Skip to main content

Data Protection Bill [HL]

Volume 788: debated on Wednesday 17 January 2018

Third Reading

My Lords, I have it in command from Her Majesty the Queen and His Royal Highness the Prince of Wales to acquaint the House that they, having been informed of the purport of the Data Protection Bill, have consented to place their prerogatives and interests, so far as they are affected by the Bill, at the disposal of Parliament for the purposes of the Bill.

Moved by

1: Clause 2, page 2, line 6, after “lawfully” insert “and fairly”

My Lords, when we debated the right to data protection on Report, the House decided to opt for a declaratory statement, as opposed to the creation of a new right enshrining Article 8 of the European Charter of Fundamental Rights into UK law. In that debate, my noble friend Lord Ashton committed to consider further a number of points made by noble Lords, in particular the suggestions of the noble Lord, Lord Pannick.

Government Amendments 1 and 2 are the result of our further consideration of this matter. Amendment 1 concerns fairness. Data must be processed fairly. We previously took the view that this is clear and does not need repeating. The requirement for processing to be fair can be found in article 5(1)(a) of the GDPR and Clause 35(1) of the Bill. None the less, Clause 2 is entirely declaratory and, if it helps understanding, there is little to object to in this repetition, and our amendment inserts a reference to fairness.

Amendment 2 concerns the right to rectification. The right to rectification is in article 16 of the GDPR, which will soon be part of our domestic law. It is also found in Clause 46 of the Bill. As with the previous amendment, if it helps, we have no objection to covering this matter, and the amendment inserts the reference.

The data subject rights and the controller-processor obligations set out in the Bill are subject to specific limitations, restrictions and exemptions and in this clause and these amendments to the clause we do not change that, but hope that these amendments add to the value the declaratory clause has, as we previously agreed.

It was suggested to us on Report that we should also add reference to “proportionality”. I am grateful to the noble Lord, Lord Pannick, for taking the time to discuss this with me, and to the noble Lord, Lord Stevenson, who has also had several conversations with my noble friend Lord Ashton as well as the Bill team. I am sure that the noble Lord, Lord Stevenson, will speak more fully on this point in the context of his Amendment 3 but it may help the House if I say a few words on this now.

The GDPR takes effect in May and will be part of domestic law when we leave the European Union. There are 26 references to proportionality in the GDPR. In resisting this amendment we are not saying that proportionality is irrelevant or a concept we are avoiding, but we cannot simply say that the restriction of personal data rights must be proportionate. That oversimplifies a complex issue with unintended consequences. I will sit down but I will return to this once the noble Lord has spoken to his amendment.

My Lords, I have signed up to Amendments 1 and 2 in the name of the noble Lord, Lord Ashton of Hyde, and do so in support of the position that we reached after considerable discussion and debate. The noble and learned Lord, Lord Keen, mentioned a few of the occasions on which we discussed these matters but did not refer to—perhaps it would be embarrassing to do so—the flurry of paper that accompanied those discussions, when drafts were traded back and forth as if they were some bitcoin or equivalent, and people snapped at them in excitement and feverishly opened emails when a new draft appeared. That is not overstating the case.

I jest slightly but stress that, as noble Lords will be aware, this issue was raised on day one of Committee. That signified a sense on our side of the House that this matter was so important that it needed to be addressed early on in the Bill. We have moved our position considerably during the discussions; we were wise to listen to the voices raised at that time. I look at no one in particular but the general voice to which we listened was that more time was needed to think through the implications of this amendment and try to come to an appropriate conclusion on it. That time has been well spent. We have looked at various ways of doing what we set out to do, we have thought hard about the Government’s response, and we have been happy to have meetings and discussions and, as I said, we traded possible options. The conclusion we reached—in keeping with the main thrust of the Bill, which has a large amount of detail in it that is of a signposting nature so that those who read it understand correctly where the source documentation and source principles can be found—was that it would be appropriate to have at the head of the Bill a statement around the basic rights which personal data processing involves and for which the protection and privacy issues are so important.

Therefore, in support of both the original amendment placed by the Government on Report, which was voted in after debate and discussion, and in full support of the amendments to that, which would include “fairly” and,

“and to require inaccurate personal data to be rectified”,

we are happy to sign up and support this amendment today. However, as the Minister said, a couple of other issues were raised in the context of those debates, one of which is this question of proportionality. He has given a sense of why the Government have resisted our approach, and I will spend a couple of minutes just to make sure that we have explored this properly in the context of this Third Reading.

The point about proportionality is that it can, as I think he has argued and will argue again, be brought into the very drafting of the Bill. It is suffused throughout the GDPR and exists alongside a number of other documents to which we will still be bound, both while we are in the EU and should we leave, in the light of current legislation that is going through the other place and is soon to come to this House. It is therefore possible to argue—I hope that the Minister will reflect a little on that when he speaks again—that proportionality is a matter of fact to be determined by the readings that one makes of the Bills that pass through this House. I am sure that there is a better way to express that in legal language but that is the sensibility I take from it.

However, the point made by the noble Lord, Lord Pannick, which is reflected in our amendment, is that at times in the future adjustments may be made as a result of changes in legislation itself or perhaps because of judgments made by courts that hear data protection cases, and that other strands of thinking, points and issues may come to bear on the relationship which an individual subject has to the data controller and on the relationship which the whole has to the law. In that sense, Amendment 3 in my name is an attempt to try to add to the present signposting amendment—that is all it is trying to do—that proportionality is not just fixed as of today’s date or the date the Bill receives Royal Assent but that it is to be brought forward on all fours with the Bill and the Act as that Act progresses. On Report the noble Lord, Lord Pannick, observed that Her Majesty’s Government’s amendment on Report made no mention of the principle of proportionality, despite it being an important element of the European Charter of Fundamental Rights, and noted that it featured in the wording we are putting forward. The response “We don’t need to do this because it is already well cooked into the Bill, the GDPR and the applied GDPR” may not take into account the issue I have been raising, which is about what will happen in the future. If the Minister can reassure us on that point, I would have little difficulty in not pressing the amendment, but at the moment I would like to hear his comments before I respond.

My Lords, I take this opportunity to further reassure noble Lords that proportionality is a concept that has a continuing role in the Bill. Not only will the obligations in the GDPR carry over to domestic law but they will continue to apply to the Government. If Ministers are minded to use the powers in Clauses 10 or 16, for example, that allow new processing conditions or exemptions to be created in the future, they will need to continue to be proportionate. Further, the courts will continue to apply a proportionality test where appropriate. The Human Rights Act ensures that any public body must act compatibly with the convention, and as data protection is within Article 8 —the right to privacy—the public authority must act proportionately.

Clause 6 of the EU withdrawal Bill has the effect that any question as to the validity, meaning or effect of any retained EU law, including the GDPR, is to be decided, where relevant, in accordance with any retained case law and any retained general principles of EU law. Proportionality is one of those retained principles, so it will live on for as long as this legislation is in force.

Indeed, leaving the EU will not shake proportionality out of our legal system—it has worked its way into public law. Any public body acting disproportionately must be at risk of being challenged. Whenever any public body acts, it must act compatibly with the convention rights. Where qualified rights are concerned, such as Article 8 of the convention, which has been held to encompass personal data protection, there exists a requirement for that action to be a proportionate means of achieving a legitimate aim. So to that extent it is implicit that the Executive as well as data controllers must act in a proportionate manner. With that explanation, I invite the noble Lord, Lord Stevenson, not to press his Amendment 3.

Amendment 1 agreed.

Amendment 2

Moved by

2: Clause 2, page 2, line 9, after “data” insert “and to require inaccurate personal data to be rectified”

Amendment 2 agreed.

Amendment 3 not moved.

Clause 124: Age-appropriate design code

Amendment 4

Moved by

4: Clause 124, page 69, line 7, at end insert—

““children” means people under the age of 18;”

My Lords, I am pleased to speak to my Amendment 4, which I regard as small but important for the purposes of clarification.

Last month, there was universal support from your Lordships when my noble friend Lady Kidron introduced her excellent amendment on the age-appropriate design code, which is now the subject of Clause 124. At the time, I raised a question about the intention regarding the scope of the amendment, as there is no definition of “children” either in the amendment or in the Bill. I said that, as the amendment refers to the United Nations Convention on the Rights of the Child,

“I assume that the intention is that the age-appropriate design code of practice will cover all children up to the age of 18”.—[Official Report, 11/12/17; col. 1430.]

During the debate, my noble friend Lady Kidron said:

“The code created by the amendment will apply to all services,

‘likely to be accessed by children’,

irrespective of age and of whether consent has been asked for. This particular aspect of the amendment could not have been achieved without the help of the Government. In my view it is to their great credit that they agreed to extend age-appropriate standards to all children”.—[Official Report, 11/12/17; col. 1427.]

I was reassured by this statement about the intent of the clause but I remain concerned that there is no explicit definition in the Bill to indicate that we are indeed talking about any person under the age of 18, especially as the reference to the requirement to engage with the UN Convention on the Rights of the Child in Clause 124(4) is an obligation only to “have regard to”.

The truth is that there is no clear or consistent reference to a child or children in the Data Protection Bill. Clause 9 defines the right of a child to consent to their data’s use and says that this right starts at 13. Clause 201 covers children in Scotland, suggesting that there the right commences at the age of 12. These different approaches open up the door for arguments about the age at which the rights conferred by Clause 124 are operational for children. I would hate us to find ourselves in a position where, once this Bill was passed, a debate began about the ages at which the benefits of Clause 124 applied to children. This could result in a narrowing of the definition of children benefiting from Clause 124 so that it related only to some people under 18, rather than to all those under 18, on account of the Bill not being clear.

Years of experience have taught me that it is best to be crystal clear about what we are talking about, and that is why I have tabled this amendment. If the Government do not think it necessary, I hope the Minister will clearly state in his reply that the Government intend that Clause 124 should indeed relate to all persons under the age of 18. I look forward to hearing what he has to say. I beg to move.

My Lords, I thank my noble friend for bringing this issue to the attention of the House. It is my understanding that, by invoking the UNCRC, we are talking about children being people under the age of 18. I would very much welcome the Minister’s saying that that extends beyond Clause 124, which we brought forward, to everywhere in the Bill that “children” is mentioned.

My Lords, can the Minister tell the House at what age the United Nations considers that a child ceases to be a child?

My Lords, Clause 124(4)(b) refers to the United Nations Convention on the Rights of the Child, which defines a child as a person under the age of 18, so we can assume that that is the working principle. Clause 124, introduced at a previous stage by an amendment from the noble Baroness, Lady Kidron, talks about age-appropriate design, and so presumably that means appropriate at different ages—for example, safeguards for those aged 12 will be different from those for people aged 16 and 18. Bearing in mind the United Nations convention definition, will the Minister confirm that that is the working principle for this Bill?

My Lords, I do not wish to detain the House. I thank the noble Baroness for raising the point; clarity is always important, as we have learned, and she is right to put her finger on it. However, the point made by the noble Lord, Lord Paddick, is correct.

We run the risk in this Bill of pouring fuel on an already raging fire: the more we try to focus on children as a group, the more we demonise and make difficult the Bill’s attempts—through an amendment we all supported on Report—to raise our sights and find a way of expressing how all people are dealt with in terms of internet access, with particular reference to those with developmental or other support needs to whom the word “child” could well be applied. But that does not mean that we want the more generic approach to fail because it did not mention vulnerable adults, the elderly who may be struggling with internet issues, those with special needs or others. These groups all need to be considered in the right way, and I am sure that, in time, “age appropriate” may not be the most appropriate way of dealing with it. It does get us to a particular point, however. It was a historic decision that we took on Report to do it this way, but we need to have an eye on the much wider case for a better understanding of under what conditions and with what impact those of us who wish to use the internet can do so safely and securely.

My Lords, I feel confident that I will be able to reassure the noble Baroness and other noble Lords who have spoken this afternoon.

Child online safety is an issue close to the heart of the noble Baroness, Lady Howe, and everyone in this House. It is right that children in the UK should be granted a robust data regime so that they can access online services in a way that meets their age and development needs. It was with this goal in mind that the Government, with a great deal of support from a number of Peers from all sides of the House, led by the noble Baroness, Lady Kidron, agreed and supported her amendment. It introduced a requirement on the Information Commissioner to prepare an age-appropriate design code. This amendment was the product of many hours of discussion and days of drafting and redrafting, and I am glad that it was accepted with no dissenting voices in this House. The code will contain guidance on standards of age-appropriate design for relevant online services which are likely to be accessed by children.

The aim of Amendment 4, as explained by the noble Baroness, is to add a definition to the age-appropriate design code to define “children” as those under the age of 18. We are determined to ensure that children of different ages are able to access online services in a way that is safe and takes into account their different needs. For that reason, we included in Clause 124(4) a requirement that the commissioner must have regard to the fact that children have different needs at different ages, and in Clause 124 (4)(b) that the commissioner must have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. So I maintain that it is explicitly included in the Bill.

Article 1 of the United Nations Convention on the Rights of the Child defines children as,

“every human being below the age of eighteen years unless under the law applicable to the child, majority is attained earlier”.

As such, the existing age-appropriate design code, which requires the commissioner to have regard to the convention, already addresses the point that the proposed amendment is making.

Article 2 of the convention obliges state parties to respect and ensure the rights in the convention to each child—all those under 18. By requiring the commissioner to have regard to the convention, Clause 124 ensures that in order to comply with the requirements for the code on age-appropriate design, children up to 18 would need to be considered. Therefore, the existing age-appropriate design code already ensures that the commissioner must have regard to the different needs and rights of children under the age of 18, and as a result this amendment is not necessary.

Not only is the amendment unnecessary, it is potentially unhelpful. One of the key features of the existing age-appropriate design code is that it recognises that children have different needs at different ages. The proposed amendment risks undermining this important point by presenting children as a homogenous group. The needs of a child aged 17 are very different from the needs of a child aged 10 and it is right that the requirements of the age-appropriate design code reflect that.

The noble Baroness asked—the noble Baroness, Lady Kidron, also alluded to this—whether the Bill is consistent in its approach to children. As I said, children are human beings under the age of 18. That is the consistent approach we are taking on this legislation. But the Bill works in tandem with the GDPR and we cannot amend the GDPR. Nor does the GDPR allow member states to come up with their own definitions, so we interpret the GDPR as adopting the definitions from the UN Convention on the Rights of the Child.

There are of course differences between young children and older children, and the provision needs to be age appropriate. A child who is 12 years old may consent to having their data processed in the offline world. Clause 201 ensures that is consistent in Scotland as well as England and Wales. A child who is 13 years old may consent to having their data processed online. That is provided by Clause 9. Any website or app maker providing services for children—meaning everyone under 18—will have the benefit of the code of practice on age-appropriate design provided by Clause 124. Of course, the law generally makes different provision for older children and for young children—for example, the age of sexual activity, marriage and serving in the Armed Forces.

There is a risk that the proposed amendment to the clause on age-appropriate design could also have serious unintended consequences. The Data Protection Bill contains numerous references to “children”. We cannot agree to an amendment that could have implications for issues elsewhere in the Bill.

Finally, it is worth emphasising that the existing wording of the age-appropriate design code is completely consistent with the wording of the general data protection regulation, which itself does not define children. I hope I have reassured the noble Baroness and as a result she feels able to withdraw her amendment at this late stage of the Bill.

My Lords, I thank all those who have spoken, particularly the Minister for his considerate reply, which he will appreciate I nevertheless find somewhat disappointing. I hope that when the Data Protection Bill reaches the other place the issue will be debated again—and even that the Minister might by then have changed his mind. Nevertheless, in the meantime clearly I must do as requested. Therefore, I beg leave to withdraw the amendment.

Amendment 4 withdrawn.

Clause 144: Information notices: restrictions

Amendment 5

Moved by

5: Clause 144, page 79, line 26, at end insert—

“( ) An information notice does not require a person to give the Commissioner information to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.”

My Lords, I turn now to an issue that is pertinent to us all: parliamentary privilege. I am sure that noble Lords will agree that it is paramount that both this House and the other place continue to be safeguarded in their processing of personal data in connection with parliamentary proceedings.

This issue was raised in previous debates by the noble and learned Lord, Lord Brown of Eaton-under-Heywood, to whom I am very grateful. Those debates influenced our thinking on how the Bill currently provides for parliamentary activity, and I am pleased to announce that the amendments in this group have been tabled to ensure that privileges under the current law will not disappear when we enter the new data protection framework.

I will start with Amendments 5 to 8. Amendments 5 to 7 restrict information, assessment and enforcement notices served by the commissioner from requiring a person to comply with the notice if compliance would involve infringing the privileges of either House of Parliament. Put simply, the commissioner’s notices are “switched off” where there would be an infringement of parliamentary privilege. Amendment 8 prevents the commissioner giving the House a penalty notice with respect to the processing of personal data by or on behalf of the House. These amendments have been tabled to ensure that parliamentary proceedings will not be impeded by the commissioner and that Parliament will maintain the freedom to do its work that it currently enjoys.

Amendments 9 to 13 relate to criminal liability and seek to prevent corporate officers of either House of Parliament being liable to prosecution as a data controller. This is the current position in the Data Protection Act 1998, and our amendments seek to clarify the Government’s intention to maintain the effect of Section 63A of the 1998 Act. The amendments also make equivalent provision for government departments and data controllers for the Royal Household. It should be noted, however, that these provisions do not prevent corporate officers being liable for their own conduct when acting as data controllers on behalf of either House, for government departments or for the Royal Household. This maintains the current position, and we believe that it is an important safeguard that allows full parliamentary privilege while balancing the rights of data subjects.

Amendments 14 and 15 revert to the current position under the Data Protection Act 1998 in relation to the processing that is necessary for the functions of the Houses of Parliament or for the administration of justice by removing the additional “substantial public interest” test. On reflection, we could not see how such processing would not be in the substantial public interest, so the test appeared redundant. On that basis, the Houses of Parliament will have to consider simply whether processing is necessary for the purposes of their functions, as is the position now.

Amendments 20 and 21 make a corresponding amendment to Schedule 8, where processing is necessary for the administration of justice under the provisions in Part 3 for law-enforcement processing, to maintain a consistent approach across the Bill.

Amendment 18 is to Schedule 2 and extends the exemptions from the GDPR relating to parliamentary privilege to include an exemption from article 34(1) and article 34(4) of the GDPR. Article 34 requires controllers to communicate a personal data breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of the subject. The amendment excludes this requirement from applying to parliamentary proceedings and also restricts the ability of the commissioner to oblige either House to comply with it.

I hope that the House will agree that these amendments, taken as a package, will ensure that there will be no chilling effect on the functions of Parliament and will restore the regime that applies under the Data Protection Act 1998. It has the approval of the House authorities. I beg to move.

My Lords, I strongly support this group of amendments, perhaps unsurprisingly given that they have now been brought forward in place of a series of broadly similar amendments which, as the Minister has mentioned, I tabled on Report. They achieve the same basic objective, which is to safeguard parliamentary privilege and thereby ensure that this House, along with the other place, can continue to go about its business and fulfil its vital constitutional role without inappropriate inhibitions and concerns with regard to the protection of data and privacy, which of course the Bill as a whole is rightly designed to protect.

As I made plain on Report, I was prompted to table the original amendments by and on behalf of the officials of both Houses, that is to say, the clerks and counsel, because of their concern about how, unamended as it then was, the Bill risked infringing parliamentary privilege in the various ways that the Minister has recounted. These concerns were raised and over recent months they have been discussed extensively between officials and the Bill team. Again I express my gratitude and pay tribute to the Bill team for its hugely constructive help and co-operation throughout. As now formulated, these amendments substantially and realistically meet the concerns of officials, and accordingly I welcome them.

My Lords, we should all thank the noble and learned Lord, Lord Brown, together with officials of the House, for having prompted these amendments. In thanking the Minister I want also to mention in dispatches my noble friend Lady Hamwee. She highlighted this point early on in Committee, I think to the incredulity of the House at the time because it was thought that it was only Members of Parliament who should have the exemptions in the Bill. These elegant solutions demonstrate that parliamentary privilege covers both Houses.

I too thank the noble and learned Lord, Lord Brown of Eaton-under-Heywood, for his stalwart work in bringing forward these important amendments. What he did not say but we should also recognise is that on a couple of occasions he had to stay late in order to do that, I am sure far beyond his normal bedtime.

Unfortunately, squeezed out in the second group of amendments which I also supported but which did not find favour with the Government, was an effort to try to retain the current arrangements under which noble Lords of this House who wish to speak about individual cases would be able to do so on the basis that they would be treated as elected representatives. That did not win the support of the Government and therefore will be left to the other place, which I am sure will immediately seize on it and see the injustice reversed. In due course it will come back to us. With that, I support the amendment.

My Lords, I am grateful for most of the comments. It is a pity that the noble Lord, Lord Stevenson, had to bring up the one bit that did not quite go through, but as he says, I am sure that we can rely on the other place.

Amendment 5 agreed.

Clause 147: Assessment notices: restrictions

Amendment 6

Moved by

6: Clause 147, page 81, line 37, at end insert—

“( ) An assessment notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.”

Amendment 6 agreed.

Clause 151: Enforcement notices: restrictions

Amendment 7

Moved by

7: Clause 151, page 85, line 27, at end insert—

“( ) An enforcement notice does not require a person to do something to the extent that requiring the person to do it would involve an infringement of the privileges of either House of Parliament.”

Amendment 7 agreed.

Clause 155: Penalty notices: restrictions

Amendments 8 and 9

Moved by

8: Clause 155, page 87, line 28, at end insert—

“( ) The Commissioner may not give a controller or processor a penalty notice with respect to the processing of personal data where the purposes and manner of the processing are determined by or on behalf of either House of Parliament.”

9: Clause 155, page 87, line 31, leave out “under” and insert “by virtue of”

Amendments 8 and 9 agreed.

Clause 202: Application to the Crown

Amendments 10 and 11

Moved by

10: Clause 202, page 119, line 33, leave out from beginning to end of line 34 and insert—

“(5A) As regards criminal liability—(a) a government department is not liable to prosecution under this Act;(b) nothing in subsection (4) makes a person who is a controller by virtue of that subsection liable to prosecution under this Act;(c) a person in the service of the Crown is liable to prosecution under the provisions of this Act listed in subsection (6).(6) Those provisions are—”

11: Clause 202, page 119, line 40, leave out subsection (7)

Amendments 10 and 11 agreed.

Clause 203: Application to Parliament

Amendments 12 and 13

Moved by

12: Clause 203, page 120, line 15, leave out from beginning to end of line 16 and insert—

“(4A) As regards criminal liability—(a) nothing in subsection (2) or (3) makes the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act;(b) a person acting on behalf of either House of Parliament is liable to prosecution under the provisions of this Act listed in subsection (5).“(5) Those provisions are—”

13: Clause 203, page 120, line 21, leave out subsection (6)

Amendments 12 and 13 agreed.

Schedule 1: Special categories of personal data and criminal convictions etc data

Amendments 14 and 15

Moved by

14: Schedule 1, page 123, line 30, leave out paragraphs (a) and (b)

15: Schedule 1, page 123, line 35, at end insert—

“6A_ This condition is met if the processing is necessary—(a) for the administration of justice, or(b) for the exercise of a function of either House of Parliament.”

Amendments 14 and 15 agreed.

Amendment 16

Moved by

16: Schedule 1, page 126, line 34, leave out from beginning to end of line 34 on page 128 and insert—

“13A(1) This condition is met if the processing—(a) is necessary for an insurance purpose,(b) is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and(c) is necessary for reasons of substantial public interest,subject to sub-paragraphs (2) and (3).(2) Sub-paragraph (3) applies where—(a) the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and(b) the data subject does not have and is not expected to acquire—(i) rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or(ii) other rights or obligations in connection with such a contract.(3) Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.(4) For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and(b) the controller is not aware of the data subject withholding consent.(5) In this paragraph—“insurance contract” means a contract of general insurance or long- term insurance;“insurance purpose” means—(a) advising on, arranging, underwriting or administering an insurance contract,(b) administering a claim under an insurance contract, or (c) exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.(6) Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.”

My Lords, I am very pleased to be able to set out the Government’s reasoning in tabling this group of amendments in response to valid concerns from the insurance industry. There are three amendments in the group; one technical matter and two addressing processing for insurance purposes. Regarding Amendments 16 and 17, I am grateful to the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, for raising the challenges facing the insurance industry in previous stages of the Bill’s progress through the House and in discussions with me and my officials.

The Government recognise the fundamental importance of insurance products. They are vital to the public at large, who rely on insurance daily to protect them from financial loss due to an unfortunate emergency, accident or other unforeseen event. The industry is an important sector in the economy. On Report, we made clear our intention to propose an amendment addressing the noble Lords’ concerns at Third Reading. These amendments make good on that promise. Amendment 16 therefore replaces the three narrow conditions currently included in Schedule 1 with a single, more holistic condition permitting the processing of certain types of special category data where it is necessary for an insurance purpose.

There is a need to balance such processing with appropriate safeguards, and Amendment 16 provides these. First, as I have just said, processing must be necessary for a defined insurance purpose. For example, this condition will not be met if the organisation could achieve the purpose by some other reasonable means that did not require the processing of special categories of data, or if the processing was necessary only because the organisation has decided to operate its business in a particular way.

Secondly, processing must be necessary for reasons of substantial public interest. We consider that ensuring the availability of insurance at a reasonable cost to members of the public through risk-based pricing, the ability to detect and investigate fraudulent claims and the efficient administration and payment of insurance claims are matters of substantial public interest. Nevertheless, as this processing condition for insurance purposes is drawn more widely than those previously included in the Bill, we consider it reasonable to ask data controllers to consider whether, in respect of a particular processing activity they propose to undertake, it is necessary for a purpose that is in the substantial public interest.

Thirdly, the processing condition has been designed so that it affords additional safeguards to those data subjects who do not have rights or obligations in respect of the insurance contract or insured person. For example, a witness to an event giving rise to an insurance claim or a parent of a person seeking health insurance might fall into this category. Processing of data relating to these data subjects is permitted only if the data controller cannot reasonably be expected to obtain the consent of the data subject and they are not aware of the data subject withholding their consent.

Fourthly, data controllers relying on this new insurance condition will be required to have an appropriate policy document in place, as set out in Part 4 of Schedule 1 to the Bill.

Amendment 17 extends paragraph 13A so that the processing of criminal conviction and offences data is also permitted for an insurance purpose, which is clearly essential. Taken as a whole, we think that the processing condition set out in the new paragraph 13A provides the necessary balance between the rights of data subjects and the benefits that members of the public derive from the efficient and effective provision of insurance products.

Finally, Amendment 19 is a minor and technical matter. It merely deletes a reference to a provision elsewhere in the Bill that no longer exists. I am grateful to the helpful staff of the Public Bill Office who spotted this error when preparing the current print of the Bill last week. I am pleased that we have achieved what we agreed to do at the earlier stages of the Bill and I acknowledge the help of the Association of British Insurers and the Lloyd’s Market Association in reaching this solution. On that note, I beg to move.

My Lords, I strongly support this excellent group of amendments. I declare my interests as set out in the register, particularly those in respect of the insurance industry. I am enormously grateful to the Minister for being so generous with his time in the process that has led to the birth of these amendments. His Bill team has been quite outstanding—I see some of them sitting over there—and I thank them as well. I also thank three other Members of your Lordships’ House: the noble Lord, Lord Clement-Jones —who yet again was emailing me at 11 o’clock last night —and the noble Lords, Lord Hunt of Wirral and Lord Stevenson of Balmacara, who have been great supporters in trying to make sure that the ordinary man in the street can continue to buy insurance at a good price.

I have one tiny point of clarification, which will be very easy for the Minister to answer. He talked about insurance and I have talked about insurance, but it is important that reinsurance is understood, as well as retrocession and all the other words. We are talking about the whole concept of insurance and if he could confirm that reinsurance, retrocession and other things are included, that would be very helpful.

Anyway, with this change the man in the street will be able to buy personal and business insurances that involve special category personal data and yet the GDPR will have arrived. Insurers will have to improve their game somewhat—never a problem for the good, and important for the back-markers in the industry.

My Lords, I congratulate the noble Earl on the assiduous way in which he has pursued these issues on behalf of the insurance industry, and thank the Minister for his close engagement on them. We very much welcome these amendments but I have a couple of clarificatory questions for the Minister, the answers to which would be helpful in making sure that we all understand the exact position of the insurance industry relative to these new provisions.

The proposed derogation to paragraph 13A of Part 2 of Schedule 1 does not specifically address the processing of data relating to criminal convictions or offences. First, can the Minister confirm that paragraph 28 of Part 3 of Schedule 1 may be read in conjunction with paragraph 13A of Part 2 to permit the processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management or related money laundering and anti-fraud activities? The reference in paragraph 13A to,

“racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health”,

would appear to preclude this, but we assume that this is not the intent.

Secondly, can the Minister confirm that the processing of special category data or data relating to criminal convictions or offences by insurance companies and related intermediaries, such as reinsurers and brokers, for the purposes of conducting insurance-related business and managing claims will be regarded by the Government as purposes that are in the “substantial public interest”?

My Lords, I welcome these amendments and it is nice to hear the story that has come through of a listening Bill team and a listening Minister, and the way in which the industry has organised itself to make sure that the perceived faults were remedied.

If it is of interest to the House, a lot of us have been doing events with professional bodies and others interested in this whole area since the Bill started. I was reflecting just before this Third Reading debate that there were really only three things that came up time and again at these sessions, after the presentations by the experts and others such as us who were trying to keep up with what they were saying. The first was Article 8 of the European Charter of Fundamental Rights—that came up time and again. People did not understand the basis on which their rights would be retained, but we have dealt with that.

The second was the—unpronounceable—re-identification of previously anonymised data. I suspect that was because there are one or two very active persons going around all these groups—I seemed to recognise their faces every time it came up—who were anxious to make sure that this point was drilled back to Ministers. We have found a way forward on that, which is good.

The third item was the insurance industry time and time again raising points similar to those raised by the noble Earl, Lord Kinnoull, by suggesting that there was a problem with efficient markets and the operation of customer good, and that the Government had to look again. We are very glad that the Government have done so. I have now ticked off all my list and it is done.

My Lords, I am grateful to the noble Earl, Lord Kinnoull, and to the noble Lords, Lord Stevenson and Lord Clement-Jones. The noble Earl is absolutely right that there are various names for different insurance contracts, including reinsurance and retrocession, but they are all contracts of indemnity. The schedule absolutely covers all types of insurance, including reinsurance and retrocession contracts.

As for the clarificatory questions asked by the noble Lord, Lord Clement-Jones, they are very reasonable because this is not an easy part of the Bill to understand—even for people who have been looking at it for many weeks, as we have. First, he asked whether the provision permits processing of data relating to criminal convictions or offences where it is necessary for an insurer to process this data for policy underwriting and claims management, and for insurance purposes. Technically speaking, paragraph 13A, introduced by Amendment 16, does not permit the processing of criminal convictions data because it exercises the derogation provided by article 9(2)(g) of the GDPR. Criminal convictions data is regulated by a separate article of the GDPR, article 10, but the noble Lord will be pleased to know that Amendment 17 extends paragraph 13A so that it also covers criminal convictions and offences data.

Secondly, as for the processing of special category data by insurance companies and related intermediaries such as reinsurers and brokers, which are important, as is managing claims, the noble Lord asked whether that will be regarded by the Government as purposes that are in the substantial public interest. The answer is that the Government have introduced paragraph 32A because they believe that the provision of core insurance products is in the substantial public interest. However, the world of insurance is an exciting and dynamic one—no, really it is—and controllers must be accountable for their own particular processing activities. I hope that answers his questions.

Amendment 16 agreed.

Amendment 17

Moved by

17: Schedule 1, page 134, line 21, at end insert—

“32A_ This condition is met if the processing—(a) would meet the condition in paragraph 13A in Part 2 of this Schedule (the “insurance condition”), or(b) would meet the condition in paragraph 32 by virtue of the insurance condition,but for the requirement for the processing to be processing of a category of personal data specified in paragraph 13A(1)(b).”

Amendment 17 agreed.

Schedule 2: Exemptions etc from the GDPR

Amendment 18

Moved by

18: Schedule 2, page 144, line 2, after “provisions” insert “and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject)”

Amendment 18 agreed.

Schedule 6: The applied GDPR and the applied Chapter 2

Amendment 19

Moved by

19: Schedule 6, page 182, line 6, leave out “and (d)”

Amendment 19 agreed.

Schedule 8: Conditions for sensitive processing under Part 3

Amendments 20 and 21

Moved by

20: Schedule 8, page 184, line 24, leave out “a purpose listed in sub-paragraph (2)” and insert “the exercise of a function conferred on a person by an enactment or rule of law”

21: Schedule 8, page 184, line 26, leave out sub-paragraph (2) and insert—

“1A_ This condition is met if the processing is necessary for the administration of justice.”

Amendments 20 and 21 agreed.

A privilege amendment was made.


Moved by

My Lords, in moving that the Bill do now pass, I shall say a few words about it. The Bill has been central to my life and the lives of a number of noble Lords for many weeks now. It was accepted right from the word go as a necessary Bill, and there was almost unanimity about the importance and necessity of getting it in place by next May, taking into account that it still has to go through the other place. I am very relieved to have got to this stage. Despite that unanimity, we have managed to deal with 692 amendments during the passage of the Bill, which is a very good indication of unanimity as far as I am concerned. I have to admit that of those 692, 255 were government amendments, but that is not necessarily a bad thing. The GDPR takes effect in May and many of the things that would have been put into secondary legislation have been dealt with in the Bill. I think most noble Lords would agree that that is a good precedent. Data protection is so pervasive that the previous Data Protection Act, passed 20 years ago in 1998, is referred to around 1,000 times in other legislation, so a lot of the amendments were to make sure that when we repeal that Act and this Bill becomes law it will be consistent with other legislation.

I am very appreciative of what we achieved and the way that we did it. One thing we managed to achieve was to accept a number of recommendations from your Lordships’ House, so we changed the way that universities, schools and colleges can process personal data in respect of alumni relations; we ensured that medical researchers can process necessary personal data they need without any chilling effect; we agreed that patient support groups can process health data; we ensured a fair balance between privacy and the right to freedom of expression when journalists process personal data; and we have talked about insurers today. The noble Baroness, Lady Kidron, one of the heroes of the Bill, helped us protect children online, which we all agreed with—in the end. We amended the way that some of the delegated powers in the Bill are effective and subject to the right parliamentary oversight.

I thank the Front Benches for their co-operation. This is meant to be the last Bill for the noble Lord, Lord Stevenson. I doubt that. Every time he says that, he comes back. He had a good team to help him: the noble Lords, Lord Kennedy and Lord Griffiths of Burry Port. It was the first Bill for the noble Lord, Lord Griffiths; if he can survive this, he can survive anything. I am sure we will see a lot of him in future. I thank the noble Lords, Lord Clement-Jones and Lord Paddick. I should have mentioned the noble Baroness, Lady Hamwee, and acknowledged her position on the privilege amendment. I must say that the way she withdrew her amendments one after the other on Report is a very good precedent for other legislation that might be coming before your Lordships’ House soon.

The Bill team has been mentioned several times, not only today but all through the passage of the Bill. The members of the team have been outstanding. They have worked incredibly hard. I should like to mention Andrew Elliot, the Bill manager, Harry Burt, who worked with him, Jagdeep Sidhu and, from the Home Office, Charles Goldie. They have all done a tremendous job and been great to work with.

Lastly, I have had a galaxy of talent to help me with large parts of the Bill. My noble friends Lady Williams, Lady Chisholm and Lord Young of Cookham and my noble and learned friend Lord Keen have made my life very easy and I am very grateful to them. I beg to move.

My Lords, I will just slip in for a couple of minutes in the light of the Minister’s very shrewd appraisal of the progress on the Bill. I had not quite realised that the Bill team were treating the Digital Economy Bill as a dress rehearsal for the Data Protection Bill, but that is really why this has gone so smoothly, with very much the same cast on the Front Benches.

We on these Benches welcomed many aspects of the Bill on its introduction last October and continue to do so. Indeed, it has improved on the way through, as the Minister pointed out. I thank my noble friends Lord Paddick, Lady Hamwee, Lord McNally, Lady Ludford and Lord Storey for helping to kick the tyres on this Bill so effectively over the last four months. I also thank the noble Lord, Lord Stevenson, and all his colleagues for a generally harmonious collaboration in so many areas of common interest.

I very much thank the Minister and all his colleagues on the Front Bench and the excellent Bill team for all their responses over time to our particular issues. The Minister mentioned a number of areas that have been significant additions to the Bill. I thank the Minister for his good humour throughout, even at late hours and on many complicated areas. We are hugely pleased with the outcome obtained by the campaign of the noble Baroness, Lady Kidron, for age-appropriate design, which many of us on these Benches think is a real game-changer.

There is just a slight sting in the tale. We are less happy with a number of aspects of the Bill, such as, first, the continuing presence of exemptions in paragraph 4 of Schedule 2 for immigration control. Solicitors need the facts to be able to represent their clients, and I am afraid these immigration exceptions will deny access to justice.

Secondly, the Minister made a pretty good fist of explaining the way the new framework for government use of personal data will operate, but I am afraid, in the light of examples given, for instance by the noble Earl, Lord Clancarty, in relation to the Department for Education’s approach to the national pupil database, and now concerns over Public Health England’s release of data on 180,000 patients to a tobacco firm, that there will be continuing concerns about that framework.

Finally, one of the triumphs of debate in this House was the passing of the amendment from the noble Baroness, Lady Hollins, calling for, in effect, Leveson 2. The response of the Secretary of State, whose appointment I very much welcomed at the time, was rather churlish:

“This vote will undermine high quality journalism, fail to resolve challenges the media face and is a hammer blow to local press”.

On Sunday he did even better, saying it could be the “death knell” of democracy, which is pretty strong and unnecessary language. I very much hope that a sensible agreement to proceed is reached before we start having to play ping-pong. I am sorry to have to end on that slightly sour note, but it is an important amendment and I very much hope that it stands.

My Lords, from this side of the House, I also thank the Bill team, as I think I can call them. What we faced when we first came across the Bill was a beast—a beast dressed up as legislation but a beast in many ways. As the Minister said, we got round most of it but then discovered there were another 250 amendments coming down the track from the Government. Although they were dressed up as being small, trivial things, you have to read them and understand them, and they add a little to one’s workload.

If we did not learn to love the Bill, we certainly at least respect it. It is a good Bill, now much better than it was before. I hope it will have the longevity of its predecessor, the 1998 Act. It has the same aspirations and aims but, because of the inclusivity of the age-appropriate design and other matters that the noble Lord, Lord Clement-Jones, mentioned, it also begins to shape the debate that we still need to have about how and under what conditions we as a mature democratic society wish to engage with those who provide information, data, statistics, facts, communications and other things in relation to the electronic world in a way that is, if not comparable to, at least as effective as what is applied in the current non-virtual world. That is not the subject of the Bill, I am afraid, but it is something that will trouble this House now and in the future. We should not shy away from it because at its heart lies the future of our society. Morality and ethics are dimensions that we have not yet touched on in the Bill; they are still to come. They may well be foreshadowed for us by the creation of a data ethics commissioner of some kind. I welcome that and hope it will come forward quickly. Without it, we really are not in a very good place, despite the strength of the Bill.

For my part I am grateful to my noble friend Lord Kennedy and to my apprentice—if I can call someone of such distinguished age and experience that—my noble friend Lord Griffiths of Burry Port, who is going to take over my responsibility here in the main, although, as the Minister said, I am not leaving the Front Bench; I am simply moving sideways to accommodate those with greater skills and abilities than I have myself.

I have enjoyed the Bill tremendously. It is the sixth Bill that I have done with DCMS, and five of those have been with the current team. With familiarity comes a certain ability both to see through the artifices as they come at you but also to recognise a true offer when it comes, and both sides have benefited from that. We understand some of the pressures a bit more, particularly the difficult time that any Bill team has when it is agreed to move forward but the processes and procedures in Whitehall are so slow that they cannot keep pace with our aspirations for doing it. That is very frustrating for all concerned.

On that point, but not related to the mechanics, there is a question that the House must address at some point in the near future. What happens when it is agreed around the House, through Second Reading and Committee and approaching Report, that a desired amendment would bring public good but it cannot be moved because it falls outwith the narrow scope of the Bill, is a frustration that we have all encountered on this Bill and the previous Bill that I was involved with. There is a solution to that which should be discussed by the Procedure Committee. I hope it will do so in the near future, and I will be writing to it to that effect.

The Bill team have been absolutely fantastic. I gave them a rousing welcome when they first arrived because they have a trick at DCMS, which I recommend to all departments, of bringing together in one place at the very beginning of the process all the documents that you need to work out what you are talking about. If only every Bill team did that, we would all have much easier lives. They did it again this time, and it was fantastic. I have enjoyed working with them; their professionalism and efficiency were wonderful and a great help to us. Our support is minuscule in comparison; effective and efficient though Nicola Jayawickreme and Dan Stevens are, there are only two of them to support all our work. I wish to ensure that our sincere appreciation is on the record.

This has been an enjoyable ride. I have had a great time, waxing lyrical on things I did not think I would ever want to talk about. I hope that the Bill passes, and that when it comes back we will be able to deal with it expeditiously and appropriately.

Bill passed and returned to the Commons with amendments.