Skip to main content

Data Protection Bill [HL]

Volume 791: debated on Monday 14 May 2018

Commons Amendments

Motion on Amendments 1 to 28

Moved by

1: Clause 3, page 2, line 25, leave out “personal data” and insert “information”

2: Clause 3, page 2, line 26, leave out “personal data, or on sets of personal data” and insert “information, or on sets of information”

3: Clause 3, page 2, line 41, after “83” insert “and see also subsection (14)(c)”

4: Clause 3, page 3, line 27, at end insert —

“(aa) references to Chapter 2 of Part 2, or to a provision of that Chapter, include that Chapter or that provision as applied by Chapter 3 of Part 2;”

5: Clause 3, page 3, line 28, leave out “processing and personal data are to processing and personal data” and insert “personal data, and the processing of personal data, are to personal data and processing”

6: Clause 3, page 3, line 29, at end insert —

“(c) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.”

7: Clause 7, page 5, line 8, leave out “a body specified” and insert “body specified or described”

8: Clause 7, page 5, line 9, after “(2)” insert “, (2A)”

9: Clause 7, page 5, line 11, after “body”” insert “for the purposes of the GDPR”

10: Clause 7, page 5, line 12, at end insert—

“(2A) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—

(a) a parish council in England;

(b) a community council in Wales;

(c) a community council in Scotland; (d) a parish meeting constituted under section 13 of the Local Government Act 1972;

(e) a community meeting constituted under section 27 of that Act;

(f) charter trustees constituted—

(i) under section 246 of that Act,

(ii) under Part 1 of the Local Government and Public Involvement in Health Act 2007, or

(iii) by the Charter Trustees Regulations 1996 (S.I. 1996/263).”

11: Clause 7, page 5, line 13, after “specified” insert “or described”

12: Clause 8, page 5, line 29, at end insert—

“( ) an activity that supports or promotes democratic engagement.”

13: Clause 14, page 8, line 4, leave out “21 days” and insert “1 month”

14: Clause 14, page 8, leave out line 10 and insert “within the period described in Article 12(3) of the GDPR—”

15: Clause 14, page 8, line 16, at end insert—

“(5A) In connection with this section, a controller has the powers and obligations under Article 12 of the GDPR (transparency, procedure for extending time for acting on request, fees, manifestly unfounded or excessive requests etc) that apply in connection with Article 22 of the GDPR.”

16: Clause 15, page 8, line 31, after “21” insert “and 34”

17: Clause 15, page 8, line 34, after “21” insert “and 34”

18: Clause 17, page 10, line 16, leave out “authority” and insert “body”

19: Clause 19, page 12, line 2, leave out “(d)” and insert “(e)”

20: Clause 21, page 12, line 24, leave out “to which Part 3 (law enforcement processing) or” and insert “by a competent authority for any of the law enforcement purposes (as defined in Part 3) or processing to which”

21: Clause 25, age 15, line 40, leave out “individual” and insert “data subject”

22: Clause 30, page 19, line 4, after “specified” insert “or described”

23: Clause 30, page 19, line 10, leave out from “add” to end of line and insert “or remove a person or description of person”

24: Clause 41, page 23, line 33, leave out “an individual” and insert “a data subject”

25: Clause 42, page 24, line 29, leave out “with the day” and insert “when”

26: Clause 47, page 28, line 20, leave out second “data”

27: Clause 50, page 30, line 11, leave out “21 days” and insert “1 month”

28: Clause 50, page 30, line 17, leave out “21 days” and insert “1 month”

My Lords, with the leave of the House, I beg to move that this House do agree with the Commons in their Amendments 1 to 28. I will speak also to the other amendments in this group.

It is my pleasure to be able to open Lords Consideration of Commons amendments to the Data Protection Bill this afternoon. As we discussed at length when the Bill first passed through your Lordships’ House, this is a detailed and often quite technical Bill, intended to make our data protection laws fit for the digital age. It went through a period of review and revision under your Lordships’ supervision, and it has since been refined further in the other place. It now falls on us to review, and I hope agree, those refinements. I am very grateful to my noble and learned friend Lord Keen and my noble friend Lady Williams for helping me with some of these key areas today.

In setting out the reasoning behind the Commons amendments today, I will focus my remarks on the substantive changes made rather than the technical tweaks, of which there are many. This first group of amendments addresses the Commons amendments to Parts 1 and 2. I shall start with the subject of parish councils, a cause previously championed by my noble friend Lord Marlesford, and I declare an interest in that my wife is a parish councillor.

Parish and community councils are not exempt from the new law. Nonetheless, by describing parish and community councils as “public authorities”, the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement—for example, by exploring options for parish councils to share a data protection officer.

However, since the Bill left your Lordships’ House, we have concluded that as parish and community councils process very little personal data and often have few staff and small budgets, the burden that they will face may be disproportionate in some instances. I am therefore pleased to say that Commons Amendments 8, 9, and 10 would take these councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected.

Since the introduction of this Bill, it has been brought to our attention by a range of stakeholders from all sides of the political divide that there is concern about how processing for the purpose of democratic engagement should be treated for the purposes of the GDPR. I remember especially the contributions from the noble Lord, Lord Kennedy, and others on this subject, and I have met him to discuss these issues. I am grateful for his time and commitment.

As I have said before, the Government believe that there is a strong public interest in political parties and elected representatives and officials being able to engage with the public both inside and outside elections, which may sometimes include the processing of personal data. Having considered the matter further since then, the Government have concluded that it would be prudent to make provision in the Bill, to provide greater clarity to those operating in this space. Helpfully, Clause 8 already provides high-level examples of processing activities which the Government consider could be undertaken on the grounds of public interest.

As a consequence of the importance that the Government attach to the matter, Commons Amendment 12 would add,

“an activity that supports or promotes democratic engagement”,

to that list. This term has been deliberately chosen with the intention of covering a range of activities carried out with a view to encouraging the general public to get involved in the exercise of democracy. That could include activities such as communicating with electors, campaigning activities, supporting candidates and elected representatives, casework, surveying and opinion gathering, and fundraising to support such activities. We will ensure that the Explanatory Notes include such examples to assist the interpretation of what this provision means in practice.

However, any processing of personal data in connection with these activities would have to be necessary for the purpose and have a legal basis. That is why we can be clear that firms like Cambridge Analytica will not be able to claim public interest irrespective of whether Amendment 12 is agreed today. The amendment does not seek to create partisan advantage for any one side or to create new exemptions from the data protection legislation; it is intended to provide greater clarity and allow legitimate political activity to continue. The amendment is also technology neutral, given that in a short time we have moved from physical post to email, text, Twitter, Facebook, WhatsApp and Snapchat, and no doubt other means that I do not know about.

Of course, the Government are always open to suggestions of what else could be done to ensure legal and operational clarity for political parties and elected representatives. We will, for example, be undertaking further work on a cross-party basis to ensure that parties’ current activities have the sufficient legal basis required to rely on the public interest condition. Shortly we will engage with political parties via the Parliamentary Parties Panel to discuss the matter further.

Other amendments in this group, Commons Amendments 13 to 15, 27, 28, 45 and 46, relate to automated decision-making under the GDPR and the Bill. It is a broad category that includes everything from personalised music playlists to quotes for home insurance, mortgages and far beyond. While many benefits are to be had from the proper use of automated decision-making, the Government are not blind to the risks that these technologies present. Noble Lords will recall that article 22 of the GDPR provides a right not to be subject to a significant decision based solely on the automated processing of data. As set out in article 22(2)(b), this right does not apply if the decision is authorised by law as long as the data subject’s rights, freedoms and legitimate interests are safeguarded. Clause 14 provides those safeguards, including a right to be told that an automated decision has been made and the right to request the controller to take a new decision that is not based solely on automated processing.

The purpose of Commons Amendments 13, 14 and 15 is to bring Clause 14 into alignment with the directly applicable time limits in article 12 of the GDPR, thereby ensuring that both data subjects and data controllers have easily understandable rights and obligations. This includes giving the data subject longer to request that the decision be reconsidered, requiring that the controller should action the request without undue delay and permitting an extension of up to two months where necessary. In other words, the time limit has been increased from 21 days to one month, as mentioned in the GDPR. Furthermore, to ensure consistency across the different regimes in this Bill, not just between the Bill and the GDPR, Commons Amendments 27, 28, 45 and 46 would extend the time limit provisions for responding to requests in the other regimes in the Bill.

Article 34 of the GDPR requires data controllers to communicate a personal data breach to a data subject if it is likely to result in a high risk to the rights and freedoms of natural persons. Since the Bill left your Lordships’ House we have had further representations about cases where a person is the subject of an ongoing investigation. This requirement could alert that person to the investigation. To avoid this, Commons Amendments 16, 17, 173 and 192 would add article 34 to the list of GDPR provisions that may be disapplied by paragraphs 2 and 24 of Schedule 2. Importantly, data controllers will still be required to notify the Information Commissioner of breaches under article 33 and could be liable to enforcement action if they fail adequately to protect personal data. On that basis, I beg to move.

My Lords, I thank the Minister for that lucid exposition. When one has 282 amendments from the Commons, which I think is fairly unusual after the Lords have worked on a Bill, we find that the Commons have made many improvements, with one or two notable exceptions that no doubt we will come to in later groups. I welcome Amendments 8, 9 and 10 in particular, and Amendment 12. I heard what the Minister said in caveating the intended extent of the amendment. I very much hope that it will have the effect he hopes for. The automated decision-making provisions have to be in line with the GDPR, so it is clearly necessary to amend the Bill in that respect, but I generally welcome this group of amendments.

My Lords, I too welcome this group of amendments. First, on Amendments 8, 9 and 10, I recall the debate led by the noble Lord, Lord Marlesford, who is not in his place at the moment. He talked about his experience of the parish council in his area, explaining that a part-time clerk did a couple of days a week and it was impossible. He made his case well and I am happy to support him in it. I am glad to see that the Government have listened. I also believe that many Members on all sides of the House in the other place made similar points. I thank the Government very much for that.

I am very pleased with Amendment 12. We, with the Liberal Democrats, raised this issue during a debate in this House. We could not get it all agreed before it left to go to the other place but I had two very positive meetings with Matt Hancock and Margot James. The noble Lord, Lord McNally, also came along to our other meetings and the noble Lord, Lord Hayward, from the Conservative Benches, was also involved. We got to a good place. Nobody from any party thought that this issue should not be properly recognised in legislation. I am very pleased that the Minister and his colleagues have listened to us.

The Minister is of course right that technology changes all the time. We have no idea what we will be doing in four or five years’ time. Things move so fast now, so it is good that our legislation is written to take that into account. I was also pleased to hear the Minister say that the Government intend to consult and work with the Parliamentary Parties Panel, which is very important. It is a statutory body, set up in the PPERA 2000, where practitioners from all political parties can come together and talk with both the Electoral Commission and Cabinet Office officials. It really is the body where the people who know what they are talking about can come together. I sat on the body for many years and there was a lot of agreement among party officials about what needs to be done. I am glad that the Government will do it and I am pleased with what has come forward today.

My Lords, I am grateful to the noble Lords, Lord Clement-Jones and Lord Kennedy, for their positive remarks. There are a lot of amendments so, as I said before, I will try to concentrate on the substantive ones. There are a lot of consequential amendments, which make sure that the substantive amendments go through so that the Bill makes sense. I note that, having considered 692 amendments in your Lordships’ House, we are now considering a further 286; 978 amendments later, we should be in a better place.

Motion agreed.

Motion on Amendment 29

Moved by

29: Clause 51, page 31, line 2, leave out from first “the” to end of line 3 and insert “restriction imposed by the controller was lawful;”

My Lords, Amendments 29 and 30 relate to Clause 51, which enables data subjects to exercise certain rights through the Information Commissioner. Under Part 3, where a person makes a subject access request, it may be necessary for the police or another competent authority to give a “neither confirm nor deny” response; for example, to avoid tipping off that person that they are under investigation for a criminal offence.

Under the Bill as passed by this House, a data subject could exercise their rights under Clause 51 to request that the Commissioner check that the processing of their personal data complied with the provisions in Part 3. Such a request would clearly undermine a “neither confirm nor deny” response, effectively providing a back door for data subjects to find out if personal data was being held on them. To address this, the amendments replace the requirement on the Information Commissioner to check that processing complies with Part 3 with a requirement to check that a restriction imposed by the controller is lawful.

Commons Amendments 31 and 32 relate to Clause 53, which enables a controller when in receipt of a manifestly unfounded or excessive subject access request either to charge a reasonable fee before responding to the request or refuse to act on the request. The amendments extend this latitude afforded to a controller to cover requests made by a data subject under Clause 50, which requires a controller to reconsider a decision based solely on automated processing. Although the vast majority of subject access requests made by data subjects are reasonable, the amendments are necessary to ensure that controllers have a robust mechanism in place to deal with any repeated or malicious requests that they receive. I beg to move.

Motion on Amendment 29 agreed.

Motion on Amendments 30 to 50

Moved by

30: Clause 51, page 31, line 11, leave out from first “the” to end of line 12 and insert “restriction imposed by the controller was lawful;”

31: Clause 53, page 31, line 39, leave out “or 47” and insert “, 47 or 50”

32: Clause 53, page 32, line 4, leave out “or 47” and insert “, 47 or 50”

33: Clause 54, page 32, line 14, leave out “day” and insert “time”

34: Clause 54, page 32, line 15, leave out “day” and insert “time”

35: Clause 54, page 32, line 15, leave out “days”

36: Clause 54, page 32, line 16, leave out “the day on which” and insert “when”

37: Clause 54, page 32, line 17, leave out “the day on which” and insert “when”

38: Clause 54, page 32, line 19, leave out “the day on which” and insert “when”

39: Clause 94, page 55, line 8, leave out “day” and insert “time”

40: Clause 94, page 55, line 9, leave out “day” and insert “time”

41: Clause 94, page 55, line 10, leave out “days”

42: Clause 94, page 55, line 11, leave out “the day on which” and insert “when”

43: Clause 94, page 55, line 12, leave out “the day on which” and insert “when”

44: Clause 94, page 55, line 13, leave out “the day on which” and insert “when”

45: Clause 97, page 56, line 34, leave out “21 days” and insert “1 month”

46: Clause 97, page 56, line 39, leave out “21 days” and insert “1 month”

47: Clause 99, page 57, line 28, leave out “day” and insert “time”

48: Clause 99, page 58, line 3, leave out “day” and insert “time”

49: Clause 99, page 58, line 5, leave out “the day on which” and insert “when”

50: Clause 99, page 58, line 6, leave out “the day on which” and insert “when”

Motion on Amendments 30 to 50 agreed.

Motion on Amendments 51 and 52

Moved by

51: Clause 119, page 65, line 29, at end insert—

“( ) Paragraphs (b) and (c) of section 3(14) do not apply to references in this section to personal data, the processing of personal data, a controller or a processor.”

52: Clause 120, page 66, line 21, at end insert—

“( ) Section 3(14)(b) does not apply to references to personal data and the processing of personal data in this section.”

My Lords, this group of Commons amendments relates primarily to the enforcement powers available to the Information Commissioner. This is one area where, after the Bill originally left your Lordships’ House, events have influenced the Government’s thinking.

The Information Commissioner’s investigation into Cambridge Analytica is unprecedented in both its scale and its complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998, and the parliamentarians who scrutinised it, could envisage.

While recognising that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in light of the commissioner’s recent experience. Following extensive conversations with the commissioner and others, we concluded that such provision was indeed desirable. The amendments made in the other place would strengthen the commissioner’s ability to enforce the law while ensuring that she operates within a clear and accountable structure. I want to give five examples in particular.

First, Commons Amendment 64 would allow the commissioner to require any person who might have knowledge of suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or data processor. This could be important where, for example, a former employee had information about the organisation’s processing activities or if an organisation had gone into administration.

Secondly, Commons Amendment 70 would allow the commissioner to apply to the court for an order to force compliance where a person failed to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will now find themselves at risk of being in contempt of court if they do not comply.

Thirdly, Commons Amendments 67 and 87 would allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days the current law provides for. Amendment 79 would allow the commissioner in certain circumstances to issue an assessment notice that can have immediate effect. The amendments would allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities promptly and effectively. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.

Fourthly, Commons Amendment 81 criminalises the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence which has been identified as being relevant to the commissioner’s investigation.

Finally, we have also taken this opportunity to modernise the commissioner’s powers. Storing files on an office PC is rapidly becoming a thing of the past. Commons Amendment 210 would enable the commissioner to apply for a warrant to access material which can be viewed via computers on the premises but which is actually held elsewhere, such as in the cloud.

When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, where an information, assessment or enforcement notice containing an urgency statement has been served on a person, Commons Amendment 104 would allow the person to apply to the court to disapply that urgency statement: in effect, they have a right to apply to the court to vary the timetable for compliance with the order.

These amendments were developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions. I beg to move.

My Lords, I thank the Minister for his explanation. In many ways, when these clauses came to the House we missed a trick; I do not think we quite understood at the time that the Information Commissioner did not have adequate powers. It was rather a sorry sight to see the Information Commissioner hanging around for several days outside Cambridge Analytica waiting to be allowed to enter and inspect, so these amendments are extremely welcome—as, of course, is the new criminal offence the Minister mentioned.

I will say one thing: it is not entirely clear whether these powers are on all fours with, for instance, the Competitions and Markets Authority, Ofcom, Ofgem, and so on, in terms of the ability to make a dawn raid. I have looked at it but it is not entirely clear that that is possible. Clearly, in the current circumstances, the misuse of data is an extremely important aspect. It would be very interesting to hear from the Minister whether at the end of the day these are modelled on the other regulators. Does the Information Commissioner have very similar powers, and is a dawn raid available to her? Given that there are safeguards in the Bill—a warrant from the High Court and so on—that would be desirable. We have discovered that it is important for the Information Commissioner, as a result of the Cambridge Analytica scandal, to have all the powers necessary.

My Lords, I associate myself with what has just been said by the noble Lord, Lord Clement-Jones, and I agree with the Minister that this is a welcome step forward. I have three minor points to put to him and I shall ask a question about the powers at the end. He said several times that he had had conversations with and was in agreement with the ICO about the powers that were taken. Following up on what the noble Lord, Lord Clement-Jones, said, has the ICO agreed that these powers are what she asked for and will achieve what she aims to do in cases such as that of Cambridge Analytica?

Secondly, what are they modelled on? I have had the benefit of a conversation with the Bill team and the Minister on this and I think the answer to the question of whether they are modelled on the Competition and Markets Authority’s powers is that they are coming from slightly different directions. It is not necessary that the powers should be exactly the same, but I think the answer is that they were broadly what was envisaged for the CMA when it was set up and therefore appropriate for the powers required by the ICO. Can the Minister confirm that is the case?

My third question is one that we have explored at length in Committee and on Report. Given these new duties and responsibilities, which are substantial and will have to be exercised with great care but will add a burden to its existing work—as was laid out in the Bill when we saw it in this House some time ago—will the resources be available to the ICO to carry out that work? If not, what will the Government do about that? This bears particularly on the question of staff and staff capacity because, as the Minister says, we are talking about the cutting edge of technology.

My final point is that we are legislating in haste. There is no reason why we should be suspicious of that but it was done very quickly and there was not as much scrutiny as one would have wished, in either this House or the other place. I was not able to find this in the Bill itself, but can the Minister confirm whether, should it turn out that these powers are not as well drafted or well expressed as they could be, he has the powers to go back and amend them through the appropriate procedures in due course, should that be necessary?

My Lords, I have one question that builds on the point made by the noble Lord, Lord Stevenson. I note that the Minister said that organisations that refuse to hand over information will be in contempt of court. Can he confirm whether there will be a public interest defence built into these provisions?

Building on the point about the limited time for scrutiny here, can the Minister also explain whether there is a protection for the sources of journalism, with no obligation to disclose sources? Is there a protection for legal professional privilege and matters of that sort?

I am grateful for the contributions made by noble Lords. The first thing to acknowledge is that these amendments were made at a reasonably late stage in the Bill but not a very late stage, in the sense that it was in the second House. We considered the Bill first and the second House amended the Information Commissioner’s powers, so we are now looking at them again. However, I can confirm to the noble Lord, Lord Stevenson, that the Information Commissioner was involved in these powers. That is not to say that, in the course of those discussions, she did not put up some powers that she might like to have but, in discussion with the Government, we settled on some powers that she was content with. I can confirm that she is content with this suite of powers; in fact, she has written to the Minister for Digital confirming as such.

The noble Lord, Lord Clement-Jones, mentioned a dawn raid and asked whether we can do that and, further, whether these powers are on all fours with the Competition and Markets Authority and Ofcom. By and large the powers are on all fours but, as the noble Lord, Lord Stevenson, said, they are not exactly the same. They were modelled on them but they are slightly different, given the different roles and functions that regulators have. As for a dawn raid, the Information Commissioner has the power to ask for a warrant to be issued without notice if the judge is satisfied that giving the controller advance notice would not be appropriate. As I say, we looked closely at the powers of the CMA and Ofcom and modelled them as closely as possible.

The noble Lord, Lord Pannick, asked about protection for journalists’ sources. I can confirm that, yes, the new ICO powers continue to respect the need to protect journalistic sources and legal professional privilege.

The noble Lord, Lord Stevenson, also talked about the Information Commissioner’s resources. As he knows, we have increased the fees and made a commitment in the past that we will make sure that the Information Commissioner has the resources available to do her job properly. We understand the issues that that involves. We need the Information Commissioner to do a proper job and to be able to do so, not least because of the Brexit negotiations and the data adequacy requirements that we will want to continue for electronic commerce.

I think I have dealt with the points raised and, on that basis, I thank noble Lords for their support for these powers.

Motion on Amendments 51 and 52 agreed.

Motion on Amendment 53

Moved by

53: Clause 121, leave out Clause 121

My Lords, Commons Amendments 53 and 207 would remove from the Bill matters inserted by the noble Lord, Lord Mitchell, with the intention of protecting value in certain personal data held by the state. I am grateful to the noble Lord for again taking the time to come to see me to discuss further the intention of his original amendments to the Bill. He has been very helpful and we are in full agreement that this is an important matter. Our meeting also gave me the opportunity to explain the Government’s plans to address the issues that he raised going forward.

In this new digital information age, big data is changing the world we live in. One of the key reasons for updating our data protection laws was to ensure that the law is fit for this new age, where an ever increasing amount of personal data is being processed. We have remained conscious throughout the drafting of the Bill of the need to protect individuals’ data while also ensuring that the new law does not stifle innovation in the way that we use personal data. The Government recognise that novel ways of processing personal data could bring great technological, economic and societal benefits to the UK.

Longitudinal health and care data, in particular, has the power to fundamentally transform our lives in truly positive ways. The Government are taking a considered approach to the policy in this area in order to ensure that we get this right and fully realise the potential benefits of using health data, while ensuring that individual privacy is respected. We want to examine how we can maximise the value of the data for the benefit of the NHS and those who use and pay for it.

While we are entirely sympathetic to the aim of the noble Lord’s amendments, Commons Amendments 53 and 207 would reverse them because we firmly believe they do not help us achieve the outcome we are all seeking. A statutory code of practice risks stifling innovation, placing public authorities in a straitjacket. In an area where the thinking is still developing and the rate of technological advancement is increasing, flexibility is essential.

Moreover, maintaining a register of “data of national significance” is likely to raise a number of security concerns. The NHS has been the victim of cyberattacks and we do not want to produce a road map to assist those who want to harm us. The Information Commissioner’s Office has also stated, quite rightly,

“that even establishing and maintaining a register would still require the Commissioner to make decisions in an area where she is not best placed to advise”,

because her core function is to protect information rights.

While not developing a code and a register, the Government are none the less taking active steps to ensure we grip the issue that the noble Lord raises. We are working to connect to make the most of the distributed data that exists in the health service, identifying three to five local exemplars of integrated digital health and care records and using these to develop digital innovation hubs to support the use of data for research purposes, including in partnership with industry.

The Department of Health and Social Care is working to explore how to maximise the benefits of health and care data for patients and taxpayers. This includes exploring the different approaches taken by a range of bodies and lessons to be learned from local experiences of working with the private sector. It will look specifically at how best to capture value from products developed using NHS data.

Although Commons Amendments 53 and 207 may appear disappointing to the noble Lord, I can reassure the House that they are made with the best intentions, and that the Government are making every effort to address the concern in the right way. I beg to move.

Amendment 53A (as an amendment to the Motion on Amendment 53)

Moved by

At end insert “, and do propose Amendment 53B instead of the words left out of the Bill by this Amendment and by Amendment 207”.

53B: After Clause 120, insert the following new Clause—

“Personal data of national significance

(1) Within a year of the passing of this Act, the Secretary of State must bring forward regulations made by statutory instrument which—

(a) require the ICO to maintain a register of publicly controlled personal data of national significance;

(b) require the NAO to prepare a code of practice for data controllers which contains practical guidance on how to obtain best value in relation to the commercial exploitation of personal data of national significance;

(c) require the NAO to report annually to Parliament on the commercial exploitation of publicly controlled personal data of national significance.

(2) A statutory instrument containing regulations under subsection (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.

(3) For the purposes of subsection (1), personal data controlled by public bodies is data of national significance if, in the opinion of the Commissioner—

(a) the data furthers collective economic, social or environmental well- being,

(b) the data has the potential to further collective economic, social or environmental well-being in future, and

(c) financial benefit may be derived from processing the data or the development of associated software.”

My Lords, the words in the Bill and the words on the screens above us summarise my position. This is the Data Protection Bill, and my amendment is solely about protecting data—our data; our data of national significance; and in particular, our data owned by our National Health Service. Who do I wish to protect it from? From the predatory big tech companies, which see a huge financial opportunity in developing this NHS data and creating data algorithms; they can then sell those for billions of pounds, leaving us with precious little in return. The very same companies, by the way, pay minuscule corporation tax in our country and, indeed, it is the same in their own country. They are clever, immensely well funded, and very focused—they run rings around the NHS.

I feel that I have to prevent this happening. I seek to set in motion a process which will keep the value of this data for the benefit of our NHS so that it can use these proceeds either to plug its growing budget deficit or fund significant critical medical research—or, indeed, both. If I let my imagination go even further, I would like to see the setting up of a sovereign health fund into which these proceeds could be channelled and administered, in the same way as the Norwegians set up a sovereign wealth fund. What they have done with the proceeds of their North Sea oil we can now do with our data bonanza. As many have said throughout the Bill’s proceedings, data is the new oil—and we have struck a gusher.

If I may be permitted to extend the analogy even further—like oil in the ground, this data is crude; it needs to be refined. Huge investment will need to be made to create a data refinery which will be able to synthesise the millions of records that will produce the algorithms. It should be seen as a national co-production, perhaps with private and public partnership.

At Second Reading, I stated that it was my judgment that the market value of NHS longitudinal data could be worth billions of pounds. In all honesty, as I progressed, I fully expected someone to disagree with me and tell me that I was wrong. But no such person has come forward. All the experts seem to confirm my position. I made the point that the longitudinal data owned by the NHS was unique, with tens of millions of patient records going back to 1948 and even earlier. No other country has access to such a treasure trove. Even better, our population is diverse, with the records of people whose family members come from all corners of the globe. We have a perfect dataset.

The reason big tech companies are so interested in this data is that with the combination of sophisticated software, ultra-fast data processing, artificial intelligence and machine learning capabilities, they are able to produce algorithms which are tremendously powerful. These can be used to predict organ abnormalities to the extent that clinicians can save time and money, and ultimately people’s lives. And who can disagree with that? It is wonderful for all mankind.

By way of an example, DeepMind, which is based in London—it is a subsidiary of Alphabet, which owns Google—has been working with the Royal Free in anticipating acute kidney injury. Like knights on white chargers, DeepMind has financed the digitisation of millions of patients’ data and produced algorithms that are already making a major contribution to improving difficult-to-diagnose conditions. It has cost the Royal Free next to nothing and, unsurprisingly, its staff are over the moon. What they do not realise is that the algorithms produced by DeepMind have international value and will be monetised all over the world for the benefit of Google, not of our NHS.

DeepMind and companies like it are swarming all over the NHS. For my part, to put it bluntly, I want to stop them gathering the benefits of our data on the cheap. My new amendment would water down previous amendments that your Lordships agreed to on Report—an amendment that the Commons in its infinite wisdom decided to annul. Frankly, I am still at a loss to understand why a Conservative Government would not want to maximise this goldmine; I always thought they were the party of business.

I have, however, taken on board the points made by the Information Commissioner. She said the amendments went beyond her powers. I have reduced them to a minimum. In substitution I have inserted a requirement for the Secretary of State to require the National Audit Office to prepare a code of practice for data controllers, for guidance on how to obtain best value in relation to the commercial exploitation of personal data of national significance, and for the NAO to report annually to Parliament on the commercial explication of the very same data.

The Minister and his team have listened to what I have had to say and I am very grateful for his kindness and attentiveness. Our last meeting was very helpful, and I look forward to him confirming the points that were made. I beg to move.

My Lords, I support Amendment 53A, moved by the noble Lord, Lord Mitchell. In doing so, I wish to make two specific points that follow on from his speech today. First, the amendment crucially recognises the importance of measuring what we as a nation are doing with data of significance before we take important, industrially strategic decisions on how we make the most of this vital national resource.

The noble Lord and others have made the analogy of data as the new oil. That analogy works particularly well for personal data as, like oil, it is potentially as toxic as it is valuable, and it must be carefully handled and not allowed to be released into the environment without due care. If we are to best manage, protect and distil it, we must first learn where and how it is being moved, used and commercialised. Can we as a nation easily answer the question that we are asking of Facebook or the former Cambridge Analytica: how much data are we commercialising at home and abroad, and to whom? If not, why not? Progressive and young, emerging nations are reviewing how they use their national data for national advantage, and we must make a concerted effort to do the same.

My second point is how the amendment therefore recognises that this measurement should be done centrally, not burdening already stretched government departments with developing their own approaches. While these departments must remain involved to provide domain insight into certain data types—for example, health and social care—the National Audit Office or other bodies should take charge of a cross-departmental process for measuring and tracking these flows of significant and valuable data. In this way we should be able to develop a consistent, coherent view of how we are handling our data reserves, which will give us the best possible evidence upon which to base our decisions on a secure approach to maximising their impact for our future national good. I therefore hope the Minister will be able to shed some light today on how this process is being thought through.

My Lords, I support Amendments 53A and 53B, tabled by the noble Lord, Lord Mitchell.

I must express my general frustration at the Bill. There is so much information, so much data of national significance that, it is clear, will be abused by the Government, whether or not they know that they are doing so. The Windrush scandal showed just how badly the Home Office gets things wrong, and the Bill’s provisions allow the sharing of people’s data which would further the “hostile environment” policy. I am very disappointed that the Government have not tabled amendments to curtail the broad powers in the Bill that will allow for such abuse.

There are so many cases of people who are victims of serious crime—of rape, violence and people trafficking—who are being reported by the police to the Home Office and then being arrested, detained and deported. At least 27 police forces have admitted that they do this. Ministers cannot possibly claim to be learning from those instances, just as they appear not to have learned from Windrush, while they continue to include such cruel and intrusive powers in the Bill. The fact that the Government can get things so horribly wrong is why the amendment should be included.

We have heard that data is more valuable than oil. It is more valuable than oil or gold. It is the boom industry of our times, and the temptation for government to allow its exploitation by the commercial sector—the predatory big tech organisations to which the noble Lord, Lord Mitchell, referred—will be overwhelming, especially in this age of austerity when money appears to be so short.

This is not just an issue of exploitation in a negative sense: there are lots of opportunities for government data to be used to empower communities. We can do things such as monitor air pollution and hold the Government to account by using this data. I am excited by those opportunities, but they need proper regulatory oversight to ensure that data is used for good. The control and processing of nationally important data must be properly overseen by the Information Commissioner and the National Audit Office. The Government recognised this in the Bill as drafted, and I do not understand why that has been removed—perhaps the Minister could explain.

I really hope that the Minister will support the amendments, but I rather suspect he will not.

My Lords, on these Benches, we are very sympathetic to Amendments 53A and 53B. Like the noble Lord, Lord Mitchell, we find it difficult to understand why it has been impossible to come to some sort of agreement. I hear what the Minister said: that he is sympathetic, but not so sympathetic that he agrees with the amendments. This disagreement about whether a statutory code, guidance or whatever is the right way forward seems to be dancing on the head of a pin.

I pray in aid the intervening report of the AI Select Committee on precisely this matter, which supports the contentions of the noble Lord, Lord Mitchell. In our report, we stated:

“Increasingly, public sector data has value. It is important that public organisations are aware of the commercial potential of such data. We recommend that the Information Commissioner’s Office work closely with the Centre for Data Ethics and Innovation in the establishment of data trusts, and help to prepare advice and guidance for data controllers in the public sector to enable them to estimate the value of the data they hold, in order to make best use of it and negotiate fair and evidence-based agreements with private-sector partners”.

That seems fair and square along the lines proposed by the noble Lord, Lord Mitchell.

In the course of our inquiry, we also looked carefully at the sorts of arrangements made by DeepMind—not only the benefits, which he very fairly outlined, but the issues with how sharing that data was organised, which of course led to an investigation by the Information Commissioner’s Office. Of course, NHS data is particularly important in this context. In our report, we stated:

“The data held by the NHS could be considered a unique source of value for the nation. It should not be shared lightly, but when it is, it should be done in a manner which allows for that value to be recouped”.

So, fair and square, we are with the noble Lord, Lord Mitchell.

It would be somewhat ironic if the Secretary of State, in his response to our Select Committee in three or four weeks, said, “Yes, we agree: there should be something along these lines”, but we had missed the opportunity in this Bill.

My Lords, we supported the amendments that my noble friend Lord Mitchell tabled in Committee and on Report, and we support him in his journey through this process. The issue is probably complicated by the fact that, had this Bill been delayed by a matter of months from now, we would probably find that this issue was bobbing up all over our public realm, where people are beginning to realise the value of the assets that they hold. To the extent of being a first mover, I think that my noble friend has probably suffered from that, but I hope that the Minister will show some sympathy and support for him.

My Lords, I feel a lot of sympathy for the noble Lord, Lord Mitchell, and commend what he is trying to do. I think that I shall be able to reassure the noble Lord, Lord Clement-Jones, that we are not as far apart as he might think. The noble Lord, Lord Mitchell, raised with great enthusiasm the point that we should ensure as a country that we use our rich resources wisely. We share his excitement about the huge potential of big data to improve health and care. We acknowledge that, if we leverage these data to their full potential, that will have huge positive impact in improving care, giving people greater control, enabling the system to plan better and target support and treatments to those who can benefit, and it will transform our already world-leading life sciences industry.

Nevertheless, in the judgment not just of the DCMS but also the Department of Health and Social Care—I know that the noble Lord has been speaking to my noble friend Lord O’Shaughnessy, on this subject—Amendment 53B risks undermining the work already being done in this space. NHS England, the Department of Health and Social Care and the Office for Life Sciences are already undertaking a programme of work that looks seriously at the public benefits that can be derived from NHS data. They are committed to working with representatives of the public and industry to explore how to maximise the benefits of health and care data for patients and taxpayers. In doing so, it is vital that service users and patients are involved every step of the way. They will accept and support the use of their health data only if they understand how and why their information is being used and how everyone will benefit. We must take the public with us on this journey, rather than imposing a code now.

My noble friend Lord O’Shaughnessy and his ministerial colleagues at the Department of Health and Social Care have made a written commitment to keeping the noble Lord, Lord Mitchell, involved in future discussions about this work. He will make a valuable contribution with his expertise in this matter, ensuring that we maximise the value in these datasets.

I want to answer straightaway and head-on the point about why the Government should not consider that we extract the full value of the taxpayers’ data. Of course, it is absolutely right that public sector bodies should be aware of the value of the data that they hold, but that value can be extracted in many ways, not solely through monetary means. For example, sharing health data with other companies that analyse that data may lead to a deeper understanding of diseases and potentially even to new cures. That is why we want to take some time to explore this important issue fully and try to find the most appropriate solution, should one be needed, rather than tying ourselves to one approach now. That was raised in the other place when this issue was discussed by amendments from people who are very concerned about how health data are being treated. As I said before, we have to be very careful, particularly when talking about health data, how we use datasets when people have given their information on the basis that it is anonymous and is extremely sensitive.

The noble Lord, Lord Freyberg, rightly broadened the issue a bit from just health data. He asked how much data we are commercialising, at home and abroad, and to whom. He suggested that bodies other than central government should take charge of a process for measuring and tracking these flows of significant data. The noble Lord, Lord Clement-Jones, mentioned the Centre for Data Ethics and Innovation. A body exactly such as that can, in this very fast-moving area, consider the balance between the need to protect an individual’s anonymity and the sensitivity of their data, and that data’s monetary value and use for things such as curing disease.

The noble Baroness, Lady Jones, made some interesting remarks about how information would be abused by the Government and the broad powers we have taken in the Bill. I remind her that the GDPR, which takes effect directly on 25 May, is exactly about protecting data subjects’ rights. For example, it allows data subjects the rights of rectification and erasure. The point about subject access rights is to allow individuals to have more protection than they currently do. The Bill brings some of those rights and extends them into areas which are not even covered by EU competence. I do not agree with the noble Baroness that we are abusing the powers.

I apologise for interrupting the Minister. I have not been in the House long, so have not heard the whole debate, but I was listening to a programme about this subject at lunchtime today. The impression was clearly given that lives were being put at risk because of oversensitivity about the sharing of data. Perhaps the Minister will get his advisers to check what was said on that programme and see how much sense it made.

I will find out what was said. We should deal with what the GDPR calls special categories of data very sensitively. We should take data on health, sexual orientation, ethnicity and things like that very seriously. That is what the GDPR does and we will continue to do it under the Bill.

Finally, I return to the Commons amendments. I am afraid we still cannot support Amendments 53A and 53B as, at the moment, we believe that they are fundamentally the wrong solution. However, I hope that the productive discussions, to which the noble Lord, Lord Mitchell, referred, along with what I have said today, have convinced the noble Lord that our vision is aligned and that he finds sufficient reassurance in these words, and the written assurances that he has had from my noble friend Lord O’Shaughnessy, to be able to withdraw his amendment.

I thank the noble Lord for his very helpful comments. I also thank my noble friend Lord Freyberg, who has been with me all the way on this and given me huge support, and the noble Baroness, Lady Jones, for her comments. On the Front Benches, the noble Lord, Lord Clement-Jones, has always been a supporter and, at this particular point, the noble Lord, Lord Stevenson, has guided me through the intricacies of ping-pong, which I was not aware of.

I have heard what the Minister has said, and have received a letter from the noble Lord, Lord O’Shaughnessy. It is the end of the football season. We are now in extra time; we are still at a draw and could be facing penalty shoot-outs, but I am going to decline that. I beg leave to withdraw the amendment.

Amendment 53A withdrawn.

Motion on Amendment 53 agreed.

Motion on Amendment 54

Moved by

54: Clause 124, page 68, line 24, leave out “with the day on which” and insert “when”

Motion agreed.

Motion on Amendment 55

Moved by

55: After Clause 124, insert the following new Clause—

“Data protection and journalism code

(1) The Commissioner must prepare a code of practice which contains—

(a) practical guidance in relation to the processing of personal data for the purposes of journalism in accordance with the requirements of the data protection legislation, and

(b) such other guidance as the Commissioner considers appropriate to promote good practice in the processing of personal data for the purposes of journalism.

(2) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code.

(3) Before preparing a code or amendments under this section, the Commissioner must consult such of the following as the Commissioner considers appropriate—

(a) trade associations; (b) data subjects;

(c) persons who appear to the Commissioner to represent the interests of data subjects.

(4) A code under this section may include transitional provision or savings.

(5) In this section—

“good practice in the processing of personal data for the purposes of journalism” means such practice in the processing of personal data for those purposes as appears to the Commissioner to be desirable having regard to—

(a) the interests of data subjects and others, including compliance with the requirements of the data protection legislation, and

(b) the special importance of the public interest in the freedom of expression and information;

“trade association” includes a body representing controllers or processors.”

My Lords, the amendments in this group concern the regulation of the press and the processing of personal data for the purposes of journalism. First I will address Clauses 142, 168 and 169, which were added to the Bill by this House without the support of the Government, and which the Commons amendments now seek to remove. These clauses, and the issues they pertain to, have been subject to a great deal of passionate debate in both this place and the other. Since we previously discussed the Bill in this House, the Government have also published their response to the consultation on Section 40 and the future of the Leveson inquiry, to which these amendments relate, and have outlined their position in detail on these matters.

The Bill is about data protection and, as previously observed by the noble Lord, Lord Stevenson, during our last debate, it is therefore not the right forum for a debate on press regulation in the future. I hope to demonstrate that, even if it were, these clauses are simply not the solution to the problems faced by the press today to ensure that it is free, fair and sustainable.

Commons Amendments 106, 107 and 141 would remove Clauses 168 and 169, which were added to the Bill by this House. As they stand, these clauses would essentially introduce the provisions contained in Sections 40 and 42 of the Crime and Courts Act 2013, although they would apply only to breaches of data protection law. They would mean that any publication not regulated by Impress would be at risk of having to pay the legal costs for any complaint against them, whether they won or lost.

As I have already said, since we previously discussed the Bill in this House, the Government have published their response to the consultation on the future of Section 40. By way of update, then, I can tell the House that some 79% of direct responses favoured full repeal of Section 40, compared to just 7% which favoured full commencement. Many respondents cited concerns about the “chilling effect” that Section 40 would have on the freedom of the press. Andrew Norfolk, who uncovered the Rotherham child abuse scandal, has said that Section 40 would have made it “near impossible” to do his job. These clauses would also impose further financial burdens on already struggling local and national publishers, with 200 local newspapers having closed since 2005.

I recognise, however, that the primary motivation behind this House originally inserting these clauses was to ensure that victims of press intrusion would have access to adequate redress. I can reassure your Lordships that enormous progress has been made on this front—some of it since the Bill left this House—making these cost provisions no longer necessary or proportionate.

In 2014, the old Press Complaints Commission was replaced by the Independent Press Standards Organisation. IPSO follows many of the principles set out in Sir Brian’s report and is fundamentally different to the PCC. It has a legally binding contract with the publications it regulates, which means that, if a publication fails to comply with IPSO’s orders, such as publishing a front page correction, it can face court action.

Earlier this month, IPSO announced that it would create a compulsory low-cost arbitration scheme under which claims can be made for as little as £50, and all the major national newspapers that are IPSO members have signed up to it. This means that someone who has been wronged by a newspaper can, for the first time, ask for arbitration of their claim—and the newspaper cannot refuse. With the introduction of this scheme, IPSO has met one of the most important recommendations of the Leveson report and has ensured that ordinary people have a fair legal remedy that is quick and inexpensive. As Opposition noble Lords have previously acknowledged, once IPSO has met the majority of the standards for recognition established by the Press Recognition Panel, it is sensible to look afresh at this complex set of interrelated measures of inducements and penalties. Now is that time.

Amendments made by the other place would go even further in creating a strong data protection regime for journalists. Commons Amendment 108 would require the Information Commissioner to publish information on how people can get redress from the media. This plain-English guidance means that anyone with a complaint will know how to navigate the system. Commons Amendments 55, 56, 58 and 61 would require the Information Commissioner to create a statutory code of practice for journalists, setting out standards around data protection. When investigating a breach of data protection law, the commissioner would have to decide whether a journalist acted reasonably. When making this judgment, a failure to comply with the statutory code would weigh against the journalist. Taken together, these amendments would mean that Britain would have the most robust system of redress from press intrusion, accessible to all, that it has ever had—and it could be achieved without the chilling effect on investigative journalism that Section 40 would bring.

That brings me to Commons Amendment 62, which would remove Clause 142 from the Bill. Clause 142 requires the Government to, in effect, reopen the Leveson inquiry—but, again, only in relation to data protection. The first Leveson inquiry lasted for more than a year and heard evidence from more than 300 people, including journalists, editors and victims. It was a diligent and thorough examination of the culture, practices and ethics of our press, in response to illegal and improper press intrusion. It cost about £5.4 million of public money. An inquiry pursuant to Clause 142 could be expected to place a similar burden on the public purse.

Of course, there were far too many cases of terrible behaviour. Having heard the experiences of some noble Lords in this House—in particular, the impassioned contributions from the noble Baroness Lady Hollins—I can begin to understand the impact that they had. However, since this House last debated this clause, there have been at least four significant developments in the media regulatory landscape.

First, as I have said, IPSO has also launched a compulsory arbitration scheme to which most major national newspapers have signed up. This will ensure that victims have access to fair and affordable redress like never before. Secondly, as set out last week by my right honourable friend the Secretary of State, the Government have asked Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services to undertake a new review to look at how police forces are adhering to new media relations guidance, as recommended by Sir Brian Leveson. Thirdly, we have established the Cairncross review, which will address the challenge of how we can ensure a sustainable future for high-quality journalism that can hold the powerful to account.

The current business model of the press is facing fundamental challenges, and the rise of disinformation and fake news is putting at considerable risk the foundations on which our democratic processes lie. A series of round-table discussions with industry experts is already under way, as well as visits to specific regions of the United Kingdom.

Finally, the Government have proposed additional amendments to ensure that the press has changed its ways and can be held to account in the future. Commons Amendment 109 would require the Information Commissioner to conduct a statutory review of media compliance with the new law over the next four years.

A free and vibrant media is vital to democratic discourse, and we need to tackle the challenges that threaten it. I humbly submit that these developments embody exactly the kind of proportionate solutions that we have been seeking and that we need. High-quality news provision is vital to our society and democracy. Over many centuries our press has held the powerful to account and been free to report and investigate without fear or favour. These principles underpin our democracy and are integral to the freedoms of our nation. Clauses 142, 168 and 169 would derail this Bill and harm the vital work that we are doing to strengthen the future of high-quality journalism in this country. The elected Chamber has debated them and rejected them, and I urge noble Lords to do likewise. I beg to move.

My Lords, I rise to speak to Amendment 62A, which states:

“as an amendment to the Motion that this House do agree with the Commons in their Amendment 62, at end insert ‘, and do propose Amendment 62B instead of the words so left out of the Bill’”.

Let me explain why I have tabled this amendment after it was considered in the other place last week and narrowly defeated.

First, the need for completing this inquiry continues to grow. The illegal conduct which led to part 1 of Leveson is now known to be far more extensive and to go beyond phone hacking. More revelations emerge every week. It is an inquiry into criminality, corruption and abuse; in any other industry the press would be demanding an inquiry, and yet their opposition is uniform. We now know that the Sunday Times employed a blagger for 15 years to unlawfully access the phone accounts, utility bills and even bank accounts of ordinary people and government Ministers. The blagger, who has become a whistleblower, also said that they organised the theft of rubbish from the houses of Cabinet Ministers, published the stories they uncovered and then blamed it on a Civil Service leak. My noble friend Lord Turnbull was, it seems, moved to call in the Security Service to investigate the Cabinet Office mole, who never actually existed. This involved the personal details of the noble Lords, Lord Prescott and Lord Hague, and the noble and learned Lord, Lord Falconer, and they are among hundreds of victims. This was concealed from part 1 of the Leveson inquiry by the same executives now campaigning to stop part 2. Noble Lords may have heard of similar behaviour by other newspapers.

Secondly, firm promises were made to victims of press abuse.

Thirdly, I believe that the arguments made against completion of the inquiry were misleading, and that the other place should reconsider the matter.

Finally, I have made some adjustments to the amendment which I believe will help the other place to reconsider it, if we are to pass it today. Let me explain these adjustments, made after listening carefully to the debate in the other place. The first addresses the concerns of the Democratic Unionist Party that part 1 of the inquiry could have examined the situation in Northern Ireland more closely. Just before last week’s debate, the DUP was made a last-minute offer by the Government: a non-statutory review with no powers of evidence or witnesses into press conduct in four years. Having considered the matter, I am proposing a change that addresses the party’s proper and reasonable concerns and puts it before Parliament.

Let me clarify how my amendment relates to that offer by the Culture Secretary. Last Wednesday, in response to a question from the DUP Member for North Antrim, the right honourable Ian Paisley, the Culture Secretary said that the Government plan to have,

“a named person review the standards of the press in Northern Ireland”.—[Official Report, Commons, 9/5/18; col. 712.]

This interchange came just before the Government, backed by the DUP, narrowly defeated the amendment that would have required the second stage of the Leveson public inquiry into media ethics to be completed. The Culture Secretary’s surprise announcement was welcomed by Mr Paisley who described it—and this is important—as a “Leveson for Northern Ireland”.

The National Union of Journalists called for absolute clarity on the scope and nature of any such review. The Department for Digital, Culture, Media and Sport later explained that there is no review planned for Northern Ireland into press standards and that the Cairncross review of quality journalism is in fact UK-wide, specifically relates to examining media compliance with new data protection regulations and is to be undertaken by the Information Commissioner’s Office. The Culture Secretary referred to having a named person for Northern Ireland, but there will also be a named person appointed for Scotland and separately for England and Wales, and they will each feed into the overall review.

The other adjustment that I have made is specifically to exclude the local press from the scope of the inquiry. That will address the concerns of those who have argued, rightly or wrongly, that a public inquiry will somehow impose a burden on local newspapers.

I will not rehearse the arguments for completing this inquiry again—we know them well—and the case for the amendment makes itself. It is an amendment to complete a public inquiry, repeatedly promised, to investigate allegations of illegality, corruption and improper conduct among newspaper corporations, the police and other media organisations responsible for holding personal data. As we all know, contrary to claims made by its opponents, these issues were excluded from part 1 and have never been properly investigated.

We are also familiar with the arguments against. These are, as I understand it, that this inquiry would be too expensive, would hurt local publications, would be a chill on free speech and would not be forward-looking. The honourable Member for North East Somerset in the other place said that the promises to victims of a previous Prime Minister can be ignored. None of those arguments has any validity.

Would any of us accept an argument that investigations into mass criminality or years of concealment in, say, social work or the building trade should be abandoned because they were too expensive? Exposing the full scale of corruption in the police and press is just as vital as are recommendations to ensure that they are never repeated. Abandoning a public inquiry will damage the credibility of other inquiries. What about the Grenfell Tower inquiry?

As for the local press, they were never the main subject of part 2 of the Leveson inquiry and under this amendment they are excluded entirely. It states:

“In setting the terms of reference for the inquiry the Secretary of State must … include exemptions or limitations designed to exclude local and regional publishers from the scope of the inquiry”.

It could not be clearer.

It is also absurd to suggest that an inquiry designed to be transparent, to expose the truth and make fair and proportionate recommendations in the public interest could possibly interfere with free speech.

Finally, the inquiry is specifically designed to look forward as well as back by exposing the full extent of wrongdoing by examining the reforms that have actually been implemented since part 1. Part 2 will be able to make practical and proportionate recommendations for the next steps.

Both parts of the original inquiry were welcomed with huge cross-party support from both Houses. The relevant Select Committee in the other place, chaired by a Conservative, recommended unanimously that Leveson part 2 should proceed. The chair of the inquiry, Sir Brian Leveson, has recommended that it should proceed. I circulated his letter to some noble Lords today as a reminder. Many respected people have written to noble Lords today. I understand that Sir Harold Evans, the former editor of the Sunday Times, believes that part 2 is needed to restore integrity and public confidence in the press. Some 126 academics from 35 institutions, including former journalists and those teaching the journalists of the future, have also written, as has the mother of a victim following the Manchester Arena bombing, where press behaviour was, quite frankly, appalling.

To cancel this amendment is an act of gross censorship. The promises to the victims of press abuse still hold. This Government are breaking those promises. What is the role of this House if not to ensure that the Government act with honour and integrity and are held to their word?

My Lords, it has been a long and hard struggle to attempt to convince the Government to meet their commitments to complete the Leveson reforms and, most importantly, complete part 2 of the Leveson inquiry. During earlier debates, I claimed not to know any celebrities who were not politicians. I apologise to the House because I should have inserted the caveat, “other than a world-famous international yachtsman”.

I agree with my noble and learned friend the Minister that we should accept the Commons rejection of my Amendment 147, which sought in effect to commence Section 40 of the Crime and Courts Act 2013 in respect of data protection. I shall try to explain why in a moment, but it has nothing to do with the merits.

First, I would like unreservedly to support the noble Baroness, Lady Hollins, and her new amendment which seeks to commence the Leveson 2 inquiry. I agree with everything she has said, and I hope that she will seek the opinion of the House. If she does, I will be supporting her in the Lobby.

I am bound to say that the print media have consistently misrepresented the issues in question. For instance, it has been said that the noble Baroness and I hijacked this Bill to pursue our amendments. It is actually fair comment, but as any noble Lord who has been in opposition knows, it is a perfectly proper standard parliamentary procedure, and I am sure that my noble friend the Government Chief Whip has himself used this technique many times when he was in opposition.

It was also alleged that we cynically excluded politicians from the scope of the inquiry. This is simply not true. We did try to table an amendment that sought much wider terms of reference for the inquiry. Quite properly, the clerks advised us that we needed to restrict the scope of the amendment to data protection issues. It would, of course, be open to the Government to set wider terms to include politicians, and if a Conservative politician is alleged to have done something wrong, I am happy to see them explain themselves to the inquiry.

I turn to my amendments. When my noble and learned friend comes to reply, while he has explained the stick component of Section 40, will he remind the House of how its carrot component works, because I do not think that he mentioned it?

Although the Commons never actually divided on my amendments, they were fully debated and it is clear to me that there is no realistic prospect of the Commons changing their mind. There is no Salisbury problem with the amendment tabled by the noble Baroness, Lady Hollins, because she genuinely believes that if we send it to the Commons, we may get a different answer. However, I would suggest that this will probably be the last roll of the dice.

I feel bound to comment on the exceptionally effective campaign run, presumably, by the News Media Association. Whoever is running it knows what they are doing, although we have all been playing hardball. However, what is disturbing is that I have been silenced and skilfully suppressed nearly everywhere except in your Lordships’ Chamber, and therefore I am extremely grateful to the BBC programme, “The Big Questions”, for allowing me to contribute to yesterday’s debate. It is not clear to me why the Convenor of the Cross Bench Peers politely declined my offer to address the Peers on my amendment but nevertheless later allowed Sir Alan Moses, the chairman of IPSO, to address the Cross-Bench Peers. In the days immediately after our votes on Report, despite one national newspaper devoting three whole pages to criticising some noble Lords, my name was mentioned only once in any national newspaper, and I suspect that that was an accident. It is good that the press is supposed to be biased, opinionated and partisan.

Despite trying very hard, I was able to secure only two meetings to discuss the Leveson amendments with two Conservative MPs, and they had very good reasons to do so but nevertheless, quite understandably, they voted with the Government. Even the Leader of your Lordships’ House declined to have a meeting with me in the week preceding the vote in the Commons to discuss these problems—so much for free speech. The very same honourable Members who declined to meet me had helped to produce a majority of 530 to 13 in the vote to insert new Section 40 in the Crime and Courts Act 2013. What is going on?

I welcome the Government’s Cairncross review into the sustainability of the press. This is one of the Government’s arguments for not implementing Leveson. When I talked to my local editor, he was not worried about regulation; his problem was sustainability.

Recently, in accordance with the principal VAT directive, the appropriate tribunal decided that online publications would attract VAT at the standard rate. This is a tax on information and knowledge, when books and publications are exempt. The EU withdrawal Bill has enough difficulties without me raising another one, and I do not want to tie the Minister’s hands, but can my noble and learned friend write to me—and perhaps to my noble friend Lord Black—to assure us that the appropriate officials are aware of the risk of negotiating away our freedom to zero-rate online publications post Brexit?

Much of the debate on Section 40 has centred on state regulation of the press. At the moment, unfortunately, we have covert state regulation because anyone in government, particularly sources close to No. 10, can suggest to the media that Ministers are reconsidering commencing Section 40. This is a completely unacceptable gun, held to the press’s head, which must be deactivated at the earliest possible moment. Worse still, it could inadvertently lead to the press self-censoring in the case of a story that might, in any case, make for difficult ethical and legal decisions for the editor concerned. Can the Minister indicate when this very short Section 40 repeal Bill will be presented to Parliament?

If we are not to implement the Leveson press reforms, we need to commence part 2 of the inquiry to find out what has gone wrong in the past, ensure that it is not continuing and prevent it from recurring. As one of our briefings today put it, the past is a prologue for the future.

My Lords, I declare an interest as one of the few counsel who has acted in privacy cases for both the Daily Mail and Mr Max Mosley. I cannot support the amendment in the name of the noble Baroness, Lady Hollins. I remind your Lordships of what the Conservative Party manifesto said before the election last year:

“Given the comprehensive nature of the first stage of the Leveson Inquiry and given the lengthy investigations by the police and Crown Prosecution Service into alleged wrongdoing, we will not proceed with the second stage of the Leveson Inquiry into the culture, practices and ethics of the press”.

As your Lordships know, the Commons held a lengthy debate on this subject last Wednesday and voted not to institute a Leveson part 2. Your Lordships’ House has heard the pro and con arguments on many occasions.

I want simply to emphasise two points. Amendment 109 introduces extensive new powers on the Information Commissioner in relation to the press and, as the Minister has already indicated, it requires the commissioner to conduct a review of the press in the short term. Also, over the years, there have been not just police, and other, inquiries: a large number of civil actions—cases against the press—have been brought by phone-hacking victims. Those victims have not gone without remedy; they have received very substantial financial compensation, and rightly so. It is true that some of the claimants were celebrities, but many were not; they were victims of phone hacking because, for example, they were related to television actors or spent the night with a footballer. Reprehensibly, the press hacked their phones. They brought legal actions; the lawyers acted on a conditional fee basis. After the event, insurance ensured that there was no financial risk to the claimant, so it is simply not the case that victims of phone hacking lack, and have lacked, legal remedy. Newspapers have rightly been ordered to pay substantial sums by way of compensation. It is simply unrealistic to think, in the light of the criminal prosecutions and civil liability, that the message has not got across. I respect, of course, the views of the noble Baroness, Lady Hollins, the noble Earl, Lord Attlee, and the others who support this amendment, but it really is time for this House to give way to the views of the Commons on this matter.

My Lords, I support what the noble Lord, Lord Pannick, has just said. I also have the utmost respect for the noble Baroness, Lady Hollins. She has shown that she is a doughty campaigner; she passionately believes in her cause, and she has every right so to do.

I want to dwell on just one aspect: the relationship between the two Houses of Parliament. I hope that I have shown that I am not afraid to vote against the government line; I have done so frequently recently and I do not regret it, because I have done what I thought was right.

When we take such a line, we ask the other place to think again. However much the noble Baroness, Lady Hollins, may regret it, the other place has thought again. This is not the moment to introduce new amendments—to protract the ping-pong by bringing in a new ball. With proper deference to the elected House, we have to accept the line that it has taken. There are of course other arguments that one could deploy—it has been said that this is not the right Bill and all the rest of it—but the matter has gone to the other place; it has made its decision. We would be overemphasising our constitutional legitimacy if we sought to reject what it has said.

My Lords, I have some sympathy with what the noble Lord, Lord Cormack, has said, but equally I think that we are in danger of making this yes or no, black or white and getting ourselves boxed into corners. Something remarkable happened a couple of weeks ago. The Sun carried a story based on a report from the Resolution Foundation. I shall not go into the full details, but the Resolution Foundation had found that private renting was likely to increase by one-third over the next couple of decades and the Sun reported that there would be an 80% fall in owner occupation in that period, which it had somehow deduced from the one-third increase. That is not remarkable, but what is remarkable is that the charity Full Fact, of which I am deputy chairman, pointed out the error to it and—do you know what happened?—it apologised and corrected it.

This may just mean that the Sun has completely changed its coat and that, in future, we can expect page 3 to consist entirely of corrections of its errors, but there is another explanation, which is that the Sun realises, as does the whole press, the pressure that it is under from these Houses of Parliament and from the victims to mend its ways. The danger, however, is that that will last just so long as Section 40 has not been repealed and there is no Leveson 2, and then it will return to its old ways.

I think that there is a way through on this. In Amendment 109, the Government are introducing a requirement that the Information Commission review after four years how the press and media are getting on with data protection. If they were to widen that concept of a review after four years, it would keep the pressure on the newspapers to behave differently. I believe that they have made some progress. The institution of the arbitration scheme by IPSO, which was the glaring fault in its original constitution, was a big step forward even though it has its flaws. If we can keep the pressure on in the way that I suggest, by Ministers agreeing to extend Amendment 109 to a wider forum, we may find a solution to this mess without us having Lords versus Commons. Rather, we would meet a common need to have a better press free to report, as is its duty.

I am sorry for my earlier intervention. I thought the noble Lord, Lord Lipsey, was a Labour Member.

I declare an interest: I have twice been a victim of this. I do not have the clever words of the lawyers who constantly dominate this debate but we are talking about credibility, about a promise and about a Parliament that has agreed an action but is now about to reject it. That is a very important issue for both Houses to face. I say to the Minister that I support the noble Baroness’s amendment on a second inquiry. Indeed, I am pleased to see that Lord Leveson himself did so when the Government consulted him on it. To that extent, this is a political decision—a very political decision—that the Government have made.

I have three questions; I know that time is limited and I do not want to delay the House. My first question is based on my experience. I think that a second inquiry is necessary and should not just be into the events of the time. I do not think that things have changed, even with the so-called independent press body. We need to ask ourselves, what did the royal charter mean? When it was presented to the Commons, when I was still a Member there, we were told that the matter would be taken out of the political field—that it will be dealt with in a royal charter, we can all agree it together and there will be no division. Well, there is certainly division now, and it is still under the Queen’s charter. I ask the Minister: did they discuss this with the Privy Council or the Queen? We have actively involved her in a deliberate breach of a decision between the two Houses. We are, in that sense, divided. It is very political and on political lines, although it is all the opposition parties in the other place that have actually agreed on this. Did the Government consult the Queen on this? I was always told that you do not involve the Queen in the politics; that is why we use a royal charter. Well, by God, we have certainly involved her now, and we are divided. What is the position? Has she been advised about it and does she agree it? Is there any obligation to talk to her, and did the Government do so?

My second question concerns my interest as someone who was phone-hacked. I went to the courts and it was denied by everybody—by the press body, the police, the public prosecutor—so I had to win my case on the grounds of human rights, European human rights. I had to get it established that the hacking of my phone was a breach of my human rights. Since then, everybody has been telling me: “That is now the past; things have changed and you don’t have to worry. We can just get on with the business and not have a second enquiry”. Then, along comes the Sunday Times and Mr Witherow, its editor. We know from recent announcements in ongoing court cases that a man called John Ford was hired to commit criminal acts against individuals, including me and the Prime Minister at that time, Gordon Brown. It is clear from his statements, his bank accounts, his personal effects and the solicitors that we were all hacked and the victims of criminal acts by this Mr John Ford, who has made it absolutely clear everywhere that he was employed by Mr Witherow.

Now, of course, you might play around with the word “employed”, but he was paying him for 20 years. He might have been a separate investigator, but he was committing criminal acts and breaching the human rights of everyone involved. That has been announced in public statements by Mr John Ford. Indeed it was Mr Witherow who, when asked about the Leveson inquiry, when Gordon Brown was challenging him about things that happened then, said there was no truth in it. Well, Mr Witherow, you appear to be a liar. I know those are strong words used here, but you did not tell the truth, you did pay the money and you did commit criminal acts against people and breach their human rights. That, surely, in any democracy is wrong. Leveson showed it was wrong; he even pointed it out. We just ignored his recommendations. We are not entitled to do that, in my view. You can force the issue if you like and talk about the powers, telling us that we can disagree on day one but not on day two. You can say that as much as you like. There are very important issues involved here about the human rights of individuals. I am not talking about the real victims who have been betrayed by the Government, due to a manoeuvre with the Irish. But leave that aside—we can all have our opinions about that.

My third and final question is on something that I have never understood, although I have asked about it in every debate here. If the argument is about having these press regulations as recommended by Leveson, or most of them, why is it that they accuse us of a threat against democracy? They say that if editors are forced to register with government then that is the biggest threat to democracy. But I will ask again, although I never get an answer: why is it that every one of these newspapers registers in Ireland? The accountability in Ireland is controlled by a Minister in its Government but I think nobody is suggesting that there is no democratic accountability in Ireland. If the same newspapers can sign up for the same kind of accountability under a form of state regulation in Ireland, why can they not do it here? Perhaps they cannot do it here because of what they can get away with under a Government doing what they are at the moment.

Remember that there have been seven full inquiries into the press and they have always recommended a regulatory framework. That has always been defeated and it looks as if it will be defeated again. No doubt it will help among the press with me being just a politician. Perhaps it helps what they print if they have a Government supporting their issue. It might influence their opinion. For my mind, the issue is in the three questions that I have posed in all these debates. Why in Ireland? Why are they are at it again since Leveson, using illegal, criminal acts to breach the human rights of people? That is what the accusation was about and nothing has been done about it, except to protect them even further. As for the Queen, I would be interested to hear if it was talked over with her.

My Lords, I speak in support of the amendment tabled by the noble Baroness, Lady Hollins, and in doing so I declare my interest as chair of the Manchester Arena review. Indeed, it is on this that I would like to speak first as it was referred to in the debate in the other House. I will come back to the noble Baroness’s amendment later. If your Lordships look at the terms of reference of the review, you will find no mention of us looking into the behaviour of the press. However, both the Mayor of Greater Manchester and the review panel were clear from the outset that the experiences of the bereaved families, the injured and others directly affected should be at the heart of the review process. It was through the contributions of those directly affected that the issues of media behaviour emerged.

The panel commissioned the National Society for the Prevention of Cruelty to Children to support its work. Over 200 contributions were received via the NSPCC, most through email and a dedicated phone line. Members of the panel also met with those directly affected to hear their experiences in person. The panel itself heard from the family and friends of 11 of the 22 people who died. These contributions were made on an individual basis. They were strictly confidential apart from the need, should it arise, to share them with the coroner. I salute their enormous courage in reliving that experience in order that we might learn for the future. On a personal level, I felt truly humbled by their contributions.

Most of the participants who commented on their experiences of the media in the aftermath of the attack were negative. People talked about being hounded and bombarded; about having to force their way through scrums of reporters at hospitals who “wouldn’t take no for an answer”. Specific mention was made of photos being sneakily taken through the glass windows at the Etihad Stadium, when the families were being given news of their bereavement. Several people told of the physical presence of crews outside their homes. One mentioned the forceful attempt by a reporter to gain access through their front door by ramming a foot in the doorway. There were at least two examples of impersonation.

I personally heard from a family whose daughter was visited by a reporter at their home and given condolences on the death of her brother, while her parents were at the Etihad stadium waiting to hear the news. This took place on the morning following the attack. The families were not told that their son was likely to be among the fatalities until later that day. In another case I heard I was told of an injured member of a family being rung on her mobile by a journalist while in a hospital ward recovering from multiple operations to deal with her injuries. I could go on, but noble Lords can read the account for themselves in chapter 2 of our report.

It is important to say that a number of families spoke in praise of the sympathetic reporting, particularly by the Manchester Evening News, but also by other papers local to the bereaved. But overall, the panel were shocked and dismayed by these accounts. To have experienced such intrusive and overbearing behaviour at a time of such enormous vulnerability seemed to us to be completely unacceptable. By any measure, these actions fell well below the standards set out in the editors’ code of conduct.

The report does not name individual publications or news channels. This is because neither we nor the families concerned where in a position to confirm, when a journalist said they were from a particular publication, that this was indeed the case. Nor have there been many individual complaints to IPSO. The level of trauma experienced by these families, which they were still living with when I met them, meant that even if they were aware of the opportunity to complain to IPSO, the reality is that that was very unlikely to happen. Their focus, quite rightly, was not on press intrusion but on coping with family tragedy—something that consumes most if not all of the time and energy available to them. But I am in no doubt that a number of journalists, albeit a minority, behaved very badly towards these very vulnerable families and it is highly unlikely that they were all from foreign media.

In contrast to the fire and rescue service and Vodafone, which immediately issued full apologies on the issues we raised, the response from IPSO and other representative organisations to our media findings was very disappointing. To his credit, though, the chair of IPSO, Sir Alan Moses, has in subsequent correspondence with me acknowledged the seriousness of the issues and IPSO has produced an action plan to address our recommendations.

It was not the role of the review’s report to comment on the wider ramifications for the press. Our focus was on what specific action could be taken to prevent this happening again. But there is a real relevance to our debate because it points to the fact that, whatever improvements have been made in recent years, real issues still remain about the behaviour of the press, and in significant parts of the press there is still denial about these issues. I should say that I am a passionate believer in the independence of the press and its importance in a free society. Indeed, to the annoyance of some of my colleagues in central and local government, I argued forcefully against new proposed restrictions to the Freedom of Information Act being put forward by the then Minister for the Cabinet Office, one Matt Hancock. It is certainly the first and probably the last time I will receive a favourable comment on the front page of the Daily Mail.

This love of papers was imbued in me from an early age. One of my father’s personal treats at the weekend was to buy a couple of extra newspapers to read. He always went for papers which did not reflect his particular views so that he could get a rounded picture. My love of newspapers, inherited from him, is not conditioned by whether or not they say kind things about me or even this House. If the price of having a free press is for noble Lords to put up with being described as “ripe for the abattoir”, that is a price worth paying. However, that licence cannot and should not be extended to ordinary members of the public who are vulnerable and not in a position to respond.

I understand and share the concern about the intense financial pressure on our newspapers, particularly local ones. I also recognise the wider concerns about how we have a fact-free system working in social media. In the end, though, I support the establishment of an inquiry, as proposed in the amendment, because a promise was made by all the main political parties—not just their leaders—that there would be a second phase, and as a general rule I think promises should be kept. It is the clear recommendation of Sir Brian Leveson himself—who ought to be in a position to know whether or not the issues have been addressed—that there should be a second phase. In my view, it is perfectly possible, particularly with the amendments now made, to do this inquiry in a proportionate way that does not put at risk an independent press. Finally, I know from personal experience that, sadly, the issues that gave rise to the proposed second-phase inquiry have not yet been adequately addressed. I urge noble Lords to support the amendment.

My Lords, I do not think anybody can listen to that description without being worried about the state of the press. There is no point pretending that everything is perfect. As a former and current practising journalist, I would not. I welcome the narrowing of the scope that the noble Baroness, Lady Hollins, has suggested, particularly the exclusion of local newspapers, but I suggest that in recognising the importance of that she has also recognised the significant burden that the kind of wide-ranging inquiry she is proposing would place not only on those papers but on all the others that would be covered by the remaining scope.

The last time I had the temerity to speak in this debate, the noble Lord who spoke after me said that he had heard quite enough from journalists, thank you. Actually, there are very few journalists in this House and, I suggest, very few people who understand just how difficult the task of investigative journalism is. Although the issues we are immediately concerned with in the amendment are about the salacious nature of journalism, I fear that even this amendment would touch on some of the important issues that I, as an investigative journalist, have dealt with.

I won the Paul Foot Award for exposing miscarriages of justice in the courts. As a result of that the Labour Government changed the law, I am pleased to say. I was also involved in the exposure of the Rotherham sex-grooming scandal at the Times with Andrew Norfolk, who was referred to earlier. I believe that Andrew Norfolk’s view about Section 40, as expressed by the Minister, is very important. He is at the front line of investigative journalism and understands what that would actually mean in practice. This should not be just about revenge. If we are going to legislative effectively, we have to think about exactly what we are trying to achieve.

The noble Lord, Lord Prescott, suggested that nothing has changed since his experiences. I suggest that a great deal has changed, and other Members have referred to that. The landscape is different. IPSO is a tougher regulator. I was so disturbed by some of the events in Manchester that I contacted IPSO to find out how it had dealt with them and how many complaints had been made. In fact—I think the noble Lord, Lord Kerslake, would agree—only one complaint was made to IPSO about the Daily Star; that complaint was upheld. There may be a problem, as he suggests, in that people could not trust exactly which publication they were talking to but we need to take that into account when we are reflecting on this.

We have heard today and in subsequent readings of the Bill about the significant new powers to be given to the Information Commissioner. I asked the Minister a question, which arose out of my ignorance, and was shocked to hear the scope of the new powers that are being so rapidly extended. We need to reflect on that again. As the noble Lord, Lord Lipsey, said earlier, one of the powers the Information Commissioner will get under House of Commons Amendment 109 is to review journalistic application of data protection laws. I would rather wait and see how that pans out. I suggest to the noble Lord that that will put significant pressure on the press.

I do not like public inquiries. They tend to be a last resort for Governments who do not know what to do. They are extremely expensive and work only when they have a specific end in mind.

My real fear about the amendment is that the specific end that many of its supporters have in mind is to reopen precisely the questions and amendments we have been debating and which have been defeated in the House of Commons, in particular those relating to Section 14 of the Crime and Courts Act. If we launched yet another public inquiry, of which the public would not be greatly supportive, we would reopen a series of questions, some of which would go back over old ground. I appreciate the promise of the noble Baroness, Lady Hollins, to move forward—she is right on that—but we would open the door again to people who are keen to impose enormous costs and burdens upon the major newspaper groups. It would expose those groups to having to pay malicious damages in groundless, malicious lawsuits.

Let me remind noble Lords of the history of this House. When I arrived here I thought it was about defending free speech. I totally accept the concerns that have been raised—I do not believe that everything is perfect—but this amendment is not going to move us forward.

My Lords, standing on one leg will at least ensure my brevity. I declare an interest as deputy chairman of Telegraph Media Group.

I agree entirely with the comments of my noble friend Lord Cormack and the noble Lord, Lord Pannick, about the advisability of sending this amendment back to the House of Commons. Were we to do so, we should remember a few points on the substance of the noble Baroness’s amendment.

First, we should always bear in mind that the amendment would produce yet another inquiry covering the same ground that has been ploughed over not only by the first Leveson inquiry but by three police investigations, at least three Select Committee inquiries, a Joint Committee of this House, the US Department of Justice and, in this country on the question of corporate liability, the DPP. There is little left to uncover.

Secondly, since Leveson reported, there has been a genuine, wholesale change in press regulation. We have moved from a voluntary complaints handling service, chaired by my noble friend Lord Wakeham, to a system of tough, legally enforceable regulation with strong powers of sanction. I say to the noble Lord, Lord Lipsey, that it is those tough legal powers which IPSO possesses that mean there could be no backsliding to the standards of the past.

Thirdly—this an important point we all need to bear in mind—since IPSO introduced a mandatory arbitration scheme in the past few weeks, there are virtually no lawful recommendations of Leveson that have not been introduced. It has produced a sea change in how newspapers are run, managed and deal with complaints, and in how journalists are trained and monitored.

Fourthly, since the first Leveson inquiry, the situation facing the press has changed dramatically. I note the noble Baroness seeks to cut out the local press from this but all publishers, including national ones, are under huge and sustained commercial pressure, which will not abate. It is a struggle for survival on a day-to-day basis, which will be made all the more complicated by having to wind the clock back 10 to 15 years to rake over a world which, frankly, no longer exists.

Fifthly, the biggest threat today to the sustainability of high-quality journalism comes from Google and Facebook, which are not even mentioned in the amendment. If we go down this route, in 20 years’ time people will ask why on earth this Parliament insisted on endlessly rerunning the repeats of an ancient black and white drama rather than looking at how journalism could survive in the global digital environment.

I have always been taught that this House must try to understand that, as an unelected Chamber, it needs at least to try to understand the realities of the outside world and take note of the will of the people. During a consultation on what is, in effect, this amendment, the people spoke in huge numbers and, by an overwhelming majority, rejected it. For all the reasons that I set out today, so should we.

My Lords, I was here during the previous amendment; of course I was. I was here in relation to the whole matter concerning this amendment from the noble Baroness, Lady Hollins. I heard the references from the Front Bench to the particular part of the argument that has just been conducted, and I was here to hear the noble and learned Lord, Lord Keen, speak about what was happening with this amendment and what had happened in the Commons. I shall carry on because I do not accept the comment made by the noble Lord.

I support the position of the noble Baroness, Lady Hollins, for a number of reasons. One is that the question of ethics, and the ethics of the media, has really not been dealt with adequately so far. The other matters that really concern me are those concerning the police. So far, I am afraid, the police have got off rather lightly in the course of investigations into what took place regarding media misbehaviour. Unlike other lawyers—I know my noble friend Lord Prescott has a poor view of lawyers—I do not act for newspapers and have not done, nor do I have a column in any newspaper. However, I have acted for victims who have gone through court processes, I have acted for defendants who are on trial and I have acted in inquests, and I have to say that the story with regard to police behaviour is not good. Too often—I know this from direct experience—there have been leaks and tip-offs to the media by the police when people have been invited into police stations to be interviewed. Perhaps they are suspected or they are going to assist in an inquiry, but they end up being met at the police station doors by photographers and journalists. They are exposed to speculative pieces about why they were being seen by the police, and often they are chased and stalked by the paparazzi as a result.

You have to ask yourself why that happens. I am afraid that journalists covering criminal courts over the years have told me that often they would basically have police officers in their back pockets, and that meant the pocket that had their wallet in it. What was offered to police were bungs, pay-offs and “drinks”, as they were called euphemistically, for providing those tip-offs. They happen still, and they have happened subsequent to the Leveson inquiry: people who have been asked to come to police stations to be interviewed with regard to sexual matters but have not been charged—and no charges have, in the end, been forthcoming—have found themselves over the front pages of newspapers. At this very moment, Sir Cliff Richard is involved in litigation regarding that kind of collusion and coalition between the media and the police. I am concerned that the police still have not been looked at adequately for the role they have played in some of this particularly iniquitous conduct.

The second part of Leveson seems of real importance to the well-being of our nation. If there is corruption in our police—if they are able to do this and to supplement their incomes by doing it, and there is money available in the media to do it—we know that something is seriously wrong. I hope the House has that in mind. Sometimes the purpose of a public inquiry is to air such matters and make clear the seriousness with which such corruption and misbehaviour is viewed.

I give the horrifying example of a very distinguished television journalist who, back when paedophilia was first being investigated, became a cause for concern. She and her husband had put some photographs into Boots the chemist, in the good old days when that was how you did it. She put a reel of negatives in to be made into snaps, and the person at the Boots laboratory handed them over to the police because there were photographs of their little daughter standing up in the bath and her daddy, who was shaving at the time, had sprayed his shaving foam on to her in the shape of a bikini. The photographs were handed over to the police and the couple were asked to come to the police station. When they arrived at Holborn police station, the media were there in full throng to photograph them, with salacious accounts given of why they might be there, the inference being that they were involved in some sort of nefarious conduct.

Of course, in the end it was all dropped and apologies were made, but that was not satisfactory because of the ugliness of what that family went through. You have to ask how such things happen. The same story is told by Paul Gambaccini and many people who went through similar experiences recently, when they were never charged but were exposed to such coverage.

Lawyers will tell you that another thing that happens too often is that clients tell them that, after a case is over, suddenly, intimate photographs from their family album appear in newspapers and they cannot understand how it happened. When their home was raided, photographs were stolen from family albums by police officers and then sold to the press. Is this satisfactory? Is it not right that we should look at this to drive home its unacceptability?

I am in favour of the amendment moved by the noble Baroness, Lady Hollins, and I think we all should be. It addresses really unsatisfactory conduct, which will be properly dealt with only if there is an inquiry and the police are held to account.

My Lords, I should declare a few interests. The first is that I was the victim of a kiss and tell story in a Sunday tabloid newspaper: front page and eight inside pages. I was also, separately, the victim of phone hacking. Thirdly, I joined the noble Lord, Lord Prescott, in his civil action under the Human Rights Act. Fourthly, I am a former senior police officer.

Briefly, on the contribution of the noble Lord, Lord Pannick, and the rather rosy picture he has of civil actions being taken by victims of phone hacking, and referencing what the noble Lord, Lord Black, said about the reality of what goes on outside, my reality was that yes, I had lawyers working on a conditional fee agreement—no win, no fee. I was told at the beginning of the process that I could get insurance against losing. Three months into the action, when tens of thousands of pounds had been spent by both sets of lawyers, it was established that I could not get insurance against losing. If I had stopped the action at that point, I would have had to pay the costs not only of the newspapers’ lawyers but my lawyers, because a conditional fee agreement works only if you go through with the action and then lose. Unfortunately, it is very difficult for ordinary people to take on newspapers through the courts in the way that the noble Lord, Lord Pannick, presented it to the House earlier.

I say to the noble Lord, Lord Cormack, that, yes, the other place considered a previous amendment that we put to them. This is a different amendment. It addresses many of the concerns expressed in the other place, and the other place should have the opportunity to consider this amendment.

The noble Baroness, Lady Cavendish of Little Venice, and the noble Lord, Lord Black of Brentwood, both talked about the enormous burdens on major newspaper groups. We need to consider the enormous burdens placed on innocent victims of the media.

My Lords, the noble Baroness, Lady Cavendish, made the point that there were few journalists here. As far as I know, the noble Baroness, Lady Kidron, and I are the only remaining film-makers—and I think that we do know how to edit. I would very much like to support the amendment perfectly set out by the noble Baroness, Lady Hollins. It should not be necessary to say this in your Lordships’ House but, once again, I reiterate that I am the proud son of a journalist and would die in a ditch to protect a responsible and fearless free press. But freedom of any sort brings its own responsibilities, and the greatest of these is the sustaining of trust. This short debate is all about trust.

The Minister in another place said he was being “forward-looking”. I am sure that I speak for many in this House when I suggest that the most forward-looking ambition that we share is the possibility that we might, over time, regain the trust of the people of this country in the quality and integrity of Parliament. As I see it, this ambition trumps all others—and to judge by recent coverage in our national press we are not coming from a particularly good place in that respect.

On the evidence of the past 20 years or so, much of the national press takes the position that its role in society is so important that Parliament needs to get over itself, and understand that in the real world you cannot make omelettes without breaking eggs. The view that it appears to advance is that, to remain sustainable, injustice, distortion, deception, abuse and even at times criminality are the price that society is required to pay for a robust, unfettered press. What if the Church took a similar position with regard to misconduct in its own ranks, or our judges argued that an acceptance of illegal practice in the collection of evidence was a necessary price to pay in the pursuit of justice? At the height of the financial crisis we came close to being persuaded by the banks that their reckless behaviour was justified by the pressures placed on them by their shareholders. I would argue, as has been very well put many times during the passage of this Bill, that society cannot afford the luxury of entirely unconstrained freedoms—not in the law, the Church, the financial sector, social media and even the press.

The reasons why Leveson 2 is necessary were well explained by the noble Baroness, Lady Hollins, in setting out her amendment. Personally, I have not the slightest doubt that such a review would reveal an extensive and entirely improper set of relationships between the press, politicians and the police, with the very real possibility that significant cases of actual obstruction of justice would come to light. It seems just possible that, in making that suggestion, I have stumbled across the real reason for the Government’s desire to scrap this second and, to my mind, more important inquiry.

I have just two specific questions to put to the Minister. First, having checked, I can find no record of the former Prime Minister having expressed a view on the unprecedented repudiation of his commitment to Parliament, let alone the breach of his well-publicised personal promises to the victims of press abuse. Has he been asked about, and has he indeed endorsed, the recent decision by the Secretary of State? Is Mr Cameron prepared to meet the victims to explain what factors or new revelations encouraged him to change his mind on this matter—if he has? Possibly the Minister, or even the media, might choose to inquire. Further, does the Minister feel that the precedent set by the decision to scrap Leveson 2 is likely to enhance or diminish the likelihood of overcoming the challenge I referred to at the outset—the ambition of all responsible politicians to develop greater public belief in the honesty and integrity of Parliament in general and of the Government that he serves in particular?

My Lords, I declare an interest as a television producer who has been involved in investigative programmes for the BBC and other channels. I listened with horror to the stories of victims that my noble friend Lord Kerslake told, and I am sure that I was as appalled as the rest of the House. In previous debates, my noble friend Lady Hollins has also talked about victims’ stories, which must also have appalled us all. However, I ask the House to consider how the amendment could rebalance the relationship between the right to privacy of the individual and the right to freedom of expression, in favour of the former.

I am particularly concerned about proposed new subsection (3)(f) of the amendment, which looks innocent enough—and I think that it would help the victims of phone hacking, which of course is something I welcome. However, it might come at a terrible cost to freedom of expression. This morning I spoke to a number of representatives of the most responsible newspapers and broadcasters about their fears over this proposed new subsection. They are concerned that switching the balance between free speech and the privacy rights of the individual will raise the bar for the way in which publication in the public interest is viewed by the courts. As someone who has worked in the media for many years, I fear that even the prospect of the bar being raised will have a chilling effect on investigative journalism. Editors will be afraid to commission investigative stories for fear of not being able to publish them. Likewise, it will empower lawyers who want to defend the privacy of wealthy individuals.

I have looked at the case brought against the BBC and the Guardian newspaper for the publication of the Paradise papers, which exposed no illegality but revealed, on an industrial scale, the avoidance of paying British tax by huge corporations and wealthy individuals. The purpose of the publication was not only to expose the actions of individuals and corporations but to focus British public and political opinion on the nature of offshore investments and tax avoidance—which I would argue is definitely in the public interest. Yet the lawyers at Appleby, the offshore legal firm at the centre of the Paradise papers affair, used a breach of confidence case against the media’s use of privileged documents to target the organisations involved.

The case has been settled, but if it had gone to full trial the judge would have had to weigh up the right to privacy of the individual against the public interest in publishing the documents. In all these cases, editors must take into account the possibility of losing, even when publication is demonstrably in the public interest. An inquiry into rebalancing rights of privacy against freedom of expression will further increase that anxiety. I am concerned not just about the rebalancing of rights to the detriment of free speech; I am concerned also that this amendment will be a distraction from the implementation of a complicated series of new legal powers introduced by the Bill. Many of these will be challenged by the courts and will consume a huge amount of time on the part of media organisations, as all sides struggle to ensure that the very worthwhile measures set out in the Bill are put into full effect. The amendment is retrospective and potentially damaging to the Bill and to free speech in this country. I urge noble Lords to vote against it.

My Lords, I regret that I cannot support the amendment in the name of the noble Baroness, Lady Hollins. This has been a passionate debate so far and there is, no doubt, more to come. However, there has been a definite lack of balance. There has been no mention of the good that the press has done over the many decades that I have been a newspaper reader. We can go back to Harry Evans and thalidomide; to MPs’ expenses in the Telegraph; we can talk about phone hacking itself, which was exposed by newspapers; the noble Viscount has just brought the Paradise papers to the attention of the House.

Addressing myself to the amendment, I have spent a lifetime on both sides of the media fence, as editor-in-chief of ITV and Channel 4; as a Daily Mirror sports journalist 150 years ago, when Charlton Athletic used to win; and, too often, as the subject of media scrutiny and—putting it at its most charitable—the victim of some very painful criticism. I have several reasons for opposing the amendment. First, if there is a principle underlying the proposed new inquiry into the press et cetera, how can regional newspapers be exempt? Is it a principle or is it not? If there is a problem, pleading poverty should not excuse you.

Secondly, lumping the press and broadcasting with social media on the issue of misuse of data is to misunderstand entirely the nature of the problem we face. Newspapers and broadcasters are governed very strictly in their handling of data, not only by regulators but by the Information Commissioner’s Office, with a carefully crafted exemption for public interest data searches. The ICO is a statutory body with draconian powers which it is not afraid to exercise. We know that Facebook and its ilk are displaying scant regard for data privacy. I am sure that noble Lords all agree that the Cambridge Analytica issue is the tip of the iceberg. Traditional media offer no evidence to justify this lumping together in the amendment.

Thirdly, I suspect that lying behind the amendment is yet another attempt to exercise some statutory controls or levers over our free media. Any inquiry, not least that envisaged by this amendment, is bound to produce recommendations, with the risk to free speech of some statutory device, overt or covert, buried in them.

Fourthly, your Lordships have heard of the two relevant amendments in the other place, one of which was defeated and the other not moved. I have fought many battles in my career to keep legislation out of the media, not least at the BBC. Those pushing for some statutory levers over the free press are inclined, conveniently, to dismiss the incredible leap forward of IPSO. As a former member—I declare a former interest—of the now-defunct Press Complaints Commission, I am entirely satisfied that the PCC’s shortcomings have been rectified most effectively by IPSO. It is well resourced, beyond criticism in its independence of mind and, unlike the PCC, which was just a complaints body—which people tend to forget—IPSO is set up as a regulator. Its remit is as clear as it is effective.

In conclusion, I regret that I cannot support this amendment. I add that I do not believe, in keeping with my noble friend Lord Cormack—now listed—that it is proper for this House to cobble together a late amendment to spend public money on an ill-thought-through inquiry after the other place has clearly had its say. I see no public interest whatever in this amendment and I am certain that there are more important matters for us to spend the public’s money on.

My Lords, I too respectfully resist this amendment. I will touch on one point: the suggestion that Leveson 2 was promised and the Government are now brazenly breaking that promise. I suggest that that is not so. Were the public inquiry required by this amendment to go ahead, it would be a very different inquiry from that which was originally contemplated and promised by way of a further stage of Leveson. Consider the differences between Amendment 142 that this House originally passed, confined as that was to news publishers, and extending as it did to regional and local newspapers. That is totally different from the amendment now suggested, which is almost the same as the one that was rejected by the other place last week.

Consider the differences in the legal landscape—IPSO, about which much has been said. I should perhaps declare that I was one of the body of five who appointed IPSO, but that is hardly the point. Lord Justice Moses was a colleague of mine, as was Lord Justice Leveson, and both are of equal seniority and equally high reputation.

Consider all that has been learned from the series of cases since Leveson 1. While certainly not agreeing to the abandonment of any further inquiry, Leveson himself recognised changes in the legal landscape in the letter that has been referred to, referring on page 5 to how,

“the guidance from the College of Policing regarding Media Relations represents significant change”,

and recognised the fact that work is currently under way on a digital charter. This inquiry would also require investigation into issues which, frankly, have nothing very obviously to do with this Bill on data protection. It would require an investigation into whether suspects should be named before charge or conviction. That is a difficult, important and interesting question, but it is not something that obviously arises now.

Inquiries are sometimes compellingly necessary, but it is no good pretending that they are invariably the panacea that they are cracked up to be. Note some of the difficulties in, for example, the historical sex abuse inquiry, the inquiry into undercover policing and so on. I respectfully suggest that a further inquiry is not required here.

My noble friend Lord Pannick is not always right. You have only to read his column in last week’s Times which extolled your Lordships’ decision to maintain the European Charter of Fundamental Rights despite Brexit to realise that he is not always right. But right he is on this issue, and I suggest that your Lordships do not pass this amendment.

My Lords, I strongly support the amendment. I declare an interest: I understand that Mr John Ford has alleged that 15 years ago he went through my rubbish on a regular basis at the request of the Sunday Times. I find it impossible to believe that anyone would find my rubbish interesting. That has had no effect whatever on my opinions with regard to this issue, and I supported the continuation of Leveson 2 even before I discovered that Mr John Ford had apparently been going through my rubbish.

I am strongly of the view that this House should send the amendment back to the Commons for further consideration, for the following reasons. First, there is no doubt, despite what the noble and learned Lord, Lord Brown of Eaton-under-Heywood, just said, that there was an unequivocal promise by the House of Commons and this House that there would be part 2 of Leveson. I quote the then Prime Minister:

“One of the things that the victims have been most concerned about is that part 2 of the investigation should go ahead … and that is fully our intention”.—[Official Report, Commons, 29/11/12; col. 458.]

That was said by the Prime Minister, Mr David Cameron, after the delivery of part 1. To my mind it is incredibly important that, if you set up a public inquiry, before the public inquiry has been able to reach findings on who was responsible for what happened—probably because of pressure from the people who might be responsible—the second part of that public inquiry is not scrapped. But that is what is happening here. My experience of when the justice system fails is that the victims feel that they have nowhere to go, and that corrodes not just their view of the justice system but a large number of people’s view of it. I particularly have in mind the Hillsborough victims, who were denied justice by a coroner’s system and who felt that the whole justice system let them down.

The noble and learned Lord, Lord Brown of Eaton-under-Heywood, says, “Oh, things have changed”. Who is the best judge of that? I suggest it is Sir Brian Leveson, who said that,

“there is still a legitimate expectation on behalf of the public and, in particular, the alleged victims of phone hacking and other unlawful conduct, that there will be a full examination of the circumstances that allowed that behaviour to”,

take place. He said that when he was consulted on the question of whether part 2 should be scrubbed.

Therefore, I regard the promise as important and the reneging of it as something that will corrode justice. It will affect not only the victims but other people, and I utterly reject the complacency of the noble and listed Lord, Lord Cormack, to the effect that we should not press this any further. Yes, we sent the Bill back with a clause which the Commons took out, but the right thing for this House to do is to ask them to think again, particularly when last time there was a majority of nine. If we debate this well and give the reasons, it is worth doing.

Therefore for me, the first point is the promise. The second point is that the problem is still there. The speech given by the noble Lord, Lord Kerslake, was appalling, not in its quality but in what it told us. The noble Lord, Lord Pannick, suggested that the solution to this was “civil litigation or criminal proceedings”. Can you imagine the people that the noble Lord, Lord Kerslake, described, who have been hounded—his word—by the press, thinking of bringing civil litigation to complain that the first they heard that their loved one had died was when a representative of the press came round? Pull the other one! Get out of the courts and think about what the real world is like.

Then people said that IPSO had made a difference—the IPSO that two weeks ago, in the face of this Bill going through Parliament, in a great rush and with no explanation of why it had not done it before, suddenly introduced a low-cost arbitration scheme. Why did it do it? It did it because Parliament was breathing down its neck. If Leveson 2 is got rid of, let us be under no illusion that that will be the end of that. Things will be just as they have been in the past. I cannot remember which Peer described IPSO as absolutely marvellous. It might have been the noble and learned Lord, Lord Brown of Eaton-under-Heywood. No, I am sorry; it was another noble Lord. So far IPSO has not imposed a single fine; it has not demanded a single equal-prominence front page direction; and it has not launched a single systematic inquiry, as it has the power to do. There have been 8,000 complaints about hate crime so far and only one has been upheld. We should not accept the proposition that IPSO has solved the problem.

The fourth reason it is said that we should not have this inquiry is that, as the noble Viscount, Lord Colville of Culross, and the noble Baroness, Lady Cavendish of Little Venice, said, it would threaten to chill investigative journalism. However, what is being proposed here is not a specific provision to change the press. It is for a judge of standing to see what should be done next, and I have absolutely no doubt that a new judge would be able to do so, having no doubt heard the evidence from the people the noble Viscount, Lord Colville of Culross, was speaking to on the telephone this morning, and just as Sir Brian Leveson managed to do.

Fifthly, people ask, “What about social media?” Exactly: what about social media? Facebook and so on are a real problem, and that is why the noble Baroness, Lady Hollins, has included social media in her proposed new subsection (3)(d). Sir Brian Leveson wants to have part 2 of the inquiry and it has been amended to deal with the changes. It would be a disgrace and a betrayal of the victims if we did not go ahead with it. I strongly support the amendment.

My Lords, first, I declare former interests as the last chair of the Press Complaints Commission between 2011 and 2014, and then as the first chair of the new Independent Press Standards Organisation, IPSO, together with my other interests as set out in the register.

As the Secretary of State said in his Statement of 1 March this year, repeated here, we all owe a great debt of gratitude to Sir Brian Leveson. His inquiry and subsequent report showed rigour, diligence and a judicious balance between competing interests. When his report was published in December 2012, Lord Justice Leveson recommended a new, tougher form of voluntary self-regulation of the press. As chair of the PCC at the time, I welcomed his proposals and suggested that they should be implemented in full.

The Leveson proposals were largely implemented between 2012 and 2014, but I was not able, at that stage, to persuade the newspaper industry to embrace them in their entirety. Since then, under my successor, Sir Alan Moses, the new arrangements have bedded down and IPSO has gradually become more and more compliant with the Leveson recommendations.

I strongly welcome the introduction of the new arbitration scheme, which was introduced not in a rush, as the noble and learned Lord has just said, but after extensive consultation, and it is a major step forward. I say to a number of other speakers that illegal activity, as distinct from breaches of the editors’ code, is best dealt with by the police and the courts, and that has now largely happened—belatedly, yes, but also comprehensively.

Meanwhile, the printed press continues to decline and the increasingly dominant online media raise all sorts of questions that should trouble us as legislators and as a society. Where is trustworthy news to be found in this brave new world? How is the kind of journalist we all want to see—fearless and bold, driven by a desire to uncover the truth and serve the public good—to be identified, trained and employed on salaries that will pay their bills? How are we to sieve out the fake news from the genuine, the corrupted from the pure, and the worth while from the frivolous and irresponsible? I just do not believe that the kind of inquiry adumbrated in Amendment 62B would address any of those pressing questions, which are so vital to the future well-being of our society.

The amendment includes the words,

“to investigate the dissemination of information and news, including false news stories”.

It would have said “fake news” but the draftspeople said that that would not be the right way to term it. Therefore, I think it covers the sorts of things that the noble Lord thinks it should, or am I wrong?

I raise fake news as an issue not because it is or is not covered by the amendment but because it must concern us all, particularly as a society.

There are good reasons for rejecting the amendment. It would be an analogue inquiry in an overwhelmingly digital age. It would also—rightly, in my view—be seen as yet another attempt by politicians to meddle in the internal affairs of news media and, ultimately, to muzzle free expression.

This country, which should be a beacon of free expression in a world bedevilled by state censorship, has just fallen from 30th to 40th in the global ranking for free speech, according to a survey conducted by independent minds right across the world. Let that sink in my lords: from 30th to 40th. It is shaming. What message are we now to send out? That the free media are enemies of the state? They may be unruly and they may challenge us in ways that make us uncomfortable, but they are not our enemies.

Furthermore, it concerns me that we are playing around with the Salisbury convention. The noble and learned Lord has just spoken about promises. As the noble Lord, Lord Pannick, pointed out, this amendment flies directly in the face of last year’s Conservative Party manifesto. On page 80, that document said that,

“we will not proceed with the second stage of the Leveson Inquiry into the culture, practices and ethics of the press”.

That was pretty clear. I know that the Labour Party had a euphoric moment after the last general election, almost persuading itself that it had won, but it did not.

I take no comfort from the qualifying words that the noble Baroness has added to her amendment this time around. We are dealing here with profound matters that touch on the very basis of our society and our political philosophy, and the question of whether we truly cherish our freedom of expression and our free media. I suppose ping-pong can be an enjoyable pastime but at some point the views of the elected House must prevail. I have the utmost respect for the noble Baroness and the greatest sympathy for the unacceptable treatment that she and her family, and far too many others, have received from the press. Having said that, I sincerely hope she will not seek to divide the House again on this matter.

My Lords, as the noble Lord, Lord Grade, said, this has been a passionate and, actually, very balanced debate. A number of noble Lords have expressed concern about the amendment before us and have, sort of, made a case against it.

When the noble Lord, Lord Black, came in, struggling on his crutches, I did think: is there no end to which this man will not go to get sympathy from this House? I wish him a speedy recovery.

When introducing the debate, the Minister said first that these amendments have no place in the Bill because it is about data protection and then began to dazzle us with the number of government amendments that pertain to the media. Of course it is perfectly sensible that this matter should be in the Bill.

By the way, I say to the noble Baroness, Lady Cavendish, that I did not say I object to journalists; I object to journalists at the Times. She mentioned the growing power of the ICO in all this, which is something that the press should think hard about. The press have been so busy trying to avoid having a proper regulator for themselves that they find themselves well and truly regulated by a powerful ICO. Where the ICO does not regulate the press, the courts may with some of the judgments that are coming down the track.

As always, the perorations against, as with the noble Lord, Lord Hunt, have been about freedom and liberty, as though we on this side are not as passionate in our defence of those. Today’s debate has produced the usual press stories that crop up when either House debates the issue. They always either rubbish one or other of the more popular proponents of reform or carry, as did the Evening Standard just before the Commons debate, such headlines as that from the Commons Culture Minister, Margot James: “We will lose freedom of the press if MPs back new curbs”. It is my belief that the real defenders of press freedom are not the Ministers scrambling to close Leveson down but those of us who want to see a press that is respected and trusted, as well as free.

When the Commons debated our amendment, Mr Jacob Rees-Mogg, the new Erskine May, said rather imperiously that Parliament had every right to renege on promises made by a predecessor. Of course, he is right—we know that, Jacob. However, it is also a long and honourable convention that there is a continuity of responsibility from one Parliament and one Government to another. We saw it last week when the Prime Minister gave a full and unequivocal apology to the Libyan family for Britain’s part in their rendition and subsequent torture, although it did not happen on her watch. The long tradition of continuity of responsibility means that a promise given by one Prime Minister and one Parliament is unlikely to be abandoned by another. There is a double matter of honour when the promise in question was made by a Prime Minister of the party now in power. David Cameron gave such commitments, and the amendment from the noble Baroness, Lady Hollins, gives the House of Commons a way of redeeming that promise while taking into account the passage of time since it was made.

I often find that, when I am indignant having read in the newspaper or seen on TV some summing up or sentence by a judge, my lawyer friends will say, “Ah, but the judge who has heard all the evidence is the best placed to make a balanced judgment on the matter”. In this case, we have the balanced judgment of Sir Brian Leveson himself. Let us remember, after the speeches of the noble and learned Lord, Lord Brown, and the noble Lord, Lord Pannick, that Sir Brian had all the information they had to make their speeches but came to a different conclusion: that it should go on. As I said when the Leveson letter first came up, here is the third most senior judge in the land taking six pages in a very carefully argued letter to give his views on the inquiry on which he spent a year of his life. Some noble and learned Lords in the House should have a little modesty when challenging his judgment because it is absolutely clear that Leveson 2 should go ahead. The noble and learned Lord, Lord Falconer, has already quoted from the letter, so I will not waste time.

The amendment before us is proportionate to the task at hand in addressing issues not yet adequately addressed. It redeems a solemn promise made by our Prime Minister and our Parliament. Jodie Ginsberg, the CEO of Index on Censorship, when briefing against these proposals before the Commons debate, said that she wanted,

“a free, vibrant, independent and troublesome media”.

So do I, and so does the proposer of the amendment. The biggest threat to a free, vibrant, independent and troublesome media is one so held in public contempt because of corrupt and illegal practices that few defenders will come to its aid if press freedom is really threatened.

I say to the noble Baroness, Lady Cavendish, that, when the Leveson inquiry exposed sins and criminality, the Government of the day could at that time have done anything they liked to the press. What they did was make a strong attempt to create something as far from political control as possible—I was one of the privy counsellors who signed the royal charter. It is absolutely false to claim that the attempt was to create a state-controlled press. That was never on the table and it is not on the table now.

The noble Earl, Lord Attlee, who has been brave in carrying through on Section 40, has said that we will not press it beyond tonight. I am interested to see which bit of legislation will include its repeal and how that will be favoured when it comes back to us. I say to the Minister: this is not the end of Section 40.

Tonight, we are looking for something more. As the noble Baroness, Lady Hollins, and the noble Lord, Lord Kerslake, have shown, we are looking at something for the victims. The noble Baroness, Lady Cavendish, should note that it is also something for journalists who need protection from being bullied into illegal acts by their employers. Most of all, it is for our own self-respect in keeping a promise made. I urge support for this amendment.

My Lords, we are 90 minutes in and we have heard lots of familiar tropes rehashed and replayed, but have we achieved very much in this debate? While sitting here I have been wondering how on earth one brings together the two very different sides that are emerging in this debate. I whispered to my colleagues on my right and left asking for help and support, and all I got was, “You need the judgment of Solomon on this”, and I do not have that. However, we are going to ask noble Lords to vote on this issue, and so I want us to think very hard about what we have been doing here.

This is not about the wider context of the issues that have stemmed from the time that Leveson was set up. The only question on which we will divide today is whether or not the Government go ahead with the review which they started and has been only half completed and whether it concludes. It does not have to go in its full and present form—Sir Brian himself has said that. Maybe there is another way in which it can be done. In some ways, although I do not necessarily take this as a serious suggestion, it is more like a truth commission than a judicial inquiry. But we need to know what happened. We need to know the facts; otherwise, we will all go sadly wrong. What will we lose if Leveson 2 is scrapped? What will we gain if it goes ahead? That is the narrow question.

The Government are bringing forward three substantial measures today that, as the noble Baroness, Lady Cavendish, and others have mentioned, may well have a big effect on the way that the press is regulated going forward. Amendment 55 introduces a code for data protection and journalism. If it is to be effective, that will begin to narrow down what is in the public interest in journalism. Amendment 108 is on guidance to individuals on how to seek redress against media organisations. It will have to define what those redress mechanisms are: they have to be set out, made clear and signposted, so there will be a lot of activity in this area. Amendment 109 introduces a review after four years—which some have said could be expanded to take in some of the issues raised today—on the processing of personal data for the purposes of journalism. Does that not actually cover everything that we have been talking about?

I welcome these amendments. I will support them and they deserve support from all interested parties because they will help to define and strengthen our understanding of where we are to find the balance to be struck on privacy and free expression. They also mark a significant change in the Government’s approach to this. I acknowledge that and that they have listened to the debate and moved. I pay tribute to the current Ministers. We had a meeting at lunchtime today which I felt also made some progress.

The judgment today, in relation to the amendment in the name of the noble Baroness, Lady Hollins, is not about the overall package. The overall package is so wide: the evolution of IPSO into an effective regulator, although there is some way to go; the changes made to the Bill when it was in your Lordships’ House; the Cairncross review on how to protect quality journalism; the changes proposed in Amendments 55, 108 and 109; and the review, as has been mentioned, of the police and fire procedures. Do those, taken together, achieve what this all-party group of senior politicians who set up the Leveson inquiry wanted to see happen?

The first point has already been made and is important: everything in that list is focused on the future. Some things, indeed, are delayed by four years. Looking forward is good. I am not against that, but not at the expense of learning the lessons from the past. These measures are all very welcome, but absent the facts, will they achieve what is needed so that we can all move on together? How will we even know that we are on the right track if we do not have the facts?

In his speech on Report in the Commons last Wednesday, the Secretary of State said that in shutting down the Leveson inquiry he was not making a choice between,

“doing something and doing nothing”,—[Official Report, Commons, 9/5/18; col. 710.]

but he was choosing to “do something better”. So, is the package we have before us that I have just listed, absent the second half of the Leveson inquiry, really something better? Amendments 62A and 62B ask Parliament to deliver on the promise given in November 2012 by the then Prime Minister that he remained,

“committed to the inquiry as it was first established”.—[Official Report, Commons, 29/11/12; col. 446.]

My noble and learned friend Lord Falconer and others have stressed that going ahead with an inquiry does not compromise press freedom. It is quite the reverse. By getting all of the facts out into the open, it should reassure the public that it is known “who did what to whom” to use Sir Brian’s phrase, and no attempt has been made to hide illegality, avoid embarrassing deals or any suspicion of a political fix. It would ensure transparency and draw a line under this whole sorry chapter.

The arguments used against so far are so thin—about as thin as the reliance of the noble Lord, Lord Hunt, on the pick and mix Conservative manifesto. Is it really too expensive? The actual cost is £5.4 million, not the much larger figure which is often bandied about, which includes the changes in procedures and processes incurred by third parties such as the police. Do we really know all the facts? We did not know at the start of the inquiry that the Sun was involved in hacking or that Trinity Mirror was as complicit as News International. Sir Brian points out that, when comparing evidence of one trial to another, conflicting and irreconcilable accounts are given by different people working within the same organisation. He suggests that,

“the public interest would be served by a detailed, reasoned report which covers the whole of the … evidence, not just the evidence relevant to any specific trial”.

The Secretary of State claims that the terms of reference of the inquiry have already been met. But the amendments before us today replicate the outstanding parts of the original Leveson inquiry. They have not been met. In any case, as the noble Baroness, Lady Hollins, and my noble friend Lord Puttnam have so eloquently reminded us, underlying all this is the question of trust. Parliament should honour the promises given to the victims. It is clear from what has been said today that egregious behaviour is still happening.

I do not think that the Government have a credible reason for not accepting this amendment today. I do not think that legitimate journalism and the very many honest journalists have anything to fear from allowing work to be done establishing the facts. Everybody in public life in this country—everybody—believes that a free and fearless press is a key part of our liberties. This amendment is not a threat to the freedom of the press. It does not address the role of the Press Recognition Panel. It does not prioritise Impress over IPSO. It does not impose the proposed cost-shifting regime or commence Section 40. It does not affect local or regional press. But it will remove the barrier that meant that press activity in Northern Ireland was not reviewed in Leveson 1.

This House is composed of people with experience and diverse talents, but one thing that unites us is our ability to bring a sense of fairness and balance to the political process. In this debate today, we are doing our constitutional duty of reviewing legislation coming from another place. I hope that your Lordships’ House recognises that this is not about reviewing the wording of an amendment for accuracy or content. It is also about making judgments about fairness and delivering on what has been promised, making sure that we intend to have a free press going forward. On that score alone, we should have no concern about asking the other place to think again.

My Lords, I thank the noble Baroness, Lady Hollins, for setting out the thinking behind her Amendments 62A and 62B. As we have heard, they seek to insert an amended version of Clause 142 into the Bill, in contrast to the Commons amendments, which would remove it. I have already set out the Government’s reasons for opposing the inclusion of Clause 142 in this Bill, and I regret to say that the modest changes proposed by Amendments 62A and 62B do not change that analysis. In particular, nothing in the amendments answers the fundamental challenge that creating a further public inquiry is neither necessary nor proportionate at this point in time.

I remind noble Lords that it was this present Government, following a public consultation and in implementing a manifesto commitment, who took the present step, which was approved in the other place. My noble friend Lord Cormack alluded to the fact that the other place had already addressed this issue. The noble and learned Lord, Lord Falconer, came back with an accusation directed against my noble friend Lord Cormack of complacency. I have seen my noble friend accused of many things, but complacency is certainly not one of them. I regard that accusation as utterly misplaced and inappropriate.

Indeed, I take issue with some of the other factual assertions made by the noble and learned Lord, Lord Falconer, in particular his assertion that no front-page apology had appeared in any IPSO publication since it was founded. I think he will find that may be borne out upon a reading of the Times in the recent past.

My statement was that no front-page apology of equal prominence has been made mandated. Am I wrong about that?

I do not believe that the noble and learned Lord chose his words very carefully previously. As I understand it, IPSO did mandate a front-page apology in the Times.

All things are relative.

I appreciate that a great deal of passion has been exhibited, and indeed the noble Lord, Lord McNally, talked about a passionate and balanced debate; it has been both. It has certainly been balanced when we consider the contributions made on all sides of the House. However, I would seek to touch on one or two points that have been raised. The noble Baroness, Lady Hollins, raised the question of Northern Ireland. To clarify in respect of that matter, the commitment made last week did not relate to the Cairncross review; it related to the review that would be carried out pursuant to Commons Amendment 109, in particular paragraph 4 which refers to a review that will take into account all parts of the United Kingdom and will ensure that there is an independent named reviewer for Northern Ireland. I hope that that covers the point.

My noble friend Lord Attlee raised certain issues with regard to VAT. He is right about VAT on e-publications, which are classified as electronic services. EU VAT law specifically excludes such services from the reduced rate of VAT. Further consideration of that matter is beyond my pay grade and is one for Her Majesty’s Treasury in due course, so I shall not elaborate upon that. As regards the repeal of Section 40, the Government are committed to doing that at an appropriate time on the basis of appropriate legislation, so the noble Lord, Lord McNally, can anticipate that coming forward in due course.

I shall move on to certain points that were raised by the noble Lord, Lord Prescott. On the royal charter, the Press Recognition Panel, which was set up by the charter, remains a feature of our regulatory landscape so there is no need to intrude upon the charter or to consult further on it at the present time. On his reference to the Sunday Times and the allegations regarding John Ford, that was a matter of self-incrimination as far as I can see in respect of criminal acts that took place before 2011; they are not recent events. On the position regarding Ireland, the press may sign up to the Press Council of Ireland, but they are not obliged to do so, in order to secure the benefits of being members of that council. They may approach that by a different regulatory regime, provided that it has suitable terms, so I do not consider that we can go immediately to that.

Reference was made by the noble Lord, Lord Kerslake, to the Manchester Arena review. I appreciate his direct involvement in that, and of course we recognise that for the victims and their families, dealing with the media at such a time can be very distressing. In fact, the Government have recently published guidance for victims and their families on handling media attention in the aftermath of similar events, but diverse reports with regard to the media have come out of that. As the noble Lord observed, only one complaint was made to IPSO regarding the conduct of the regulated media at Manchester, and on 24 April 2018 at a meeting of the National Police Chiefs’ Council on media engagement, the senior press officer at Greater Manchester Police observed that after the Manchester Arena bombing, the media had been exceptional and had treated everyone involved with the utmost respect. In her view, the only qualification was in respect of certain international outlets and social media which had caused families problems. There are clearly diverse views—

I want to put a question to the Minister. Does he not accept that families experiencing this level of trauma and distress are simply not in a position to make formal complaints to IPSO? It is a failed and incorrect test of the extent of the issue.

With respect, that is not the test. Of course, families in this situation are placed in a very difficult position and we recognise that. I do not know if the noble Lord, Lord Kerslake, had an opportunity in the course of preparing his report to actually interview the senior press officer at Greater Manchester Police, although he will be aware of the view she has expressed with regard to the media’s behaviour, but he did not mention that in his earlier speech to the House. There are diverse views and interpretations of what was happening at the time.

It would be difficult for me to address all of the individual points that have been made in the course of the debate, but what I want to stress is this. While the promise was made by previous a Prime Minister, it was this Government, in implementing their manifesto commitment and following public consultation, who took the steps they did with regard to Leveson 2. Of course, Sir Brian Leveson was consulted for his views on the matter, as was appropriate and proper in accordance with statutory procedures, and they then reached a view. A question was raised as to whether the previous Prime Minister had been expressly consulted on this matter. My understanding is that the previous Prime Minister did approve the manifesto that this party took to the country at the last general election, and therefore I see no reason to doubt his position on this matter.

Let us come more closely to where we are at the present time. What is being proposed is an extensive inquiry into the past when we are addressing a Bill that is determined to look to the future and the regulation of the media in the context of data processing. As the noble Lord, Lord Stevenson, observed, very significant steps have been taken by the Government in this Bill to secure the position going forward. That is how we see the matter. In those circumstances, I invite the noble Baroness, Lady Hollins, to withdraw her amendment. The time has come for this House to acknowledge that the other place has spoken on this issue. It is one that reflects people’s diverse and passionate interests, but I would suggest that the time has come constitutionally for the amendment to be withdrawn.

Does the Minister believe that the reputation of Parliament is enhanced or diminished by the refutation of the commitment made by the former Prime Minister?

It is neither. It is a situation in which we have moved on and, as I say, the Government have, following a public consultation, implemented a manifesto commitment. It is in those circumstances that we are proceeding.

Motion agreed.

Motion on Amendments 56 to 61

Moved by

56: Clause 125, page 69, line 2, leave out “or 124” and insert “, 124 or (Data protection and journalism code)”

57: Clause 125, page 69, line 9, leave out “with the day on which” and insert “when”

58: Clause 125, page 69, line 14, leave out “or 124” and insert “, 124 or (Data protection and journalism code)”

59: Clause 125, page 69, line 21, leave out “or 124” and insert “, 124 or (Data protection and journalism code)”

60: Clause 125, page 69, line 33, leave out “and 124” and insert “, 124 and (Data protection and journalism code)”

61: Clause 126, page 70, line 3, leave out “or 124(2)” and insert “, 124(2) or (Data protection and journalism code)(2)”

Motion on Amendments 56 to 61 agreed.

Motion on Amendment 62

Moved by

62: Clause 142, leave out Clause 142

Amendment 62A (as an amendment to the Motion on Amendment 62)

Moved by

62B: After Clause 141, insert the following new Clause—

“Data protection breaches by national news publishers

(1) The Secretary of State must, within the period of three months beginning with the day on which this Act is passed, establish an inquiry under the Inquiries Act 2005 into allegations of data protection breaches committed by or on behalf of national news publishers and other media organisations.

(2) Before setting the terms of reference of and other arrangements for the inquiry the Secretary of State must—

(a) consult the Scottish Ministers with a view to ensuring, in particular, that the inquiry will consider the separate legal context and other circumstances of Scotland;

(b) consult Northern Ireland Ministers and members of the Northern Ireland Assembly with a view to ensuring, in particular, that the inquiry will consider the separate legal context and other circumstances of Northern Ireland;

(c) consult persons appearing to the Secretary of State to represent the interests of victims of data protection breaches committed by, on behalf of or in relation to, national news publishers and other media organisations; and

(d) consult persons appearing to the Secretary of State to represent the interests of national news publishers and other media organisations (having regard in particular to organisations representing journalists).

(3) The terms of reference for the inquiry must include requirements—

(a) to inquire into the extent of unlawful or improper conduct by or on behalf of national news publishers and other media organisations in respect of personal data;

(b) to inquire into the extent of corporate governance and management failures and the role, if any, of politicians, public servants and others in relation to failures to investigate wrongdoing at media organisations within the scope of the inquiry;

(c) to review the protections and provisions around media coverage of individuals subject to police inquiries, including the policy and practice of naming suspects of crime prior to any relevant charge or conviction;

(d) to investigate the dissemination of information and news, including false news stories, by social media organisations using personal data;

(e) to consider the adequacy of the current regulatory arrangements and the resources, powers and approach of the Information Commissioner and any other relevant authorities in relation to—

(i) the news publishing industry (except in relation to entities regulated by Ofcom) across all platforms and in the light of experience since 2012;

(ii) social media companies;

(f) to make such recommendations as appear to the inquiry to be appropriate for the purpose of ensuring that the privacy rights of individuals are balanced with the right to freedom of expression, while supporting the integrity and freedom of the press, and its independence (including independence from Government), and encouraging the highest ethical and professional standards.

(4) In setting the terms of reference for the inquiry the Secretary of State must—

(a) have regard to the current context of the news, publishing and general media industry;

(b) set appropriate parameters for determining which allegations are to be considered;

(c) determine the meaning and scope of references to “national news publishers” and “other media organisations” for the purposes of the inquiry under this section; and

(d) include exemptions or limitations designed to exclude local and regional publishers from the scope of the inquiry.

(5) Before complying with subsection (4) the Secretary of State must consult the judge or other person whom they intend to invite to chair the inquiry.

(6) The inquiry—

(a) may, so far as it considers appropriate, consider evidence given to previous public inquiries;

(b) may, so far as it considers appropriate, take account of the findings of and evidence given to previous public inquiries (and the inquiry must consider using this power for the purpose of avoiding the waste of public resources); and

(c) must, in particular, consider to what extent previous public inquiries have investigated, and made findings in relation to, events in connection with Northern Ireland within the inquiry‘s terms of reference, and must take such further evidence and make such further recommendations in respect of those matters as the inquiry considers appropriate.

I thank all noble Lords who have spoken and for supporting this amendment, and I should just say that I do not enjoy ping-pong. The amendment returned from the Commons was defeated by only nine votes and I have endeavoured to address the concerns raised in the three adjustments that I have made to the amendment. I want to make a couple of brief comments about those.

First, the amendment addresses the DUP’s proper and reasonable concerns in a transparent way by offering a proper inquiry into press conduct in Northern Ireland. Secondly, I have made an adjustment to exclude the local press from the scope of the inquiry altogether. Thirdly, in response to misrepresentations in some parts of the media, I have added a requirement for the inquiry’s recommendations to take full account of the need for freedom of the press to achieve a vibrant and independent media, and the importance of the independence of the press from Government.

Holding an inquiry will not restrict freedom; rather, it will support it by shining a spotlight on what has been done illegally and unethically to the detriment of hundreds of ordinary people, including my daughter and my family before I became a Member of your Lordships’ House. As explained by my noble friend Lord Kerslake regarding his findings after the Manchester Arena bombing, there is no evidence that enough lessons have been learned by all sections of the media or that there is adequate accountability. I do not consider that the review by the Information Commissioner is in any way a substitute for completing the inquiry. The job has not been done, and with respect to IPSO, I believe I am right in saying that so far only around 12 of more than 90 of Sir Brian Leveson’s recommendations have been implemented. In formally moving my amendment, I wish to test the opinion of the House.

Motion on Amendments 63 to 114

Moved by

63: Clause 143, page 77, line 37, after “notice”)” insert “— (a) ”

64: Clause 143, page 77, line 40, at end insert “, or

(b) require any person to provide the Commissioner with information that the Commissioner reasonably requires for the purposes of—

(i) investigating a suspected failure of a type described in section 148(2) or a suspected offence under this Act, or

(ii) determining whether the processing of personal data is carried out by an individual in the course of a purely personal or household activity.”

65: Clause 143, page 78, line 1, after “state” insert “—

(a) whether it is given under subsection (1)(a), (b)(i) or (b)(ii), and

(b) ”

66: Clause 143, page 78, line 11, leave out “the rights of appeal under section 161” and insert “—

(a) the consequences of failure to comply with it, and

(b) the rights under sections 161 and (Applications in respect of urgent notices) (appeals etc).”

67: Clause 143, page 78, line 22, leave out “7 days” and insert “24 hours”

68: Clause 143, page 78, line 23, leave out “with the day on which” and insert “when”

69: Clause 143, page 78, line 30, at end insert—

“( ) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (1)(b).”

70: After Clause 145, insert the following new Clause—

“Information orders

(1) This section applies if, on an application by the Commissioner, a court is satisfied that a person has failed to comply with a requirement of an information notice.

(2) The court may make an order requiring the person to provide to the Commissioner some or all of the following—

(a) information referred to in the information notice;

(b) other information which the court is satisfied the Commissioner requires, having regard to the statement included in the notice in accordance with section 143(2)(b).

(3) The order—

(a) may specify the form in which the information must be provided,

(b) must specify the time at which, or the period within which, the information must be provided, and

(c) may specify the place where the information must be provided.”

71: Clause 146, page 80, line 14, after “for” insert “a copy (in such form as may be requested) of”

72: Clause 146, page 80, line 15, leave out “a copy of”

73: Clause 146, page 80, line 16, leave out “a copy (in such form as may be requested) of”

74: Clause 146, page 80, line 22, at end insert—

“( ) provide the Commissioner with an explanation of such documents, information, equipment or material;”

75: Clause 146, page 80, line 34, leave out “(8)” and insert “(8A)”

76: Clause 146, page 80, line 35, leave out “the rights of appeal under section 161” and insert “—

(a) the consequences of failure to comply with it, and

(b) the rights under sections 161 and (Applications in respect of urgent notices) (appeals etc).”

77: Clause 146, page 80, line 46, at end insert “, and

( ) does not meet the conditions in subsection (8A)(a) to (d),”

78: Clause 146, page 81, line 3, leave out “with the day on which” and insert “when”

79: Clause 146, page 81, line 3, at end insert—

“(8A) If an assessment notice—

(a) states that, in the Commissioner’s opinion, there are reasonable grounds for suspecting that a controller or processor has failed or is failing as described in section 148(2) or that an offence under this Act has been or is being committed,

(b) indicates the nature of the suspected failure or offence,

(c) does not specify domestic premises,

(d) states that, in the Commissioner’s opinion, it is necessary for the controller or processor to comply with a requirement in the notice in less than 7 days, and

(e) gives the Commissioner’s reasons for reaching that opinion, subsections (6) and (7) do not apply.”

80: Clause 146, page 81, line 9, after “section” insert “—

“domestic premises” means premises, or a part of premises, used as a dwelling;”

81: After Clause 147, insert the following new Clause—

“Destroying or falsifying information and documents etc

(1) This section applies where a person—

(a) has been given an information notice requiring the person to provide the Commissioner with information, or

(b) has been given an assessment notice requiring the person to direct the Commissioner to a document, equipment or other material or to assist the Commissioner to view information.

(2) It is an offence for the person—

(a) to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document,

(b) to cause or permit the destruction, disposal, concealment, blocking or (where relevant) falsification of all or part of the information, document, equipment or material, with the intention of preventing the Commissioner from viewing, or being provided with or directed to, all or part of the information, document, equipment or material.

(3) It is a defence for a person charged with an offence under subsection (2) to prove that the destruction, disposal, concealment, blocking or falsification would have occurred in the absence of the person being given the notice.”

82: Clause 148, page 82, line 15, after “GDPR” insert “or section 64 or 65 of this Act”

83: Clause 148, page 82, line 44, leave out “enforcement notices” and insert “an enforcement notice”

84: Clause 148, page 82, line 45, at end insert “, including by amending this section and sections 149 to 151,”

85: Clause 148, page 83, line 1, leave out paragraph (b) and insert—

“( ) may make provision about the giving of an information notice, an assessment notice or a penalty notice, or about powers of entry and inspection, in connection with the failure, including by amending sections 143, 144, 146, 147 and 154 to 156 and Schedules 15 and 16, and”

86: Clause 149, page 83, line 22, leave out “the rights of appeal under section 161” and insert “—

(a) the consequences of failure to comply with it, and

(b) the rights under sections 161 and (Applications in respect of urgent notices) (appeals etc).”

87: Clause 149, page 83, line 35, leave out “7 days” and insert “24 hours”

88: Clause 149, page 83, line 36, leave out “with the day on which” and insert “when”

89: Clause 154, Page 85, line 39, leave out from the beginning to “when” and insert “Subject to subsection (3A),”

90: Clause 154, page 86, line 10, at end insert “or distress”

91: Clause 154, page 86, line 28, at end insert—

“(3A) Subsections (2) and (3) do not apply in the case of a decision or determination relating to a failure described in section 148(5).”

92: Clause 157, page 88, line 28, leave out “Secretary of State” and insert “Commissioner”

93: Clause 159, page 89, line 5, at end insert—

“( ) information notices,”

94: Clause 159, page 89, line 11, at end insert—

“( ) In relation to information notices, the guidance must include—

(a) provision specifying factors to be considered in determining the time at which, or the period within which, information is to be required to be provided;

(b) provision about the circumstances in which the Commissioner would consider it appropriate to give an information notice to a person in reliance on section 143(7) (urgent cases);

(c) provision about how the Commissioner will determine how to proceed if a person does not comply with an information notice.”

95: Clause 159, page 89, line 14, at end insert—

“( ) provision about the circumstances in which the Commissioner would consider it appropriate to give an assessment notice in reliance on section 146(8) or (8A) (urgent cases);”

96: Clause 159, page 89, line 26, at end insert—

“( ) provision about how the Commissioner will determine how to proceed if a person does not comply with an assessment notice.”

97: Clause 159, page 89, line 32, at end insert—

“( ) In relation to enforcement notices, the guidance must include—

(a) provision specifying factors to be considered in determining whether to give an enforcement notice to a person;

(b) provision about the circumstances in which the Commissioner would consider it appropriate to give an enforcement notice to a person in reliance on section 149(8) (urgent cases);

(c) provision about how the Commissioner will determine how to proceed if a person does not comply with an enforcement notice.”

98: Clause 159, page 89, line 37, leave out from “a” to end of line 38 and insert “person to make oral representations about the Commissioner’s intention to give the person a penalty notice;”

99: Clause 159, page 89, line 40, at end insert—

“( ) provision about how the Commissioner will determine how to proceed if a person does not comply with a penalty notice.”

100: Clause 159, page 90, line 1, leave out “Secretary of State” and insert “Commissioner”

101: Clause 161, page 91, line 1, leave out subsection (2)

102: Clause 161, page 91, line 11, after “appeal” insert “to the Tribunal”

103: Clause 162, page 91, line 30, leave out subsection (5)

104: After Clause 162, insert the following new Clause—

“Applications in respect of urgent notices

(1) This section applies where an information notice, an assessment notice or an enforcement notice given to a person contains an urgency statement.

(2) The person may apply to the court for either or both of the following—

(a) the disapplication of the urgency statement in relation to some or all of the requirements of the notice;

(b) a change to the time at which, or the period within which, a requirement of the notice must be complied with.

(3) On an application under subsection (2), the court may do any of the following—

(a) direct that the notice is to have effect as if it did not contain the urgency statement;

(b) direct that the inclusion of the urgency statement is not to have effect in relation to a requirement of the notice;

(c) vary the notice by changing the time at which, or the period within which, a requirement of the notice must be complied with;

(d) vary the notice by making other changes required to give effect to a direction under paragraph (a) or (b) or in consequence of a variation under paragraph (c).

(4) The decision of the court on an application under this section is final. (5) In this section, “urgency statement” means—

(a) in relation to an information notice, a statement under section 143(7)(a),

(b) in relation to an assessment notice, a statement under section 146(8)(a) or (8A)(d), and

(c) in relation to an enforcement notice, a statement under section 149(8)(a).”

105: Clause 164, page 93, line 4, leave out “with the day on which” and insert “when”

106: Clause 168, leave out Clause 168

107: Clause 169, leave out Clause 169

108: After Clause 176, insert the following new Clause—

“Guidance about how to seek redress against media organisations

(1) The Commissioner must produce and publish guidance about the steps that may be taken where an individual considers that a media organisation is failing or has failed to comply with the data protection legislation.

(2) In this section, “media organisation” means a body or other organisation whose activities consist of or include journalism.

(3) The guidance must include provision about relevant complaints procedures, including—

(a) who runs them,

(b) what can be complained about, and

(c) how to make a complaint.

(4) For the purposes of subsection (3), relevant complaints procedures include procedures for making complaints to the Commissioner, the Office of Communications, the British Broadcasting Corporation and other persons who produce or enforce codes of practice for media organisations.

(5) The guidance must also include provision about—

(a) the powers available to the Commissioner in relation to a failure to comply with the data protection legislation,

(b) when a claim in respect of such a failure may be made before a court and how to make such a claim,

(c) alternative dispute resolution procedures,

(d) the rights of bodies and other organisations to make complaints and claims on behalf of data subjects, and

(e) the Commissioner’s power to provide assistance in special purpose proceedings.

(6) The Commissioner—

(a) may alter or replace the guidance, and

(b) must publish any altered or replacement guidance.

(7) The Commissioner must produce and publish the first guidance under this section before the end of the period of 1 year beginning when this Act is passed.”

109: Insert the following new Clause—

“Review of processing of personal data for the purposes of journalism

(1) The Commissioner must—

(a) review the extent to which the processing of personal data for the purposes of journalism complied with the data protection legislation during the review period,

(b) prepare a report of the review, and

(c) submit the report to the Secretary of State.

(2) “The review period” means the period of 4 years beginning with the day on which Chapter 2 of Part 2 of this Act comes into force.

(3) The Commissioner must—

(a) start the review within the period of 6 months beginning when the review period ends, and

(b) submit the report to the Secretary of State before the end of the period of 18 months beginning when the Commissioner started the review.

(4) The report must include consideration of the extent of compliance (as described in subsection (1)(a)) in each part of the United Kingdom.

(5) The Secretary of State must—

(a) lay the report before Parliament, and

(b) send a copy of the report to—

(i) the Scottish Ministers,

(ii) the Welsh Ministers, and

(iii) the Executive Office in Northern Ireland.”

110: Clause 177, page 102, line 4, for “subsection (3)” substitute “subsections (3) and (4)”

111: Clause 177, page 102, line 5, at end insert—

“( ) section (Information orders) (information orders);”

112: Clause 177, page 102, line 12, after “jurisdiction” insert “conferred by the provisions listed in subsection (2)”

113: Clause 177, page 102, line 13, at end insert—

“(4) In relation to an information notice which contains a statement under section 143(7), the jurisdiction conferred on a court by section (Information orders) is exercisable only by the High Court or, in Scotland, the Court of Session.

(5) The jurisdiction conferred on a court by section (Applications in respect of urgent notices) (applications in respect of urgent notices) is exercisable only by the High Court or, in Scotland, the Court of Session.”

114: Clause 179, page 103, line 35, at end insert—

“( ) If a draft of a statutory instrument containing regulations under section 7 would, apart from this subsection, be treated for the purposes of the standing orders of either House of Parliament as a hybrid instrument, it is to proceed in that House as if it were not such an instrument.”

Motion on Amendments 63 to 114 agreed.

Motion on Amendment 115

Moved by

115: Clause 183, page 105, line 42, leave out “80” and insert “80(1)”

My Lords, the main amendments in this group relate to the representation of data subjects by not-for-profit bodies. Last time we discussed this matter, the question before us was whether those bodies should have to seek the mandate—that is, the consent—of data subjects before pursuing claims on their behalf.

As I said then,

“the Government have reflected on the principles at stake here and agree it would be reasonable for a review to be undertaken, two years after Royal Assent, of the effectiveness of”—

Clause 183—

“as it is currently drafted. The Government are fully prepared to look again at the issue”,

of representation without prior mandate in the context of that review.

“We are serious about this. We will therefore amend the Bill in the other place to provide for such a review and to provide the power for the Government to implement its conclusions”.—[Official Report, 10/1/18; col. 287.]

Commons Amendments 122 and 123 duly deliver on that promise, while Commons Amendment 121 allows the Secretary of State to make regulations to ensure that, where a not-for-profit seeks to represent a large number of data subjects in court proceedings, it can file one claim and not hundreds.

I am grateful to the noble Baroness, Lady Kidron, for her continued engagement on this subject. She and I are in total agreement that children merit specific protection in relation to their personal data, and that the review should look accordingly at the specific barriers young people face in exercising their rights. Therefore, Commons Amendment 122 makes provision for that in subsections (4), (5) and (6) of the proposed new clause. Of course, as some noble Lords have mentioned previously, such provision is not to the exclusion of other vulnerable groups in our society, and the Government fully expect that review to consider their position, too.

Commons Amendment 126 would allow Her Majesty’s Revenue & Customs to share contact detail information with the Ministry of Defence to ensure that the Ministry of Defence is better able to locate and contact members of the ex-regular reserve. The amendment does not alter the liability for ex-regular reserves, nor does it affect the rules regarding the call-out or recall of ex-regular reserves; it is simply about being better able to contact them. The security of the United Kingdom is the primary responsibility of government. Commons Amendment 126 offers us the opportunity to strengthen that security.

Finally, Commons Amendment 282 would insert a schedule making transitional, transitory and saving provision in connection with the coming into force of the Bill, including provision about subject access requests, the Information Commissioner’s enforcement powers and national security certificates. This comprehensive new schedule, running to some 19 pages, is designed to ensure a seamless shift between the 1998 Act and the new data protection law we are scrutinising today. I beg to move.

I thank the Government for listening, the Bill team, the Secretary of State and the Minister, Margot James. The point is that rights are only as good as one’s ability to enact them, so I really welcome the review and I thank all concerned for the very great care and detail with which they have laid it out in the Bill.

My Lords, very briefly, we had considerable debate while the Bill was going through the House on whether we should incorporate Article 18(2) and we obviously did not prevail while the Bill was going through this House. Although this does not go as far as incorporating Article 18(2), which I regret—I would clearly like to see the whole loaf, so to speak—at least this gives the possibility of Article 18(2) being incorporated through a review. Will the Minister say when he thinks the review will be laid, in the form of a report? I am assuming that,

“within 30 months of commencement of the Bill”,

means within 30 months from 25 May this year. I am making that assumption so that we can all count the days to when the report will come back for debate in Parliament.

My Lords, the work done by the noble Baroness, Lady Kidron, in joining the dots, as it were, between the original proposal and having a proper approach to children using the internet and all the other things they use, and the way they would get redress if there is a problem, has been a joy to watch. She has stuck at it like a terrier, she has not let Ministers off the hook, she has been firing off emails and phone calls from faraway places and causing their lives to be an absolute misery, but it is a good thing because we have got to where we need to be.

As the noble Lord, Lord Clement-Jones, said, it was always a surprise that the Government did not want to include Article 18(2) as well as Article 18(1), because it completes the support for consumers of internet services, which the Bill sets out to do but for which there is a derogation and they have chosen not to exercise it. I am very glad about that, but perhaps the Minister can explain one thing that I did not quite get right in my mind as I was listening to him. The review is to check whether Article 18(2) would make it a more effective consumer measure than it is currently under the Bill as drafted—the Act, as it will be. It is not restricted to vulnerable people. The way it was expressed seemed to suggest that it would cover only other vulnerable people. In any case, children are not vulnerable: they are extremely interested, very wise and often sagacious about the internet but they are not vulnerable to it. They may well get themselves into vulnerable situations, in which case they need redress, through bodies such as child-specific agencies, but I do not think that was the intention. I would be grateful if that could be addressed.

Secondly, a moment of levity flashed through my mind when the Minister was talking about the need for the Inland Revenue to track down where reservists had got to. I cannot believe that is the only way the Ministry of Defence keeps in touch with its reserve, but I do not dissent from this being a very good measure.

My Lords, I am very grateful for the contribution of all noble Lords on this, especially the noble Baroness, Lady Kidron. It is very nice to be in her good books.

The noble Lord, Lord Clement Jones, talked about the age-appropriate design code and when the Information Commissioner will get going. As he rightly said, the Bill has not come into force yet; nevertheless, we understand that the Information Commissioner is already setting the wheels in motion for a comprehensive age-appropriate design code and will launch a call for evidence imminently. During that process she will be seeking evidence and views on the content of the code in line with the points raised in the debate in this House and elsewhere. So I confirm what he suggested was the case; indeed, work is already being done.

The noble Lord, Lord Stevenson, mentioned the focus of the code. In mentioning vulnerable people I was trying to bring him back to some of the points I think he made: I did not want anyone to get the impression that we were concentrating just on children—albeit they are very important—and their particular rights under the code. It will include vulnerable people, but also the way that it operates in general. Although children rightly have a special mention, we are also concerned with people who may have particular problems and may be vulnerable. I think this should exactly satisfy some of the things the noble Lord mentioned in previous debates.

As for the Ministry of Defence, it does try to keep in touch. In fact, it is a duty of an ex-regular reservist to keep the MoD in touch with their whereabouts. Some 49%, I believe, do not do so: we want to use this information to keep in touch with the reserve for the security of the country and that is why we are doing this. I also point out that there are protections: the commissioners of the Inland Revenue have to give permission before information is disclosed to anyone else or elsewhere.

Motion on Amendment 115 agreed.

Motion on Amendments 116 to 152

Moved by

116: Clause 183, page 105, line 44, leave out “certain rights” and insert “the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy)”

117: Clause 183, page 106, line 7, leave out “under the following provisions” and insert “of a data subject”

118: Clause 183, page 106, line 9, at beginning insert “rights under”

119: Clause 183, page 106, line 10, at beginning insert “rights under”

120: Clause 183, page 106, line 11, at beginning insert “rights under”

121: After Clause 183, insert the following new Clause—

“Representation of data subjects with their authority: collective proceedings

(1) The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.

(2) In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 183.

(3) The power under subsection (1) includes power— (a) to make provision about the proceedings;

(b) to confer functions on a person, including functions involving the exercise of a discretion;

(c) to make different provision in relation to England and Wales and in relation to Northern Ireland.

(4) The provision mentioned in subsection (3)(a) includes provision about— (a) the effect of judgments and orders;

(b) agreements to settle claims;

(c) the assessment of the amount of compensation;

(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;

(e) costs.

(5) Regulations under this section are subject to the negative resolution procedure.”

122: After Clause 183, insert the following new Clause—

“Duty to review provision for representation of data subjects

(1) Before the end of the review period, the Secretary of State must—

(a) review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,

(b) prepare a report of the review, and

(c) lay a copy of the report before Parliament.

(2) Those matters are—

(a) the operation of Article 80(1) of the GDPR,

(b) the operation of section 183,

(c) the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject),

(d) the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation), and

(e) the merits of making provision for a children’s rights organisation to exercise some or all of a data subject’s rights under Articles 77, 78, 79 and 82 of the GDPR on behalf of a data subject who is a child, with or without being authorised to do so by the data subject.

(3) “The review period” is the period of 30 months beginning when section 183 comes into force.

(4) In carrying out the review, the Secretary of State must—

(a) consider the particular needs of children separately from the needs of adults,

(b) have regard to the fact that children have different needs at different stages of development,

(c) carry out an analysis of the particular challenges that children face in authorising, and deciding whether to authorise, other persons to act on their behalf under Article 80(1) of the GDPR or section 183,

(d) consider the support and advice available to children in connection with the exercise of their rights under Articles 77, 78, 79 and 82 of the GDPR by another person on their behalf and the merits of making available other support or advice, and

(e) have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.

(5) Before preparing the report under subsection (1), the Secretary of State must consult the Commissioner and such other persons as the Secretary of State considers appropriate, including—

(a) persons active in the field of protection of data subjects’ rights and freedoms with regard to the protection of their personal data,

(b) children and parents,

(c) children’s rights organisations and other persons who appear to the Secretary of State to represent the interests of children,

(d) child development experts, and

(e) trade associations.

(6) In this section—

“children’s rights organisation” means a body or other organisation which—

(a) is active in representing the interests of children, and

(b) has objectives which are in the public interest;

“trade association” includes a body representing controllers or processors;

“the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.”

123: After Clause 183, insert the following new Clause—

“Post-review powers to make provision about representation of data subjects

(1) After the report under section (Duty to review provision for representation of data subjects)(1) is laid before Parliament, the Secretary of State may by regulations—

(a) exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland,

(b) make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject, and

(c) make provision described in section (Duty to review provision for representation of data subjects)(2)(e) in relation to the exercise in England and Wales and Northern Ireland of the rights of a data subject who is a child.

(2) The powers under subsection (1) include power—

(a) to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;

(b) to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights;

(c) to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;

(d) to confer functions on a person, including functions involving the exercise of a discretion;

(e) to amend sections 164 to 166, 177, 183, 196, 198 and 199; (f) to insert new sections and Schedules into Part 6 or 7;

(g) to make different provision in relation to England and Wales and in relation to Northern Ireland.

(3) The powers under subsection (1)(a) and (b) include power to make provision in relation to data subjects who are children or data subjects who are not children or both.

(4) The provision mentioned in subsection (2)(b) and (c) includes provision about—

(a) the effect of judgments and orders; (b) agreements to settle claims;

(c) the assessment of the amount of compensation;

(d) the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;

(e) costs.

(5) Regulations under this section are subject to the affirmative resolution procedure.”

124: Clause 184, page 106, line 41, leave out “(including as applied by Chapter 3 of that Part)”

125: Transpose Clause 184 to after Clause 182

126: After Clause 188, insert the following new Clause—

“Reserve forces: data-sharing by HMRC

(1) The Reserve Forces Act 1996 is amended as follows.

(2) After section 125 insert—

“125A Supply of contact details by HMRC

(1) This subsection applies to contact details for—

(a) a member of an ex-regular reserve force, or

(b) a person to whom section 66 (officers and former servicemen liable to recall) applies, which are held by HMRC in connection with a function of HMRC.

(2) HMRC may supply contact details to which subsection (1) applies to the Secretary of State for the purpose of enabling the Secretary of State—

(a) to contact a member of an ex-regular reserve force in connection with the person’s liability, or potential liability, to be called out for service under Part 6;

(b) to contact a person to whom section 66 applies in connection with the person’s liability, or potential liability, to be recalled for service under Part 7.

(3) Where a person’s contact details are supplied under subsection (2) for a purpose described in that subsection, they may also be used for defence purposes connected with the person’s service (whether past, present or future) in the reserve forces or regular services.

(4) In this section, “HMRC” means Her Majesty’s Revenue and Customs.

125B Prohibition on disclosure of contact details supplied under section 125A

(1) A person who receives information supplied under section 125A may not disclose it except with the consent of the Commissioners for Her Majesty’s Revenue and Customs (which may be general or specific).

(2) A person who contravenes subsection (1) is guilty of an offence.

(3) It is a defence for a person charged with an offence under this section to prove that the person reasonably believed—

(a) that the disclosure was lawful, or

(b) that the information had already lawfully been made available to the public.

(4) Subsections (4) to (7) of section 19 of the Commissioners for Revenue and Customs Act 2005 apply to an offence under this section as they apply to an offence under that section.

(5) Nothing in section 107 or 108 (institution of proceedings and evidence) applies in relation to an offence under this section.

125C Data protection

(1) Nothing in section 125A or 125B authorises the making of a disclosure which contravenes the data protection legislation.

(2) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

127: Clause 189, page 109, line 4, after “145” insert “, (Destroying or falsifying information and documents etc)”

128: Clause 192, page 110, line 33, at end insert—

“( ) section (Destroying or falsifying information and documents etc);”

129: Clause 198, page 114, line 25, at end insert “the following (except in the expression “United Kingdom government department”)”

130: Clause 198, page 115, line 8, at end insert—

“(2) References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—

(a) section 125(4), (7) and (8);

(b) section 160(3), (5) and (6);

(c) section 176(2);

(d) section (Review of processing of personal data for the purposes of journalism)(2);

(e) section 179(8) and (9);

(f) section 180(4);

(g) section 186(3), (5) and (6);

(h) section 190(3) and (4);

(i) paragraph 18(4) and (5) of Schedule 1;

(j) paragraphs 5(4) and 6(4) of Schedule 3;

(k) Schedule 5;

(l) paragraph 11(5) of Schedule 12;

(m) Schedule 15;

(and the references in section 5 to terms used in Chapter 2 or 3 of Part 2 do not include references to a period expressed in hours, days, weeks, months or years).”

131: Clause 198, page 115, line 8, at end insert—

“( ) Section 3(14)(aa) (interpretation of references to Chapter 2 of Part 2 in Parts 5 to 7) and the amendments in Schedule 18 which make equivalent provision are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978, or any similar provision in another enactment, as it applies to other references to, or to a provision of, Chapter 2 of Part 2 of this Act.”

132: Clause 200, page 117, line 15, leave out subsections (1) to (4) and insert—

“(1) This Act applies only to processing of personal data described in subsections (2) and (3).

(2) It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.

(3) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—

(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,

(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and

(c) the processing activities are related to—

(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or

(ii) the monitoring of data subjects’ behaviour in the United Kingdom.”

133: Clause 200, page 118, line 8, leave out “(4)” and insert “(3)”

134: Clause 200, page 118, line 8, after “provision” insert “in or”

135: Clause 200, page 118, leave out line 10 and insert “processing of personal data”

136: Clause 200, page 118, line 10, at end insert—

“(5A) Section 3(14)(b) does not apply to the reference to the processing of personal data in subsection (2).

(5B) The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).”

137: Clause 200, page 118, line 11, leave out “established” and insert “who has an establishment”

138: Clause 200, page 118, line 21, after “to” insert “a person who has an”

139: Clause 200, page 118, line 23, leave out subsection (7)

140: Clause 204, page 120, line 12, leave out subsection (1) and insert— “(1) In Schedule 18—

(a) Part 1 contains minor and consequential amendments of primary legislation;

(b) Part 2 contains minor and consequential amendments of other legislation;

(c) Part 3 contains consequential modifications of legislation; (d) Part 4 contains supplementary provision.”

141: Clause 205, page 120, line 37, leave out paragraph (b)

142: Clause 205, page 120, line 41, for “206” substitute “206(2)”

143: Clause 205, page 121, line 4, at end insert—

“( ) Regulations under this section may make different provision for different areas.”

144: Clause 206, page 121, line 5, at end insert—

“(1) Schedule (Transitional provision etc) contains transitional, transitory and saving provision.

(2) ”

145: Clause 206, page 121, line 8, at end insert “or with the GDPR beginning to apply, including provision amending or repealing a provision of Schedule (Transitional provision etc).

( ) Regulations under this section that amend or repeal a provision of Schedule (Transitional provision etc) are subject to the negative resolution procedure.”

146: Clause 207, page 121, line 12, after “(2)” insert “, (2A)”

147: Clause 207, page 121, line 12, leave out “and (3)” and insert “, (3) and (3A)”

148: Clause 207, page 121, line 14, at end insert—

“(2A) Sections (Representation of data subjects with their authority: collective proceedings), (Duty to review provision for representation of data subjects) and (Post-review powers to make provision about representation of data subjects) extend to England and Wales and Northern Ireland only.”

149: Clause 207, page 121, line 15, after “extent” insert “in the United Kingdom”

150: Clause 207, page 121, line 16, leave out “(ignoring extent by virtue of an Order in Council)”

151: Clause 207, page 121, line 17, at end insert—

“(3A) This subsection and the following provisions also extend to the Isle of Man—

(a) paragraphs 200O and 205 of Schedule 18;

(b) sections 204(1), 205(1) and 206(2), so far as relating to those paragraphs.”

152: Clause 208, page 121, line 24, leave out subsection (2)

Motion on Amendments 116 to 152 agreed.

Motion on Amendment 153

Moved by

153: Schedule 1, page 123, line 21, at beginning insert “Except as otherwise provided,”

My Lords, this group of amendments covers issues that will be familiar to many noble Lords, as it primarily addresses concerns and issues raised in this House last autumn. The Government have remained committed to listening and to improving the Bill. I owe thanks to many noble Lords who brought these issues to our attention.

Commons Amendment 155 would help businesses and other organisations ensure that their boardrooms and senior management levels are truly representative of the workforces they manage and the communities they serve. In November 2016, Sir John Parker published a report which showed that while 14% of the population identified as black, Asian or minority ethnic, only 1.5% of directors in FTSE 100 boardrooms are UK citizens from a minority background. More than half of the FTSE 100 boards are exclusively white. While significant progress has been made in recent years to improve the gender balance in the boardrooms of such companies, the severe underrepresentation of people from minority backgrounds needs to be addressed.

Sir John’s report included a series of recommendations to improve racial and ethnic diversity in the boardroom. He encouraged companies to make better use of executive search firms to identify potential candidates and invite them to be interviewed for managerial vacancies. This amendment would therefore add a new processing condition to Schedule 1 to allow organisations to process personal data about potential candidates’ racial or ethnic origin in identifying suitable candidates for potential managerial positions.

Previously when we discussed the Bill in this House, Thomson Reuters provided a very helpful briefing note setting out how it compiles reports on persons suspected of terrorism, bribery, money laundering, modern slavery and other illegal activities. It then shares this information with the banks to help them avoid engaging with such people and allow them to comply with their regulatory obligations and other internationally recognised guidelines. In response to support for the proposal on all sides, the Government committed to work with Thomson Reuters to bring forward amendments at a later stage of the Bill’s passage. Commons Amendment 158 is the culmination of this work.

I am also pleased to introduce Commons Amendment 160, which would provide for processing by patient support groups, a concern well put by my noble friend Lady Neville-Jones. She spoke movingly on behalf of the patient support group Unique, which manages a register of patients suffering from very rare and sometimes life-limiting chromosomal disorders. Amendment 160 would add a new processing condition to Schedule 1 to provide Unique and groups like it with the legal certainty required for their vital work to continue. I am most grateful to her for her advocacy.

Commons Amendments 162 and 163 relate to data processing for safeguarding purposes. These amendments respond to one tabled on the same issue by the noble Lord, Lord Stevenson, on Report in December. In response to that amendment, I made it clear that the Government were sympathetic to the points raised. These amendments would ensure that sensitive data could be processed without consent in certain circumstances for legitimate safeguarding activities which are in the substantial public interest. The unfortunate reality is that there still exists a great deal of uncertainty under current law about which personal data can be processed for safeguarding purposes. This has resulted, for example, in some organisations withholding information from the police and other law enforcement agencies for fear of breaching data protection law. With these amendments, the Government intend to address this uncertainty by providing relevant organisations with a specific processing condition for processing the most sensitive personal data for safeguarding purposes.

Similarly, a number of other amendments in this group would extend necessary exemptions to certain regulators to ensure that data subjects cannot use data protection laws to undermine their regulatory work. Commons Amendment 178 would provide the Comptroller and Auditor-General of the United Kingdom, and his counterpart in each of the devolved nations, with an exemption from certain provisions of the GDPR where these would be likely to prejudice his statutory functions. Likewise, Amendment 179 would provide an exemption for the Bank of England from the listed GDPR provisions where these could inhibit its ability to exercise its functions. Amendment 183 would provide an exemption for the Scottish Information Commissioner, who regulates freedom of information rather than data protection. Amendment 185 would protect the work of the Financial Conduct Authority and the Prudential Regulation Authority. Amendment 186 would extend the exemptions in Schedule 2 to the Charity Commission’s functions under the Charities Acts of 1992, 2006 and 2011.

The remaining amendments in this group would address more technical issues, ensuring consistency across the Bill. I beg to move.

My Lords, I thank my noble friend the Minister for the Government having carried these provisions in the Commons. More importantly, the patient support groups for which I spoke are very gratified because they regard these amendments as absolutely vital to their ability to carry on their important work. If I might say so, it is a very satisfactory outcome.

My Lords, I welcome Commons Amendment 188 on the confidentiality of legal advice. As the Minister knows, a concern has been raised, long after the 11th hour, about the position of arbitrators. The concern is that the Bill addresses the data protection obligations of judges and lawyers but does not address the data protection position of arbitrators. Arbitration is of course an important legal service, in which this country leads and provides services to the world. All I can do at this stage is to ask the Minister and the Bill team whether they will reflect on this concern, which has been raised not just with me but with him. If he thinks that there is any basis for concern, will he consider using the very extensive powers conferred under the Bill to bring forward regulations to address the issue?

My Lords, as the Minister made clear in his lucid introduction, this is a really significant group of amendments. It is very good to see that some of the work that was done in this House has come back in the form of amendments. In particular, the Minister will remember that it was my noble friend Lord McNally who raised issues around Thomson Reuters in the first place. However, I know that there will be considerable pleasure in the financial services industry, which is very concerned about such things as money laundering, anti-corruption measures and so on, and making sure that it can process data in pursuance of achieving those important goals.

I congratulate the noble Baroness, Lady Neville-Jones, on her campaign, which has clearly borne fruit here. I had not heard what the noble Lord, Lord Pannick, had said but there seems to be a bit of a hole in the Bill if that is the case. I can certainly testify to the fact that arbitrators are an incredibly important part of our judicial system. Indeed, within it they are one of our global competitive advantages; therefore if anything is done that is to the detriment of our arbitration system, it would be really quite serious.

My Lords, I too congratulate the Government on bringing forward these amendments. They cover a wide range but, as the noble Lord, Lord Clement-Jones, said, they are an important part of the actual mechanics and workings of the system once it is going. We will certainly need a few successes where people believe that something has been done to make sure that their lives are easier, rather than more difficult, as a result of this legislation. Even your Lordships’ House will suffer quite considerably in the processing tasks that it will have to carry. I seem to remember that, after an informal chat with the Minister, we were going to get a statement from him about how he felt about that and how things might progress. Maybe I am pushing him a little too far; perhaps we will get a letter or something about it later.

I echo the congratulations to the noble Baroness, Lady Neville-Jones, who fought an understated but effective campaign on an important area, which I am glad to see was picked up. I thought the diversity amendments were the sort of thing that could easily have been dropped off for being too complicated and difficult. This is possibly not the right Bill but it is really important that we got them in here. There could have been use made of some provisions by employers and others who did not want to face up to the reality of the world today, saying that they would not be able to process data in a way that would allow us to see whether progress has been made on this.

We on the Labour Benches were also consulted by Thomson Reuters, which felt that there was a bit of a lacuna in some things it was asked to do about money laundering. I am glad that the Bill team finally came round on that and agreed that there was something there. It brought forward a measure.

I am particularly pleased about safeguarding, which was quite a late addition to Committee. We brought it back on Report. It was obviously something that needed much wider consideration. Again, I wondered whether there would be time to bring it through. It has been possible to do so. We now have a very satisfactory approach to this. It covers not just sports, which was the area we raised, but the wider consideration of vulnerable people in clubs and in health and welfare situations where there needs to be consideration of what process and steps could be taken if suspicions were raised. We do not have to read the papers today to realise how damaging that can be if it is not caught quickly. We welcome the amendments.

My Lords, I am grateful for all those comments. It is nice that in the last group I will handle on it—touch wood—I leave the Bill in a glow of good will. I am particularly pleased that I can agree with the noble Lord, Lord McNally, and that we have been able to respond to some of the concerns and points raised in this House. In many ways, the Bill has been an object lesson of discussion on a very technical Bill. We have made progress. I certainly acknowledge and am very grateful for the support and co-operation I have had from both opposition Front Benches.

As a little footnote, which might give encouragement to others, I first raised the Thomson Reuters matter because it sponsored a conference at the Guildhall well over a year ago about the coming of the GDPR. I went along to find out about it. I and the other Benches raised this from that. It has now ended up in the Bill. It is an encouragement to companies that sometimes think that legislation is a mysterious place that, by taking little bit of effort to put the case and extend it, they can have real influence.

I am grateful to the noble Lord. That brings me nicely to the point made by the noble Lord, Lord Pannick, about arbitrators. The noble Lords, Lord Clement-Jones and Lord Stevenson, mentioned the importance of arbitration to the economy of this country. I am only too well aware of it from my background in insurance. London has a very well-respected legal system, but the arbitration system is linked to that. We certainly would not wish in any way to hinder it. Contrary to what the noble Lord, Lord McNally, did, the people who brought this up seemed to do so at the last minute. I slightly wonder how they managed to miss this trick, if it is so obvious, for the two years that the GDPR has been in place, let alone—

They should have hired a lawyer. The point is that it is a perfectly valid point. We have sought to replicate in the Bill, as far as possible, the existing provisions relating to legal professional privilege. We had several discussions about that in the 1998 Act, including the relevant exemptions to rights and obligations for personal data. I cannot help but notice that the Arbitration and Mediation Service, given that we are trying to replicate as far as possible existing provisions, appears to have been operating without undue burden for the last 20 years, but I am certainly prepared to undertake to the noble Lord, Lord Pannick, that we will look at that with a view to making sure that this is not a serious problem. We certainly have not been able to do it in time. I can confirm to him that, if there is a problem, the Bill contains regulation-making powers to address this concern. The only thing I can say on that is that, quite rightly, those regulations would have to come before both Houses of Parliament. If there is a concern he will be able to address it later.

The noble Lord, Lord Stevenson, is quite correct that we talked about me making a statement or addressing concerns about the individual application of the GDPR and the Bill to Peers. I assumed I would do so if it was necessary and if the subject came up, which, luckily, it has not. Just to be clear, it is not just that Peers and other citizens of this country are suffering under the GDPR, although they might have obligations that they were not aware of before and, I agree, certain extra ones because the GDPR has direct effect; it also greatly increases individual subject rights. It makes sure that individuals’ personal data, in particular sensitive personal data, is better protected in law and by a regulator, who, thanks to your Lordships’ agreement, has real power to make sure that the data regime is obeyed. I believe that the House authorities have issued a statement to all Peers. Of course, my department is there to address this. The first avenue that Peers should use for the individual circumstances is the House authorities.

Can I press my noble friend a little further on the issue of what individual Peers and Members of Parliament should do? There was an earlier discussion on whether some arrangements might be made so that data protection rules can be followed but the burden would not be unreasonable. I also take this opportunity to thank my noble friend for these many amendments which are grouped together, on diversity through to financial services. It has been a model of good working.

I am grateful for that. When my noble friend spoke of pushing me further, I am not completely clear what she wants me to do. It is not right for me to opine on individual cases. I think we are talking about Peers in their roles as Peers. Each individual Peer has to discuss that in the light of their individual circumstances. All I would say is that if noble Lords are dealing with special categories of data and personal data, they will have to be aware of the obligations put on them by the Bill and the GDPR. The House authorities are there to advise, as is the Information Commissioner. They will have to do so. In my case, for example, I do not anticipate that in what I do as a Peer, as opposed to a Minister, I would have to pay a fee as a controller, if that helps.

Motion agreed.

Motion on Amendments 154 to 173

Moved by

154: Schedule 1, page 124, line 24, leave out from “subject” to end of line 25

155: Schedule 1, page 124, line 36, at end insert—

“Racial and ethnic diversity at senior levels of organisations 8A

(1) This condition is met if the processing—

(a) is of personal data revealing racial or ethnic origin,

(b) is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,

(c) is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and

(d) can reasonably be carried out without the consent of the data subject, subject to the exception in sub-paragraph (3).

(2) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b) the controller is not aware of the data subject withholding consent.

(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4) For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—

(a) holds a position listed in sub-paragraph (5), or

(b) does not hold such a position but is a senior manager of the organisation.

(5) Those positions are—

(a) a director, secretary or other similar officer of a body corporate;

(b) a member of a limited liability partnership;

(c) a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.

(6) In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—

(a) the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised, or

(b) the actual managing or organising of the whole or a substantial part of those activities.

(7) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

156: Schedule 1, page 125, line 3, at end insert—

“( ) If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

157: Schedule 1, page 125, line 4, at end insert—

““competent authority” has the same meaning as in Part 3 of this Act (see section 30).”

158: Schedule 1, page 125, line 16, at end insert—

“Regulatory requirements relating to unlawful acts and dishonesty etc 10A

(1) This condition is met if—

(a) the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—

(i) committed an unlawful act, or

(ii) been involved in dishonesty, malpractice or other seriously improper conduct,

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and

(c) the processing is necessary for reasons of substantial public interest.

(2) In this paragraph—

“act” includes a failure to act;

“regulatory requirement” means—

(a) a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or

(b) a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.”

159: Schedule 1, page 125, line 35, at end insert—

“( ) The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

160: Schedule 1, page 126, line 22, at end insert—

“Support for individuals with a particular disability or medical condition

13A (1) This condition is met if the processing—

(a) is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,

(b) is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),

(c) is necessary for the purposes of—

(i) raising awareness of the disability or medical condition, or

(ii) providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,

(d) can reasonably be carried out without the consent of the data subject, and

(e) is necessary for reasons of substantial public interest.

(2) The following types of personal data fall within this sub-paragraph—

(a) personal data revealing racial or ethnic origin;

(b) genetic data or biometric data;

(c) data concerning health;

(d) personal data concerning an individual’s sex life or sexual orientation.

(3) An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—

(a) has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or

(b) is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.

(4) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b) the controller is not aware of the data subject withholding consent.

(5) In this paragraph—

“carer” means an individual who provides or intends to provide care for another individual other than—

(a) under or by virtue of a contract, or

(b) as voluntary work;

“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).

(6) The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

161: Schedule 1, page 126, line 27, leave out “a reason” and insert “one of the reasons”

162: Schedule 1, page 126, line 38, at end insert—

“Safeguarding of children and of individuals at risk

14A (1) This condition is met if—

(a) the processing is necessary for the purposes of—

(i) protecting an individual from neglect or physical, mental or emotional harm, or

(ii) protecting the physical, mental or emotional well-being of an individual,

(b) the individual is—

(i) aged under 18, or

(ii) aged 18 or over and at risk,

(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d) the processing is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(c) are—

(a) in the circumstances, consent to the processing cannot be given by the data subject;

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a) has needs for care and support,

(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

163: Schedule 1, page 126, line 38, at end insert—

“Safeguarding of economic well-being of certain individuals

14B (1) This condition is met if the processing—

(a) is necessary for the purposes of protecting the economic well- being of an individual at economic risk who is aged 18 or over,

(b) is of data concerning health,

(c) is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d) is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(c) are—

(a) in the circumstances, consent to the processing cannot be given by the data subject;

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3) In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.”

164: Schedule 1, page 127, line 30, at end insert—

“( ) The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

165: Schedule 1, page 127, line 39, at end insert—

“( ) is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,”

166: Schedule 1, page 128, line 6, at end insert—

“( ) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

167: Schedule 1, page 129, line 23, at end insert —

“( ) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;”

168: Schedule 1, page 129, line 31, at end insert —

“( ) a police and crime commissioner.”

169: Schedule 1, page 131, line 14, at end insert—

“( ) If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

170: Schedule 1, page 133, line 17, leave out from “interest” to end of line 21

171: Schedule 1, page 134, line 18, leave out “on the day” and insert “when”

172: Schedule 2, page 135, line 7, at end insert—

“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

173: Schedule 2, page 135, line 19, after “provisions” insert “and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject)”

Motion agreed.

Motion on Amendment 174

Moved by

174: Schedule 2, page 137, line 4, leave out from “(vi)” to end of line 9

My Lords, these amendments relate to the immigration exemption in paragraph 4 of Schedule 2, which was debated at some length during the passage of the Bill through this House. It may assist the House if I briefly restate the case for this provision.

The Bill and the GDPR extend and strengthen the rights of individuals, giving them easier access to their data and greater control over its use and processing. This is something we can all welcome. However, it is necessary to balance such enhanced rights of data subjects with other competing interests. The Bill therefore provides mechanisms to ensure that data rights cannot undermine investigations by law enforcement agencies, regulators and others. For the same reasons, the Bill makes provision to protect the integrity of the immigration system; for example, to prevent the release of information which would undermine imminent enforcement action.

As I have previously explained, the immigration provision is limited in nature. It does not allow the Home Office—or, indeed, any other controller—to set aside all the safeguards in the Bill; rather, it allows a number of specific rights to be restricted on a case-by-case basis and only to the extent to which giving effect to those rights would be likely to prejudice the maintenance of effective immigration control in an individual case. Decisions will also be subject to oversight by the Information Commissioner and, ultimately, the Information Tribunal.

On Report noble Lords supported the retention of the exemption by a majority of 130. Last week the House of Commons similarly supported the inclusion of the exemption in the Bill by a clear majority of 28. None the less, it is of course right that the exemption should be as tightly drafted as possible. The Government firmly believe that unless there is a compelling reason to the contrary, data processing should always be fair and transparent and it should not be possible to collect data for one purpose and then to retrospectively apply a policy of processing for further, incompatible purposes. It was always the Government’s intention that processing for immigration purposes should have to meet both these principles. But, on reflection, we agree that the provisions in paragraph 4 of Schedule 2 left room for doubt as to the intended approach. Therefore, Commons Amendments 174 and 175 further narrow the exemption to put the matter beyond doubt.

We are also committed to reviewing the operation of the exemption in the light of experience 12 months after these provisions come into force. To inform the review we would naturally welcome the views of interested parties, such as the Immigration Law Practitioners’ Association. Clause 16 would enable us to narrow the scope of the exemption still further should the review conclude that it would be appropriate to do so.

I look forward to hearing what the noble Baroness, Lady Hamwee, has to say about her Amendment 175A, but for now I beg to move.

Amendment 175A (as an amendment to Amendment 175)

Tabled by

175A: At end insert—

“( ) Following consultation with the Commissioner and the public, the Secretary of State must, within the period of six months beginning with the day on which this paragraph comes into force, produce guidance about how, subject to sub-paragraph (2)(a)(vii) above, the provisions of Article 5 listed in paragraph 1(b) apply in relation to this paragraph.”

My Lords, I do not think I am going to surprise the Minister but I will go through my points on Amendment 175A. The short version is that among the double negatives, paragraph 4 enables the Home Office and others to refuse a subject’s access request in respect of data relating to “effective immigration control”. I will not muse on what “effective” might mean in this context this evening. There are exceptions to the exemption, as the Minister has said, but they do not go to the heart of the problem, which is that if the Home Office uses the exemption, someone challenging a Home Office decision will not be able to check that the Home Office has the correct information about him. For instance, an application may be refused and the correct information established only if the matter goes to appeal.

I discovered during the passage of the Bill that at the start of a case solicitors routinely put in a request to the Home Office to ensure that there is not a crucial error in the information it holds about their client. That must save time and effort—and, indeed, money and anxiety—on both sides. It seems a matter of common sense to be able to do so. I have been puzzled throughout as to why the Government consider this exemption necessary. If it is because there may be an issue of criminality, paragraph 3 provides for this, including “the prevention … of crime”, if the Home Office believes that someone might be about to commit an immigration offence.

I understand from a discussion with the Minister last week, for which I am grateful to her and her officials, that the Government do not want to characterise all applicants to the Home Office for immigration leave as criminals, but I really do not think that that is an answer. As the Minister knows, and the House will know, I would like to see this paragraph out of the Bill altogether or, at a poor second best, not brought into effect until work has been done with practitioners—lawyers and the relevant NGOs—as to its operation, but we all know about the procedural rules and those mean that I have to confine myself to the amendment made by the Government in the Commons.

As we have heard, the government amendment takes certain provisions of article 5 of the GDPR out of the scope of the exemption. The Minister has just explained those and that the provisions which must continue to apply are requirements for “lawfulness, fairness and transparency” in processing, and the “purpose limitation”, which precludes straying beyond,

“specified, explicit and legitimate purposes”.

I may be cynical—I think I am—but I cannot help thinking that this amendment is not a concession: it is to protect the Government. The original wording—and I admit to not having really taken this in beforehand—of this part of the paragraph is really quite dubious. My amendment is therefore necessarily narrow but in spirit applies to the whole paragraph. It calls for guidance about the application of the provisions of article 5 following consultation.

Since consultation would, I am sure, extend to the following points, I take this opportunity to ask the Minister to give a number of assurances. I have given the Government notice of these. They are: that the exemption is not going to be used in a blanket way to deny all requests for files held by the Home Office concerning immigration, and this will be the case regardless of the believed immigration status of the subject; that the exemption will not be routinely applied or applied without meaningful individual assessment in circumstances where the Home Office seeks to acquire data collected by essential public services from other government departments, such as the Department for Education; that the exemption will not be routinely applied or applied without meaningful individual assessment in circumstances where a person or his legal representative is requesting data held by the Home Office so that he can regularise his immigration status or progress an immigration claim; that the exemption will be applied solely by the Home Office and not by government contractors carrying out immigration control functions; that the exemption will be used only in cases where the Government have a clear and specific reason to believe that the release of data would undermine immigration control in relation to that specific person; that undermining immigration control does not include an individual accessing data which may show why he may have reason to be allowed to stay in the UK and, for those reasons, that it is anticipated to be used in only a very small number of cases; and, finally, that the exemption will not be applied to British citizens or migrants who are lawfully resident in the UK.

The Minister has told us that the operation of the paragraph will be reviewed after a year and she has mentioned the Immigration Law Practitioners’ Association. I am grateful because I think it is those who have to apply a provision or are on the wrong end of its application whose experience will be important. Having made my requests for assurances, I do not intend to press my amendment but I will be grateful for assistance from the Minister in responding to these very real concerns. They are not ones that I composed: they are a compilation of points that I was given by practitioners this morning.

I thank the noble Baroness for setting out the rationale for Amendment 175A. I wholeheartedly endorse the sentiment behind it— namely, that the data protection principles must underpin the processing of personal data held by the Home Office for immigration purposes. I also unreservedly support the notion that the Home Office needs to abide by the highest standards required by the GDPR and the Bill and to ensure that its staff are properly equipped, including through the appropriate training and guidance, to ensure that the department collectively fulfils its statutory responsibilities when it comes to processing people’s personal data. We want our staff to recognise that new data rights should be seen as an opportunity to improve how we collect, process and use other people’s data and respond to customers’ requests.

I am grateful to the noble Baroness for giving me foresight of her specific questions. The first concerned the exemption not being used in a blanket way to deny all requests for files concerning immigration held by the Home Office. This will be the case regardless of the believed immigration status of the client. We have been clear, and guidance will be clear, that the exemption can be used only on an individual basis and on a right-by-right basis—that is, a controller can exclude only those rights that would cause the prejudice test to be satisfied. Further, we will withhold only the information that could be likely to cause the prejudice. All other data is currently—and will carry on being—released.

The noble Baroness’s second question concerned the exemption not being routinely applied or applied without meaningful individual assessment in circumstances where the Home Office seeks to acquire data collected by essential public services from other government departments, such as the Department for Education. Where a right is to be restricted, there has to be evidence which a data controller can identify that has satisfied the likely-to-prejudice effective immigration control test and the test that it is still a live concern. That is irrespective of where or from whom the data was gathered.

The noble Baroness’s third question concerned the exemption not being routinely applied or applied without meaningful individual assessment in circumstances where a person or their legal representative is requesting data held by the Home Office so that they can regularise their immigration status or progress an immigration claim. We have been clear—and our guidance will be clear—that a right can be restricted only where there is a risk to the maintenance of effective immigration control. If a person is seeking to regularise their status, it is incumbent upon us to facilitate their efforts, and we strive to do so.

The noble Baroness’s next question was about the exemption being applied solely by the Home Office and not by government contractors carrying out immigration control functions. The exemption may be used and applied by those who work with us. However, the same checks and balances would be applicable in all instances.

The noble Baroness also asked for the exemption to be used only in cases where the Government have a clear and specific reason to believe that the release of data would undermine immigration control in relation to that specific person. That is correct—and it is what paragraph 4 of Schedule 2 provides for.

The next question the noble Baroness asked was about undermining immigration control not including an individual accessing data that may show why they may have reason to be allowed to stay in the UK. We have been clear that, where a person is seeking to regularise their status or appeal a decision, we will disclose all the data we hold to assist them in that and always give the full basis of why a decision has been made to facilitate any appeal.

The noble Baroness rightly asked, for the above reasons, whether it would be used only in a very small number of cases. The answer is yes. We anticipate that it will be a minority of cases and it is a rebuttable assumption that all rights apply to all data subjects.

The noble Baroness’s final question was about the exemption not being applied to British citizens or migrants who are lawfully resident in the UK. The exemption is not designed to apply to those here lawfully. It could, however, be used if a lawful UK resident was involved in an attempt to cause prejudice to the maintenance of effective immigration control—for example, by sponsoring someone in the knowledge that they did not qualify to be here.

I hope that I have answered in full the noble Baroness’s questions. I thank her again for providing me with sight of her questions.

Motion agreed.

Motion on Amendment 175

Moved by

175: Schedule 2, page 137, line 11, at end insert “and, subject to sub-paragraph (2)(vii) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)”

Amendment 175A, as an amendment to Amendment 175, not moved.

Motion on Amendment 175 agreed.

Motion on Amendments 176 to 282

Moved by

176: Schedule 2, page 138, line 15, at end insert—

“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

177: Schedule 2, page 139, leave out lines 17 to 27 and insert—

“2. The function is designed to protect members of the public against—

(a) dishonesty, malpractice or other seriously improper conduct, or

(b) unfitness or incompetence.

The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.”

178: Schedule 2, page 140, line 42, at end insert—

“Audit functions

7A (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2) The functions are any function that is conferred by an enactment on—

(a) the Comptroller and Auditor General;

(b) the Auditor General for Scotland;

(c) the Auditor General for Wales;

(d) the Comptroller and Auditor General for Northern Ireland.”

179: Page 140, line 42, at end insert—

“Functions of the Bank of England

7B (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2) “Relevant function of the Bank of England” means—

(a) a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);

(b) a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;

(c) a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.”

180: Schedule 2, page 141, line 18, leave out “body” and insert “person”

181: Schedule 2, page 141, line 19, leave out “body” and insert “person”

182: Schedule 2, page 142, line 7, column 2, at end insert—

“( ) section 244 of the Investigatory Powers Act 2016;”

183: Schedule 2, page 142, line 37, at end insert—

“1A. The Scottish Information Commissioner.

By or under—

(a) the Freedom of Information (Scotland) Act 2002 (asp 13);

(b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);

(c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).”

184: Schedule 2, page 143, line 7, leave out “or under any” and insert “an”

185: Schedule 2, page 143, line 7, at end insert—

“5A. The Financial Conduct Authority.

By or under the Financial Services and Markets Act 2000 or by another enactment.”

186: Schedule 2, page 143, line 22, at end insert—

“12. The Charity Commission.

By or under—

(a) the Charities Act 1992;

(b) the Charities Act 2006;

(c) the Charities Act 2011.”

187: Schedule 2, page 146, line 22, leave out “16(4)(a) or (b)” and insert “16(4)(a), (b) or (c)”

188: Schedule 2, page 146, line 44, at end insert “, or

(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.”

189: Schedule 2, page 149, line 23, leave out “with the date on which” and insert “when”

190: Schedule 2, page 149, line 25, leave out “the date of”

191: Schedule 2, page 150, line 45, at end insert—

“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

192: Schedule 2, page 151, line 1, after “processor)” insert “—

(i) Article 34(1) and (4) (communication of personal data breach to the data subject);

(ii) ”

193: Schedule 2, pchedule 3, page 160, line 21, leave out “with the day on which” and insert “when”

194: Schedule 2, page 162, line 3, leave out paragraph 16 and insert—

“16 (1) This paragraph applies to a record of information which—

(a) is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),

(b) relates to an individual who is or has been a pupil at the school, and

(c) originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).

(2) But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.

(3) The schools referred to in sub-paragraph (1)(a) are—

(a) a grant-aided school;

(b) an independent school.

(4) The persons referred to in sub-paragraph (1)(c) are—

(a) a teacher at the school;

(b) an employee of the Education Authority, other than a teacher at the school;

(c) an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;

(d) the pupil to whom the record relates;

(e) a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

(5) In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).”

195: Schedule 2, page 164, line 7, leave out “with the day on which” and insert “when”

196: Schedule 5, page 170, line 21, leave out “In this paragraph” and insert—

“Meaning of “working day”

7 In this Schedule”

197: Schedule 6, page 172, line 4, leave out from beginning to end of line 14 and insert— “Subsections (1), (2) and (6) of section 200 of the 2018 Act have effect for the purposes of this Regulation as they have effect for the purposes of that Act but as if the following were omitted—

(a) in subsection (1), the reference to subsection (3), and

(b) in subsection (6), the words following paragraph (d).””

198: Schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert—

“(b) in paragraph 2, for “Member States” substitute “The Secretary of State”;

(c) after that paragraph insert—

“3 The power under paragraph 2 may only be exercised by making regulations under section (Post-review powers to make provision about representation of data subjects) of the 2018 Act.”

199: Schedule 8, page 184, line 32, at end insert—

“Safeguarding of children and of individuals at risk

3A (1) This condition is met if—

(a) the processing is necessary for the purposes of—

(i) protecting an individual from neglect or physical, mental or emotional harm, or

(ii) protecting the physical, mental or emotional well-being of an individual,

(b) the individual is—

(i) aged under 18, or

(ii) aged 18 or over and at risk,

(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d) the processing is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(c) are—

(a) in the circumstances, consent to the processing cannot be given by the data subject;

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a) has needs for care and support,

(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

200: Schedule 10, page 187, line 5, at end insert—

“Safeguarding of children and of individuals at risk

3A (1) This condition is met if—

(a) the processing is necessary for the purposes of—

(i) protecting an individual from neglect or physical, mental or emotional harm, or

(ii) protecting the physical, mental or emotional well-being of an individual,

(b) the individual is—

(i) aged under 18, or

(ii) aged 18 or over and at risk,

(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d) the processing is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(c) are—

(a) in the circumstances, consent to the processing cannot be given by the data subject;

(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a) has needs for care and support,

(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

201: Schedule 11, page 189, line 20, at end insert “, or

(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.”

202: Schedule 11, page 190, line 4, leave out “day falls before the day on which” and insert “time falls before”

203: Schedule 11, page 190, line 7, leave out “day” and insert “time”

204: Schedule 11, page 190, line 9, leave out “the date of”

205: Schedule 11, page 190, line 17, leave out “day” and insert “time”

206: Schedule 12, page 193, line 16, after “fees” insert “, charges, penalties”

207: Schedule 13, page 194, line 36, leave out from beginning to end of line 4 on page 195

208: Schedule 13, page 195, line 4, at end insert—

“(2) Section 3(14)(b) does not apply to the reference to personal data in sub- paragraph (1)(h).”

209: Schedule 15, page 198, line 13, after “if” insert “a judge of the High Court,”

210: Schedule 15, page 198, line 22, at end insert “or is capable of being viewed using equipment on such premises”

211: Schedule 15, page 198, line 25, after “if” insert “a judge of the High Court,”

212: Schedule 15, page 199, line 34, at end insert—

“( ) to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,”

213: Schedule 15, page 199, line 36, after “premises” insert “and of any information capable of being viewed using equipment on the premises”

214: Schedule 15, page 199, line 46, at end insert—

“( ) to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,”

215: Schedule 15, page 200, line 2, after “premises” insert “and of any information capable of being viewed using equipment on the premises”

216: Schedule 15, page 200, line 10, at end insert—

“( ) For the purposes of this paragraph, a copy of information is in an “appropriate form” if —

(a) it can be taken away, and

(b) it is visible and legible or it can readily be made visible and legible.”

217: Schedule 15, page 203, line 4, at end insert—

“( ) references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,”

218: Schedule 16, page 203, line 26, leave out “with the day after” and insert “when”

219: Schedule 16, page 204, line 10, leave out “with the day on which” and insert “when”

220: Schedule 16, page 205, line 5, leave out “with the day after the day on which” and insert “when”

221: Schedule 16, page 205, line 37, leave out “controller or processor” and insert “person to whom the penalty notice was given”

222: Schedule 17, page 206, line 15, leave out paragraph (a) and insert—

“(a) a relevant health record (see paragraph 1A),”

223: Schedule 17, page 206, line 21, at end insert—

“Relevant health records

1A “Relevant health record” means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.”

224: Schedule 17, page 207, line 12, at end insert—

“( ) the Department of Justice in Northern Ireland;”

225: Schedule 17, page 207, line 22, leave out sub-paragraph (iii) and insert—

“(iii) Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));”

226: Schedule 17, page 207, line 32, at end insert—

“( ) Part 5 of the Police Act 1997,”

227: Schedule 17, page 207, line 42, at end insert—

“( ) In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.”

228: Schedule 17, page 207, line 44, after “under” insert “—

(a) Part 5 of the Police Act 1997, or

(b) ”

229: Schedule 17, page 208, line 2, at end insert—

“( ) Part 5 of the Police Act 1997,”

230: Schedule 18, page 208, line 25, at end insert—

“Registration Service Act 1953 (c. 37)

A1 (1) Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.

(2) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

(3) In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

Veterinary Surgeons Act 1966 (c. 36)

A2 (1) Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.

(2) In subsection (8)—

(a) omit “personal data protection legislation in the United Kingdom that implements”,

(b) for paragraph (a) substitute—

“(a) the GDPR; and”, and

(c) in paragraph (b), at the beginning insert “legislation in the United Kingdom that implements”.

(3) In subsection (9), after “section” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

231: Schedule 18, page 208, line 31, leave out “162” and insert “(Applications in respect of urgent notices)”

232: Schedule 18, page 209, line 9, leave out “162” and insert “(Applications in respect of urgent notices)”

233: Schedule 18, page 209, line 24, leave out “162” and insert “(Applications in respect of urgent notices)”

234: Schedule 18, page 210, line 4, at end insert—

“Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))

8A The Pharmacy (Northern Ireland) Order 1976 is amended as follows.

8B In article 2(2) (interpretation), omit the definition of “Directive 95/46/ EC”.

8C In article 8D (European professional card), after paragraph (3) insert—

“(4) In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

8D In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—

“(za) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

8E (1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

8F (1) The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

8G (1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.

(2) In sub-paragraph (2)(a), after “provision” insert “or the GDPR”. (3) For sub-paragraph (3) substitute—

“(3) In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

Representation of the People Act 1983 (c. 2)

8H (1) Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.

(2) In paragraph 1A(5), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(3) In paragraph 8C(2), for “the Data Protection Act 1998” substitute “Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act)”.

(4) In paragraph 11A—

(a) in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “to supply information”, and

(b) omit sub-paragraph (2).”

235: Schedule 18, page 210, leave out lines 5 to 39 and insert—

“Medical Act 1983 (c. 54)

9 The Medical Act 1983 is amended as follows.

10 (1) Section 29E (evidence) is amended as follows.

(2) In subsection (5), after “enactment” insert “or the GDPR”. (3) For subsection (7) substitute—

“(7) In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (9), at the end insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

11 (1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.

(2) In subsection (4), after “enactment” insert “or the GDPR”. (3) For subsection (5A) substitute—

“(5A) In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.”

(4) In subsection (7), at the end insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

12 In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert “—

“the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

13 In section 55(1) (interpretation), omit the definition of “Directive 95/46/ EC”.

13A (1) Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.

(2) In sub-paragraph (2)(a), after “enactment” insert “or the GPDR”. (3) After sub-paragraph (3) insert—

“(4) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

13B (1) Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.

(2) In sub-paragraph (8), after “enactment” insert “or the GDPR”. (3) For sub-paragraph (8A) substitute—

“(8A) In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.”

(4) After sub-paragraph (13) insert—

“(14) In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

13C (1) The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.”

236: Schedule 18, page 211, line 18, leave out from “GDPR”” to “(see” in line 19 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

237: Schedule 18, page 211, line 20, at end insert—

“15A In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.”

238: Schedule 18, page 211, line 39, leave out from “GDPR”” to “(see” in line 40 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

239: Schedule 18, page 211, line 41, at the end insert—

“16A In section 53(1) (interpretation), omit the definition of “Directive 95/46/ EC”.

16B (1) The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Companies Act 1985 (c. 6)

16C In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “the data protection legislation”.”

240: Schedule 18, page 212, line 16, leave out from “GDPR”” to “(see” in line 17 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

241: Schedule 18, page 212, line 18, at end insert—

“Access to Health Records Act 1990 (c. 23)

18A The Access to Health Records Act 1990 is amended as follows.

18B For section 2 substitute—

“2 Health professionals

In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

18C (1) Section 3 (right of access to health records) is amended as follows. (2) In subsection (2), omit “Subject to subsection (4) below,”.

(3) In subsection (4), omit from “other than the following” to the end.”

242: Schedule 18, page 213, line 2, at end insert—

“Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))

21A (1) Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.

(2) In paragraph (3), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (6) insert—

“(7) In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

243: Schedule 18, page 213, line 7, leave out “162” and insert “(Applications in respect of urgent notices)”

244: Schedule 18, page 213, line 20, at end insert “, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments)”

245: Schedule 18, page 216, line 10, leave out from “data”” to “(see” in line 11 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

246: Schedule 18, page 219, line 15, leave out from “GDPR”” to “(see” in line 16 and insert “and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

247: Schedule 18, page 220, line 7, at end insert—

“Enterprise Act 2002 (c. 40)

64A (1) Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.

(2) In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

(3) After subsection (6) insert—

“(7) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

248: Schedule 18, page 220, line 13, leave out “162” and insert “(Applications in respect of urgent notices)”

249: Schedule 18, page 221, line 21, leave out from “data”” to “(see” in line 22 and insert “, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

250: Schedule 18, page 222, line 21, at end insert—

“Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)

75A (1) Section 279 of the Mental Health Care and Treatment (Scotland) Act 2003 (information for research) is amended as follows.

(2) In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”.

(3) After subsection (9) insert—

“(10) In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).””

251: Schedule 18, page 222, line 29, at end insert—

“Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)

76A The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.

76B (1) Section 15A (disclosure of information by tax authorities) is amended as follows.

(2) In subsection (2)—

(a) omit “within the meaning of the Data Protection Act 1998”, and

(b) for “that Act” substitute “the data protection legislation”. (3) After subsection (7) insert—

“(8) In this section—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act); “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

76C (1) Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.

(2) In subsection (7), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (7) insert—

“(8) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

252: Schedule 18, page 223, line 35, leave out “162” and insert “(Applications in respect of urgent notices)”

253: Schedule 18, page 224, line 32, leave out “162” and insert “(Applications in respect of urgent notices)”

254: Schedule 18, page 225, line 10, at end insert—

“88A(1) Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.

(2) In subsection (2), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After subsection (3) insert—

“(4) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

255: Schedule 18, page 225, line 28, at end insert—

“Companies Act 2006 (c. 46)

92A The Companies Act 2006 is amended as follows.

92B In section 458(2) (disclosure of information by tax authorities)—

(a) for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)”, and

(b) for “that Act” substitute “the data protection legislation”.

92C In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92D In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “the data protection legislation”.

92E In section 1173(1) (minor definitions: general), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.

92F In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92G In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “the data protection legislation”.

92H In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”.

92I In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—

“the data protection legislation

section 1261(1)”.

92J In Schedule 8 (index of defined expressions: general), at the appropriate place insert—

“the data protection legislation

section 1173(1)”.”

256: Schedule 18, page 225, line 38, at end insert—

“96A(1) Section 45 (information held by HMRC) is amended as follows.

(2) In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “section 128 of the Data Protection Act 2018”.

(3) In subsection (4B), for “the Data Protection Act 1998” substitute “the Data Protection Act 2018”.”

257: Schedule 18, page 226, line 27, leave out sub-paragraph (2) and insert —

“( ) In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

258: Schedule 18, page 230, line 16, at end insert—

“Coroners and Justice Act 2009 (c. 25)

122A In Schedule 21 of the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).”

259: Schedule 18, page 231, line 29, leave out “162” and insert “(Applications in respect of urgent notices)”

260: Schedule 18, page 231, line 33, leave out “162” and insert “(Applications in respect of urgent notices)”

261: Schedule 18, page 232, line 39, after “after “” insert “this”

262: Schedule 18, page 238, line 40, leave out “162” and insert “(Applications in respect of urgent notices)”

263: Schedule 18, page 239, line 38, leave out “162” and insert “(Applications in respect of urgent notices)”

264: Schedule 18, page 241, line 12, leave out sub-paragraph (2) and insert —

“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

265: Schedule 18, page 241, line 26, leave out sub-paragraph (2) and insert —

“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

266: Schedule 18, page 242, line 1, leave out sub-paragraph (2) and insert —

“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

267: Schedule 18, page 242, line 16, leave out sub-paragraph (2) and insert —

“( ) In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “prepared under section 122 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act”.”

268: Schedule 18, page 242, line 40, at end insert—

“Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)

186A(1) Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.

(2) In the English language text—

(a) in subsection (9), omit from “and in this subsection” to the end, and

(b) after subsection (9) insert—

“(9A) In subsection (9)—

“data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;

“personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

(3) In the Welsh language text—

(a) in subsection (9), omit from “ac yn yr is-adran hon” to the end, and

(b) after subsection (9) insert—

“(9A) Yn is-adran (9)—

mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o’r Ddeddf honno);

mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o’r Ddeddf honno.”

269: Schedule 18, page 243, line 14, at end insert—

“Estate Agents (Specific Offences) (No. 2) Order 1991 (S.I. 1991/1091)

187A In the table in the Schedule to the Estate Agents (Specified Offences) (No.2) Order 1991 (specified offences), at the end insert—

“Data Protection Act 2018

Section 145

Section (Destroying or falsifying information and documents etc)

False statements made in response to an information notice

Destroying or falsifying information and documents etc””

270: Schedule 18, page 243, line 22, after “controller”,” insert—

“(ba) after “in the context of” insert “the activities of”,”

271: Schedule 18, page 243, line 27, after “controller”,” insert—

“(ba) after “in the context of” insert “the activities of”,”

272: Schedule 18, page 243, line 28, at end insert—

“Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

188A The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.

188B In Article 4 (health professionals), for paragraph (1) substitute—

“(1) In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 197 of that Act).”

188C In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “made by the Department”.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

188D In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—

“(2) For the purposes of section 200 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).

(3) For the purposes of section 200 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).”

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

188E The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.

188F(1) Regulation 2(1) (interpretation) is amended as follows. (2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188G(1) The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

188H For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—

“7 Data Protection Act 2018

(1) The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

188I For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—

“9 Data Protection Act 2018

(1) The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Commission is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)

188J The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I.2000/185)

188K The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.

Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)

188L The Data Protection (Functions of Designated Authority) Order 2000 is revoked.

Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)

188M The Data Protection (International Co-operation) Order 2000 is revoked.

Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)

188N The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.

Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)

188O In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.

Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)

188P The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)

188Q The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.

Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)

188R The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.

Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)

188S The Data Protection (Crown Appointments) Order 2000 is revoked.

Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)

188T The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.

Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)

188U The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.

Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)

188V The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

188W The Representation of the People (England and Wales) Regulations 2001 are amended as follows.

188X In regulation 3(1) (interpretation), at the appropriate places insert— ““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188Y In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188Z In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AA In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AB In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes;”.

188AC(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.

(2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188AD In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

188AE In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AF In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AG In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AH In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AI In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) Article 89 GDPR purposes;”.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

188AJ The Representation of the People (Scotland) Regulations 2001 are amended as follows.

188AK In regulation 3(1) (interpretation), at the appropriate places, insert— ““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

188AL In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AM In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AN In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “the data protection legislation”.

188AO In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes;”.

188AP In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes;”.

188AQ(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows. (2) After sub-paragraph (b) insert—

“(ba) “relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.”

(3) Omit sub-paragraphs (c) and (d).

188AR In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

188AS In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AT In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AU In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

188AV In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) Article 89 GDPR purposes;”.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

188AW(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.

(2) In paragraph (2B), for sub-paragraph (a) substitute—

“(a) the disclosure is made in accordance with Chapter V of the GDPR;”.

(3) After paragraph (5) insert—

“(6) In this article, “the GDPR” has the same meaning as in Parts 5 to

7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Nursing and Midwifery Order 2001 (S.I. 2002/253)

188AX The Nursing and Midwifery Order 2001 is amended as follows.

188AY(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.

(2) In paragraph (18), after “enactment” insert “or the GDPR”. (3) After paragraph (18) insert—

“(19) In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

188AZ(1)Article 25 (the Council’s power to require disclosure of information) is amended as follows.

(2) In paragraph (3), after “enactment” insert “or the GDPR”. (3) In paragraph (6)—

(a) for “paragraph (5),” substitute “paragraph (3)—”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

188BA In article 39B (European professional card), after paragraph (2) insert— “(3) For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

188BB In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

188BC(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “the GDPR”.

(3) In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

188BD(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

188BE In Schedule 4 (interpretation), omit the definition of “Directive 95/46/ EC”.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

188BF Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.

188BG In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “the GDPR”.

188BH In paragraph (3)—

(a) omit the definitions of “Data Protection Directive” and

“Telecommunications Data Protection Directive”, and

(b) at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)

188BI The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

188BJ The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.

188BK In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “the Data Protection Act 2018”.

188BL(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In that sub-paragraph, for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4) After that sub-paragraph insert— “(2) In this regulation—

“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act); “personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).”

(3) Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.”

(5) In the heading of that regulation, for “the Data Protection Act 1998” substitute “the data protection legislation”.”

273: Schedule 18, page 244, line 1, at end insert—

“(d) for “data controller” substitute “controller”, and

(e) after “in the context of” insert “the activities of”.

Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

191A The Pupils’ Educational Records (Scotland) Regulations 2003 are amended as follows.

191B(1) Regulation 2 (interpretation) is amended as follows. (2) Omit the definition of “the 1998 Act”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

191C(1) Regulation 6 (circumstances where information should not be disclosed) is amended as follows.

(2) After “any information” insert “to the extent that any of the following conditions are satisfied”.

(3) For paragraphs (a) to (c) substitute—

“(aa) the pupil to whom the information relates would have no right of access to the information under the GDPR;

(ab) the information is personal data described in Article

9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);”.

(4) In paragraph (d), for “to the extent that its disclosure” substitute “the disclosure of the information”.

(5) In paragraph (e), for “that” substitute “the information”.

191D In regulation 9 (fees), for paragraph (1) substitute—

“(1A) In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

(1B) Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—

(a) exceeds the cost of supply, or

(b) exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.”

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

191E Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.

191F(1) Paragraph 74(1) (interpretation) is amended as follows.

(2) Omit the definitions of “relevant conditions” and “research purposes”.

(3) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

191G In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)

191H In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.”

274: Schedule 18, page 244, line 13, leave out from “GDPR”” to “(see” in line 14 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

275: Schedule 18, page 246, line 31, leave out from “GDPR”” to “(see” in line 32 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

276: Schedule 18, page 247, line 40, at end insert—

“Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

199A(1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.

(2) In paragraph (1)(b)—

(a) for paragraph (iii) (but not the final “, and”) substitute—

“(iii) the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer”, and

(b) in the words following paragraph (iii), omit “search”. (3) After paragraph (2) insert—

“(3) In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).”

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

199B The Education (Pupil Information) (England) Regulations 2005 are amended as follows.

199C In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “section 3(4) of the Data Protection Act 2018”.

199D(1) Regulation 5 (disclosure of curricular and educational records) is amended as follows.

(2) In paragraph (4)—

(a) in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the GDPR”, and

(b) in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “the GDPR”.

(3) After paragraph (6) insert—

“(7) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.””

277: Schedule 18, page 248, line 37, leave out from “GDPR”” to “(see” in line 38 and insert “and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act”

278: Schedule 18, page 249, line 1, at end insert—

“Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

200A In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—

(a) for the definition of “data protection principles” substitute— ““data protection principles” means the principles set out in Article 5(1) of the GDPR;”, and

(b) at the appropriate place insert—

““the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);”.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

200B The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.

200C(1) Regulation 39 (sensitive information) is amended as follows. (2) In paragraph (1)(d)—

(a) omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for “(2) or (3)” substitute “(1A), (1B) or (1C)”.

(3) After paragraph (1) insert—

“(1A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C) The condition in this paragraph is that—

(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

(4) Omit paragraphs (2) to (4).

Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)

200D The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

200E(1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(4) After that sub-paragraph insert—

“(2) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

200F In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity), for paragraph (b) substitute—

“(b) any material used consists of or includes human cells or human DNA,”.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

200G For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—

“5 Data Protection Act 2018

(1) The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2) The Assembly Commission is to be treated as a government department for the purposes of the following provisions—

(a) section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b) section 202 (application to the Crown),

(c) paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d) paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e) paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3) In the provisions mentioned in paragraph (4)—

(a) references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and

(b) references to a person in the service of the Crown are to be treated as including a person so employed.

(4) The provisions are—

(a) section 24(3) (exemption for certain data relating to employment under the Crown), and

(b) section 202(6) (application of certain provisions to a person in the service of the Crown).

(5) In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

200H In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant’s loss of capacity)—

(a) in the English language text, for paragraph (c) substitute—

“(c) any material used consists of or includes human cells or human DNA; and”, and

(b) in the Welsh language text, for paragraph (c) substitute—

“(c) os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu’n DNA dynol neu yn eu cynnwys; ac”.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

200I (1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.

(2) In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”.

(3) After paragraph (1) insert—

“(2) In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

200J In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—

“(i) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU)

2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

200K The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 is amended as follows.

200L In regulation 2 (interpretation), at the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

200M In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “information to which the pupil to whom the information relates would have no right of access under the GDPR”.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

200N In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—

(a) in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics)”, and

(b) after paragraph (3) insert—

“(4) In this regulation, “the GDPR” means Regulation (EU)

2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

200O In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “the data protection legislation”.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

200P The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.

200Q In regulation 2(1) (interpretation)—

(a) at the appropriate place in the English language text insert— ““the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”, and

(b) at the appropriate place in the Welsh language text insert—

“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o’r Ddeddf honno (gweler adran

3(10), (11) a (14) o’r Ddeddf honno);”.

200R(1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (8)—

(a) in the English language text substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(8) Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200S (1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (7)—

(a) in the English language text substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(7) Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

200T(1) Regulation 29 (occurrence reports) is amended as follows. (2) In paragraph (3)—

(a) in the English language text, at the end insert “or the GDPR”, and

(b) in the Welsh language text, at the end insert “neu’r GDPR”.

(3) For paragraph (4)—

(a) in the English language text substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”, and

(b) in the Welsh language text substitute—

“(4) Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi’i wahardd, mae i’w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i’r Ddeddf honno (esemptiadau rhag darpariaethau penodol o’r ddeddfwriaeth diogelu data: datgeliadau sy’n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.”

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

200U(1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.

(2) In paragraph (3)—

(a) omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b) for the words from “where” to the end substitute “if the condition in paragraph (3A) or (3B) is satisfied”.

(3) After paragraph (3) insert—

“(3A) The condition in this paragraph is that the disclosure of the information to a member of the public—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B) The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”

(4) After paragraph (4) insert— “(5) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

200V(1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Overseas Companies Regulations 2009 (S.I. 2009/1801)

200W(1) Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section

(Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)

200X The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.

Provision of Services Regulations 2009 (S.I. 2009/2999)

200Y In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—

“(d) matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.”

279: Schedule 18, page 249, line 32, at end insert—

“INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

201A(1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.

(2) In paragraph (2)—

(a) omit “or” at the end of sub-paragraph (a), (b) for sub-paragraph (b) substitute—

“(b) Article 21 of the GDPR (general processing: right to object to processing), or

(c) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).”, and

(c) omit the words following sub-paragraph (b). (3) After paragraph (6) insert—

“(7) In this regulation—

“the data protection principles” means the principles set out in—

(a) Article 5(1) of the GDPR,

(b) section 34(1) of the Data Protection Act 2018, and

(c) section 85(1) of that Act;

“the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

“personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(8) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

201B The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.

201C In regulation 2(2) (interpretation), at the appropriate place insert—

““the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.”

201D(1) Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.

(2) In paragraph (7), at the end insert “or the GDPR”.

(3) For paragraph (8) substitute—

“(8) In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201E(1) Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.

(2) In paragraph (6), at the end insert “or the GDPR”. (3) For paragraph (7) substitute—

“(7) In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

201F(1) Regulation 29 (occurrence reports) is amended as follows. (2) In paragraph (3), at the end insert “or the GDPR”.

(3) For paragraph (4) substitute—

“(4) In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)

201G The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.

Pharmacy Order 2010 (S.I. 2010/231)

201H The Pharmacy Order 2010 is amended as follows.

201I In article 3(1) (interpretation), omit the definition of “Directive 95/46/ EC”.

201J (1) Article 9 (inspection and enforcement) is amended as follows.

(2) For paragraph (4) substitute—

“(4) If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.”

(3) After paragraph (4) insert—

“(5) In this article, “personal data” and references to Schedule 2 to the

Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

201K In article 33A (European professional card), after paragraph (2) insert— “(3) In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.”

201L(1) Article 49 (disclosure of information: general) is amended as follows. (2) In paragraph (2)(a), after “enactment” insert “or the GDPR”.

(3) For paragraph (3) substitute—

“(3) In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.”

(4) After paragraph (5) insert—

“(6) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201M(1) Article 55 (professional performance assessments) is amended as follows.

(2) In paragraph (5)(a), after “enactment” insert “or the GDPR”. (3) For paragraph (6) substitute—

“(6) In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.”

(4) After paragraph (8) insert—

“(9) In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).”

201N In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—

“(aa) “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

201O(1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.

(2) In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “the GDPR”.

(3) In paragraph 9 (processing data)—

(a) omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and

(b) after sub-paragraph (2) insert—

“(3) In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).”

201P(1) The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.

(2) In the entry for Article 56(2), in the second column, for “Directive 95/46/ EC” substitute “the GDPR”.

(3) In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “the GDPR”.

Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)

201Q The Data Protection (Monetary Penalties) Order 2010 is revoked.

National Employment Savings Trust Order 2010 (S.I. 2010/917)

201R The National Employment Savings Trust Order 2010 is amended as follows.

201S In article 2 (interpretation)—

(a) omit the definition of “data” and “personal data”, and

(b) at the appropriate place insert—

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

201T(1) Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.

(2) In paragraph (1)—

(a) for “disclosure of data” substitute “disclosure of information”, and

(b) for “requested data” substitute “requested information”.

(3) In paragraph (2)—

(a) for “requested data” substitute “requested information”, (b) for “those data are” substitute “the information is”, and

(c) for “receive those data” substitute “receive that information”.

(4) In paragraph (3), for “requested data” substitute “requested information”.

(5) In paragraph (4), for “requested data” substitute “requested information”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

201U(1) Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(1) (interpretation and general)—

(a) omit the definition of “research purposes”, and

(b) at the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “Article 89 GDPR purposes”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

201V(1) Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.

(2) In paragraph (5)—

(a) in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute “information—

(a) which the head teacher could not lawfully disclose to the pupil under the GDPR, or

(b) to which the pupil would have no right of access under the GDPR.”, and

(b) in the Welsh language text, for “ddogfennau sy’n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute “wybodaeth—

(a) na allai’r pennaeth ei datgelu’n gyfreithlon i’r disgybl o dan y GDPR, neu

(b) na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.”

(3) After paragraph (5)—

(a) in the English language text insert—

“(6) In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part

2 of the Data Protection Act 2018.”, and

(b) in the Welsh language text insert—

“(6) Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a’r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o’r fath (y Rheoliad Diogelu Data Cyffredinol), fel y’i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.”

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

201W In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

201X The Police and Crime Commissioner Elections Order 2012 is amended as follows.

201Y(1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.

(2) In paragraph 20 (absent voter lists: supply of copies etc)—

(a) in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

201Z(1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)

201AA The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

201AB Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.

201AC(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.

(2) At the appropriate places insert—

““Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”;

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);”.

(3) For the definition of “relevant conditions” substitute—

““relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;”.

(4) Omit the definition of “research purposes”.

201AD In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “section 123(5) of the Data Protection Act 2018”.

201AE In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AF In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AG In paragraph 39(8) and (9) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “Article 89 GDPR purposes in accordance with the relevant requirement”.

201AH In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—

“(a) Article 89 GDPR purposes (as defined in paragraph 29),”.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

201AI(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.

(2) For paragraph (4) substitute—

“(4) Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.”

(3) In paragraph (5), after “enactment” insert “or the GDPR”. (4) After paragraph (6) insert—

“(7) In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).”

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

201AJ(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.

(2) The existing text becomes paragraph (1).

(3) In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(4) After that paragraph insert—

“(2) In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).””

280: Schedule 18, page 249, line 36, at end insert—

“Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282)

202A The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.”

281: Schedule 18, page 250, line 7, at end insert—

“Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

204A(1) Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.

(4) In paragraph (c) of that sub-paragraph—

(a) omit “or” at the end of sub-paragraph (i), and

(b) at the end insert “; or

(iii) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice) or section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”.

(5) After paragraph (c) of that sub-paragraph insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.”

(6) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a) where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

204B The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.

204C(1) Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.

(2) In paragraph (1)(b), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) After paragraph (2) insert—

“(3) In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”

204D(1) Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.

(2) For paragraph (1) substitute—

“(1) Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.”

(3) After paragraph (3) insert—

“(4) In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).”

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

204E The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.

204F(1) Regulation 2(1) (interpretation) is amended as follows. (2) Omit the definition of “Directive 95/46/EC”.

(3) At the appropriate place insert—

““the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;”.

204G In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “the GDPR and Directive”.

204H In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204I In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “the GDPR”.

204J In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).

204K In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “the GDPR and Directive”.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

204L The Scottish Parliament (Elections etc) Order 2015 is amended as follows.

204M(1) Schedule 3 (absent voting) is amended as follows.

(2) In paragraph 16 (absent voting lists: supply of copies etc)—

(a) in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (10) insert—

“(11) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

(3) In paragraph 20 (restriction on use of absent voting lists)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after that sub-paragraph insert—

“(4) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

204N(1) Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3) In paragraph 5 (restriction on use of documents or of information contained in them)—

(a) in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

“(a) purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);”, and

(b) after sub-paragraph (4) insert—

“(5) In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

204O In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

204P Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.

204Q(1) Paragraph 6 (disclosure to a credit reference agency) is amended as follows.

(2) In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—

“(ii) for the purposes of ensuring that it complies with its data protection obligations;”.

(3) In sub-paragraph (c)—

(a) omit “or” at the end of paragraph (ii), and

(b) at the end insert—

“(iv) section 145 of the Data Protection Act 2018 (false statements made in response to an information notice); or

(v) section (Destroying or falsifying information and documents etc) of that Act (destroying or falsifying information and documents etc);”

(4) After sub-paragraph (c) insert—

“(d) has not been given a penalty notice under section 154 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.”

204R In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—

“(b) for the purposes of ensuring that it complies with its data protection obligations.”

204S (1) In Part 3 (interpretation), after paragraph 13 insert—

“14 In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—

(a) where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).”

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

204T The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.

204U In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.

204V In regulation 3(3) (supervision), omit “under the 1998 Act”.

204W For Schedule 2 substitute—

“SCHEDULE 2

INFORMATION COMMISSIONER’S ENFORCEMENT POWERS

Provisions applied for enforcement purposes

1 For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 24—

(a) section 140 (publication by the Commissioner); (b) section 141 (notices from the Commissioner); (c) section 143 (information notices);

(d) section 144 (information notices: restrictions);

(e) section 145 (false statements made in response to an information notice);

(f) section (Information orders) (information orders); (g) section 146 (assessment notices);

(h) section (Destroying or falsifying information and documents etc) (destroying or falsifying information and documents etc);

(i) section 147 (assessment notices: restrictions); (j) section 148 (enforcement notices);

(k) section 149 (enforcement notices: supplementary); (l) section 151 (enforcement notices: restrictions);

(m) section 152 (enforcement notices: cancellation and variation);

(n) section 153 and Schedule 15 (powers of entry and inspection);

(o) section 154 and Schedule 16 (penalty notices); (p) section 155(4)(a) (penalty notices: restrictions); (q) section 156 (maximum amount of penalty);

(r) section 158 (amount of penalties: supplementary);

(s) section 159 (guidance about regulatory action);

(t) section 160 (approval of first guidance about regulatory action);

(u) section (Applications in respect of urgent notices) (applications in respect of urgent notices);

(v) section 177 (jurisdiction);”

(w) section 161 (rights of appeal);

(x) section 162 (determination of appeals);

(y) section 179(1), (2), (5), (7) and (12) (regulations and consultation);

(z) section 189 (penalties for offences);

(z1) section 190 (prosecution);

(z2) section 195 (proceedings in the First-tier Tribunal: contempt);

(z3) section 196 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018

2 The provisions listed in paragraph 1 have effect as if—

(a) references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b) references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 143 (information notices)

3 (1) Section 143 has effect as if subsections (9) and (10) were omitted.

(2) In that section, subsection (1) has effect as if— (a) in paragraph (a)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS Regulation and the EITSET Regulations”;

(b) paragraph (b) were omitted.

(3) In that section, subsection (2) has effect as if paragraph (a) were omitted.

Modification of section 144 (information notices: restrictions)

4 (1) Section 144 has effect as if subsections (1) and (9) were omitted. (2) In that section—

(a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”;

(b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”;

(c) subsection (8) has effect as if for “this Act (other than an offence under section 145)” there were substituted “section (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”.

Modification of section (Information orders) (information orders)

5 Section (Information orders)(2)(b) has effect as if for “section 143(2)(b)” there were substituted “section 143(2)”.

Modification of section 146 (assessment notices)

6 (1) Section 146 has effect as if subsection (10) were omitted. (2) In that section—

(a) subsection (1) has effect as if—

(i) for “controller or processor” (in both places) there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”;

(b) subsection (2) has effect as if paragraphs (g) and (h) were omitted;

(c) subsections (7), (8), (8A) and (9) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider;

(d) subsection (8A)(a) has effect as if for “as described in section 148(2) or that an offence under this Act” there were substituted “to comply with the eIDAS requirements or that an offence under section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15”.

Modification of section 147(assessment notices: restrictions)

7 (1) Section 147 has effect as if subsections (5) and (6) were omitted. (2) In that section, subsections (2)(b) and (3)(b) have effect as if for

“the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 148 (enforcement notices)

8 (1) Section 148 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2) In that section—

(a) subsection (1) has effect as if—

(i) for “as described in subsection (2), (3), (4) or (5)” there were substituted “to comply with the eIDAS requirements”;

(ii) for “sections 149 and 150” there were substituted “section 149”;

(b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 149 (enforcement notices: supplementary)

9 (1) Section 149 has effect as if subsection (3) were omitted.

(2) In that section, subsection (2) has effect as if the words “in reliance on section 148(2)” and “or distress” were omitted.

Modification of section 151 (enforcement notices: restrictions)

10 Section 151 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal notices

11 The provisions listed in paragraph 1 have effect as if after section 152 there were inserted—

“Withdrawal notices

152A Withdrawal notices

(1) The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a) the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b) the condition in subsection (2) or (3) is met.

(2) The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3) The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a) the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b) the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4) A withdrawal notice must—

(a) state when the withdrawal takes effect, and

(b) provide information about the rights of appeal under section 161.”

Modification of Schedule 15 (powers of entry and inspection)

12 (1) Schedule 15 has effect as if paragraph 3 were omitted.

(2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

“(a) there are reasonable grounds for suspecting that—

(i) a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii) an offence under section 145 or (Destroying or falsifying information and documents etc) or paragraph 15 of Schedule 15 has been or is being committed,”.

(3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a) in sub-paragraph (1) and (2), for “controller or processor” there were substituted “trust service provider”;

(b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the eIDAS requirements”.

(4) Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “the provision of trust services”;

(b) in sub-paragraph (2)(c)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “as described in section 148(2)” there were substituted “to comply with the eIDAS requirements”;

(c) in sub-paragraph (3)(a) and (c)—

(i) for “controller or processor” there were substituted “trust service provider”;

(ii) for “the data protection legislation” there were substituted “the eIDAS requirements”.

(5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”.

Modification of section 154 (penalty notices)

13 (1) Section 154 has effect as if subsections (1)(a), (2)(a), (3)(g), (3A) and (5) to (7) were omitted.

(2) Subsection (2) of that section has effect as if—

(a) the words “Subject to subsection (3A),” were omitted; (b) in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3) Subsection (3) of that section has effect as if—

(a) for “controller or processor”, in each place, there were substituted “trust services provider”;

(b) in paragraph (c), the words “or distress” were omitted; (c) in paragraph (c), for “data subjects” there were substituted “relying parties”;

(d) in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “Article 19(1) of the eIDAS Regulation”.

Modification of Schedule 16 (penalties)

14 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 156 (maximum amount of penalty)

15 Section 156 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 158 (amount of penalties: supplementary)

16 Section 158 has effect as if—

(a) in subsection (1), the words “Article 83 of the GDPR

and” were omitted;

(b) in subsection (2), the words “Article 83 of the GDPR”

and “and section 157” were omitted.

Modification of section 159 (guidance about regulatory action)

17 (1) Section 159 has effect as if subsections (4) and (10) were omitted.

(2) In that section, subsection (3)(e) has effect as if for “controllers and processors” there were substituted “trust service providers”.

Modification of section 161 (rights of appeal)

18 (1) Section 161 has effect as if subsection (5) were omitted.

(2) In that section, subsection (1) has effect as if, after paragraph

(c), there were inserted—

“(ca) a withdrawal notice;”.

Modification of section 162 (determination of appeals)

19 Section 162 has effect as if subsection (7) were omitted.

Modification of section 177 (jurisdiction)

20 (1) Section 177 has effect as if subsections (2)(c) and (d) and (3) were omitted.

(2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”.

Modification of section 179 (regulations and consultation)

21 Section 179 has effect as if subsections (3), (4), (6), (8) to (11) and (13) were omitted.

Modification of section 189 (penalties for offences)

22 (1) Section 189 has effect as if subsections (3) to (5) were omitted. (2) In that section—

(a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b) subsection (2) has effect as if for “section 132, 145, (Destroying or falsifying information and documents etc), 170, 171 or 181” there were substituted “section 145 or (Destroying or falsifying information and documents etc)”.

Modification of section 190 (prosecution)

23 Section 190 has effect as if subsections (3) to (6) were omitted.

Modification of section 195 (proceedings in the First-tier Tribunal: contempt)

24 Section 195 has effect as if in subsection (1)(a), for sub- paragraphs (i) and (ii) there were substituted “on an appeal under section 161”.

Modification of section 196 (Tribunal Procedure Rules)

25 Section 196 has effect as if—

(a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 161”;

(b) in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “the provision of trust services”.

Approval of first guidance about regulatory action

26 (1) This paragraph applies if the first guidance produced under section 159(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2) Section 160 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3) Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4) Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

Interpretation

27 In this Schedule—

“the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;

“the EITSET Regulations” means these Regulations; “withdrawal notice” has the meaning given in section 146A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).”

Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)

204X The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.

204Y In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018.”

204Z In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute “—

(a) Article 5(1) of the GDPR, and

(b) section 34(1) of the Data Protection Act 2018.”

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)

204AA The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.

204AB In regulation 3(1) (interpretation), at the appropriate places insert— ““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of thatAct);”;

““the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);”.

204AC In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute “— (a) the Data Protection Act 2018 or any other enactment, or

(b) the GDPR.”

204AD In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute “—

(a) the Data Protection Act 2018 or any other enactment, or

(b) the GDPR.”

204AE For regulation 40(9)(c) (record keeping) substitute—

“(c) “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

(d) “personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).”

204AF(1)Regulation 41 (data protection) is amended as follows. (2) Omit paragraph (2).

(3) In paragraph (3)(a), after “Regulations” insert “or the GDPR”. (4) Omit paragraphs (4) and (5).

(5) After those paragraphs insert—

“(6) Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a) for the purposes of preventing money laundering or terrorist financing, or

(b) as permitted under paragraph (3).

(7) In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.

(8) In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 9, 10 and 10A of that Schedule).

(9) In this regulation—

“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);

“sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).”

204AG(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.

(2) In paragraph (10), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) For paragraph (11) substitute—

“(11) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

204AH(1)Regulation 85 (publication: the Commissioners) is amended as follows.

(2) In paragraph (9), for “the Data Protection Act 1998” substitute “the data protection legislation”.

(3) For paragraph (10) substitute—

“(10) For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).”

204AI For regulation 106(a) (general restrictions) substitute—

“(a) a disclosure in contravention of the data protection legislation; or”.

204AJ After paragraph 27 of Schedule 3 (relevant offences) insert—

“27A An offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.”

Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I.2017/694)

204AK(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.

(2) The existing text becomes sub-paragraph (1).

(3) For paragraph (b) of that sub-paragraph substitute—

“(b) for the purposes of ensuring that it complies with its data protection obligations.”

(4) After sub-paragraph (1) insert—

“(2) In this paragraph, “data protection obligations”, in relation to a relevant institution, means—

(a) where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b) where the institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i) the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii) legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii) legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)

204AL In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—

““data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);”;

““personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);”.

National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)

204AM The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.

204AN(1)Regulation 1 (citation and commencement) is amended as follows. (2) In paragraph (2), omit “Subject to paragraph (3),”.

(3) Omit paragraph (3).

204AO In regulation 3(1) (interpretation)—

(a) omit the definition of “the 1998 Act”, (b) at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c) omit the definition of “GDPR”.

204AP(1)Schedule 6 (other contractual terms) is amended as follows.

(2) In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute “—

(a) the data protection legislation, or

(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”

(3) For paragraph 64 (meaning of data controller etc.) substitute—

“Meaning of controller etc.

64A For the purposes of this Part—

“controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

“data protection officer” means a person designated as a data protection officer under the data protection legislation;

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”

(4) In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “controllers”.

(5) In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i) the data protection legislation, and

(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(6) In paragraph 94(4) (variation of a contract: general)— (a) omit paragraph (b), and

(b) after paragraph (d) (but before the final “and”) insert—

“(da) the data protection legislation;

(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)

204AQ The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.

204AR(1)Regulation 1 (citation and commencement) is amended as follows. (2) In paragraph (2), omit “Subject to paragraph (3),”.

(3) Omit paragraph (3).

204AS In regulation 3(1) (interpretation)—

(a) omit the definition of “the 1998 Act”, and

(b) at the appropriate place insert—

““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”, and

(c) omit the definition of “GDPR”.

204AT(1)Schedule 1 (content of agreements) is amended as follows. (2) In paragraph 34 (interpretation)—

(a) in sub-paragraph (1)—

(i) omit “Subject to sub-paragraph (3),”, (ii) before paragraph (a) insert—

“(za) “controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act

2018 (see section 3(6) and (14) of that Act);

(zb) “data protection officer” means a person designated as a data protection officer under the data protection legislation;”, and

(iii) for paragraph (d) substitute—

“(e) “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).”,

(b) omit sub-paragraphs (2) and (3),

(c) in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute “—

(a) the data protection legislation, or

(b) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.”, and

(d) in sub-paragraph (6)(b), for “data controllers” substitute “controllers”.

(3) In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute “—

(i) the data protection legislation, and

(ii) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

(4) In paragraph 61(3) (variation of agreement: general)— (a) omit paragraph (b), and

(b) after paragraph (d) (but before the final “and”) insert—

“(da) the data protection legislation;

(db) any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;”.

PART 3

MODIFICATIONS

Introduction

204AU(1)Unless the context otherwise requires, legislation described in sub- paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.

(2) That legislation is—

(a) subordinate legislation made before the day on which this Part of this Schedule comes into force;

(b) primary legislation that is passed or made before the end of the Session in which this Act is passed.

(3) In this Part of this Schedule—

“primary legislation” has the meaning given in section 204(7); “references” includes any references, however expressed.

General modifications

204AV(1)References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.

(2) Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.

(3) References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.

Specific modification of references to terms used in the Data Protection Act 1998

204AW(1)References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).

(2) References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).

(3) References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).

(4) References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).

(5) References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—

(a) Article 5(1) of the GDPR and the applied GDPR, and

(b) sections 34(1) and 85(1) of this Act.

(6) References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 123 of this Act.

(7) References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 197 of this Act.

(8) References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 198 of this Act.

PART 4

SUPPLEMENTARY

Definitions

204AX Section 3(14) does not apply to this Schedule.”

282: After Schedule 18, insert the following new Schedule—

“TRANSITIONAL PROVISION ETC

PART 1

GENERAL

Interpretation

1 (1) In this Schedule—

“the 1984 Act” means the Data Protection Act 1984; “the 1998 Act” means the Data Protection Act 1998;

“the 2014 Regulations” means the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141);

“data controller” has the same meaning as in the 1998 Act (see section 1 of that Act);

“the old data protection principles” means the principles set out in—

(a) Part 1 of Schedule 1 to the 1998 Act, and

(b) regulation 30 of the 2014 Regulations.

(2) A provision of the 1998 Act that has effect by virtue of this Schedule is not, by virtue of that, part of the data protection legislation (as defined in section 3).

PART 2

RIGHTS OF DATA SUBJECTS

Right of access to personal data under the 1998 Act

2 (1) The repeal of sections 7 to 9A of the 1998 Act (right of access to personal data) does not affect the application of those sections after the relevant time in a case in which a data controller received a request under section 7 of that Act (right of access to personal data) before the relevant time.

(2) The repeal of sections 7 and 8 of the 1998 Act and the revocation of regulation 44 of the 2014 Regulations (which applies those sections with modifications) do not affect the application of those sections and that regulation after the relevant time in a case in which a UK competent authority received a request under section 7 of the 1998 Act (as applied by that regulation) before the relevant time.

(3) The revocation of the relevant regulations, or their amendment by Schedule 18 to this Act, and the repeals and revocation mentioned in sub-paragraphs (1) and (2), do not affect the application of the relevant regulations after the relevant time in a case described in those sub- paragraphs.

(4) In this paragraph—

“the relevant regulations” means—

(a) the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191);

(b) regulation 4 of, and Schedule 1 to, the Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290);

(c) regulation 3 of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244);

“the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force;

“UK competent authority” has the same meaning as in Part 4 of the 2014 Regulations (see regulation 27 of those Regulations).

Right to prevent processing likely to cause damage or distress under the 1998 Act

3 (1) The repeal of section 10 of the 1998 Act (right to prevent processing likely to cause damage or distress) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 10 of the 1998 Act comes into force.

Right to prevent processing for purposes of direct marketing under the 1998 Act

4 (1) The repeal of section 11 of the 1998 Act (right to prevent processing for purposes of direct marketing) does not affect the application of that section after the relevant time in a case in which an individual gave notice in writing to a data controller under that section before the relevant time.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 11 of the 1998 Act comes into force.

Automated processing under the 1998 Act

5 (1) The repeal of section 12 of the 1998 Act (rights in relation to automated decision-taking) does not affect the application of that section after the relevant time in relation to a decision taken by a person before that time if—

(a) in taking the decision the person failed to comply with section 12(1) of the 1998 Act, or

(b) at the relevant time—

(i) the person had not taken all of the steps required under section 12(2) or (3) of the 1998 Act, or

(ii) the period specified in section 12(2)(b) of the 1998 Act (for an individual to require a person to reconsider a decision) had not expired.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 12 of the 1998 Act comes into force.

Compensation for contravention of the 1998 Act or Part 4 of the 2014 Regulations

6 (1) The repeal of section 13 of the 1998 Act (compensation for failure to comply with certain requirements) does not affect the application of that section after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.

(2) The revocation of regulation 45 of the 2014 Regulations (right to compensation) does not affect the application of that regulation after the relevant time in relation to damage or distress suffered at any time by reason of an act or omission before the relevant time.

(3) “The relevant time” means—

(a) in sub-paragraph (1), the time when the repeal of section 13 of the

1998 Act comes into force;

(b) in sub-paragraph (2), the time when the revocation of regulation 45 of the 2014 Regulation comes into force.

Rectification, blocking, erasure and destruction under the 1998 Act

7 (1) The repeal of section 14(1) to (3) and (6) of the 1998 Act (rectification, blocking, erasure and destruction of inaccurate personal data) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (1) of that section before the relevant time.

(2) The repeal of section 14(4) to (6) of the 1998 Act (rectification, blocking, erasure and destruction: risk of further contravention in circumstances entitling data subject to compensation under section 13 of the 1998 Act) does not affect the application of those provisions after the relevant time in a case in which an application was made under subsection (4) of that section before the relevant time.

(3) In this paragraph, “the relevant time” means the time when the repeal of section 14 of the 1998 Act comes into force.

Jurisdiction and procedure under the 1998 Act

8 The repeal of section 15 of the 1998 Act (jurisdiction and procedure) does not affect the application of that section in connection with sections 7 to 14 of the 1998 Act as they have effect by virtue of this Schedule.

Exemptions under the 1998 Act

9 (1) The repeal of Part 4 of the 1998 Act (exemptions) does not affect the application of that Part after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect after that time by virtue of paragraphs 2 to 7 of this Schedule.

(2) The revocation of the relevant Orders, and the repeal mentioned in sub- paragraph (1), do not affect the application of the relevant Orders after the relevant time in connection with a provision of Part 2 of the 1998 Act as it has effect as described in sub-paragraph (1).

(3) In this paragraph—

“the relevant Orders” means—

(a) the Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184);

(b) the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413);

(c) the Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414);

(d) the Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415);

(e) the Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416);

(f) Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419);

(g) Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864);

“the relevant time” means the time when the repeal of the provision of Part 2 of the 1998 Act in question comes into force.

(4) As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.

Prohibition by this Act of requirement to produce relevant records

10 (1) In Schedule 17 to this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.

(2) In section 177 of this Act, references to a “relevant record” include a record which does not fall within the definition in Schedule 17 to this Act (read with sub-paragraph (1)) but which, immediately before the relevant time, was a “relevant record” for the purposes of section 56 of the 1998 Act.

(3) In this paragraph, “the relevant time” means the time when the repeal of section 56 of the 1998 Act comes into force.

Avoidance under this Act of certain contractual terms relating to health records

11 In section 178 of this Act, references to a record obtained in the exercise of a data subject access right include a record obtained at any time in the exercise of a right under section 7 of the 1998 Act.

PART 3

THE GDPR AND PART 2 OF THIS ACT

Exemptions from the GDPR: restrictions of rules in Articles 13 to 15 of the GDPR

12 In paragraph 20(2) of Schedule 2 to this Act (self-incrimination), the reference to an offence under this Act includes an offence under the 1998 Act or the 1984 Act.

Manual unstructured data held by FOI public authorities

13 Until the first regulations under section 24(8) of this Act come into force, “the appropriate maximum” for the purposes of that section is—

(a) where the controller is a public authority listed in Part 1 of Schedule 1 to the Freedom of Information Act 2000, £600, and

(b) otherwise, £450.

PART 4

LAW ENFORCEMENT AND INTELLIGENCE SERVICES PROCESSING

Logging

14 (1) In relation to an automated processing system set up before 6 May 2016, subsections (1) to (3) of section 62 of this Act do not apply if and to the extent that compliance with them would involve disproportionate effort.

(2) Sub-paragraph (1) ceases to have effect at the beginning of 6 May 2023.

Regulation 50 of the 2014 Regulations (disapplication of the 1998 Act)

15 Nothing in this Schedule, read with the revocation of regulation 50 of the 2014 Regulations, has the effect of applying a provision of the 1998 Act to the processing of personal data to which Part 4 of the 2014 Regulations applies in a case in which that provision did not apply before the revocation of that regulation.

Maximum fee for data subject access requests to intelligence services

16 Until the first regulations under section 94(4)(b) of this Act come into force, the maximum amount of a fee that may be required by a controller under that section is £10.

PART 5

NATIONAL SECURITY CERTIFICATES

National security certificates: processing of personal data under the 1998 Act

17 (1) The repeal of section 28(2) to (12) of the 1998 Act does not affect the application of those provisions after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.

(2) A certificate issued under section 28(2) of the 1998 Act continues to have effect after the relevant time with respect to the processing of personal data to which the 1998 Act (including as it has effect by virtue of this Schedule) applies.

(3) Where a certificate continues to have effect under sub-paragraph (2) after the relevant time, it may be revoked or quashed in accordance with section 28 of the 1998 Act after the relevant time.

(4) In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.

National security certificates: processing of personal data under the 2018 Act

18 (1) This paragraph applies to a certificate issued under section 28(2) of the1998 Act (an “old certificate”) which has effect immediately before the relevant time.

(2) If and to the extent that the old certificate provides protection with respect to personal data which corresponds to protection that could be provided by a certificate issued under section 27, 79 or 111 of this Act, the old certificate also has effect to that extent after the relevant time as if—

(a) it were a certificate issued under one or more of sections 27, 79 and 111 (as the case may be),

(b) it provided protection in respect of that personal data in relation to the corresponding provisions of this Act or the applied GDPR, and

(c) where it has effect as a certificate issued under section 79, it certified that each restriction in question is a necessary and proportionate measure to protect national security.

(3) Where an old certificate also has effect as if it were a certificate issued under one or more of sections 27, 79 and 111, that section has, or those sections have, effect accordingly in relation to the certificate.

(4) Where an old certificate has an extended effect because of sub-paragraph

(2), section 129 of this Act does not apply in relation to it.

(5) An old certificate that has an extended effect because of sub-paragraph (2) provides protection only with respect to the processing of personal data that occurs during the period of 1 year beginning with the relevant time (and a Minister of the Crown may curtail that protection by wholly or partly revoking the old certificate).

(6) For the purposes of this paragraph—

(a) a reference to the protection provided by a certificate issued under—

(i) section 28(2) of the 1998 Act, or

(ii) section 27, 79 or 111 of this Act,

is a reference to the effect of the evidence that is provided by the certificate;

(b) protection provided by a certificate under section 28(2) of the 1998 Act is to be regarded as corresponding to protection that could be provided by a certificate under section 27, 79 or 111 of this Act where, in respect of provision in the 1998 Act to which the certificate under section 28(2) relates, there is corresponding provision in this Act or the applied GDPR to which a certificate under section 27, 79 or 111 could relate.

(7) In this paragraph, “the relevant time” means the time when the repeal of section 28 of the 1998 Act comes into force.

PART 6

THE INFORMATION COMMISSIONER

Appointment etc

19 (1) On and after the relevant day, the individual who was the Commissioner immediately before that day—

(a) continues to be the Commissioner,

(b) is to be treated as having been appointed under Schedule 12 to this Act, and

(c) holds office for the period—

(i) beginning with the relevant day, and

(ii) lasting for 7 years less a period equal to the individual’s pre-commencement term.

(2) On and after the relevant day, a resolution passed by the House of Commons for the purposes of paragraph 3 of Schedule 5 to the 1998 Act (salary and pension of Commissioner), and not superseded before that day, is to be treated as having been passed for the purposes of paragraph

4 of Schedule 12 to this Act.

(3) In this paragraph—

“pre-commencement term”, in relation to an individual, means the period during which the individual was the Commissioner before the relevant day;

“the relevant day” means the day on which Schedule 12 to this Act comes into force.

Accounts

20 (1) The repeal of paragraph 10 of Schedule 5 to the 1998 Act does not affect the duties of the Commissioner and the Comptroller and Auditor General under that paragraph in respect of the Commissioner’s statement of account for the financial year beginning with 1 April 2017.

(2) The Commissioner’s duty under paragraph 11 of Schedule 12 to this Act to prepare a statement of account for each financial year includes a duty to do so for the financial year beginning with 1 April 2018.

Annual report

21 (1) The repeal of section 52(1) of the 1998 Act (annual report) does not affect the Commissioner’s duty under that subsection to produce a general report on the exercise of the Commissioner’s functions under the 1998 Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.

(2) The repeal of section 49 of the Freedom of Information Act 2000 (annual report) does not affect the Commissioner’s duty under that section to produce a general report on the exercise of the Commissioner’s functions under that Act during the period of 1 year beginning with 1 April 2017 and to lay it before Parliament.

(3) The first report produced by the Commissioner under section 138 of this Act must relate to the period of 1 year beginning with 1 April 2018.

Fees etc received by the Commissioner

22 (1) The repeal of Schedule 5 to the 1998 Act (Information Commissioner) does not affect the application of paragraph 9 of that Schedule after the relevant time to amounts received by the Commissioner before the relevant time.

(2) In this paragraph, “the relevant time” means the time when the repeal of Schedule 5 to the 1998 Act comes into force.

23 Paragraph 10 of Schedule 12 to this Act applies only to amounts received by the Commissioner after the time when that Schedule comes into force.

Functions in connection with the Data Protection Convention

24 (1) The repeal of section 54(2) of the 1998 Act (functions to be discharged by the Commissioner for the purposes of Article 13 of the Data Protection Convention), and the revocation of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186), do not affect the application of articles 1 to 5 of that Order after the relevant time in relation to a request described in those articles which was made before that time.

(2) The references in paragraph 9 of Schedule 13 to this Act (Data Protection Convention: restrictions on use of information) to requests made or received by the Commissioner under paragraph 6 or 7 of that Schedule include a request made or received by the Commissioner under article 3 or 4 of the Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186).

(3) The repeal of section 54(7) of the 1998 Act (duty to notify the European Commission of certain approvals and authorisations) does not affect the application of that provision after the relevant time in relation to an approval or authorisation granted before the relevant time.

(4) In this paragraph, “the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force.

Co-operation with the European Commission: transfers of personal data outside the EEA

25 (1) The repeal of section 54(3) of the 1998 Act (co-operation by the Commissioner with the European Commission etc), and the revocation of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190), do not affect the application of articles 1 to 4 of that Order after the relevant time in relation to transfers that took place before the relevant time.

(2) In this paragraph—

“the relevant time” means the time when the repeal of section 54 of the 1998 Act comes into force;

“transfer” has the meaning given in article 2 of the Data Protection (International Co-operation) Order 2000 (S.I. 2000/190).

Charges payable to the Commissioner by controllers

26 (1) The Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480) have effect after the relevant time (until revoked) as if they were made under section 136 of this Act.

(2) In this paragraph, “the relevant time” means the time when section 136 of this Act comes into force.

Requests for assessment

27 (1) The repeal of section 42 of the 1998 Act (requests for assessment) does not affect the application of that section after the relevant time in a case in which the Commissioner received a request under that section before the relevant time, subject to sub-paragraph (2).

(2) The Commissioner is only required to make an assessment of acts and omissions that took place before the relevant time.

(3) In this paragraph, “the relevant time” means the time when the repeal of section 42 of the 1998 Act comes into force.

Codes of practice

28 (1) The repeal of section 52E of the 1998 Act (effect of codes of practice) does not affect the application of that section after the relevant time in relation to legal proceedings or to the exercise of the Commissioner’s functions under the 1998 Act as it has effect by virtue of this Schedule.

(2) In section 52E of the 1998 Act, as it has effect by virtue of this paragraph, the references to the 1998 Act include that Act as it has effect by virtue of this Schedule.

(3) For the purposes of subsection (3) of that section, as it has effect by virtue of this paragraph, the data-sharing code and direct marketing code in force immediately before the relevant time are to be treated as having continued in force after that time.

(4) In this paragraph—

“the data-sharing code” and “the direct marketing code” mean the codes respectively prepared under sections 52A and 52AA of the

1998 Act and issued under section 52B(5) of that Act;

“the relevant time” means the time when the repeal of section 52E of the 1998 Act comes into force.

PART 7

ENFORCEMENT ETC UNDER THE 1998 ACT

Interpretation of this Part

29 (1) In this Part of this Schedule, references to contravention of the sixth data protection principle sections are to relevant contravention of any of sections 7, 10, 11 or 12 of the 1998 Act, as they continue to have effect by virtue of this Schedule after their repeal (and references to compliance with the sixth data protection principle sections are to be read accordingly).

(2) In sub-paragraph (1), “relevant contravention” means contravention in a manner described in paragraph 8 of Part 2 of Schedule 1 to the 1998 Act (sixth data protection principle).

Information notices

30 (1) The repeal of section 43 of the 1998 Act (information notices) does not affect the application of that section after the relevant time in a case in which—

(a) the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or

(b) the Commissioner requires information after the relevant time for the purposes of—

(i) responding to a request made under section 42 of the 1998 Act before that time,

(ii) determining whether a data controller complied with the old data protection principles before that time, or

(iii) determining whether a data controller complied with the sixth data protection principle sections after that time.

(2) In section 43 of the 1998 Act, as it has effect by virtue of this paragraph— (a) the reference to an offence under section 47 of the 1998 Act includes an offence under section 143 of this Act, and

(b) the references to an offence under the 1998 Act include an offence under this Act.

(3) In this paragraph, “the relevant time” means the time when the repeal of section 43 of the 1998 Act comes into force.

Special information notices

31 (1) The repeal of section 44 of the 1998 Act (special information notices) does not affect the application of that section after the relevant time in a case in which—

(a) the Commissioner served a notice under that section before the relevant time (and did not cancel it before that time), or

(b) the Commissioner requires information after the relevant time for the purposes of—

(i) responding to a request made under section 42 of the 1998 Act before that time, or

(ii) ascertaining whether section 44(2)(a) or (b) of the 1998 Act was satisfied before that time.

(2) In section 44 of the 1998 Act, as it has effect by virtue of this paragraph— (a) the reference to an offence under section 47 of the 1998 Act includes an offence under section 143 of this Act, and

(b) the references to an offence under the 1998 Act include an offence under this Act.

(3) In this paragraph, “the relevant time” means the time when the repeal of section 44 of the 1998 Act comes into force.

Assessment notices

32 (1) The repeal of sections 41A and 41B of the 1998 Act (assessment notices) does not affect the application of those sections after the relevant time in a case in which—

(a) the Commissioner served a notice under section 41A of the 1998 Act before the relevant time (and did not cancel it before that time), or

(b) the Commissioner considers it appropriate, after the relevant time, to investigate—

(i) whether a data controller complied with the old data protection principles before that time, or

(ii) whether a data controller complied with the sixth data protection principle sections after that time.

(2) The revocation of the Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282), and the repeals mentioned in sub-paragraph (1), do not affect the application of that Order in a case described in sub-paragraph (1).

(3) Sub-paragraph (1) does not enable the Secretary of State, after the relevant time, to make an order under section 41A(2)(b) or (c) of the 1998 Act (data controllers on whom an assessment notice may be served) designating a public authority or person for the purposes of that section.

(4) Section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1), has effect as if subsections (8) and (11) (duty to review designation orders) were omitted.

(5) The repeal of section 41C of the 1998 Act (code of practice about assessment notice) does not affect the application, after the relevant time, of the code issued under that section and in force immediately before the relevant time in relation to the exercise of the Commissioner’s functions under and in connection with section 41A of the 1998 Act, as it has effect by virtue of sub-paragraph (1).

(6) In this paragraph, “the relevant time” means the time when the repeal of section 41A of the 1998 Act comes into force.

Enforcement notices

33 (1) The repeal of sections 40 and 41 of the 1998 Act (enforcement notices) does not affect the application of those sections after the relevant time in a case in which—

(a) the Commissioner served a notice under section 40 of the 1998 Act before the relevant time (and did not cancel it before that time), or

(b) the Commissioner is satisfied, after that time, that a data controller —

(i) contravened the old data protection principles before that time, or

(ii) contravened the sixth data protection principle sections after that time.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 40 of the 1998 Act comes into force.

Determination by Commissioner as to the special purposes

34 (1) The repeal of section 45 of the 1998 Act (determination by Commissioner as to the special purposes) does not affect the application of that section after the relevant time in a case in which—

(a) the Commissioner made a determination under that section before the relevant time, or

(b) the Commissioner considers it appropriate, after the relevant time, to make a determination under that section.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 45 of the 1998 Act comes into force.

Restriction on enforcement in case of processing for the special purposes

35 (1) The repeal of section 46 of the 1998 Act (restriction on enforcement in case of processing for the special purposes) does not affect the application of that section after the relevant time in relation to an enforcement notice or information notice served under the 1998 Act—

(a) before the relevant time, or

(b) after the relevant time in reliance on this Schedule.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 46 of the 1998 Act comes into force.

Offences

36 (1) The repeal of sections 47, 60 and 61 of the 1998 Act (offences of failing to comply with certain notices and of providing false information etc in response to a notice) does not affect the application of those sections after the relevant time in connection with an information notice, special information notice or enforcement notice served under Part 5 of the 1998

Act—

(a) before the relevant time, or

(b) after that time in reliance on this Schedule.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 47 of the 1998 Act comes into force.

Powers of entry

37 (1) The repeal of sections 50, 60 and 61 of, and Schedule 9 to, the 1998 Act (powers of entry) does not affect the application of those provisions after the relevant time in a case in which—

(a) a warrant issued under that Schedule was in force immediately before the relevant time,

(b) before the relevant time, the Commissioner supplied information on oath for the purposes of obtaining a warrant under that Schedule but that had not been considered by a circuit judge or a District Judge (Magistrates’ Courts), or

(c) after the relevant time, the Commissioner supplies information on oath to a circuit judge or a District Judge (Magistrates’ Courts) in respect of—

(i) a contravention of the old data protection principles before the relevant time;

(ii) a contravention of the sixth data protection principle sections after the relevant time;

(iii) the commission of an offence under a provision of the

1998 Act (including as the provision has effect by virtue of this Schedule);

(iv) a failure to comply with a requirement imposed by an assessment notice issued under section 41A the 1998 Act (including as it has effect by virtue of this Schedule).

(2) In paragraph 16 of Schedule 9 to the 1998 Act, as it has effect by virtue of this paragraph, the reference to an offence under paragraph 12 of that Schedule includes an offence under paragraph 15 of Schedule 15 to this Act.

(3) In this paragraph, “the relevant time” means the time when the repeal of Schedule 9 to the 1998 Act comes into force.

(4) Paragraphs 14 and 15 of Schedule 9 to the 1998 Act (application of that Schedule to Scotland and Northern Ireland) apply for the purposes of this paragraph as they apply for the purposes of that Schedule.

Monetary penalties

38 (1) The repeal of sections 55A, 55B, 55D and 55E of the 1998 Act (monetary penalties) does not affect the application of those provisions after the relevant time in a case in which—

(a) the Commissioner served a monetary penalty notice under section 55A of the 1998 Act before the relevant time,

(b) the Commissioner served a notice of intent under section 55B of the 1998 Act before the relevant time, or

(c) the Commissioner considers it appropriate, after the relevant time, to serve a notice mentioned in paragraph (a) or (b) in respect of—

(i) a contravention of section 4(4) of the 1998 Act before the relevant time, or

(ii) a contravention of the sixth data protection principle sections after the relevant time.

(2) The revocation of the relevant subordinate legislation, and the repeals mentioned in sub-paragraph (1), do not affect the application of the relevant subordinate legislation (or of provisions of the 1998 Act applied by them) after the relevant time in a case described in sub-paragraph (1).

(3) Guidance issued under section 55C of the 1998 Act (guidance about monetary penalty notices) which is in force immediately before the relevant time continues in force after that time for the purposes of the Commissioner’s exercise of functions under sections 55A and 55B of the 1998 Act as they have effect by virtue of this paragraph.

(4) In this paragraph—

“the relevant subordinate legislation” means—

(a) the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31);

(b) the Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910);

“the relevant time” means the time when the repeal of section 55A of the 1998 Act comes into force.

Appeals

39 (1) The repeal of sections 48 and 49 of the 1998 Act (appeals) does not affect the application of those sections after the relevant time in relation to a notice served under the 1998 Act or a determination made under section 45 of that Act—

(a) before the relevant time, or

(b) after that time in reliance on this Schedule.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 48 of the 1998 Act comes into force.

Exemptions

40 (1) The repeal of section 28 of the 1998 Act (national security) does not affect the application of that section after the relevant time for the purposes of a provision of Part 5 of the 1998 Act as it has effect after that time by virtue of the preceding paragraphs of this Part of this Schedule.

(2) In this paragraph, “the relevant time” means the time when the repeal of the provision of Part 5 of the 1998 Act in question comes into force.

(3) As regards certificates issued under section 28(2) of the 1998 Act, see Part 5 of this Schedule.

Tribunal Procedure Rules

41 (1) The repeal of paragraph 7 of Schedule 6 to the 1998 Act (Tribunal Procedure Rules) does not affect the application of that paragraph, or of rules made under that paragraph, after the relevant time in relation to the exercise of rights of appeal conferred by section 28 or 48 of the 1998 Act, as they have effect by virtue of this Schedule.

(2) Part 3 of Schedule 18 to this Act does not apply for the purposes of Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act as they apply, after the relevant time, in relation to the exercise of rights of appeal described in sub-paragraph (1).

(3) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7 of Schedule 6 to the 1998 Act comes into force.

Obstruction etc

42 (1) The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission in relation to proceedings under the 1998 Act (including as it has effect by virtue of this Schedule).

(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.

Enforcement etc under the 2014 Regulations

43 (1) The references in the preceding paragraphs of this Part of this Schedule to provisions of the 1998 Act include those provisions as applied, with modifications, by regulation 51 of the 2014 Regulations (other functions of the Commissioner).

(2) The revocation of regulation 51 of the 2014 Regulations does not affect the application of those provisions of the 1998 Act (as so applied) as described in those paragraphs.

PART 8

ENFORCEMENT ETC UNDER THIS ACT

Information notices

44 In section 142 of this Act—

(a) the reference to an offence under section 143 of this Act includes an offence under section 47 of the 1998 Act (including as it has effect by virtue of this Schedule), and

(b) the references to an offence under this Act include an offence under the 1998 Act (including as it has effect by virtue of this Schedule) or the 1984 Act.

Powers of entry

45 In paragraph 16 of Schedule 15 to this Act (powers of entry: self- incrimination), the reference to an offence under paragraph 15 of that Schedule includes an offence under paragraph 12 of Schedule 9 to the 1998 Act (including as it has effect by virtue of this Schedule).

Tribunal Procedure Rules

46 (1) Tribunal Procedure Rules made under paragraph 7(1)(a) of Schedule 6 to the 1998 Act (appeal rights under the 1998 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 194 of this Act.

(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(a) of Schedule 6 to the 1998 Act comes into force.

PART 9

OTHER ENACTMENTS

Powers to disclose information to the Commissioner

47 (1) The following provisions (as amended by Schedule 18 to this Act) have effect after the relevant time as if the matters they refer to included a matter in respect of which the Commissioner could exercise a power conferred by a provision of Part 5 of the 1998 Act, as it has effect by virtue of this Schedule—

(a) section 11AA(1)(a) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner);

(b) sections 33A(1)(a) and 34O(1)(a) of the Local Government Act

1974 (disclosure of information by Local Commissioner);

(c) section 18A(1)(a) of the Health Service Commissioners Act 1993 (disclosure of information by Health Service Commissioner);

(d) paragraph 1 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11) (disclosure of information by the Ombudsman);

(e) section 34X(3)(a) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);

(f) section 18(6)(a) of the Commissioner for Older People (Wales) Act 2006 (disclosure of information by the Commissioner);

(g) section 22(3)(a) of the Welsh Language (Wales) Measure 2011 (nawm 1) (disclosure of information by the Welsh Language Commissioner);

(h) section 49(3)(a) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.)) (disclosure of information by the Ombudsman);

(i) section 44(3)(a) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)) (disclosure of information by the Prison Ombudsman for Northern Ireland).

(2) The following provisions (as amended by Schedule 18 to this Act) have effect after the relevant time as if the offences they refer to included an offence under any provision of the 1998 Act other than paragraph 12 of Schedule 9 to that Act (obstruction of execution of warrant)—

(a) section 11AA(1)(b) of the Parliamentary Commissioner Act 1967; (b) sections 33A(1)(b) and 34O(1)(b) of the Local Government Act 1974;

(c) section 18A(1)(b) of the Health Service Commissioners Act 1993; (d) paragraph 2 of the entry for the Information Commissioner in Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (asp 11);

(e) section 34X(5) of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information by the Ombudsman);

(f) section 18(8) of the Commissioner for Older People (Wales) Act 2006;

(g) section 22(5) of the Welsh Language (Wales) Measure 2011 (nawm 1);

(h) section 49(5) of the Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.));

(i) section 44(3)(b) of the Justice Act (Northern Ireland) 2016 (c. 21 (N.I.)).

(3) In this paragraph, “the relevant time”, in relation to a provision of a section or Schedule listed in sub-paragraph (1) or (2), means the time when the amendment of the section or Schedule by Schedule 18 to this Act comes into force.

Codes etc required to be consistent with the Commissioner’s data-sharing code

48 (1) This paragraph applies in relation to the code of practice issued under each of the following provisions—

(a) section 19AC of the Registration Service Act 1953 (code of practice about disclosure of information by civil registration officials);

(b) section 43 of the Digital Economy Act 2017 (code of practice about disclosure of information to improve public service delivery);

(c) section 52 of that Act (code of practice about disclosure of information to reduce debt owed to the public sector);

(d) section 60 of that Act (code of practice about disclosure of information to combat fraud against the public sector);

(e) section 70 of that Act (code of practice about disclosure of information for research purposes).

(2) During the relevant period, the code of practice does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 124(4) of this Act (as altered or replaced from time to time).

(3) In this paragraph, “the relevant period”, in relation to a code issued under a section mentioned in sub-paragraph (1), means the period—

(a) beginning when the amendments of that section in Schedule 18 to this Act come into force, and

(b) ending when the code is first reissued under that section.

49 (1) This paragraph applies in relation to the original statement published under section 45E of the Statistics and Registration Service Act 2007 (statement of principles and procedures in connection with access to information by the Statistics Board).

(2) During the relevant period, the statement does not have effect to the extent that it is inconsistent with the code of practice prepared under section 121 of this Act (data-sharing code) and issued under section 124(4) of this Act (as altered or replaced from time to time).

(3) In this paragraph, “the relevant period” means the period—

(a) beginning when the amendments of section 45E of the Statistics and Registration Service Act 2007 in Schedule 18 to this Act come into force, and

(b) ending when the first revised statement is published under that section.

Consumer Credit Act 1974

50 In section 159(1)(a) of the Consumer Credit Act 1974 (correction of wrong information) (as amended by Schedule 18 to this Act), the reference to information given under Article 15(1) to (3) of the GDPR includes information given at any time under section 7 of the 1998 Act.

Freedom of Information Act 2000

51 Paragraphs 52 to 55 make provision about the Freedom of Information Act 2000 (“the 2000 Act”).

52 (1) This paragraph applies where a request for information was made to a public authority under the 2000 Act before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2000 Act.

(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2000 Act, but

(b) the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2000 Act as amended by Schedule 18 to this Act.

(4) In this paragraph—

“public authority” has the same meaning as in the 2000 Act;

“the relevant time” means the time when the amendments of sections 2 and 40 of the 2000 Act in Schedule 18 to this Act come into force.

53 (1) Tribunal Procedure Rules made under paragraph 7(1)(b) of Schedule 6 to the 1998 Act (appeal rights under the 2000 Act) and in force immediately before the relevant time have effect after that time as if they were also made under section 61 of the 2000 Act (as inserted by Schedule 18 to this Act).

(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 7(1)(b) of Schedule 6 to the 1998 Act comes into force.

54 (1) The repeal of paragraph 8 of Schedule 6 to the 1998 Act (obstruction etc in proceedings before the Tribunal) does not affect the application of that paragraph after the relevant time in relation to an act or omission before that time in relation to an appeal under the 2000 Act.

(2) In this paragraph, “the relevant time” means the time when the repeal of paragraph 8 of Schedule 6 to the 1998 Act comes into force.

55 (1) The amendment of section 77 of the 2000 Act in Schedule 18 to this Act (offence of altering etc record with intent to prevent disclosure: omission of reference to section 7 of the 1998 Act) does not affect the application of that section after the relevant time in relation to a case in which—

(a) the request for information mentioned in section 77(1) of the 2000 Act was made before the relevant time, and

(b) when the request was made, section 77(1)(b) of the 2000 Act was satisfied by virtue of section 7 of the 1998 Act.

(2) In this paragraph, “the relevant time” means the time when the repeal of section 7 of the 1998 Act comes into force.

Freedom of Information (Scotland) Act 2002

56 (1) This paragraph applies where a request for information was made to a Scottish public authority under the Freedom of Information (Scotland) Act 2002 (“the 2002 Act”) before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2002 Act in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Part 1 of the 2002 Act.

(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2002 Act in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Part 1 of the 2002 Act, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act, do not include power to require the authority to take steps which it would not be required to take in order to comply with Part 1 of the 2002 Act as amended by Schedule 18 to this Act.

(4) In this paragraph—

“Scottish public authority” has the same meaning as in the 2002 Act; “the relevant time” means the time when the amendments of the 2002 Act in Schedule 18 to this Act come into force.

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

57 Until the first regulations under Article 5(4)(a) of the Access to Health Records (Northern Ireland) Order 1993 (as amended by Schedule 18 to this Act) come into force, the maximum amount of a fee that may be required for giving access under that Article is £10.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2450)

58 (1) The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“the PECR 2003”) (see regulations 2, 31 and 31B of, and Schedule 1 to, those Regulations).

(2) Where subordinate legislation made under a provision of the 1998 Act is in force immediately before the repeal of that provision, neither the revocation of the subordinate legislation nor the repeal of the provision of the 1998 Act affect the application of the subordinate legislation for the purposes of the PECR 2003 after that time.

(3) Part 3 of Schedule 18 to this Act (modifications) does not have effect in relation to the PECR 2003.

(4) Part 7 of this Schedule does not have effect in relation to the provisions of the 1998 Act as applied by the PECR 2003.

Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 (S.I. 2003/431 (N.I. 9))

59 Part 3 of Schedule 18 to this Act (modifications) does not have effect in relation to the reference to an accessible record within the meaning of section 68 of the 1998 Act in regulation 43 of the Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003.

Environmental Information Regulations 2004 (S.I. 2004/3391)

60 (1) This paragraph applies where a request for information was made to a public authority under the Environmental Information Regulations 2004 (“the 2004 Regulations”) before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with Parts 2 and 3 of those Regulations.

(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2004 Regulations in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with Parts 2 and 3 of those Regulations, but

(b) the powers of the Commissioner and the Tribunal, on an application or appeal under the 2000 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with Parts 2 and 3 of those Regulations as amended by Schedule 18 to this Act.

(4) In this paragraph—

“public authority” has the same meaning as in the 2004 Regulations; “the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 18 to this Act come into force.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

61 (1) This paragraph applies where a request for information was made to a Scottish public authority under the Environmental Information (Scotland) Regulations 2004 (“the 2004 Regulations”) before the relevant time.

(2) To the extent that the request is dealt with after the relevant time, the amendments of the 2004 Regulations in Schedule 18 to this Act have effect for the purposes of determining whether the authority deals with the request in accordance with those Regulations.

(3) To the extent that the request was dealt with before the relevant time— (a) the amendments of the 2004 Regulations in Schedule 18 to this Act do not have effect for the purposes of determining whether the authority dealt with the request in accordance with those Regulations, but

(b) the powers of the Scottish Information Commissioner and the Court of Session, on an application or appeal under the 2002 Act (as applied by the 2004 Regulations), do not include power to require the authority to take steps which it would not be required to take in order to comply with those Regulations as amended by Schedule 18 to this Act.

(4) In this paragraph—

“Scottish public authority” has the same meaning as in the 2004 Regulations;

“the relevant time” means the time when the amendments of the 2004 Regulations in Schedule 18 to this Act come into force.”

Motion on Amendments 176 to 282 agreed.