another time. I hope that he will understand that. I think that it probably needs a Bill of its own to get this right. We can discuss that later.

Okay. Trying to make sense of what we have in front of us—in this alphabet soup that we often have in complicated parts of Bills—I want to approach this in the following way. I said at Second Reading, and I repeated in the debate last week, that I do not think the Bill is the right place to rerun some of the long-standing arguments about Leveson. I do not think that anything said today should be withdrawn; it is really important stuff that needs to be resolved. But this is probably not the Bill to do that in and I will give some reasons for that.

The main worry that I have, and several noble Lords have mentioned this, is that we are talking about a package of measures that were the product of a particular time. For all the reasons that have been given, bits have succeeded and bits have not succeeded; bits have been implemented and bits have not been implemented, and I do not think that it is right for this Bill at this time to try to kick-start some of the bits that need to be looked at, particularly the amendments that relate to the Crime and Courts Act 2013. The speech of the noble Earl, Lord Attlee, was a very good introduction to those. He made a very good case for them. That case does need to be answered, but this is not the right place for that, so I do not support them.

I do not think that Amendment 179A works in the context that I am trying to sketch out. The case made by the noble Baroness, Lady Hollins, as always, was incredibly powerful and one’s heart reaches out to everything she says, which was also picked up by the noble Lord, Lord Low. We want to do something about this and we think that the way that the Government have treated Leveson 2 is a disgrace. It is a shameful way to behave, given the treatment of the victims. We must never forget that.

The third group of amendments here—the amendments of the noble Lord, Lord McNally—also makes very good sense. They are sensible amendments but, for the same reason, we should not continue with them today.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

The noble Lord is giving the Government a “get out of jail free” card, unless he has something else to say. There are areas in all these amendments that have massive implications for data and data protection. If they do not fit into the scope of a Data Protection Bill, where on earth will they fit?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I would also like to have a little pop at the noble Lord. I understand his point that this is a Data Protection Bill and not something to amend the Crime and Courts Act. Of course, I experienced significant difficulties with the clerks trying to table an amendment to try to amend that Act. But if we had a suitable legislative opportunity—another criminal justice Bill—would the noble Lord’s party support an amendment to make Section 40 of the Crime and Courts Act commence forthwith?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

To answer that last point first, we have supported that in the past and on the right occasion we would probably support it again. But my point is not about the quality of the case made or the correctness of the approach. It is just not the right time to do that. The same answer applies to the noble Lord, Lord McNally. I did not say that we would not support him if he brought this back at Report. I am simply saying that, at this particular point, I want to use this debate to focus on something else and that is why I am trying to approach the issue in this way. I hope that noble Lords will bear with me before my voice gives up finally. I hope that I can allow that to ring out so that noble Lords can be inspired by it. That is a faint hope.

Underneath the debate that we have had today are some really important questions. I will pose them quickly in the hope that we will get a response from the Minister. It is really important that the noble and learned Lord uses this opportunity to set out very clearly what the Government’s position is on a number of these key points. Is the regime that currently applies to the press, as set out in the Data Protection Act 1998, still the case in the Bill? In other words, has the regime that has worked well since 1998 been changed in any way by its transposition into this Bill? If it has not, he has to be very clear that that is the case. The case that has been made suggests that, in the rewriting and repositioning of Clause 164, something has happened that has alerted everyone to the point, which was made very well by the noble Viscount, Lord Colville, and the noble Lord, Lord Black. I do not think that that was what we understand to be the case, and certainly I and my noble friend Lord Griffiths have asked for chapter and verse on this so that we can be sure that what we are seeing is exactly what the current law is. That is a straightforward question.

Secondly, we need to be persuaded, if we have not been already, that either the technology or the working practices in print journalism in particular, but also in relation to how print journalism is now often paired up with moving image technologies, has produced such a step-change in the way they operate that the additional defences proposed by the noble Lord, Lord Black, or the additional protections that might be needed by victims, which are so important and relevant, do not need to be brought into the Bill. The case has been made, the charge is there, and the Government must come back and tell us what arrangements have been made.

Thirdly, does the fact that many, but not all, direct investigations of a journalistic type are now done jointly with an audio-visual component, so that we have combinations between major newspapers and television broadcasters or even film, mean that we now have in perpetuity dual regulation, in which case the approach taken by Ofcom has to sit with the regulations under the Data Protection Act 1998 or the Data Protection Bill when it becomes law? If that is the case, we have a problem that needs to be confronted. We have one post hoc regulatory structure and one that is mainly post hoc but has an element, albeit restricted and on a narrow basis, in print journalism. If the way the world is moving suggests that everyone doing this work will have to be involved with two regulators, the Government’s Bill does not take that trick and we will need to come back to the point.

Fourthly, what is it about print journalism which is so different that it requires there to be a predetermination capacity for the ICO compared with the situation when the same work, and possibly the same output, is done under Ofcom? My noble friend Lord Puttnam and the noble Baroness, Lady Stowell, made the point that the difference is that the media in this country are very strongly regulated. There are codes, statutory frameworks and editors who are clearly responsible for them and work to them well. However, a different situation pertains here. That does not mean to say that it should be applied across all the outputs involving investigative journalism, but it must be said that if there was in existence a robust, independent and effective press complaints system which enjoyed the confidence of victims, perhaps we would make better progress on the particular issues which have been raised today. That is the point on which we must focus as regards where we might go with this. I hope that when the noble and learned Lord comes to respond, he can bring some light to this issue.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am obliged to all noble Lords for their contributions this afternoon. I would hope that recent debates, particularly in Committee on the Bill, have assured noble Lords that the Government are absolutely committed to preserving the freedom of the press and maintaining the necessary balance between privacy and freedom of expression in our existing law that has generally served us well over many years.

Perhaps I may take some of the amendments in turn. The first, Amendment 163A, was brought forward by my noble friend Lord Black. It asks that the Bill should require that greater consideration be given to the right to freedom of expression and information when the Information Commissioner is exercising her enforcement powers. Amendment 164A would require the commissioner to consider, for example, any other financial penalties imposed by another regulator as a result of failure—a point that was touched on tangentially by the noble Lord, Lord Stevenson, in his closing remarks.

I hope that my noble friend Lord Black agrees that it is important that any amendments in this space do not impact disproportionately on the commissioner’s resources and her ability to execute her regulatory functions in an effective manner. I will give further consideration as to whether these amendments meet that test. I will address my noble friend’s contribution on this point in Hansard and the Government will reflect upon it. I do not hesitate because I am making a concession; I am merely making an observation.

I turn from the initial amendments to those proposed by my noble friend Lord Attlee—Amendments 170AA and 170AB—which are similar to the provisions contained in Sections 40 and 42 of the Crime and Courts Act 2013 but apply to data protection offences only. As noble Lords will be aware, Section 40 remains uncommenced —that was alluded to—and this House has debated the matter of press self-regulation on many occasions, particularly over the past year. It remains a matter of very considerable importance, and I seek to reassure the Committee that the Government are firmly committed to ensuring that the behaviour that led to the Leveson inquiry being established should never happen again.

However, we cannot ignore the various concerns raised regarding Section 40, including by Members of this House, and it is only right that the Government consider those concerns fully and properly. That is why a consultation was launched in November last year that included questions on the next steps regarding Section 40. The Government are considering the responses to the consultation and intend to publish a response to the consultation by Christmas. The Government do not believe that introducing a similar provision to Section 40, but in relation to data protection only, is appropriate, given the decisions that are currently being taken on Section 40 as a whole. I therefore invite my noble friend Lord Attlee not to press his amendments.

Amendment 170AC seeks to protect the rights of individuals and others to claim damages against publishers where there has been a breach of the data protection legislation. In doing so, the amendment seeks to put in place permanently the recoverability of conditional fee agreements—“success fees”—and after-the-event insurance premiums from a losing party in such cases. The recoverability of success fees and ATE insurance premiums, as they are known, has had a chequered history since it was allowed in 2000 by a previous Government. Recoverability of those additional liabilities led to risk-free litigation for claimants and substantial additional costs for defendants. Indeed, Lord Justice Jackson, who has carried out clear and intense reviews on costs, described them as having been,

“the major contributor to disproportionate costs in civil litigation in England and Wales”.

Given those concerns, following Lord Justice Jackson’s 2009 review the coalition Government enacted significant reforms to civil litigation funding and costs, which were implemented, as has been noted, through provisions in Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012—LASPO. The principal aim of the reforms was to control the costs of litigation, especially in relation to no-win no-fee CFA-funded cases. Sections 44 and 46 of the LASPO Act abolished the recoverability of the success fee and ATE insurance premium for most civil cases, as of April 2013. However, those reforms were delayed for defamation and libel cases more generally, and the Government are considering how best to take that matter forward. With that in mind, I suggest that the amendment is inappropriate, given that the pre-LASPO CFA regime continues to apply more broadly to defamation and publication cases. We are considering the way forward more widely, having regard to our obligations under the European Convention on Human Rights, particularly with respect to Article 10.

My noble friend Lord Black also proposed Amendments 170B, 170C and 170D, which concern liability for the criminal offences contained in the Bill in the context of processing for the special purposes. I am reminded of the debates we had during passage of the Digital Economy Act on a similar subject. I am sure noble Lords would agree that its importance has hardly diminished since. It is certainly not the Government’s intention that the offences to which my noble friend refers be applied to journalists acting in the public interest, but I appreciate that the fact a prosecution could be brought is perhaps what concerns my noble friend. I will take these amendments away as well and give them further consideration.

Clauses 164, 165 and 166 establish the circumstances in which, and the processes whereby, enforcement action and legal proceedings may be taken in respect of personal data which are processed for the “special purposes”. That brings me to the amendments tabled by the noble Baroness, Lady Hollins: Amendments 170K, 170L, 170M, 171A, 172AA, 172E and 174AA—I share the observations of the noble Lord, Lord Stevenson, about the mysteries of how amendments come to be listed. The effect of the amendments would be that the relevant clauses of the Bill, which refer to “special purposes”, did not include journalistic processing. Broadly speaking, the amendments would remove “journalistic processing” from the dedicated enforcement regime that applies to data being processed for special purposes, and instead bring it within the scope of the “standard” enforcement regime.

The approach in the Bill follows that adopted in the 1998 Act; it is an approach that, in the Government’s view, has worked successfully for many years and creates a necessary balance between protecting journalists while they carry out their important work and permitting enforcement action, and legal proceedings, in situations where journalists misuse such protections or have no need to rely on them.

Removing the specialist protections that currently apply to journalistic processing would alter this balance, greatly to the detriment of freedom of expression, and would undoubtedly have a significant “chilling effect” on the vital work of journalists to inform us about the world in which we live, and effectively to hold those in power to account. In these circumstances, we do not consider these amendments appropriate, and I invite the noble Baroness, Lady Hollins, not to press them.

Amendments 172A and 172B, tabled by my noble friend Lord Black, mirror amendments to the corresponding parts of the special purposes exemption in Schedule 2, debated during the third day of Committee. These relate to the application of the exemption when the processing is done for other purposes in addition to a special purpose. As my noble friend Lady Chisholm said in the previous debate, this reflects the position under the 1998 Act and we are confident that the media will continue to be able to operate effectively under the Bill. In addition, my noble friend Lord Black raised the concern that drafting changes had narrowed the scope of the material falling into the exemption. There is no intention to narrow, or indeed expand, the scope of the exemption and such changes as can be discerned in the drafting merely reflect current drafting practice.

Amendment 172C from my noble friend Lord Black would remove the commissioner’s power, in Clause 164(3)(c), to make a determination that carrying out the processing in compliance with a provision of the data protection legislation is not incompatible with the special purposes. Amendment 172ZA, tabled by the noble Lord, Lord Stevenson—although he does not intend to move it—would remove the commissioner’s power to make a determination at all. Of course, I fully appreciate the ex post facto assertion of independence on this group by the noble Lord, Lord Stevenson, following his decision not to move his amendment: I have no reason to question his neutrality or his independence in that context.

The noble Viscount, Lord Colville of Culross, also referred to the potential chilling effect of this clause. In doing so, he referred to certain legal advice he had received on a particular matter touching on these provisions. I cannot comment on the quality of the legal advice that the noble Viscount receives, but in the event that he receives the same advice in the same circumstances in future, I politely suggest that he seek a second opinion.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

Taking up the point made by the noble Baroness, Lady Stowell, does the Minister agree that we are introducing, for the first time, vetting of material before it is broadcast, a power that even Ofcom, the regulator set up by government for broadcasting, does not have? Ofcom regulates only after the event. Surely this is a dramatic new intervention.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

The noble Lord makes a perfectly good observation about this provision. It brings me to one of the questions posed independently and neutrally by the noble Lord, Lord Stevenson, on whether the provisions of the Bill as drafted simply implement the provisions of the 1998 Act or extend its provisions. The answer is that they do not change the regime found in the 1998 Act except in respect of Clause 164(3)(c). I acknowledge the significance of that provision and I am happy to look again at that issue in light of the expressions of concern I have heard from around the Committee about it.

Some noble Lords also questioned the need for the provision of assistance in special purposes proceedings. Under Clause 165, individuals who are a party, or a prospective party, to special purposes proceedings may apply to the commissioner for assistance in those proceedings. For the application to be accepted, the commissioner must be convinced that the matter is of substantial public importance. There is, as I have implied, an equivalent provision in the 1998 Act. I understand that it has only ever been used once. In my respectful submission, that in itself indicates the effectiveness of the provision. It is not necessary because people know it is there and can be relied on, but only if that very high test of substantial public importance is met. Therefore, we consider it appropriate to retain this as a safeguard for data subjects. It is, I respectfully suggest, an important contributor to maintaining the balance between privacy and freedom of expression that has to underlie all these provisions.

Amendment 179A, spoken to by the noble Baroness, Lady Hollins, would require the Government to establish an inquiry with terms of reference similar to those contained in part 2 of the Leveson inquiry, but in relation to data protection only. As I have mentioned, a consultation was launched to look at Section 40 of the Crime and Courts Act 2013, which also asked whether proceeding with part 2 of the inquiry was still appropriate, proportionate and in the public interest. As I stated previously, it is the Government’s intention to publish a response to that consultation by Christmas; therefore, we do not believe that this amendment is appropriate, given the decisions that are currently being taken on that matter.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, the Minister stated that the response to the consultation will be published before Christmas. Can he further reassure the Committee that it will be published before Report so that noble Lords can reconsider their amendments?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I am obliged to the noble Baroness. It is the Government’s intention that the consultation response should be published before Christmas. I cannot say that it will be published before Report but we will keep noble Lords advised of any decision with regard to a specific date for publication.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

If is not to be published before Report, would it be possible for me to meet the Minister to discuss these matters?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I am certainly open to any meeting that the noble Baroness would wish to engage in to discuss these matters. In so far as I am able to inform her, and indeed the Committee, of developments, I will seek to do so.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

Just to be helpful to the Committee, if it was published after Report, does the Minister agree that it would be perfectly reasonable to have a Third Reading amendment to reflect whatever has come out of that response?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

With respect to the noble Lord, I am not the litmus test of reasonableness—at least, I have been told that in the past.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

Would the Minister perhaps agree that it would be highly advantageous to the Government—it would be in the Government’s interest—for the response to the consultation to be published before Report? If it is, its contents might well incline those of us who support these amendments to think again about them, whereas if we do not have the benefit of the Government’s response, we may be obliged to carry amendments that the Government would not wish to be carried.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I quite understand the force of the noble Lord’s observations. Nevertheless, I am not in a position to say that the response will be available for publication before Report. I am afraid that we have to proceed on that basis. It may have consequences such as those set out by the noble Lord, and we will have to address those in due course. I am afraid that I cannot go further on this point.

Finally, I come to some of the observations of the noble Lord, Lord McNally, who spoke to his Amendments 185E and 185F. I begin by saying that I have no wish to disappoint either the gentleman on the Clapham omnibus or the noble Lord himself. Therefore, I will endeavour to address the questions that he raised as fully as I can. I take account of his commendable intention to peruse Hansard over breakfast and to come to a view as to whether or not I have fully responded to his points.

Amendments 185E and 185F seek to make the unlawful obtaining of personal data a criminal offence with a custodial sentence of up to two years under Clause 175. Of course we recognise the seriousness of any offence that is committed in this context. That is why it is important that proper thought is given to the introduction of any changes which would seek to put in place custodial penalties that could remove people’s liberty. Under the coalition Government, in March 2011, the noble Lord, Lord McNally, said that the Government would not commence prison sentences for Section 55 offences but would continue to keep the matter under review. At that time Ministers agreed to pursue non-custodial options, instead of a custodial option, including encouraging the use of the Proceeds of Crime Act 2002 and making the offences recordable. Indeed, it is this Government’s intention in this Bill that the offences should now be made recordable. That is addressed in Clause 178.

Again, this is one of those complex areas where we have to achieve a balance between competing rights and obligations. We believe that, for the reasons I sought to set out earlier, we are achieving the right balance with the provisions in the Bill. I hope that the noble Lord will feel open to not moving his amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I will consider that point in a few moments, but I am much reassured that the noble and learned Lord has more respect for the man on the Clapham omnibus than he seems to have for BBC lawyers. That is a step forward.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

No inference can be drawn regarding the considerable respect in which I hold the legal advisers of the BBC.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

If I may put the record straight, it was not a BBC lawyer who advised me.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My respect for all lawyers remains undiminished.

As the noble Lord, Lord Stevenson, observed, some issues of fundamental importance underlie this; I refer not just to press freedom but to fundamental rights. I therefore have welcomed the contributions to this debate, but I hope that at this time the noble Lord, Lord Black, will feel it appropriate to withdraw his amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

Can the noble and learned Lord tell us of any precedent for a Government undertaking a consultation exercise before commencing a provision in a recent Act of Parliament?

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I am not immediately reminded of any precedents, but principle often caps precedent.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I thank all those who have taken part in this thoughtful and important debate—despite the fact that it is the first time I have been likened to someone who has murdered his parents, thwarted the will of Parliament and, according to the noble Lord, Lord Puttnam, is the personification of all the sins of the media. I regret that, given the seriousness of the issues for the academic, literary and artistic worlds, we have yet again had a debate which has largely been dominated by press regulation. We have been round this course so many times that even Sir Mo Farah would have been exhausted by now.

I am inclined to agree with the noble Lord, Lord Stevenson, that this is not really the place to debate press regulation. We should wait to see what the consultation says. Like other noble Lords, I am grateful for confirmation from the noble and learned Lord that we will have a response by Christmas.

There were two very important speeches. The noble Baroness, Lady Stowell, talked about the profound change—I shall get my bit of Latin in again—from post hoc to ex ante. We cannot underestimate the scale of the impact of that across the media, and it is right that the noble and learned Lord should look at that. The noble Viscount, Lord Colville, also made some very powerful comments about the serious implications for investigative broadcast journalism. His point about how the Armstrong Sunday Times case would have been impacted by the Bill was a vivid example of the mischief that currently sits in it.

I am very grateful to the noble and learned Lord for saying that he will look at the issues raised, particularly by Amendments 163, 164A and 170B, and also at Clause 164(3)(c). It has caused concern around the Committee, and he confirmed that it is a change since the 1998 Act that will have profound implications. On that note, I beg leave to withdraw the amendment.

Amendment 163A withdrawn.

Clause 143 agreed.

Clause 144 agreed.

Clause 145: Enforcement notices: restrictions

Amendment 163B not moved.

Clause 145 agreed.

Clauses 146 and 147 agreed.

Schedule 15 agreed.

Clause 148: Penalty notices

Amendment 164

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

164: Clause 148, page 81, line 38, leave out paragraphs (b) and (c) and insert “or

( ) has failed to comply with an information notice, an assessment notice or an enforcement notice,”

Amendment 164 agreed.

Amendments 164A to 164C not moved.

Clause 148, as amended, agreed.

Schedule 16: Penalties

Amendments 165 to 167

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

165: Schedule 16, page 189, line 9, after first “notice” insert “to a person”

166: Schedule 16, page 189, line 11, at end insert “, subject to sub-paragraph (3).

(3) The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.”

167: Schedule 16, page 189, line 21, leave out paragraph (d)

Amendments 165 to 167 agreed.

Schedule 16, as amended, agreed.

Clause 149 agreed.

Clause 150: Maximum amount of penalty

Amendment 168

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

168: Clause 150, page 83, line 40, after “with” insert “an information notice, an assessment notice or”

Amendment 168 agreed.

Clause 150, as amended, agreed.

Clause 151: Fixed penalties for non-compliance with charges regulations

Amendment 168A not moved.

Clause 151 agreed.

Clause 152 agreed.

Clause 153: Guidance about regulatory action

Amendments 168B to 169D not moved.

Clause 153 agreed.

Amendment 169 not moved.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I cannot call Amendment 170, as it is an amendment to Amendment 169.

Clauses 154 to 158 agreed.

Clause 159: Compensation for contravention of the GDPR

Amendment 170A

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

170A: Clause 159, page 89, line 16, leave out “, distress and other adverse effects” and insert “and distress”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I declare my interests as set out in the register, in particular as a partner in the global commercial law firm DAC Beachcroft LLP and as chair of the British Insurance Brokers’ Association.

In debates on the Financial Guidance and Claims Bill, yesterday and on previous days, noble Lords from all sides of the House expressed profound concern and distaste about the damage wreaked by the so-called compensation culture. What is now widely, perhaps universally, recognised is that the compensation culture is driven not by the legitimate claims of those who have been genuinely wronged and suffered damage or loss but by an utterly cynical industry that operates as a fast-moving profit-driven roadshow, exploiting every possible weakness in legislation and every loose judgment of the courts. The compensation system is like a roof that will always leak and this compensation roadshow, motivated purely by financial gain and entirely heedless of the damage it wreaks upon society, is like the relentless rain that will find every crack and gap—even the tiniest hole—and just pour in. Some years ago, I discussed this matter with a senior senator in the United States. I shall never forget his words to me: “The compensation culture is destroying the civility of civil society”.

Thus I explain Amendment 170A, which seeks to delete the words “and other adverse effects”. We all recognise, I think, that we face an inevitable increase in the volume of compensation claims and litigation for data breaches for a number of reasons. First, there is increased awareness of data security incidents as a consequence of mandatory breach notification rules under the European general data protection regulation, the GDPR. Secondly, we are seeing a new right to appoint certain entities to pursue claims on behalf of affected individuals. I must say that the right to appoint a not-for-profit body or charity to pursue claims on an individual’s behalf, with no oversight of qualification of that body, makes me somewhat uneasy. Thirdly, the unique status of privacy and data protection litigation enables a party to claim a success fee on its costs of up to 100% and also the cost of any insurance protection from a losing party.

There are no legal cost protection measures in DPA proceedings, unlike those that apply to personal injury proceedings, which have been designed to ensure effective access to justice while avoiding a disproportionate litigation cost exposure to public bodies, private businesses or individuals. There are good reasons for recent and imminent changes, and of course it is entirely appropriate that those who have suffered genuine damage, loss or distress should have an effective and expeditious route to compensation. Our responsibility as legislators, however, is to do everything within our power to ensure that this new regime remains proportionate to the genuine losses inflicted and to the wider needs of society.

While the quantum of each individual claim is relatively low in this area, the possibility of a wide pool of individuals who might be affected by a DPA breach can result in significant aggregate liability. My fear is that the inclusion of so broad and ill-defined a term as “other adverse effects” in an Act of Parliament would send all the wrong signals. The proposed words threaten to provide uncertainty rather than clarity. Potentially, they would unleash a claims free-for-all as the willingness of the courts to widen the definition came to be vigorously tested. These words do not appear in the European GDPR and raise the possibility of increased litigation, causing disproportionate financial exposure for both the public and the private sectors, a considerable additional burden on the courts and the ineluctable, cynical exploitation by claims management companies of a favourable costs regime for such claims.

I would be interested to learn from the Minister what thinking lies behind the inclusion in this Bill of so broad and nebulous a term as “other adverse effects”, and what estimates have been made of the financial consequences of the increase in litigation consequent upon such a widening of definition, should it be carried through into an Act of Parliament. I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I entirely support my noble friend’s amendment. We have got ourselves into a complete mess in this country on insurance, and motor insurance is a pretty good example. Premiums in this country are about double what they should be. They are the highest in Europe, above even Italy, because of a level of fraud that we encourage by our legislation and by the lack of action from successive Governments to do anything about it. We can see the size of the problem that this clause will generate, if unamended, by what has happened in motor insurance. It leaves an open door to an enormous number of claims management companies, of which 500 or so were seriously active the last time I looked. It is a really big, profitable industry, and it will push into a hole like this with no difficulty at all.

We took a bit of action a while ago on whiplash injuries. Fine, whiplash injuries are down, but rocketing upwards now is, “Oh, I had this crash and now I get a buzzing in my ears”. It is wonderful—a disease which has suddenly appeared from nowhere because the claims management companies need an opportunity to push in here. We must realise what is happening. I hope we will get around to dealing with the general problem at some stage, but to open another door to these people is just foolish.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I thank the noble Lord for his eloquent disquisition, which made me much more aware of the issues than I was before. I have no problem in aligning myself with the two points of view that have just been expressed. I had come to the conclusion partly myself, but to be told that the wording is not in the equivalent article in the European GDPR just adds to my simple conclusion that the words “other adverse effects” add precisely nothing but open a potential cave of dark possibilities. The rain of the noble Lord’s eloquence has found a crack in my roof, and I am very happy to align myself with his remarks.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I also share the concerns expressed by my noble friend Lord Hunt, based on my experience, both in government and in a number of different businesses. We have the experience not only of the motor sector, which has been talked about, but obviously of PPI, where there was compensation that needed to be paid, but the whole business took years and generated not only claims management companies but also nuisance calls and lots of other harms. This is an area that one has to be very careful about, and I support looking at the drafting carefully to see what can be done, and at my noble friend’s idea of trying to estimate the economic impact—the costs—in terms of those affected. That would help one to come to a sensible conclusion on what is appropriate in this important Bill.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I thank my noble friend Lord Hunt for explaining Amendment 170A and other noble Lords who have spoken. The amendment seeks to clarify the definition of “damage” provided by Clause 159 and its relationship to the language used in article 82 of the GDPR. This is important because article 82 of the GDPR provides a right to compensation when a person has suffered damage as the result of an infringement of the rights during the processing of their personal data.

Currently, the type of damage that can be claimed is broader under article 82 than Section 13 of the 1998 Act, as article 82 expressly extends to “non-material” damage. As a result, in drafting the Bill, the Government considered that some definition of “damage” was necessary, including specifying that it extends to distress, to provide clarity and certainty for data subjects and others as to their rights under article 82.

I stress that Clause 159 does not seek to provide a wider definition of “damage” than is currently provided in the GDPR, and nor indeed could it. The intention is simply to clarify the GDPR’s meaning. My noble friend Lord Hunt asked what estimates have been made of the financial consequences of the increase in litigation, but as Clause 159 does not provide a wider definition of damage there will be no financial consequence.

The concept of “damage” included in the GDPR reflects developments in case law over a period of some years. As such, I cannot agree with my noble friend’s suggestion that the Bill or the GDPR will suddenly unleash a free-for-all of claims. However, I am happy to reflect on my noble friend’s point that the Bill’s use of the term “other adverse effects” may unintentionally provide uncertainty rather than clarity. With the reassurance that I will go away and look at that, I hope my noble friend feels able to withdraw his amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am very grateful to my noble friend Lord Lucas. Together we have been trying to ensure that real victims get justice but that we do not create a market for those who fasten on to discomfort and distress to make money themselves, often with no qualifications at all in the whole arena. That is why I believe my noble friend is so right when he says we have to scrutinise everything that we pass now to ensure that it does not open the door to further claims.

I thank the noble Lord, Lord Griffiths of Burry Port, for his very kind remarks, which I much appreciate—whether I have penetrated his roof, as he described it, I am not quite sure, but I certainly got through and I am grateful to him for acknowledging that. I also thank my noble friend Lady Neville-Rolfe, with her great experience in the private and commercial sector. It is right to remind ourselves of what has happened in the past and ensure that we do not create the same problems for ourselves in the future.

I am of course grateful to my noble friend the Minister; I believe my noble friend Lady Chisholm of Owlpen has given me all I was hoping for in the context of this debate in Committee. I would just like her to question those who drafted these words over whether they are right in saying, “All it does is clarify”. It does not. Why do we need to add words that are not there in the first place? I understand that we need to rectify Section 13 of the 1998 Act in light of the new legislation, but can we please find a better way to do so without at the same time opening the door to all these additional claims that might well arise unless we are vigilant and stop them before the legislation becomes part of an Act of Parliament? I am grateful to the Minister and beg leave to withdraw the amendment.

Amendment 170A withdrawn.

Clause 159 agreed.

Clause 160 agreed.

Amendments 170AA to 170AC not moved.

Clause 161: Unlawful obtaining etc of personal data

Amendments 170B and 170C not moved.

Clause 161 agreed.

Clause 162: Re-identification of de-identified personal data

Amendment 170CA

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

170CA: Clause 162, page 91, line 3, leave out “de-identified” and insert “anonymised”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, this is a relatively narrow point and affects only a very small part of the Bill, but is still quite important. The amendments in the group mainly cover the question of how the Bill can reach out to the question about anonymisation and how, or not, it plays against de-identification. There are two amendments and a clause stand part Motion which relate to other slightly different issues, which we will get to in turn.

Amendment 170CA would insert into the Bill the term “anonymisation”, as there is no definition of de-identification in the Bill. I will come back to explain what that means in practice. Amendment 170CB provides an important exemption for data scientists and information security specialists dealing with a particular area, because there is a fear that the introduction of criminal sanctions might mean that they would be caught when they are trying to consider the issue for scientific and other reasons. Amendment 170CC adds a definition of identified data—after all, if it is to be criminalised, there needs to be a definition. This definition will cover cases which involve names of individuals, but will also cover those where fingerprints, for instance, are used to identify people.

The clause creates a new offence of knowingly or recklessly re-identifying information that has been de-identified without the consent of the controller. Amendment 170F asks for guidance relating to this offence. It is at the request of the Royal Society, because it wants clarity on the legal basis for processing.

Amendment 170G concerns transparency. If we are going to go into this area, it is very important that we know more about what is happening. The amendment suggests that the Information Commissioner,

“must set standards by which a data controller is required to anonymise personal data”.

There may be lots of new technologies soon to be invented or already available, and it is important that the way in which this important work goes forward can be flexed as and when new technologies come forward. We think that the Information Commissioner is in the strongest position to do that.

The other set of amendments to which our names are attached, Amendments 170E and 170H, relate to particular problems that can arise in large databases within health. There is a worry that where re-identification occurs by accident or just through the process of using the data, an offence will be created. MedConfidential suggests that some form of academic peer reviewing might be useful in trying to assess whether this was a deliberate act or just an unfortunate consequence of the work being done by those looking at the dataset concerned. The further amendment, Amendment 170H, clarifies whether an offence actually occurs when the re-identification work applies to disseminated NHS data —which of course, by its very nature, is often rather scattered and difficult to bring together. There is a particular reason for that, which we could go into.

At the heart of what I just said is a worry that certain academics have communicated to us: that the Bill is attempting to address what is in fact a fundamental mathematical problem—that there is no real way of making re-identification illegal—with a legal solution, and that this approach will have limited impact on the main privacy risks for UK citizens. If you do not define de-identification, the problem is compounded. The reference I have already made suggests that there might be advantage to the Bill if it used the terms used in the GDPR, which are anonymisation and pseudonymisation.

The irony which underlies the passion with which we have received submissions on this is that the people likely to be most affected by this part of the Bill are UK information security researchers, one of our academic strengths. It seems ironic that we should be putting into the Bill a specific criminal penalty which would stop them doing their work. Their appeal to us, which I hope will not fall on stony ground, is that we should look at this again. This is not to say in any sense that it is not an important issue, given the subsequent pain and worry that happens when datasets certified as anonymised are suddenly revealed as capable of being cracked, so people can pick up not just details of information about dates of birth or addresses but much more important stuff to do with medical health. So it is very important—and others may want to speak to the risk that it poses also to children, in particular. I hope that that is something that we might pick up.

There needs to be a proper definition in the Bill, whatever else we do about it, and that would be right in a sense. But we would like transparency about what is happening in this area, so that there is more certainty than at present about what exactly is meant by anonymous data and whether it can be achieved. That could be solved if the Information Commissioner is given responsibility for doing it. I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

We are in the thickets here at the interface between technology, techno-speak and legality. Picking our way through Clause 162 is going to be rather important.

There are two schools of thought. The first is that we can amend this clause in fairly radical ways—and I support many of the amendments proposed by the noble Lord, Lord Stevenson. Of course, I am speaking to Amendment 170E as well, which tries to simplify the language and make it much more straightforward in terms of retroactive approval for actions taken in this respect, and I very much hope that parliamentary draftsmen will approve of our efforts to simplify the language. However, another more drastic school of thought is represented by many researchers—and the noble Lord, Lord Stevenson, has put the case very well that they have put to us, that the cause of security research will be considerably hampered. But it is not just the research community that is concerned, although it is extremely concerned by the lack of definition, the sanctions and the restrictions that the provisions appear to place on their activities. Business is also concerned, as numerous industry practices might be considered illegal and a criminal offence, including browser fingerprinting, data linkage in medicine, what they call device reconciliation or offline purchases tracking. So there is a lot of uncertainty for business as well as for the academic research community.

This is where we get into the techno-language. We are advised that modern, privacy-enhancing technologies such as differential privacy, homomorphic encryption—I am sure that the Minister is highly familiar with that—and question and answer systems are being used and further developed. There is nothing worse than putting a chill on the kind of research that we want to see by not acknowledging that there is the technology to make sure that we can do what we need to do and can keep our consumers safe in the circumstances. The fact is that quite often anonymisation, as we are advised, can never be complete. It is only by using this new technology that we can do that. I very much hope that the Minister is taking the very best legal and technology advice in the drafting and purposes of this clause. I am sure that he is fully aware that there is a great deal of concern about it.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I rise to support the noble Lords, Lord Stevenson and Lord Clement-Jones, and some of the amendments in this group on this, the final day in Committee. I congratulate my noble friends Lord Ashton and Lady Chisholm of Owlpen as well as the indefatigable Bill team for taking this gargantuan Bill through so rapidly.

The problem caused by criminalising re-identification was brought to my attention by one of our most distinguished universities and research bodies, Imperial College London. I thought that this was a research issue, which troubled me but which I thought might be easy to deal with. However, talking to the professor in the computational privacy group today, I found, as the noble Lord, Lord Clement-Jones, said, that it goes wider and could cause problems for companies as well. That leads me to think that I should probably draw attention to my relevant interests in the House of Lords register of interests.

The computational privacy group explained that the curious addition of Clause 162—which is different in character and language from other parts of the Bill, as the noble Lord, Lord Stevenson, said—draws on Australian experience, but risks halving the work of the privacy group, which is an academic body, and possibly creating costs and problems for other organisations and companies. I am not yet convinced that we should proceed with this clause at all, for two reasons. First, it will not address the real risk of unethical practice by people outside the UK. As the provision is not in the GDPR or equivalent frameworks in most other countries, only UK and Australian bodies or companies will be affected, which could lead to the migration of research teams and data entrepreneurs to Harvard, Paris and other sunny and sultry climes. Secondly, because it will become criminal in the UK to re-identify de-identified data—it is like saying “seashells on the seashore”—the clause could perversely increase the risk of data being re-identified and misused. It will limit the ability of researchers to show up the vulnerability of published datasets, which will make life easier for hackers and fraudsters—another perversity. For that reason, it may be wise to recognise the scope and value of modern privacy-enhancing technologies in ensuring the anonymous use of data somewhere in the Bill, which could perhaps be looked at.

I acknowledge that there are defences in Clause 162 —so, if a person faces prosecution, they have a defence. However, in my experience, responsible organisations do not much like to rely on defences when they are criminal prohibitions, as they can be open to dispute. I am also grateful to the noble Lord, Lord Stevenson— I am so sorry about his voice, although it seems to be getting a bit better—for proposing an exemption in cases where re-identification relates to demonstrating how personal data can be re-identified or is vulnerable to attack. However, I am not sure that the clause and its wider ramifications have been thought through. I am a strong supporter of regulation to deal with proven harm, especially in the data and digital area, where we are still learning about the externalities. But it needs to be reasonable, balanced, costed, careful and thought through—and time needs to be taken for that purpose.

I very much hope that my noble friend the Minister can find a way through these problems but, if that is not possible, I believe that the Government should consider withdrawing the clause.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I very much support what my noble friend has just said. The noble Lord, Lord Stevenson, has tried to give an exemption for researchers, but a lot of these things will happen in the course of other research. You are not spending your time solely trying to break some system; you are trying to understand what you can get from it, and suddenly you see someone you know, or you can see a single person there. It is something that you can discover as a result of using the data; you can get to the point where you understand that this is a single person, and you could find out more about them if you wanted to. If it is a criminal offence, of course, you will then tell nobody, which rather defeats the point. You ought to be going back to the data controller and saying that it is not quite right.

There are enormous uses in learning how to make a city work better by following people around with mobile phone data, for instance, but how do you anonymise it? Given greater computational power and more datasets becoming available, what can you show and use which does not have the danger of identifying people? This is ongoing technology—there will be new ways of breaking it and of maintaining privacy, and we have to have that as an active area of research and conversation. To my mind, this clause as it presently is just gets in the way.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am grateful to all noble Lords who have spoken on this very important clause. I agree very much with the noble Lords, Lord Clement-Jones and Lord Stevenson, that these are important issues which we need to consider. The amendments seek to amend Clause 162, which introduces the offence of re-identifying data that has been de-identified. I will start by giving some background to this clause because, as noble Lords have mentioned, this is new to data protection legislation.

Pseudonymisation of datasets is increasingly commonplace in many organisations, both large and small. This is a very welcome development: where sensitive personal data is being processed in computerised files, it is important that people know that data controllers are taking cybersecurity seriously and that their records are kept confidential. Article 32 of the GDPR actively encourages controllers to implement technical and organisational measures to ensure an appropriate level of security, including, for example, through the pseudonymisation and encryption of personal data.

As noble Lords will be aware, the rapid advancement of technology has opened many doors for innovation in these sectors. However, as we continue to be able to do more with technology, the risk of its misuse also grows. Online data hackers and scammers are a much more prominent and substantial threat than was posed in 1998, when the original Data Protection Act was passed. It is appropriate, therefore, that the Bill addresses the contemporary challenges posed by today’s digital world. This clause responds to concerns raised by the National Data Guardian for Health and Care and other stakeholders regarding the security of data kept in online files, and is particularly timely following the well-documented cyberattacks on public and private businesses over the last few years.

It is important to note that the Bill recognises that there might be legitimate reasons for re-identifying data without the consent of the controller who encrypted it. The clause includes a certain number of defences, as my noble friend Lady Neville-Rolfe mentioned. These can be relied on in certain circumstances, such as where re-identification is necessary for the purpose of preventing or detecting crime, to comply with a legal obligation or is otherwise necessary in the public interest. I am aware that some academic circles, including Imperial College London, have raised concerns that this clause will prohibit researchers testing the robustness of data security systems. However, I can confidently reassure noble Lords that, if such research is carried out with the consent of the controller or the data subjects, no offence is committed. Even if the research is for legitimate purposes but carried out without the consent of the controller who de-identified the data in the first place, as long as researchers act quickly and responsibly to notify the controller, or the Information Commissioner, of the breach, they will be able to rely on the public interest defences in Clause 162. Finally, it is only an offence to knowingly or recklessly re-identify data, not to accidentally re-identify it. Clause 162(1) is clear on that point.

I turn to the specific amendments that have been tabled in this group. Amendment 170CA seeks to change the wording in line 3 from “de-identified” to “anonymised”. The current clause provides a definition of de-identification which draws upon the definition of “pseudonymisation” in article 4 of the GDPR. We see no obvious benefit in switching to “anonymised”. Indeed, it may be actively more confusing, given that recital 26 appears to use the term “anonymous information” to refer to information that cannot be re-identified, whereas here we are talking about data that can be—and, indeed, has been—re-identified.

Amendment 170CB seeks to provide an exemption for re-identification for the purpose of demonstrating how the personal data can be re-identified or is vulnerable to attacks. The Bill currently provides a defence for re-identification where the activity was consented to, was necessary for the purpose of preventing or detecting crime, was justified as being in the public interest, or where the person charged reasonably believes the activity was, or would have been, consented to. So long as those re-identifying datasets can prove that their actions satisfy any of these conditions, they will not be guilty of an offence. In addition, we need to be careful here not to create defences so wide that they become open to abuse.

Amendment 170CC seeks to add to the definition of what constitutes re-identification. I agree with the noble Lord that current techniques for re-identification involve linking datasets. However, we risk making the offence too prescriptive if we start defining exactly how re-identification will occur. As noble Lords, including the noble Lord, Lord Clement-Jones, mentioned, as technology evolves and offenders find new ways to re-identify personal data, we want the offence to keep pace.

Amendment 170E seeks to add an extra defence for persons who achieve approval for re-identifying de-identified personal data after the re-identification has taken place. The current clause provides a defence where a person acted in the reasonable belief that they would have had the consent of the controller or the data subject had they known about the circumstances of the re-identification. Retroactive approval for the re-identification could be relied on as evidence in support of that defence, so we believe that there is no need to provide a separate defence for retroactive consent.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I think that the noble Lord is misreading the amendment. As I read my own amendment, I thought it was substitutional.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

If we are talking about Amendment 170E, I am certainly prepared to look at that and address it.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

That may have been the original intention, but perhaps it was never put properly into effect.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

In which case, I will read Hansard, the noble Lord can do so and I am sure we will come to an arrangement. We can talk about that, if necessary.

Amendment 170F seeks to require the commissioner to produce a code of practice for the re-identification offence three months after Royal Assent. We can certainly explore with the commissioner what guidance is planned for this area and I would be happy to provide noble Lords with an update on that in due course. However, I would not like to tie the commissioner to providing guidance by a specific date on the face of the Bill. It is also worth mentioning here that, as we discussed on a previous day in Committee, the Secretary of State may by regulation require the commissioner to prepare additional codes of practice for the processing of personal data under Clause 124 and, given the issues that have been raised, we can certainly bear those powers in mind.

Finally, Amendments 170G and 170H would oblige the commissioner to set standards by which the controller is required to anonymise personal data and criminalise organisations which do not comply. I reassure noble Lords that much of this work is under way already and that the Information Commissioner’s Office has been working closely with government, data controllers and the National Cyber Security Centre to raise awareness about improving cybersecurity, including through the use of pseudonymisation of personal data.

It is important to point out that there is no weakening of the provisions contained in article 5 of the GDPR, which require organisations to ensure appropriate security of personal data. Failure to do so can, and will, be addressed by the Information Commissioner, including through the use of administrative penalties. Some have said that criminalising malicious re-identification would create complacency among data controllers. However, they still have every incentive to maintain security of their data. Theft is a criminal offence but I still lock my door at night. In addition, I am not convinced by the mechanism the noble Lord has chosen. In particular, criminalising failure to rely on guidance would risk uncertainty and unfairness, particularly if the guidance was wrong in law in any respect.

I accept that the issues noble Lords have raised are important but I hope that, in view of these reassurances, the amendment will be withdrawn, and that the House will accept that Clause 162 should stand part of the Bill. There are reasons for wanting to bring in this measure, and I can summarise them. These were recommendations in the review of data security, consent and opt-outs by the National Data Guardian, who called for the Government to introduce stronger sanctions to protect de-identified patient data. People are generally more willing to participate in medical research projects if they know that their data will be pseudonymised and held securely, and the Wellcome Trust, for example, is supportive of the clause. I hope that those reassurances will allow the noble Lord to withdraw his amendment and enable the clause to stand part of the Bill.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I thank the noble Baroness, Lady Neville-Rolfe, and welcome her to her first full session. I am glad that we have been able to reorganise our timings so that she has been able to attend and contribute—something that we have missed until now. I also thank the noble Lords, Lord Lucas and Lord Clement-Jones, for their comments and support for this series of amendments.

There is a whiff of Gilbert and Sullivan about this. We are talking about a technology that has not yet settled down, and about protections which I do not in any way say are wrong. The technology is still developing and still uncertain, and we are told by experts that what the Bill is trying to do cannot happen anyway. The amendments offer the Government the chance to think again about the need to find a progressive path. We set out on what is often a voluntary basis, under the Government’s approach, with a code that works. People are brought in and consulted, and eventually the crime to be committed is defined—until we have that, we really do not have anything—and we try to be respectful of the fact that people would move out of the sector if they felt that their work would be attacked because it was illegal.

I am grateful to the noble Lord for listening to the debates. I hope that we can have a meeting about this to pick up some of the points and take the matter forward from there. I beg leave to withdraw the amendment.

Amendment 170CA withdrawn.

Amendments 170CB to 170H not moved.

Debate on whether Clause 162 should stand part of the Bill.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I simply wish to associate myself with the comments of the noble Lord, Lord Stevenson, and say that a meeting on this would be helpful. As I said, I hope that we can find a solution. If we cannot, I have reservations about this measure being part of the Bill.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I make it plain to my noble friend—my predecessor in this position—that I will arrange a meeting.

Clause 162 agreed.

Clause 163: Alteration etc of personal data to prevent disclosure

Amendment 170J

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

170J: Clause 163, page 92, line 24, at end insert—

“( ) In this section, a request made by a data subject under subsection (1)(a) includes, but is not limited to, requests about reviews written by a third party about workers.”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, Amendment 170J, which stands in my name and that of my noble friend Lord Stevenson of Balmacara, seeks to address an issue that I am not convinced is sufficiently covered in the Bill as it stands.

Freelance workers or self-employed people—whatever you want to call them—offering a range of services and seeking work through various platforms, have sprung up in recent years. In many cases, their customers are able to rate them and the work they have done. However, these individuals often find that they cannot take that rating information with them if they move on to another platform. The reviews are written by third parties, who rate the quality of the work, and understandably it is very valuable to the trades- persons if they can carry those reviews forward with them.

This is a very strange situation. Various companies often maintain that they do not have employees and that they are merely acting as a platform, a noticeboard or a portal where people can find tradespersons. However, those tradespersons then find that it is not very easy to take information about them with them when they move on. This is intended as an enabling amendment to put on the face of the Bill that data subjects have the right to take with them the information written about them by third parties when they move on to another platform.

At this stage, this is obviously a probing amendment but I am keen to hear what the noble Lord has to say about this issue. It is important for the people concerned—if you have done a good job, you want to take recognition of that with you. I look forward to the noble Lord’s response.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am grateful to the noble Lord, Lord Kennedy, for turning the Committee’s attention to the provisions in Clause 163. The clause makes it a criminal offence for a data controller, or somebody employed by the controller, to deliberately frustrate a subject access request by altering, defacing or destroying information that a person would have been entitled to receive.

This offence is not new. A similar offence was provided for in Section 77 of the Freedom of Information Act 2000. The only difference between the offence in Clause 163 and the offence in the Act is that the latter was limited to the handling of subject access requests by public authorities and their employees and agents, whereas Clause 163 extends this to apply to all controllers.

The noble Lord’s amendment would make it clear that the offence applies where a data subject requests personal data about them contained in a review about workers written by a third party. I am grateful to the noble Lord for explaining the background to the amendment; nevertheless, I submit that it is unnecessary. Article 15 of the GDPR makes it clear that the data subject has the right to obtain from the controller confirmation as to whether data about him or her is being processed, as well as access to that data. Whether a report about the data subject was compiled by a third party or processor acting on the controller’s behalf is irrelevant, as it still amounts to personal data held by the controller.

It is always unacceptable for any controller to destroy or deface personal data with the sole intention of preventing somebody accessing what they were entitled to. That is precisely why Clause 163 creates a criminal offence targeted on that particular activity.

I hope that I have addressed the noble Lord’s concerns. If I have not, of course I will be more than happy to discuss them with him later. Therefore, I hope that he will be able to withdraw the amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I thank the noble Lord for his response. He has not really addressed the point that I was making, so I will be very happy to have a discussion outside the Chamber. This is a real problem that is happening now and I am not convinced that what we have in the Bill will be enough to deal with it. It may well be that my amendment is not in the right place, but there is an issue with people not easily accessing data that is held on them, particularly for the self-employed and others seeking work through various platforms.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

If we have misunderstood the noble Lord’s intention behind the amendment, I apologise. As I said, we will be happy to discuss it with him.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I do not think that the noble Lord misunderstood; it is just that there are several issues around the gig economy that we need to look at, and I shall be happy to discuss them outside the Chamber. I beg leave to withdraw the amendment.

Amendment 170J withdrawn.

Clause 163 agreed.

Clause 164: The special purposes

Amendments 170K to 170M not moved.

Amendment 171

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

171: Clause 164, page 93, line 6, leave out from “processor” to “which” in line 7

Amendment 171 agreed.

Amendment 171A not moved.

Amendment 172

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

172: Clause 164, page 93, line 8, at end insert “and which are—

(a) proceedings under section 158 (including proceedings on an application under Article 79 of the GDPR), or(b) proceedings under Article 82 of the GDPR or section 160 .”

Amendment 172 agreed.

Amendments 172ZA to 172C not moved.

Clause 164, as amended, agreed.

Clause 165: Provision of assistance in special purposes proceedings

Amendment 172D not moved.

Clause 165 agreed.

Clause 166: Staying special purposes proceedings

Amendment 172E not moved.

Amendments 173 and 174

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

173: Clause 166, page 94, line 27, leave out “or tribunal”

174: Clause 166, page 94, line 28, leave out “or tribunal”

Amendments 173 and 174 agreed.

Amendments 174A to 174B not moved.

Amendments 175 to 179

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

175: Clause 166, page 94, line 34, leave out “or tribunal”

176: Clause 166, page 94, line 34, after “stay” insert “or, in Scotland, sist”

177: Clause 166, page 94, line 38, leave out “or tribunal”

178: Clause 166, page 94, line 38, after “stay” insert “or sist”

179: Clause 166, page 94, line 42, after “stayed” insert “or sisted”

Amendments 175 to 179 agreed.

Clause 166, as amended, agreed.

Clause 167 agreed.

Amendment 179A not moved.

Clause 168: Interpretation of Part 6

Amendment 180

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

180: Clause 168, page 95, leave out lines 23 to 26

Amendment 180 agreed.

Clause 168, as amended, agreed.

Clause 169: Regulations and consultation

Amendments 180A and 180B not moved.

Amendment 181

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

181: Clause 169, page 96, line 8, leave out “or 24”

Amendment 181 agreed.

Clause 169, as amended, agreed.

Amendments 182 to 182C not moved.

Clause 170: Power to reflect changes to the Data Protection Convention

Amendments 182D to 182G not moved.

Clause 170 agreed.

Amendment 183 not moved.

Clause 171 agreed.

Schedule 17 agreed.

Clause 172: Avoidance of certain contractual terms relating to health records

Amendment 183A

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

183A: Clause 172, page 97, line 44, after “in” insert “or associated with”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, in moving Amendment 183A I hope to astonish the Minister with my brevity. Clause 172 deals with the avoidance of certain contractual terms related to health records so that,

“A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which — … (a) consists of the information contained in a health record, and … (b) has been or is to be obtained by a data subject in the exercise of a data subject access right”.

The NHS has committed to informing patients how their medical records are used. The legal protections in the Bill against an enforced subject access request on a medical record should also apply to such information about that record. Does this provide the required protection? I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I think that must be a record.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

We try.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

It is probably for the best that we are not doing a seventh day in Committee because the noble Lord, Lord Stevenson, has told us that his voice is going and I seem to have an infected eye. Slowly, we are falling by the way, so it is probably just as well that this is our last evening.

This amendment seeks to amend Clause 172, which concerns contractual terms relating to health records. As noble Lords are aware, the Bill will give people more control over use of their data, providing stronger access rights as well as new rights to move or delete personal data. Data subject access rights are intended to aid people in getting access to information held about them by organisations. While subject access provisions are present in current data protection law, the process will be simplified and streamlined under the new legal framework, reflecting the importance of data protection in today’s digital age.

There are, unfortunately, a minority of instances where service providers and employers seek to exploit the rights of data subjects, making it a condition of a contract that a person supplies to them health records obtained through use of their data subject access rights. It is with this in mind that Clause 172 was drafted, to protect data subjects from abuses of their rights. Organisations are able to use provisions in the Access to Medical Reports Act 1988 to gain access to a person’s health records for employment or insurance purposes, and so should not be unduly relying upon subject access rights to acquire such information.

Amendment 183A seeks to widen the clause to include prohibiting contractual terms from including a requirement to use subject access rights to supply a person with information “associated with” as well as “in” a health record. While I can see where the noble Lord is coming from with the amendment and appreciate the willingness further to protect data subjects from exploitation, we are not convinced that it is necessary to widen the scope of this clause. The Government believe that avoidance of contractual terms—that is to say a restriction on parties’ freedom of contract—is not something that should legislated for lightly. Our starting point must be that contractual terms are voided only where there is a known, rather than a hypothetical, abuse of them.

It is also important to point out that the clause has been carried over from the 1998 Act, which has served us well for many years and we are not aware of any issues with its scope. But I will certainly carefully read the noble Lord’s contribution in Hansard, and with this in mind I encourage the noble Lord to withdraw his amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I thank the Minister. She will not need to spend very long reading my contribution in Hansard, as she will appreciate, but I pledge to read what she had to say. The interplay with the Access to Medical Reports Act may be of some importance in this, but on both sides we may need to reflect a little further. The case being made is that, because the NHS is making more information available about the use of patient records, it may be appropriate to change the legislation, which, as the Minister said, may have been fit for purpose for a period of time but now, in the light of new circumstances, may need changing. Indeed, it may not be “hypothetical” any more, to use her word. I will reflect on what the Minister said, but if there is scope for further improvement of the clause, I hope that it might be considered at a future stage. In the meantime, I beg leave to withdraw the amendment.

Amendment 183A withdrawn.

Clause 172 agreed.

Clause 173: Representation of data subjects

Amendment 184

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

184: Clause 173, page 98, line 20, at end insert—

“( ) In relation to the processing of personal data to which the GDPR applies, Article 80(2) of the GDPR (representation of data subjects) permits and this Act provides that a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate, under—(a) Article 77 (right to lodge a complaint with a supervisory body);(b) Article 78 (right to an effective judicial remedy against a supervisory authority); and(c) Article 79 (right to an effective judicial remedy against a controller or processor),of the GDPR if it considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, at earlier stages of the Bill, the Minister and others have been at pains to stress the need to ensure that, whatever we finally do, the Bill should help to build trust between those who operate and accept data and those who provide it—the data subjects. It is important that we look at all aspects of that trust relationship and think about what we can do to make sure that it fructifies. Amendment 184 tries to add to the Bill something that could be there, because it is provided for in the GDPR, but is not there. Will the Minister explain when he responds why article 80(2) of the GDPR is not translated into UK legislation, as could happen? The proposed new clause would provide that,

“a body or other organisation which meets the conditions set out in that Article has the right to lodge a complaint, or exercise the rights, independently of a data subject’s mandate”.

I will largely leave the noble Lord, Lord Clement-Jones, to introduce Amendment 185 because he has a new and brief style of introduction, which we like a lot.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

It is not a new style.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

It is certainly new to me. He may have been here a lot longer than I have and there have been other occasions where he has been less than fulsome in his contributions. But I am not in any sense criticising him because everything he says has fantastic precision and clarity, as befits a mere solicitor. It is important that we give him the chance to shine on this particular issue as well.

I mentioned what a pleasure it is to have the noble Baroness, Lady Neville-Rolfe, here today, particularly because she will speak very well to the fact that only a few happy months ago we worked on the Consumer Rights Bill, which is now an Act, in which a power was given to private enforcers to take civil action in courts to protect collective consumer rights via an enforcement order. The campaigning consumer body Which? is the designated private enforcer.

Also, in the financial sector, Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present super-complaints to the FCA. The super-complainant system is working very well; one reason why the PPI mis-selling scandal was discovered was as a result of the work of Citizens Advice. These independent enforcers of consumer rights in the traditional consumer sector and in the consumer finance sector exist. Why is there no equivalent status for digital consumer enforcers? That is the question raised by the amendment.

The powers for independent action here are important in themselves and I am sure other noble Lords will speak to that point, but they are also really important at the start of this new regime we are bringing in. With the new Data Protection Bill we have a different arrangement. Far more people are involved and a lot more people are having to think harder about how their data is being used. It makes absolute sense to have a system that does not require too much knowledge or detail, which was aided and abetted by experts who had experience in this, such as Which? and others, and would allow those who are a little fazed by the whole process of trying to raise an action and get things going to have a steady hand that they know will take it on behind them.

The Government will probably argue that by implementing article 80(1) of the GDPR they are providing effectively the same service. That is a system under which an individual can have their case taken up by much the same bodies as would be available under article 80(2). However, when an individual complainant is working with a body such as Which?, we are probably talking about redress of the individual whose rights have been breached in some way and exacting from the company or companies concerned a penalty or some sort of remuneration. One can see in that sense that the linking between the individual and the body that might take that on is important and would be very helpful.

However, there are cases—recent ones come to mind such as TalkTalk, Equifax, Cash Converters and Uber—where data has gone missing and there has been a real worry about what information has escaped and is available out there. I do not think that in those cases we are talking about people wanting redress. What they want is action, such as making sure that their credit ratings are not affected by their data having come out and that they could perhaps get out of contracts. One of the issues that was raised with EE and TalkTalk was that people had lost confidence in the companies and wanted to be able to get out of their contracts. That is not a monetary penalty but a different form of arrangement. In some senses, just ongoing monitoring of the company with which one’s data is lodged might be a process. All that plays to a need to have in law in Britain the article 80(2) version of what is in the GDPR. I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I strongly support Amendment 184. The Minister will have noticed that Amendment 185 would simply import the same provisions into applied GDPR for this purpose. The rationale, which has been very well put forward by the noble Lord, Lord Stevenson, is precisely the same.

I do not know whether the Minister was choking over his breakfast this morning, but if he was reading the Daily Telegraph—he shakes his head. I am encouraged that he was not reading the Daily Telegraph, but he would have seen that a letter was written to his right honourable friend Matt Hancock, the Digital Minister, demanding that the legislation can and should contain the second limb that is contained in the GDPR but is not brought into the Bill. The letter was signed by Which?, Age UK, Privacy International and the Open Rights Group for all the reasons that the noble Lord, Lord Stevenson, put forward. The noble Lord mentioned a number of data breach cases, but the Uber breach came to light only last night. It was particularly egregious because Uber did not tell anybody about it for months and, as far as one can make out from the press reports, it was a pay-off. There is a very important role for such organisations to play on behalf of vulnerable consumers.

The Which? survey was particularly important in that respect because it showed that consumers have little understanding of the kind of redress that they may have following a data breach. A recent survey shows that almost one in five consumers say that they would not know how to claim redress for a data breach, and the same proportion do not know who would be responsible for helping them when data is lost. Therefore the equivalent of a super-complaint in these circumstances is very important. To add to that point, young people are often the target of advertising and analysis using their personal data. I think they would benefit particularly from having this kind of super-complaint process for a data breach.

I hope very much that the Government, who I believe are conducting some kind of review, although it is not entirely clear, will think about this again because it is definitely something we will need to bring back on Report.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I support Amendment 184. As the noble Lord, Lord Stevenson, said, the GDPR does allow not-for-profit organisations to lodge complaints about suspected breaches of data protection without needing the authorisation of the individuals concerned. I really do not understand why this has been taken out; it is such an important piece of legislation that gives teeth to data protection. Most people do not have the time or the inclination to lodge complaints against data controllers. So many organisations are now holding data about us that it is ridiculous to suggest that individuals can become data detectives responsible for finding out who holds data on them and trying to work out whether that data is being processed in accordance with data protection rules.

I went through the hassle of getting my own subject access request from the Met police. It took a lot of form filling and cost me £10, which was absolutely not money well spent because the file, when I got it, was so redacted. I did ask for my money back but was not given it. That shows me that most of us will not know that data about us is being held—so the amendment is extremely valid.

Despite my opposition to some provisions in the Bill, I accept that it is very important. However, it is equally important that we get it right and that we do not have all these derogations which mean that it has less authority and power. Personally, I think that the amendment strengthens the data protection regime without any hassle for consumers. I hope that the Government will include it in the next iteration of the Bill.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I, too, support the amendment. One thing that we can all agree on is that data regulations is a complex and highly technical area of the law. As the Bill stands, it asks members of the public to become experts on the subject, which actually creates a significant barrier to its successful implementation. My particular and declared interest in the Bill is the rights of children. It is a pervasive myth in the digital environment that all users are equal. That is a category error, because if all users are equal, children are treated in the digital environment as adults and their long-established rights and privileges do not then apply. So it is on behalf of that demographic that I want to say specifically that this amendment is very important.

Without the amendment, a child would be expected to take on the very adult responsibility of being a named complainant in a regulatory or judicial complaint for a breach of data law. In the case of a child, such a complaint is very likely to be made against a multimillion or indeed multibillion dollar corporation. That cannot be, in anybody’s mind, a fair fight. While the noble Lord’s amendment and indeed the GDPR are designed to benefit all users, I point out that the amendment usefully aligns with the recommendation made by the Children’s Commissioner and the House of Lords Communications Committee that children urgently need champions in the digital environment.

We have seen special provision being made in the Bill for libraries, archivists, the insurance industry, security and intelligence, and possibly even for journalists this evening. Given that, I am waiting for the Government to concede that, like all these other special needs groups, children are data subjects with specific needs. One of those needs is to have an informed advocate if they have a complaint. So, although I do not think that the amendment would adequately fulfil that role, because I would like to see something more formal, it would at least go some way to providing support for children should they have a complaint.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, without these amendments, I do not see how the Bill can provide an adequate remedy when a large number of people suffer a small degree of damage.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am grateful to all noble Lords who have contributed—in particular my noble friend Lord Lucas, who was even briefer than the noble Lord, Lord Clement-Jones. He made his point very succinctly and well.

With the greatest respect to the noble Lords, Lord Stevenson and Lord Clement-Jones—and I do mean that sincerely—during the passage of the 443 amendments in Committee that we are rapidly approaching the end of, we have listened carefully to each other, but in this case I am afraid that we reject Amendments 184 and 185 as being unnecessary. We believe that they are not required because the Bill already provides sufficient recourse for data subjects by allowing them to give consent to a non-profit organisation to represent their interests.

Clause 173, in conjunction with article 80(1) of the GDPR, provides data subjects with the right to authorise a non-profit organisation which has statutory objectives in the public interest and which is active in the field of data protection to exercise the rights described in Clauses 156 to 160 of the Bill. Taken together with existing provision for collective redress, and the ability of individuals and organisations to independently complain to the Information Commissioner where they have concerns, groups of like-minded data subjects will have a variety of redress mechanisms from which to choose. It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.

Furthermore, we would argue that the amendment is premature. If we were to make provision for article 80(2), it would be imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR but of other similar provisions in UK law to ensure that they are operating in the interests of data subjects and not third parties. We would also need to assess, for example, how effective the existing law has been in dealing with issues such as aggregate damages, which cases brought under article 80(2) might be subject to.

More generally, the Bill seeks to empower data subjects and ensure that they receive the information they need to enforce their own rights, with assistance from non-profit organisations if they wish. The solution to a perceived lack of data subject engagement cannot be to cut them out of the enforcement process as well. Indeed, there is a real irony here. Let us consider briefly a claim against a controller who should have sought, but failed to get, proper consent for their processing. Are noble Lords really suggesting that an unrelated third party should be able to enforce a claim for not having sought consent without first seeking that same consent?

We should also remember that these not-for-profit organisations are active in the field of data subjects’ rights; indeed, the GDPR states that they have to be. While many—the noble Lord, Lord Clement-Jones, mentioned Which?—will no doubt have data subjects’ true interests at heart and will be acting in those best interests, others will have a professional interest in achieving a different outcome: raising their own profile, for example.

I know that these amendments are well intentioned and I do have some sympathy with the ambition of facilitating greater private enforcement to complement the work of the Information Commissioner. But, for the reasons I have set out, I am not convinced that they are the right solution to the problems identified by noble Lords, and I therefore urge the noble Lord to withdraw his amendment.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am baffled by the Minister’s response. The Government have taken on board huge swathes of the GDPR; in fact, they extol the virtues of the GDPR, which is coming into effect, as are many of its articles. Yet they are baulking at a very clear statement in Article 80(2), which could not be clearer. Their prevarication is extravagant.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

The noble Lord will admit that the GDPR allows member states to do that; otherwise, it would have been made compulsory in the GDPR. The derogations are there to allow member states to decide whether or not to do it.

To summarise, we have chosen not to adopt article 80(2) because the Bill is based on the premise of getting consent—but these amendments are saying that, regardless of what the data subject wants or whether they have given consent, other organisations should be able to act on their behalf without their consent. That is the Government’s position and I hope that noble Lords will feel able not to press their amendments.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

I thank the Minister for his honesty and transparency—but not for the content. Like the noble Lord, Lord Clement-Jones, I find this very odd. Is it not true that when early consultations on the Bill were carried out, the consultation included the possibility that Article 80(2) would be implemented—in other words, that the derogation would be accepted—and responses were gathered on that basis? That is what we were told by some of those who were consulted. Therefore, the Government must have had a formal change of mind, either based on their own whim or because they received substantial contributions from very important people who felt that these things should not go forward. I would be interested to follow that up with the Minister, perhaps in another meeting.

I do think this is very strange. Here is an opportunity to win friends, get people on side and offer them something that will be really helpful. We have heard about children; and there are other vulnerable people who are not experts in these areas, for whom a little extra help was promised by the Government because they felt that that would be right. The idea that, in some senses, this would empower a whole industry of people to manufacture claims to get at data holders seems completely ridiculous.

If we look at the comparable arrangements in the consumer field that I tried to draw the Minister’s attention to, we see very strict rules about the levels at which super-complaints can be made: they must be proportionate, relevant and have evidence of support from a wider group of people that allows them to go forward. We are not talking about an open-ended commitment—that would be daft—but when we look at the best way to combat bad practice that affect particular vulnerable groups and are being practised by people who should not do it, this must be in our armoury. We will certainly come back to this—but in the interim, I beg leave to withdraw the amendment.

Amendment 184 withdrawn.

Amendment 185 not moved.

Clause 173 agreed.

Clause 174 agreed.

Amendment 185A

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

185A: After Clause 174, insert the following new Clause—

“Framework for Data Processing by GovernmentFramework for Data Processing by Government

(1) The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—(a) the Crown, a Minister of the Crown or a United Kingdom government department, and(b) a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.(2) The document may make provision relating to all of those functions or only to particular functions or persons.(3) The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.(4) The Secretary of State may from time to time prepare amendments of the document or a replacement document.(5) Before preparing a document or amendments under this section, the Secretary of State must consult—(a) the Commissioner, and (b) any other person the Secretary of State considers it appropriate to consult.(6) Regulations under subsection (1)(b) are subject to the negative resolution procedure.(7) In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, the Bill creates a comprehensive and modern framework for data protection in the UK. The importance of these data protection standards continues to grow—a point that has not been lost on noble Lords, nor the Government. That is why the Government have tabled Amendments 185A, 185B, 185C and 185D, which provide for a framework for data processing by government.

Inherent in the execution of the Government’s function is a requirement to process significant volumes of personal data, whether in issuing a passport or providing information on vulnerable persons to the social services departments of local authorities. The Government recognise the strong public interest in understanding better how they process that data. The framework is intended to set out the principles and processes that the Government must have regard to when processing personal data.

All government and public sector activities require some form of power to process personal data, which is derived from both statute and common law. In light of the requirements of the GDPR, such processing should be undertaken in a clear, precise and foreseeable way. The Government’s view is that the framework will serve further to improve the transparency and clarity of existing government data processing. The Government can, and should, lead by example on data protection. To that end, the proposed clauses provide the Secretary of State with the power to issue guidance in relation to the processing of personal data by government under existing powers. As I have already stated, government departments will be required to have regard to the guidance when processing personal data.

The Government have consulted the Information Commissioner in preparing the amendment and will, as required in Amendment 185A, consult the commissioner before preparing the framework. The Government are keen to benefit from the commissioner’s expertise in this area and to ensure that the framework does not conflict with the commissioner’s codes of practice. The guidance should provide reassurance to data subjects about the approach that government takes to processing data and the procedures it follows when doing so. It will also help to strengthen further the Government’s compliance with the GDPR’s principles. I beg to move.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, government Amendments 185A, 185B, 185C and 185D add four fairly substantial new clauses to the Bill on the last day of Committee. I can see the point made by the Minister when he moved the amendments, but it is disappointing that they were not included right at the start. Have the Government just thought about them as a good thing?

The Delegated Powers and Regulatory Reform Committee has not had time to look at these matters. I note that in Amendment 185A, the Government suggest that regulations be approved by Parliament under the negative procedure. I will look very carefully at anything that the committee wants to bring to the attention of the House when we look at these matters again on Report. I am sure the committee will have reported by then.

I will not oppose the amendments today, but that is not to say that I will not move some amendments on Report—particularly if the committee draws these matters to the House’s attention.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I want to echo that point. There is time for reflection on this set of amendments and I sympathise with what the noble Lord, Lord Kennedy, said.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I am grateful for those comments. We understand that the DPRRC will have to look at the powers under the clause. As usual, as we have done already, we take great note of what the committee says; no doubt it will opine soon. We will pay attention to that.

Amendment 185A agreed.

Amendments 185B to 185D

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

185B: After Clause 174, insert the following new Clause—

“Approval of the Framework

(1) Before issuing a document prepared under section (Framework for Data Processing by Government), the Secretary of State must lay it before Parliament.(2) If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.(3) If no such resolution is made within that period—(a) the Secretary of State must issue the document, and(b) the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.(4) Nothing in subsection (2) prevents another version of the document being laid before Parliament.(5) In this section, “the 40-day period” means—(a) if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or(b) if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.(6) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.(7) This section applies in relation to amendments prepared under section (Framework for Data Processing by Government) as it applies in relation to a document prepared under that section.”

185C: After Clause 174, insert the following new Clause—

“Publication and review of the Framework

(1) The Secretary of State must publish a document issued under section (Approval of the Framework)(3).(2) Where an amendment of a document is issued under section (Approval of the Framework)(3), the Secretary of State must publish— (a) the amendment, or(b) the document as amended by it.(3) The Secretary of State must keep under review the document issued under section (Approval of the Framework)(3) for the time being in force.(4) Where the Secretary of State becomes aware that the terms of such a document could result in a breach of an international obligation of the United Kingdom, the Secretary of State must exercise the power under section (Framework for Data Processing by Government)(4) with a view to remedying the situation.”

185D: After Clause 174, insert the following new Clause—

“Effect of the Framework

(1) When carrying out processing of personal data which is the subject of a document issued under section (Approval of the Framework)(3) which is for the time being in force, a person must have regard to the document.(2) A failure to act in accordance with a provision of such a document does not of itself make a person liable to legal proceedings in a court or tribunal.(3) A document issued under section (Approval of the Framework)(3), including an amendment or replacement document, is admissible in evidence in legal proceedings.(4) In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of any document issued under section (Approval of the Framework)(3) in determining a question arising in the proceedings if—(a) the question relates to a time when the provision was in force, and(b) the provision appears to the court or tribunal to be relevant to the question.(5) In determining a question arising in connection with the carrying out of any of the Commissioner’s functions, the Commissioner must take into account a provision of a document issued under section (Approval of the Framework)(3) if—(a) the question relates to a time when the provision was in force, and(b) the provision appears to the Commissioner to be relevant to the question.”

Amendments 185B to 185D agreed.

Clause 175: Penalties for offences

Amendments 185E and 185F not moved.

Clause 175 agreed.

Clauses 176 to 183 agreed.

Clause 184: Other definitions

Amendment 186

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

186: Clause 184, page 105, line 21, at end insert “(and related expressions are to be read accordingly)”

Amendment 186 agreed.

Clause 184, as amended, agreed.

Clause 185: Index of defined expressions

Amendment 187

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

187: Clause 185, page 106, leave out lines 8 and 9

Amendment 187 agreed.

Clause 185, as amended, agreed.

Clause 186 agreed.

Clause 187: Children in Scotland

Amendment 188 not moved.

Clause 187 agreed.

Clauses 188 to 190 agreed.

Schedule 18: Minor and consequential amendments

Amendment 188A

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

188A: Schedule 18, leave out Schedule 18 and insert the following new Schedule—

“SCHEDULE 18 MINOR AND CONSEQUENTIAL AMENDMENTSPart 1ACTS AND MEASURESParliamentary Commissioner Act 1967 (c. 13)

1_ In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Local Government Act 1974 (c. 7)

2_ The Local Government Act 1974 is amended as follows.3_ In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or (ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”4_ In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Consumer Credit Act 1974 (c. 39)

5_ The Consumer Credit Act 1974 is amended as follows.6_ In section 157(2A) (duty to disclose name etc of agency)—(a) in paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and(b) in paragraph (b), after “any” insert “other”.7_ In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers)”.8_ In section 189(1) (definitions), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.Medical Act 1983 (c. 54)

9_ The Medical Act 1983 is amended as follows.10_(1) Section 29E (evidence) is amended as follows.(2) In subsection (5), after “enactment” insert “or the GDPR”.(3) For subsection (7) substitute—“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”11_(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.(2) In subsection (4), after “enactment” insert “or the GDPR”.(3) For subsection (5A) substitute—“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”12_ In section 55 (interpretation), at the appropriate place insert—““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”.13_(1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows. (2) In sub-paragraph (8), after “enactment” insert “or the GDPR”.(3) For sub-paragraph (8A) substitute—“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”Dentists Act 1984 (c. 24)

14_ The Dentists Act 1984 is amended as follows.15_(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”16_(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.(2) In subsection (3), after “enactment” insert “or relevant provision of the GDPR”.(3) For subsection (4) substitute—“(4) For the purposes of subsection (3)—“relevant enactment” means any enactment other than—(a) this Act, or(b) the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2017 (exemptions to Part 4: disclosures required by law);“relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2017 (GDPR provisions to be adapted or restricted: disclosures required by law).”(4) After subsection (10) insert—“(11) In this section,“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Access to Medical Reports Act 1988 (c. 28)

17_ In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—““health professional” has the same meaning as in the Data Protection Act 2017 (see section 183 of that Act);”.Opticians Act 1989 (c. 44)

18_(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information) is amended as follows. (2) In subsection (3), after “enactment” insert “or the GDPR”.(3) For subsection (4) substitute—“(4) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (9) insert—“(10) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Human Fertilisation and Embryology Act 1990 (c. 37)

19_(1) Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)

20_(1) Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Tribunals and Inquiries Act 1992 (c. 53)

21_ In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “section 112 of the Data Protection Act 2017”.Health Service Commissioners Act 1993 (c. 46)

22_ In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—(a) in paragraph (a), for sub-paragraph (i) substitute—“(i) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Data Protection Act 1998 (c. 29)

23_ The Data Protection Act 1998 is repealed.Crime and Disorder Act 1998 (c. 37)

24_ In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”. Food Standards Act 1999 (c. 28)

25_(1) Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration and Asylum Act 1999 (c. 33)

26_(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.(2) For subsection (4) substitute—“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.”(3) After subsection (4) insert—“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Financial Services and Markets Act 2000 (c. 8)

27_ The Financial Services and Markets Act 2000 is amended as follows.28_ In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute “—(a) the data protection legislation, or(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection”.29_ In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.30_ In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.31_ In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “the data protection legislation”.32_ In section 417 (definitions), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Terrorism Act 2000 (c. 11)

33_ In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.Freedom of Information Act 2000 (c. 36)

34_ The Freedom of Information Act 2000 is amended as follows.35_ In section 2(3) (absolute exemptions), for paragraph (f) substitute—“(f) section 40(1),(fa) section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,”.36_ In section 18 (the Information Commissioner) omit subsection (1). 37_(1) Section 40 (personal information) is amended as follows.(2) In subsection (2)—(a) in paragraph (a), for “do” substitute “does”, and(b) in paragraph (b), for “either the first or the second” substitute “the first, second or third”.(3) For subsection (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (4) substitute—“(4A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14, 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) For subsection (5) substitute—“(5A) The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).(5B) The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—(a) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—(i) would (apart from this Act) contravene any of the data protection principles, or(ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(6) Omit subsection (6).(7) For subsection (7) substitute—“(7) In this section—“the data protection principles” means the principles set out in— (a)Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act).(8) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”38_ Omit section 49 (reports to be laid before Parliament).39_ For section 61 (appeal proceedings) substitute—“61 Appeal proceedings(1) Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).(2) In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—(a) securing the production of material used for the processing of personal data, and(b) the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.(3) Subsection (4) applies where—(a) a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and(b) if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.(5) Where an offence is certified under subsection (4), the Upper Tribunal may—(a) inquire into the matter, and(b) deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.(6) Before exercising the power under subsection (5)(b), the Upper Tribunal must—(a) hear any witness who may be produced against or on behalf of the person charged with the offence, and(b) hear any statement that may be offered in defence.(7) In this section,“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4) and (14) of that Act).”40_ In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “the data protection legislation”.41_ After section 76A insert—“76B Disclosure of information to Commissioner or TribunalNo enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the Commissioner, the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions under this Act. 76C Confidentiality of information provided to Commissioner(1) A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which—(a) has been obtained by, or provided to, the Commissioner under or for the purposes of this Act,(b) relates to an identified or identifiable individual or business, and(c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources,unless the disclosure is made with lawful authority.(2) For the purposes of subsection (1), a disclosure is made with lawful authority only if and to the extent that—(a) the disclosure was made with the consent of the individual or of the person for the time being carrying on the business,(b) the information was provided for the purpose of its being made available to the public (in whatever manner) under a provision of this Act or the data protection legislation,(c) the disclosure was made for the purposes of, and is necessary for, the discharge of a function under this Act or the data protection legislation,(d) the disclosure was made for the purposes of, and is necessary for, the discharge of an EU obligation,(e) the disclosure was made for the purposes of criminal or civil proceedings, however arising, or(f) having regard to the rights, freedoms and legitimate interests of any person, the disclosure was necessary in the public interest.(3) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).(4) A person guilty of an offence under this section is liable—(a) on summary conviction in England and Wales, to a fine;(b) on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;(c) on conviction on indictment, to a fine.(5) No proceedings for an offence under this section may be instituted—(a) in England and Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.”42_ In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.43_ In section 84 (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Political Parties, Elections and Referendums Act 2000 (c. 41)

44_(1) Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.(2) In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph,“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Finance and Accountability (Scotland) Act 2000 (asp 1)

45_ The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.46_ In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.47_ In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.48_ In section 29(1) (interpretation), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice and Police Act 2001 (c. 16)

49_ The Criminal Justice and Police Act 2001 is amended as follows.50_ In section 57(1) (retention of seized items)—(a) omit paragraph (m), and(b) after paragraph (s) insert—“(t) paragraph 10 of Schedule 15 to the Data Protection Act 2017;”.51_ In section 65(7) (meaning of “legal privilege”)—(a) for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017”, and(b) for “paragraph 9” substitute “paragraph 11 (matters exempt from inspection and seizure: privileged communications)”.52_ In Schedule 1 (powers of seizure)—(a) omit paragraph 65, and(b) after paragraph 73R insert—“Data Protection Act 201773S_ The power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2017 (powers of entry and inspection).”Anti-terrorism, Crime and Security Act 2001 (c.24)

53_ The Anti-terrorism, Crime and Security Act 2001 is amended as follows.54_(1) Section 19 (disclosure of information held by revenue departments) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.55_(1) Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.(2) Omit paragraph 42.(3) After paragraph 52 insert—“52A_ Section 76C(1) of the Freedom of Information Act 2000.”(4) After paragraph 53F insert—“53G_ Section 127(1) of the Data Protection Act 2017.”Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))

56_(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.(2) In subsection (3), after “provision” insert “or the GDPR”.(3) For subsection (5) substitute— “(5) In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2017 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”(4) After subsection (7) insert—“(8) In this section, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Justice (Northern Ireland) Act 2002 (c. 26)

57_(1) Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Proceeds of Crime Act 2002 (c. 29)

58_ The Proceeds of Crime Act 2002 is amended as follows.59_ In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”.60_ In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.61_ In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.62_ In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.63_ In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.64_ After section 442 insert—“442A Data protection legislationIn this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Scottish Public Services Ombudsman Act 2002 (asp 11)

65_(1) In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.(2) In paragraph 1, for sub-paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”.(3) For paragraph 2 substitute—“2_ The commission of an offence under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Freedom of Information (Scotland) Act 2002 (asp 13)

66_ The Freedom of Information (Scotland) Act 2002 is amended as follows. 67_ In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.68_(1) Section 38 (personal information) is amended as follows.(2) In subsection (1), for paragraph (b) substitute—“(b) personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));”.(3) For subsection (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For subsection (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit subsection (4).(6) In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;“data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);“the GDPR”, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2), (4), (10), (11) and (14) of that Act);”.(7) After that subsection insert—“(5A) In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Courts Act 2003 (c. 39)

69_ Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.70_(1) Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.(2) In sub-paragraph (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (5) insert— “(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”71_(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.(2) In sub-paragraph (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In sub-paragraph (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Sexual Offences Act 2003 (c. 42)

72_(1) Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Criminal Justice Act 2003 (c. 44)

73_ The Criminal Justice Act 2003 is amended as follows.74_ In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “the data protection legislation”.75_ In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Audit (Wales) Act 2004 (c. 23)

76_(1) Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (5), at the beginning insert “In this section—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Domestic Violence, Crime and Victims Act 2004 (c. 28)

77_(1) Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children Act 2004 (c. 31)

78_ The Children Act 2004 is amended as follows.79_(1) Section 12 (information databases) is amended as follows.(2) In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (13) insert—“(14) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”80_(1) Section 29 (information databases: Wales) is amended as follows. (2) In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (14) insert—“(15) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Constitutional Reform Act 2005 (c. 4)

81_(1) Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (9) insert—“(10) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act 2005 (c. 9)

82_ In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—““health record” has the same meaning as in the Data Protection Act 2017 (see section 184 of that Act);”.Public Services Ombudsman (Wales) Act 2005 (c. 10)

83_(1) Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (5) substitute—“(5) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Commissioners for Revenue and Customs Act 2005 (c. 11)

84_(1) Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Gambling Act 2005 (c. 19)

85_(1) Section 352 of the Gambling Act 2005 (data protection) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Commissioner for Older People (Wales) Act 2006 (c. 30)

86_(1) Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.(2) In subsection (7), for paragraph (a) substitute— “(a) sections 137 to 147, 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”.(3) For subsection (8) substitute—“(8) The offences are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”National Health Service Act 2006 (c. 41)

87_ The National Health Service Act 2006 is amended as follows.88_(1) Section 251 (control of patient information) is amended as follows.(2) In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “of the data protection legislation”.(3) In subsection (13), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.89_ In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.National Health Service (Wales) Act 2006 (c. 42)

90_ The National Health Service (Wales) Act 2006 is amended as follows.91_(1) Section 201C (provision of information about medical supplies: supplementary) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”92_ In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act)”.Tribunals, Courts and Enforcement Act 2007 (c. 15)

93_ The Tribunals, Courts and Enforcement Act 2007 is amended as follows.94_ In section 11(5)(b)(right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.95_ In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “section 25(3) or (5), 77(5) or (7) or 109(3) or (5) of the Data Protection Act 2017”.Statistics and Registration Service Act 2007 (c. 18)

96_ The Statistics and Registration Service Act 2007 is amended as follows.97_(1) Section 45A (information held by other public authorities) is amended as follows.(2) In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”. (3) In subsection (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(5) In subsection (12)(c), after the first “legislation” insert “(which is not part of the data protection legislation)”.98_(1) Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.(2) In paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (c), after the first “legislation” insert “(which is not part of the data protection legislation)”.99_(1) Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.(2) In paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In paragraph (d), after the first “legislation” insert “(which is not part of the data protection legislation)”.100_ In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “the data protection legislation”.101(1) Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.(2) In subsection (6), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(4) In subsection (17), for “the Data Protection Act 1998” substitute “the data protection legislation”.102(1) Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.(2) In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.(3) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) In subsection (12)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.103(1) Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.(2) In the heading omit “Data Protection Act 1998 and”.(3) Omit paragraph (a) (together with the final “or”).104_ In section 67 (general interpretation: Part 1), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Serious Crime Act 2007 (c. 27)

105_ The Serious Crime Act 2007 is amended as follows.106(1) Section 5A (verification and disclosure of information) is amended as follows.(2) In subsection (6)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”107(1) Section 68 (disclosure of information to prevent fraud) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”. (3) In subsection (8), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”108(1) Section 85 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (9), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Legal Services Act 2007 (c. 29)

109(1) Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.(2) In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Adoption and Children (Scotland) Act 2007 (asp 4)

110_ In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—“(5) In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act).”Criminal Justice and Immigration Act 2008 (c. 4)

111_ The Criminal Justice and Immigration Act 2008 is amended as follows.112_ Omit—(a) section 77 (power to alter penalty for unlawfully obtaining etc personal data), and(b) section 78 (new defence for obtaining etc for journalism and other special purposes).113(1) Section 114 (supply of information to Secretary of State etc) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (6) insert—“(6A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Regulatory Enforcement and Sanctions Act 2008 (c. 13)

114(1) Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2008 (c. 14)

115_ In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.Counter-Terrorism Act 2008 (c. 28)

116(1) Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows. (2) In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Health etc.(Scotland) Act 2008 (asp 5)

117(1) Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (7) insert—“(7A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Banking Act 2009 (c. 1)

118(1) Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.(2) In subsection (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Borders, Citizenship and Immigration Act 2009 (c. 11)

119(1) Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.(2) In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (4) insert—“(5) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine and Coastal Access Act 2009 (c. 23)

120_ The Marine and Coastal Access Act 2009 is amended as follows.121(1) Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”122(1) Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Broads Authority Act 2009 (c. i)

123(1) Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) In subsection (6), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”. Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))

124(1) Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.(2) In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Terrorist Asset-Freezing etc. Act 2010 (c. 38)

125(1) Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (6), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Marine (Scotland) Act 2010 (asp 5)

126(1) Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Charities Act 2011 (c. 25)

127(1) Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.(2) The existing text becomes subsection (1).(3) In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Welsh Language (Wales) Measure 2011 (nawm 1)

128_ The Welsh Language (Wales) Measure 2011 is amended as follows.129(1) Section 22 (power to disclose information) is amended as follows.(2) In subsection (4)—(a) in the English language text, for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement);”, and(b) in the Welsh language text, for paragraph (a) substitute—“(a) adrannau 137 i 147, 153 i 155, neu 164 i 166 o Ddeddf Diogelu Data 2017 neu Atodlen 15 i’r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);”.(3) For subsection (5)—(a) in the English language text substitute—“(5) The offences referred to under subsection (3)(b) are those under—(a) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or (b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”, and(b) in the Welsh language text substitute—“(5) Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw’r rhai—(a) o dan ddarpariaeth yn Neddf Diogelu Data 2017 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu(b) o dan adran 76C neu 77 o Ddeddf Rhyddid Gwybodaeth 2000 (troseddau o ddatgelu gwybodaeth ac altro etc cofnodion gyda’r bwriad o atal datgelu).”(4) In subsection (8)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(5) In subsection (9)—(a) at the appropriate place in the English language text insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) at the appropriate place in the Welsh language text insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.130(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.(2) In sub-paragraph (7)—(a) in the English language text, for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso’r ddeddfwriaeth diogelu data”.(3) In sub-paragraph (8)—(a) in the English language text, after “paragraph” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”, and(b) in the Welsh language text, after “hwn” insert—“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation “yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno);”.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))

131(1) Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.(2) In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.(3) After subsection (3) insert—“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care Act 2012 (c. 7)

132_ The Health and Social Care Act 2012 is amended as follows.133_ In section 250(7) (power to publish information standards), for the definition of “processing” substitute— ““processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.134(1) Section 251A (consistent identifiers) is amended as follows.(2) In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”135(1) Section 251B (duty to share information) is amended as follows.(2) In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Protection of Freedoms Act 2012 (c. 9)

136_ The Protection of Freedoms Act 2012 is amended as follows.137(1) Section 27 (exceptions and further provision about consent and notification) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”138_ In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.139_ In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—““processing has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(4) and (14) of that Act);”.HGV Road User Levy Act 2013 (c. 7)

140(1) Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (5) insert—“(6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Crime and Courts Act 2013 (c. 22)

141_ The Crime and Courts Act 2013 is amended as follows.142(1) Section 42 (other interpretive provisions) is amended as follows.(2) In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “Article 82 of the GDPR or section 159 or 160 of the Data Protection Act 2017 (compensation for contravention of the data protection legislation)”.(3) After subsection (5) insert—“(5A) In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).” 143(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph, insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))

144(1) Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.(2) In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (6) insert—“(7) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Local Audit and Accountability Act 2014 (c. 2)

145(1) Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.(2) In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After sub-paragraph (3) insert—“(3A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”(4) In sub-paragraph (4), for “comprise or include” substitute “comprises or includes”.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)

146(1) Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.(2) In sub-paragraph (4)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(3) After sub-paragraph (5) insert—“(6) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Immigration Act 2014 (c. 22)

147(1) Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.(2) The existing text becomes sub-paragraph (1).(3) In that sub-paragraph, in paragraph (a)—(a) for “the Data Protection Act 1998” substitute “the data protection legislation”, and(b) for “are” substitute “is”.(4) After that sub-paragraph insert—“(2) In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Care Act 2014 (c. 23)

148_ In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—“(a) a health record (within the meaning given in section 184 of the Data Protection Act 2017),”.Social Services and Well-being (Wales) Act 2014 (anaw 4)

149_ In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—(a) in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “(within the meaning of Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act))”, and(b) in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “personal data” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2017 (gweler adran 2(2) a (14) o’r Ddeddf honno))”.Counter-Terrorism and Security Act 2015 (c. 6)

150(1) Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.(2) In subsection (4)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (4) insert—“(4A) “The data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Small Business, Enterprise and Employment Act 2015 (c. 26)

151(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.(2) In subsection (7)—(a) for paragraph (b) substitute—“(b) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);”, and(b) omit paragraph (c).(3) After subsection (7) insert—“(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act).”Modern Slavery Act 2015 (c. 30)

152(1) Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.(2) In subsection (5)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (9), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))

153_ The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.154_ In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “the data protection legislation”.155_ In section 25(1) (interpretation of this Act), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.156_ In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “the data protection legislation”. Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))

157(1) Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.(2) In subsection (5), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Immigration Act 2016 (c. 19)

158(1) Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (11), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.Investigatory Powers Act 2016 (c. 25)

159_ The Investigatory Powers Act 2016 is amended as follows.160_ In section 1(5)(b), for sub-paragraph (ii) substitute—“(ii) in section 161 of the Data Protection Act 2017 (unlawful obtaining etc of personal data),”.161_ In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—“(2) In this Part, “personal data” means—(a) personal data within the meaning of section 2(2) of the Data Protection Act 2017 which is subject to processing described in section 80 (1) of that Act, and(b) data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.”162_ In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “the processing of which would be sensitive processing for the purposes of section 84(7) of the Data Protection Act 2017”.163_ In section 206 (additional safeguards for health records), for subsection (7) substitute—“(7) In subsection (6)—“health professional” has the same meaning as in the Data Protection Act 2017 (see section 183(1) of that Act);“health service body” has the meaning given by section 183(4) of that Act.”164(1) Section 237 (information gateway) is amended as follows.(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (2) insert—“(3) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))

165(1) Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.(2) In subsection (4), for paragraph (a) substitute—“(a) sections 137 to 147 , 153 to 155 and 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017 (certain provisions relating to enforcement),”. (3) For subsection (5) substitute—“(5) The offences are those under—(a) any provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc),(b) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”(4) After subsection (6) insert—“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))

166(1) Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.(2) In subsection (8), for “made by or under the Data Protection Act 1998” substitute “of the data protection legislation”.(3) After subsection (12) insert—“(12A) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))

167_ In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—““health record” has the meaning given by section 184 of the Data Protection Act 2017;”.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))

168_ The Justice Act (Northern Ireland) 2016 is amended as follows.169(1) Section 17 (disclosure of information) is amended as follows.(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (8), after “section” insert “—“the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.170_ In section 44(3)(disclosure of information)—(a) in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “sections 137 to 147 , 153 to 155 or 164 to 166 of, or Schedule 15 to, the Data Protection Act 2017”, and(b) for paragraph (b) substitute—“(b) the commission of an offence under—(i) a provision of the Data Protection Act 2017 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or(ii) sections 76C or 77 of the Freedom of Information Act 2000 (offences of disclosing information and altering etc records with intent to prevent disclosure).”Policing and Crime Act 2017 (c. 3)

171(1) Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.(2) The existing text becomes subsection (1). (3) In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “the data protection legislation”.(4) After that subsection, insert—“(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Children and Social Work Act 2017 (c. 12)

172_ In Schedule 5 to the Children and Social Work Act 2017—(a) in Part 1 (general amendments to do with social workers etc in England) omit paragraph 6, and(b) in Part 2 (renaming of Health and Social Work Professions Order 2001) omit paragraph 47(g).Higher Education and Research Act 2017 (c. 29)

173_ The Higher Education and Research Act 2017 is amended as follows.174(1) Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) In subsection (7), at the appropriate place insert—““the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”.175(1) Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.(2) In subsection (6), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (6) insert —“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”Digital Economy Act 2017 (c. 30)

176_ The Digital Economy Act 2017 is amended as follows.177(1) Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”178(1) Section 43 (codes of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017”.179(1) Section 49 (further provision about disclosures under section 48) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”180(1) Section 52 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”. 181(1) Section 57 (further provision about disclosures under section 56) is amended as follows.(2) In subsection (8)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (10) insert—“(11) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”182(1) Section 60 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.183(1) Section 65 (supplementary provision about disclosures under section 64) is amended as follows.(2) In subsection (2)(a), for “the Data Protection Act 1998” substitute “the data protection legislation”.(3) After subsection (8) insert—“(9) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”184(1) Section 70 (code of practice) is amended as follows.(2) In subsection (2), for “section 52B (data-sharing code) of the Data Protection Act 1998” substitute “section 119 of the Data Protection Act 2017 (data-sharing code)”.(3) In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “section 124 of the Data Protection Act 2017 (other codes of practice)”.185_ Omit sections 108 to 110 (charges payable to the Information Commissioner).Landfill Disposals Tax (Wales) Act 2017 (anaw 3)

186(1) Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.(2) In subsection (4)(a)—(a) in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”, and(b) in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri’r ddeddfwriaeth diogelu data”.(3) After subsection (7)—(a) in the English language text insert—“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act).”, and(b) in the Welsh language text insert—“(8) Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2017 (gweler adran 2 o’r Ddeddf honno).”This Act

187(1) Section 183 (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).(2) In subsection (1)(g)—(a) omit “and Social Work”, and(b) omit “, other than the social work profession in England”.(3) In subsection (2), for paragraph (a) substitute— “(a) a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;”.Part 2SUBORDINATE LEGISLATIONChannel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)

188(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.(2) In paragraph (2)—(a) for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “section 186 of the Data Protection Act 2017 (“the 2017 Act”), data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.(3) In paragraph (3)—(a) for “section 5 of the 1998 Act, data which are” substitute “section 186 of the 2017 Act, data which is”,(b) for “data controller” substitute “controller”, and(c) for “and the 1998 Act” substitute “and the 2017 Act”.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)

189_ The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.190_ In Article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”, and(b) for “are” substitute “is”.191_ In Article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—(a) for “The Data Protection Act 1998” substitute “The Data Protection Act 2017”,(b) for “are” substitute “is”, and(c) for “section 5” substitute “section 186 ”.Environmental Information Regulations 2004 (S.I. 2004/3391)

192_ The Environmental Information Regulations 2004 are amended as follows.193(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act);”.(3) For paragraph (4) substitute—“(4A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a public authority as defined in these Regulations, and (b) the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).”194(1) Regulation 13 (personal data) is amended as follows.(2) For paragraph (1) substitute—“(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—(a) the first condition is satisfied, or(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.”(3) For paragraph (2) substitute—“(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—(a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”(4) For paragraph (3) substitute—“(3A) The third condition is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(5) Omit paragraph (4).(6) For paragraph (5) substitute—“(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—(a) the condition in paragraph (5B)(a) is satisfied, or(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.(5B) The conditions mentioned in paragraph (5A) are—(a) giving a member of the public the confirmation or denial—(i) would (apart from these Regulations) contravene any of the data protection principles, or (ii) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded;(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 97 of the Data Protection Act 2017 (right to object to processing);(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);(d) on a request under section 43(1)(a) of the Data Protection Act 2017 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;(e) on a request under section 92(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.”(7) After that paragraph insert—“(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”195_ In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.196_ In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “regulation 13(5A)”.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

197_ The Environmental Information (Scotland) Regulations 2004 are amended as follows.198(1) Regulation 2 (interpretation) is amended as follows.(2) In paragraph (1), at the appropriate places, insert—““the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR, and(b) section 32(1) of the Data Protection Act 2017;”;““data subject” has the same meaning as in the Data Protection Act 2017 (see section 2 of that Act);”;““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);”;““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2 (2) and (14) of that Act);”.(3) For paragraph (3) substitute—“(3A) In these Regulations, references to the Data Protection Act 2017 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—(a) the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and(b) the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.”199(1) Regulation 11 (personal data) is amended as follows.(2) For paragraph (2) substitute— “(2) To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—(a) the first condition set out in paragraph (3A) is satisfied, or(b) the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.”(3) For paragraph (3) substitute—“(3A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(3B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).”(4) For paragraph (4) substitute—“(4A) The third condition is that any of the following applies to the information—(a) it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017, or(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.”(5) Omit paragraph (5).(6) After paragraph (6) insert—“(7) In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

200(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.(2) In paragraph (1)(d)—(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.(3) After paragraph (1) insert—“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—(a) would contravene any of the data protection principles, or(b) would do so if the exemptions in section 22(1) of the Data Protection Act 2017 (manual unstructured data held by public authorities) were disregarded.(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene— (a) Article 21 of the GDPR (general processing: right to object to processing), or(b) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).(1C) The condition in this paragraph is that—(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 14 , 15 or 24 of, or Schedule 2 , 3 or 4 to, the Data Protection Act 2017,(b) on a request under section 43(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or(c) on a request under section 92(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.(1D) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act;“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).”(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”(4) Omit paragraphs (2) to (4).INSPIRE Regulations 2009 (S.I. 2009/3157)

201(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.(2) In paragraph (2)—(a) omit “or” at the end of sub-paragraph (a),(b) for sub-paragraph (b) substitute—“(b) Article 21 of the GDPR (general processing: right to object to processing), or(c) section 97 of the Data Protection Act 2017 (intelligence services processing: right to object to processing).”, and(c) omit the words following sub-paragraph (b).(3) After paragraph (7) insert—“(8) In this regulation—“the data protection principles” means the principles set out in—(a) Article 5(1) of the GDPR,(b) section 32(1) of the Data Protection Act 2017, and(c) section 83(1) of that Act; “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(10), (11) and (14) of that Act);“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see section 2(2) and (14) of that Act).(9) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)

202_ In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co- operation in criminal matters).Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R.(N.I.) 2014 No. 224)

203_ In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—(a) in paragraph (9) omit sub-paragraph (b) and the word “and” before it, and(b) in paragraph (11) omit the definition of “processing” and “sensitive personal data” and the word “and” before it.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)

204_ In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—(a) in paragraph (7) omit sub-paragraph (b) and the word “and” before it, and(b) omit paragraph (8).Provision inserted in subordinate legislation by this Schedule

205_ Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.”

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, looking at the amendments and new Schedule 18 is rather like looking for a needle in a haystack, but I hope that the Minister received some notice of what I was going to raise. If not, as ever, I hope that he will helpfully write to me. In paragraph 42 of new Schedule 18, there is a reference to an amendment to Section 77 of the Freedom of Information Act. It deletes any reference to,

“section 7 of the Data Protection Act 1998”.

That is a deletion of a summary offence, which is rather baffling to many of us. It is about not keeping records. Many of us thought that, since there have been very few or no prosecutions under that section of the Freedom of Information Act, the answer would perhaps have been to ratchet up the penalty. At the moment, it is only a summary offence. Therefore, there is a six-month time limit, and it is difficult to get the information to hand in that period. If it was made a more serious offence, it would be rather more straightforward to prosecute in those circumstances. The Government, however, seem to have swept this off the statute book, buried in new Schedule 18. I hope that the Minister when he writes will elucidate clearly and perhaps say that in another part of the forest a criminal offence still lurks.

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

My Lords, I have had some help from the officials, saying, “We debated this earlier”—which was not very helpful. I am not even sure that it was me who debated it, so I am afraid that I will have to look at what the noble Lord said. I do not have the facts at my fingertips. I will certainly write to him and put a copy of the letter in the Library.

Amendment 188A agreed.

Schedule 18, as amended, agreed.

Clauses 191 and 192 agreed.

Clause 193: Extent

Amendments 188B and 188C

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

188B: Clause 193, page 111, line 27, at end insert “(ignoring extent by virtue of an Order in Council)”

188C: Clause 193, page 111, line 27, at end insert—

“( ) Where there is a power to extend a part of an Act by Order in Council to any of the Channel Islands, the Isle of Man or any of the British overseas territories, the power may be exercised in relation to an amendment or repeal of that part which is made by or under this Act.”

Amendments 188B and 188C agreed.

Clause 193, as amended, agreed.

Clause 194 agreed.

In the Title

Amendment 189

Moved by

The edit just sent has not been saved. The following error was returned:
This content has already been edited and is awaiting review.

189: In the Title, line 4, leave out “conduct” and insert “practice”

Amendment 189 agreed.

Title, as amended, agreed.

House resumed.

Bill reported with amendments.