My Lords, I will speak to Amendment 153 in my name and that of my noble friend Lord Clement-Jones. Section 17(1) of the Data Protection Act 1998 states that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Information Commissioner. Effectively, processing personal data without registering and without paying a fee is, at the moment, a strict liability criminal offence. This ensures that all data controllers are aware of their most basic obligations and that a central register of who is processing personal data is maintained. It also provides a simple means of collecting notification fee income.
We have been made acutely aware during the debates on the passage of the Bill of the increased responsibilities that will be placed on the Information Commissioner and the need for her to have additional resources. This is one way of ensuring that she has those resources, provided she is able to keep the fees raised and does not have to hand over large amounts of those fees to the Treasury.
This is an important protection for data subjects, and the Government have asserted that they are strengthening the law to protect data subjects. If the requirement to register is removed, as will happen without this amendment, this will weaken those protections. In addition to protections provided by registration and the increased awareness of the other requirements around data protection as a result of registering, it allows for the Proceeds of Crime Act to be used to confiscate money generated by the unlawful processing of personal data by those who are not registered. This would be lost if this amendment is not adopted.
The amendment seeks to maintain the current position by requiring the Information Commissioner to register all data controllers. However, unlike the current requirement for more detailed information, the amendment requires that the data controller provides only the minimum of information—such as his name and address; if he has nominated a representative for the purposes of the Act, their name and address; and the principal activity or activities undertaken by the data controller.
The Minister may wish to pray in aid article 57(3) of the GDPR, which states:
“The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer”.
We argue that this is a notification fee, not a task performed by the Information Commissioner, and a fee that would be levied on the data controller and not the data protection officer. I beg to move.
My Lords, I shall speak to Amendment 153ZA in my name and that of my noble friend Lord Kennedy of Southwark. I support the amendment tabled by the noble Lords, Lord Clement-Jones and Lord Paddick, which is important. We look forward to hearing what the Minister says in response.
Our amendment is in two halves. The first probes the question of what happens in cases where the data controller relies on derogations or limitations provided for under the GDPR that have been brought, directly or indirectly, into UK law through the existence of the GDPR after 25 May 2018 or through secondary legislation, whichever is appropriate. It asks whether there is a need for a bit more guidance on the commissioner’s duties, in that she may wish to look at the proportionality of such reliance by the data controller—in other words, whether it is appropriate relative to the overall aims and objectives placed on the data by the data controller—and whether it is appropriate under the GDPR or its subsequent limitation or derogation. Secondly, it asks whether adequate systems are in place to make sure the rights of data subjects are safeguarded. This may seem to be gold-plating, but it is important to understand better how the mechanics of this work in practice. These are very important issues.
The second part returns to an issue we touched on earlier in Committee, but about which there is still concern. We have again had representations on this issue. The amendment is framed as a probing amendment, but it comes back to familiar territory: what will happen in later stages of the life of the Bill as we leave the EU and are required to make sure our own legislative arrangements are in place? At present, the GDPR has an extraterritorial application so that even when companies are not established in the EU they are bound by the GDPR where they offer goods or services to EU citizens or monitor their behaviour. As well as requiring that lawful processing of data is not excessive, data controllers are required to keep data secure.
So far, so good. The important point is that under the GDPR at present—there is no derogation on this—it is necessary for such companies to make sure they have what is called a representative in the EU. This would be a physical office or body, staffed so that where EU citizens wish to take up issues that affect them, such as whether the data is being properly controlled or whether it has been processed legally, contact can be made directly. But under the Bill as I understand it, and I would be grateful if the Minister could confirm what exactly the situation is, after the applied GDPR comes in the requirement for a company to make sure it has a representative in the UK—in the GDPR, it is for a company to have a representative in the EU—will be dropped. If that is right, even if the operating company is well-respected for its data protection laws or is in good standing as far as the EU is concerned, any individual based in the UK would obviously have much more difficulty if there is no representative, such as in a situation with different foreign laws, where an individual would probably rely on an intermediary who may not see non-nationals as a sufficiently high priority. If things do not work out, the individual may have to have recourse to law in a foreign court. This will make it very difficult to enforce new rights.
Is it right that the Government will not require foreign companies operating in the UK after Brexit to have a representative? If it is, how will they get round these problems? I look forward to hearing what the Minister says on these points.
My Lords, I have a question about proposed new subsection (2) in Amendment 153, which says that,
“personal data must not be processed unless an entry in respect of the data controller is included in the register”.
That goes a certain distance, but since enormous amounts of personal data in the public domain are not in the control of any data controller, it is perhaps ambiguous as drafted. Surely it should read, “Personal data must not be processed by a data controller unless an entry in respect of the data controller is included in the register”. If that is the intention, the proposed new clause should say that. If it is not, we should recognise that controlling data controllers does not achieve the privacy protections we seek.
Could I ask the noble Baroness to repeat which provision she is referring to?
“Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner”.
That would be an adequate formulation if all the personal data being processed was within the control of some data controller. Since much of it is not, the drafting does not quite meet the purpose.
My Lords, I am grateful to the noble Lord for introducing these amendments. Perhaps I may begin by referring to Amendment 153. The requirement set out in the Data Protection Act 1998 for the Information Commissioner to maintain a register of data controllers, and for those controllers to register with the commissioner, was introduced to support the proper implementation of data protection law in the UK and to facilitate the commissioner’s enforcement activity. At the time when it was introduced, it was a feasible and effective measure. However, in the intervening 20 years, the use of data in our society has changed beyond all recognition. In today’s digital age, in which an ever-increasing amount of data is being processed, there has been a correspondingly vast increase in the number of data controllers and the data processing activities they undertake. There are now more than 400,000 data controllers registered with the Information Commissioner, a number which is growing rapidly. The ever-increasing amount and variety of data processing means that it is increasingly difficult and time consuming for her to maintain an accurate central register giving details on the wide range of processing activities they undertake.
The Government believe that the maintenance of such an ever-growing register of the kind required by the 1998 Act would not be a proportionate use of the Information Commissioner’s resources. Rather, as I am sure noble Lords will agree, the commissioner’s efforts are best focused on addressing breaches of individuals’ personal data, seeking redress for the distress this causes and preventing the recurrence of such breaches. The GDPR does not require that a register similar to that created by the 1998 Act be maintained, but that does not mean there is a corresponding absence of transparency. Under articles 13 and 14 of the GDPR and Clauses 42 and 91 of the Bill, controllers must provide data subjects with a wide range of information about their processing activities or proposed processing activities at the point at which they obtain their data.
Nor will there be absence of oversight by the commissioner. Indeed, data controllers will be required to keep records of their processing activities and make those records available to the Information Commissioner on request. In the event of non-compliance with such a request, the commissioner can pursue enforcement action. The only material change from the 1998 Act is that the Information Commissioner will no longer have the burden of maintaining a detailed central register that includes controllers’ processing activities.
I turn now to Amendment 153ZA which would give the Information Commissioner two new duties. The Government believe that both are unnecessary. The first new duty, to verify the proportionality of a controller’s reliance on a derogation and ensure that the controller has adequate systems in place to safeguard the rights of data subjects, is unnecessary because proportionality and adequate safeguards are core concepts of both the GDPR and the Bill. For example, processing is permissible only under a condition listed in Schedule 1 if it is necessary for a reason of substantial public interest. Any provision to require the commissioner to enforce the law is at best otiose and at worst risks skewing the commissioner’s incentives to undertake enforcement action. Of course, if the noble Lord feels that the Bill would benefit from additional safeguards or proportionality requirements, I would be happy to consider them.
The second new duty, to consult on how to support claims taken by UK residents against a data controller based in another territory who has breached their data protection rights, is in our view also unnecessary. As made clear in her international strategy, which was published in June, the Information Commissioner is very aware of the need for international co-operation on data protection issues, including enforcement. For example, she is an active member of the Article 29 Working Party and the Global Privacy Enforcement Network, and her office provides the secretariat for the Common Thread Network, which brings together Commonwealth countries’ supervisory authorities. Only last month, her office led an international sweep of major consumer websites, in which 23 other data protection regulators from around the world participated. Clause 118 of the Bill and article 50 of the GDPR require her to continue that important work, including through engaging relevant stakeholders in discussion and activities for the purpose of furthering international enforcement. Against this background, the Government do not feel that additional prescriptive requirements would add value.
My Lords, I want to come back to an issue relating to the situation post Brexit: companies operating in the UK, for which a representative will not be required. I listened to the Minister very carefully and I understand what he is saying, but I take it that, post Brexit, he is basically relying on the force of the Information Commissioner’s personality and her ability to maintain her current relationships and build on them. As such, when taking issues abroad, individuals in the UK will not have any statutory provision, as they currently do, but will have to rely on the informal mechanisms the Minister mentioned and their own resources. He has failed to answer the question whether that is a good situation to be in as we progress through the Bill, but I will read what he said more carefully and come back to him later.
My Lords, I thank the noble Baroness, Lady O’Neill of Bengarve, for her contribution—we will look at that should we bring back the amendment on Report. I also thank the noble Lord, Lord Stevenson of Balmacara, for his support for the amendment.
The Minister said that provision in the 1998 Act requiring all data controllers to be registered was an important part of data protection, yet his argument for not continuing with that seemed to be that it would be difficult to maintain a register with the numbers now involved. Either the register is an important contribution to data protection or it is not. In any event, we should bear in mind that a charge could be levied. The Minister suggested that a register would not be a proportionate use of the Information Commissioner’s resources, but those resources could significantly increase. If the existing law were enforced, it is estimated that an additional £1 billion in income would be possible.
On a detailed central register, I said when introducing the amendment that the detail suggested would be far less than is currently the case. However, we will reflect on what the Minister said. For the moment, I beg leave to withdraw the amendment.
My Lords, the amendment is in my name and that of my noble friend Lord Kennedy. Clause 117 allows the commissioner to inspect personal data held on any automated or structured system where the inspection is necessary,
“to discharge an international obligation of the United Kingdom”.
Before exercising the power, the commissioner under subsection (4) must by written notice inform a controller of her intention. However, this does not apply if the case is “urgent”. Since in every other aspect of the Bill phrases such as “urgent” are usually defined, uniquely in this case it is not, so the amendment is merely to allow the Minister to read into record those cases that he might consider to be urgent. I beg to move.
My Lords, I am grateful to the noble Lord. I am just looking through my notes to find the bit that states what determines whether a case is urgent—but, before that, I thought he might like to hear the other things that I have to say.
In addition to the essential role of enforcing data protection law in the UK, the Information Commissioner has a role to play where personal data is processed in accordance with international obligations. We are aware of three cases where the commissioner’s oversight is currently required: the Schengen Information System, the Europol Information System and the Customs Information System. The conventions that establish these systems require the supervisory authority to have free access to national sections.
Clause 117 provides that the commissioner may inspect personal data to fulfil an international obligation, as long as the commissioner notifies the controller and any processor in any case where there is sufficient time to do so. The clause is very similar to Section 54A of the 1998 Act, with one slight change: namely, we have made a general power, which the noble Lord will be pleased to see in the Bill. This is intended simply to eliminate the need to legislate for every system the UK joins or leaves, thereby future-proofing the legislation. The amendment would remove the commissioner’s ability to make such an inspection without prior written notice in cases that the commissioner considers urgent. We certainly expect that the commissioner will not normally need to do that and that it will be the exception rather than the rule. The amendment would therefore be a retrograde step since it changes the position that currently pertains in the 1998 Act.
As to what is and is not urgent—I hasten to add that this has never actually been applied by the Information Commissioner—it is for the Information Commissioner to determine. That is consistent with the existing position, as I mentioned, and it remains appropriate, so that each case can be assessed on its own merits. Of course, if the decision of the Information Commissioner were unreasonable, it would be amenable to judicial review. As I said, there is only one example that we know of when the Information Commissioner has needed to make use of the section at all, which was a routine audit that was not deemed urgent. A hypothetical example might be if the commissioner needed to urgently inspect a system if the need arose in the context of a request for extradition. I hope that the noble Lord is satisfied with my explanation and will feel able to withdraw his amendment.
I thank the Minister; he adequately covered the points and I am happy to withdraw the amendment.
My Lords, the amendments in this small group are probing in nature. Amendment 153C is in my name and that of my noble friend Lord Kennedy. Clause 119 places an obligation on the commissioner to publish and keep under review a data-sharing code of practice that would contain guidance on data sharing and good practice, as the name suggests. This is good; we talked about it in some detail in earlier sittings of the Committee and we have no problems with it. It continues a practice that we are well aware of and there are no particular issues arising from it, provided that it continues to be comprehensive and to provide the sort of advice that data controllers and data subjects will need as we go forward.
Amendment 153D raises the question of whether a 40-day approval process for codes should apply, in order to make it clear that codes under Clauses 119 and 120 are subject to parliamentary scrutiny and that the 40-day approval period would fit in with the procedures of Parliament. As I said, this is a probing amendment and I would be grateful to have the comments of the Minister in due course.
Amendment 154A concerns the statement that the commissioner will review and revise the codes regularly, or keep each code under review. There is no specification of the timescale or the frequency of that. I suspect that the answer will be that it will be as seen fit by the Information Commissioner—but if the Minister can shed some light on this, it would be helpful.
Finally, Amendment 154B draws attention to Clause 119(2), which says, at the top of page 65:
“Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code”.
We have already touched on this, and the procedure is not explained. I would like to confirm that, since this matter may be of interest to Parliament, it will be by the affirmative procedure. I look forward to hearing a response and I beg to move.
My Lords, as my noble friend and I have mentioned previously, one of the Government’s primary concerns is to ensure that organisations of all sizes are supported in the transition to the new regime. To that end, the Bill maintains the requirement in the Data Protection Act 1998 for the Information Commissioner to publish codes of practice on data sharing and direct marketing.
When these codes are first published, they will rightly be subject to parliamentary scrutiny, although of course “first published” is slightly misleading as almost identical codes have been, or will have been, published under the 1998 Act before the Bill reaches Royal Assent. Either way, Amendments 153C and 153D seek to ensure that any future amendments to the data-sharing code of practice or the direct marketing code of practice are also subject to parliamentary scrutiny. I understand and appreciate the sentiment behind the amendments. I am happy to reassure the noble Lord that under Clause 121(8) it is already the case that amendments to the code are subject to parliamentary scrutiny.
Amendment 154A would require the commissioner to review the codes of practice at least once every three years. However, I point out to the noble Lord that the Bill already requires the commissioner to keep the codes of practice under review while they are in force and the Government do not consider that specifying a three-year timeframe between reviews would add any benefit. Indeed, it might create the misleading impression that the code should be reviewed only once every three years, when in fact it is a continuous process.
Finally, I turn to Amendment 154B. The Bill makes provision for the Information Commissioner to publish additional codes of practice beyond the two codes on data sharing and direct marketing. The noble Lord’s amendment would require any such additional codes to be subject to the affirmative resolution procedure. When preparing such codes, the commissioner must first consult trade associations, data subjects and other stakeholders the commissioner deems appropriate. The Government’s view is that, given the requirement for advance consultation with interested parties, and the fact that any regulations would simply place the commissioner under a duty to issue a code of practice providing practical guidance on the processing of specified classes of personal data of action, the negative resolution procedure remains appropriate.
To sum up, first, the purpose of the two codes of practice is to provide practical guidance to data controllers on the proper application of the data protection legislation; as such, they do not alter the law. Secondly, the procedure used to approve codes and amendments to codes is the same as found in Sections 52A and 52AA of the current Data Protection Act, the latter of which was inserted only earlier this year by the Digital Economy Act. That also means that the Delegated Powers and Regulatory Reform Committee of your Lordships’ House has considered this matter twice in the past year, and we are not aware that it had any concerns. I hope that has reassured the noble Lord and he feels able to withdraw his amendment.
My Lords, I am grateful to the Minister for her comments. She always sounds so reassuring, it is very hard to be critical. She did a rather better job of summarising what my amendments are about than I did—and I say that without any rancour or any concern. I am very grateful to her on all these counts. I beg leave to withdraw the amendment.
My Lords, with so many codes of practice flying around it would not be hard to lose one in the crowd, but this one stands out. With this amendment, we are suggesting to the Government that there is a need at the top of the pyramid for a code of practice which looks at the whole question of data ethics and morality. We discussed this topic in earlier sittings of the Committee and I think we were of one mind that there was a gap in the overall architecture of the organisations supporting data processing, which concerned us, in the sense that there was a need for an expert body.
The body could be some sort of combination along the lines of the HFEA or the Committee on Climate Change. It would have a duty to look at the moral and ethical issues affecting data collection and use, and be able to do some blue-sky thinking and to provide a supervisory approach to the way in which thinking on these matters would have to go. We are all aware, as has been mentioned many times, that this is a fast-moving technology in an area full of change where people feel a bit concerned about where their data is and how it is being looked at. They are worried that they do not have sufficient control or understanding of the processes involved.
The amendment suggests to the Government a data ethics code of practice which I hope they will look at with some care. It would begin to provide a hand of support to individuals who are concerned about their data and how it has been processed. Under this code of practice the commissioner could set out the moral and ethical issues, rather than the practical day-to-day stuff. It would focus on duties of care and need to provide examples of where best practice can be found. It would increase the security of personal data and ensure that the access to its use and sharing was transparent, and that the purposes of data processing were communicated to data subjects.
Some codes of this type already exist. I think that the Royal Statistical Society has been behind a number of codes on the use of our overall statistics, such as that operated within the OSS. Having read that code, I was struck by how apposite it was to some of the issues faced in the data-processing community. Some of the wording of this amendment comes from that, while other wording comes from think tanks and others who are working in this field. It will also come as no surprise to the Committee that some of the detail in the code’s latter subsections about privacy settings, minimisation standards and the language of terms and conditions also featured in the proposed code recommended to the Committee by the noble Baroness, Lady Kidron, in relation to children’s use of the internet and how their data is treated. The amendment meets other interests and examples of activity. It seems to fulfil a need, which is becoming more pressing every day, and is ambitious in its attempt to try to make sure that whatever regulatory and statutory provisions are in place, there will also be a wider dimension employed, which I think we will increasingly be part of.
I do not expect the Government to accept the amendment tout court, because it needs a lot more work. I fully accept that the drafting is a bit rough at the edges, despite the fact that we spent a lot of time in the Public Bill Office trying to get it right. I have already explained that I am not very good at synthesising in the way that the Bill team obviously is. I have no doubt that when he responds the Minister will be able to encapsulate in a few choice words what I have been struggling to say over the past three or four sentences—he nods, so it is clearly going to hit me again. I hope that he will take away from this short debate that this is an issue that will not go away. It is an issue that we need to address, and it may be that the new body, which was, I think, generally accepted by the Committee as something that we should move to in short order, might take on this as its first task. I beg to move.
My Lords, the noble Lord, Lord Stevenson, is too modest about his drafting—I think that this is one of the most important amendments to the Bill that we have seen to date. I am just sorry that we were not quick enough off the mark to put our name to it. I do not know which hand the noble Lord, Lord Stevenson, is using—there seem to be a certain number of hands involved in this—but anybody who has read Jonathan Taplin’s Move Fast and Break Things, as I did over the weekend, would be utterly convinced of the need for a code of ethics in these circumstances. The increasing use of data in artificial intelligence and algorithms means that we need to be absolutely clear about the ethics involved in that application. The noble Lord, Lord Stevenson, mentioned a number of codes that he has based this amendment on, but what I like about it is that it does not predicate any particular code at this stage. It just talks about the desirable architecture of the code. That makes it a very robust amendment.
Like the noble Lord, I have looked at various other codes of ethics. For instance, the IEEE has rather a good code of ethics. This is all of a piece with the stewardship council, the data ethics body that we debated in the previous day in Committee. As the Royal Society said, the two go together. A code of ethics goes together with a stewardship council, data ethics committee or whatever one calls it. You cannot have one without the other. Going forward, whether or not we agree today on this amendment, it is very clear that we need to keep coming back to this issue because this is the future. We have to get it right, and we cannot prejudice the future by not having the right ethical framework.
My Lords, I support this amendment and identify myself totally with the remarks of the noble Lord, Lord Clement-Jones. I am trying to be practical, and I am possibly even pushing at an open door here. I have a facsimile of the 1931 Highway Code. The introduction by the then Minister says:
“By Section 45 of the Road Traffic Act, 1930, the Minister of Transport is directed to prepare a code of directions for the guidance of road users … During the passage of the Act through Parliament, the opinion was expressed almost universally … that much more could be done to ensure safety by the instruction and education of all road users as to their duties and obligations to one another and to the community as a whole”.
Those last few words are very important. This must be, in a sense, a citizens’ charter for users—a constantly updated notion—of the digital environment to be sure of their rights and of their rights of appeal against misuse. This is exactly where the Government have a duty of care to protect people from things they do not know about as we move into a very difficult, almost unknown digital environment. That was the thinking behind the 1931 Highway Code, and we could do a lot worse than do something similar. That is probably enough for now, but I will undoubtedly return to this on Report.
My Lords, I support the spirit of this amendment. I think it is the right thing and that we ultimately might aspire to a code. In the meantime, I suspect that there is a lot of work to be done because the field is changing extremely fast. The stewardship body which the noble Lord referred to, a deliberative body, may be the right prelude to identifying the shape that a code should now take, so perhaps this has to be taken in a number of steps and not in one bound.
My Lords, I too support the amendment. Picking up this last point, I am looking to see whether the draft clause contains provisions for keeping the code under review. A citizens’ charter is a very good way of describing the objective of such a code. I speak as a citizen who has very frequently, I am sure, given uninformed consent to the use of my data, and the whole issue of informed consent would be at the centre of such a code.
My Lords, I am very grateful to the noble Lord, Lord Stevenson, for tabling this amendment, which allows us to return to our discussions on data ethics, which were unfortunately curtailed on the last occasion. The noble Lord invited me to give him a few choice words to summarise his amendments. I can think of a few choice words for some of his other amendments, but today I agree with a lot of the sentiment behind this one. It is useful to discuss this very important issue, and I am sure we will return to it. The noble Lord, Lord Puttnam, brought the 1931 Highway Code into the discussion, which was apposite, as I think the present Highway Code is about to have a rewrite due to autonomous vehicles—it is absolutely right, as he mentioned, that these codes have to be future-proofed. If there is one thing we are certain of, it is that these issues are changing almost by the day and the week.
The noble Lord, Lord Stevenson, has rightly highlighted a number of times during our consideration of the Bill that the key issue is the need for trust between individuals and data controllers. If there is no trust in what is set up under the Bill, then there will not be any buy-in from the general public. The noble Lord is absolutely right on that. That is the reason that the Government are committed to setting up an expert advisory body on data ethics. The noble Lord mentioned the HFEA and the Committee on Climate Change, which are interesting prior examples that we are considering. I mentioned during our last discussion that the Secretary of State was personally leading on this important matter. He is committed to ensuring that just such a body is set up, and in a timely manner.
However, although I agree with and share the intentions that the noble Lord has expressed through this amendment, which other noble Lords have agreed with, I cannot agree with the mechanism through which he has chosen to express them. When we previously debated this topic, I was clear that we needed to draw the line between the function of an advisory ethics body and the Information Commissioner. The proposed ethics code in this amendment is again straddling this boundary.
Our new data protection law as found in this Bill and the GDPR will already require data controllers to do many of the things found in this amendment. Securing personal data, transparency of processing, clear consent, and lawful sharing and use are all matters set out in the new law. The commissioner will produce guidance, for that is already one of her statutory functions and, where the law is broken, the commissioner will be well equipped with enforcement powers. The law will be clear in this area, so all this amendment will do is add a layer of complexity.
The Information Commissioner’s remit is to provide expert advice on applying data protection law. She is not a moral philosopher. It is not her role to consider whether data processing is addressing inequalities in society or whether there are public benefits in data processing. Her role is to help us comply with the law to regulate its operation, which involves fairly handling complaints from data subjects about the processing of their personal data by controllers and processors, and to penalise those found to be in breach. The amendment that the noble Lord has tabled would extend the commissioner’s remit far beyond what is required of her as a UK supervisory authority for data protection and, given the breadth of the code set out in his amendment, would essentially require the commissioner to become a regulator on a much more significant scale than at present.
This amendment would stretch the commissioner’s resources and divert from her core functions. We need to examine the ethics of how data is used, not just personal data. However, the priority for the commissioner is helping us to implement the new law to ensure that the UK has in place the comprehensive data protection regime that we need and to help to prepare the UK for our exit from the EU. These are massive tasks and we must not distract the commissioner from them.
There is of course a future role for the commissioner to work in partnership with the new expert group on ethics that we are creating. We will explore that further once we set out our plans shortly. It is also worth noting that the Bill is equipped to future-proof the commissioner to take on this role: under Clause 124, the Secretary of State may by regulation require the commissioner to produce appropriate codes of practice. While the amendment has an arbitrary shopping list, much of which the commissioner is tasked with already, the Bill allows for a targeted code to be developed as and when the need arises.
The Government recognise the need for further credible and expert advice on the broader issues of the ethical use of data. As I mentioned last week, it is important that the new advisory body has a clearly defined role focused on the ethics of data use and gaps in the regulatory landscape. The body will as a matter of necessity have strong relationships with the Information Commissioner and other bodies that have a role in this space. For the moment, with that in mind, I would be grateful if the noble Lord withdrew his amendment. As I say, we absolutely understand the reasons behind it and we have taken on board the views of all noble Lords in this debate.
My Lords, do the Minister or the Government yet have a clear idea of whether the power in the Bill to draw up a code will be invoked, or whether there will be some other mechanism?
At the moment, I do not think there is any anticipation for using that power in the near future, but it is there if necessary in the light of the broader discussions on data ethics.
So the Minister believes it is going to be the specially set-up data ethics body, not the powers under the Bill, that would actually do that?
I do not want to be prescriptive on this because the data ethics body has not been set up. We know where we think it is going, but it is still to be announced and the Secretary of State is working on this. The legal powers are in the Bill, and the data ethics body is more likely to be an advisory body.
I thank all noble Lords who have contributed to this debate. It has been a short but high-quality one that has done a lot to tease out some of the issues behind the amendment. I am grateful to the noble Lord, Lord Clement-Jones, for his kind words about what I was saying, but also for reminding me that there were other groups working on this. I absolutely agree that the IEEE is one of the best examples of thinking on this; it may come from a strange source, in the sense that it is a professional body involved more with the electronic side of things, but the wording of the report that I saw was very good and bore very firmly on the issues in this amendment.
So where are we? We seem to be sure that a body will be set up that will be at least advisory in terms of the issues that we are talking about, although I think the Minister was leaving us with the impression that the connection would be made outside the Bill, not within it. That is possibly a bit of a mistake; I think a case is now developing, along the lines set out by my noble friend Lord Puttnam, that we need to see both sides of this in the Bill. We do not need to see the firm regulatory action, the need to comply with the law and the penalties that can be applied by the regulator, the Information Commissioner, but we need to see a context in order to build trust and allow people to understand better what the future growth, change and trends in this area will be, because they are concerned about them. I do not think you can do that if these bodies are completely separate. I suspect we need to be surer about how the connections are to be made, and we will gain if there is in fact a proper connection between the two.
If the Information Commissioner is not to be a moral philosopher—who needs moral philosophers when there are so many around?—she will certainly need to have good advice, which can come only from expertise gathered around the issues that we have been talking about. That is not the same as making sure that she is robust about people applying the law; the difference there is the reason why we want to do that.
The other half of this equation is that it may well be fine for an advisory body to opine about where the moral climate is going and where ethics might take you in practice, but if the companies concerned are not practising what they are hearing, we will be no further forward. Surely a code will have to be devised, whether now or later, to make sure that the lessons learned, the information gathered and the blue sky thinking that is around actually bite on those who are affecting our individuals—whether they be young, vulnerable or adult—and that they are fully compliant with all the aspects of what they have signed up to. We will need to come back to this but, in the meantime, I beg leave to withdraw the amendment.
My Lords, I shall speak briefly about the Government’s motives in tabling this group of amendments. There are 27 amendments in the group, but fear not: I shall avoid the temptation to talk through them all, instead focusing on only a few which may be of interest. Also, noble Lords received letters from my noble friend on 20 October and 14 November addressing the issues in the amendments.
I start with Amendments 163, 164 and 168. Clause 139 provides a criminal offence of failure to comply with an information notice. This is a hangover from the 1998 Act but, on reflection, the Government consider that it is no longer required, as the Information Commissioner will now have access to a much broader range of administrative penalties. Removing the criminal offence would also align the maximum penalty with that for failure to comply with an enforcement notice, ensuring that the commissioner is not disincentivised from serving an enforcement notice if she considers that that is the most appropriate course of action.
Amendments 165, 166 and 167 amend Schedule 16. Where the commissioner intends to give an administrative penalty, she must give a notice of intent, to which the data controller may make representations. The commissioner has six months from the point at which the notice of intent is given to issue a penalty notice. In some complex cases, the data controller may need more than six months to make their initial representations, or there may be a continuing technical dialogue between the parties. These amendments allow—but, importantly, do not compel—the commissioner and the controller to mutually agree to extend the six-month deadline to allow the process to reach its natural conclusion.
Finally among the many amendments in this group, Amendment 188A provides a list of consequential amendments. I mention it here for two reasons. First, as noble Lords will have noticed, it is a long list: references to the Data Protection Act appear in more than 50 other pieces of primary legislation. Secondly—this is a response to a point made by the noble Lord, Lord McNally, on a previous day in Committee—it is testament to the importance that the Government attach to having a regime that is fully operational in time for 25 May 2018. Such a tight turnaround means that there is no time to take through secondary legislation after Royal Assent, which is the Government’s usual approach to consequential amendments. Instead, we must put everything that we need for 25 May in the Bill. Amendment 188A is another step towards that goal.
On that note, my Lords, I beg to move.
My Lords, it is an extraordinary list of amendments that address things in great detail; they are all about tidying up and working things out as we go along. Since that is what we try to do as often as we can, it is nice to see the effort that has been made and hours that have been spent. Much of it is logical and needs no further discussion, but we have in respect of amendments in the range of Amendment 171, and so on, a bit of a worry about the notion that personal data is processed for special purposes—journalism, academic, artistic or literary purposes—and that there are exemptions in place so that the commissioner must first determine whether processing is for a special purpose before taking further enforcement action.
We have always understood that the provisions at this point are only asking in this Bill to replicate the conditions obtaining in such cases in the 1998 legislation. This particular detail makes it seem as if that might not be the case, because we have submissions from various people in the media to suggest that, while they understand the regulations, to step in before the material is put together to make this determination feels a bit threatening. Can the Minister guarantee that the provisions in this Bill are identical with those in the 1998 Act?
There is not an adequate mention, again, according to people in the field, of the relation of photography and photojournalism to written journalism. Could that be thought about, too? If everything is the same, we have no further questions but, if not, could the Minister tell us exactly what the differences are and whether she can write to us so that we may know what they are?
As the noble Lord said, this particular group of amendments is where personal data is processed for special purposes for journalism, academic, artistic or literary purposes. There are certain exemptions in place, so the commissioner must first determine whether processing is for special purposes before taking further enforcement action. A special purposes determination can be appealed to a court, not a tribunal; these amendments correct the Bill as only a court, not tribunals, are relevant. They also make technical corrections to ensure compatibility with Scots law. The definition of special purposes proceedings is also widened slightly so that special purposes can be asserted in a wider range of situations.
I think that I have inspiration coming from my right hand side. The noble Lord mentioned photojournalism, which is included in the data—I think that that is what he meant.
I sympathise with the Minister, who sought inspiration from behind, because it is what I do all the time. Those who have expressed anxiety to us are worried that pressure will be put on them as programme makers and investigative journalists prior to publication and issuing their material in edited form, whereas currently they are subject to the regulation once that material has been put together. That is the area where anxieties have been expressed, and we need some reassurance on that point.
The best thing that I can do is to have a look and get back to the noble Lord on those points, if that is okay.
My Lords, I speak also to the other amendments in this group. All these amendments are suggested by the Bar Council and stand in my name and those of the noble Lord, Lord Arbuthnot of Edrom, and the noble Baroness, Lady Neville-Rolfe. All concern legal professional privilege, a subject which the Committee and the House have frequently debated. I know I do not need to stress its importance or remind noble Lords—but obviously, I am just about to—that the confidentiality and privilege are those of the client, not the lawyer.
The Bar Council comments that the powers of the commissioner to have access to the information and systems of data controllers should be limited where the data controller is a legal professional or anyone subject to the requirements of client confidentiality and legal professional privilege. It reminded us that there are exceptions in the 1998 Act which deal with this. Legal professional privilege cannot be waived by the lawyer but is subject to contractual or other legal restrictions. In the clauses in question, legal professional privilege seems to be overridden in circumstances where the commissioner considers that she needs to look at the data to perform her functions. Clause 128(1) refers to use or disclosure,
“only so far as necessary for carrying out those functions”—
that is, the commissioner’s functions. I suggest that this is inappropriate given the provisions elsewhere in the Bill which we now seek to amend.
Amendments 161A, 161B, 161C and 161D deal with confidential legal materials which it is proposed should be inserted and covered. These are defined in the last of these four amendments as “materials brought into being”, as distinct from documents which are communicated between an adviser and a client, and thus would be wider, and include materials brought into being,
“for the purpose of establishing, exercising or defending legal rights”,
which is wider than the Bill provides.
The Bill does not contain directions as to the purpose of the guidance on protection of privileged material. Amendment 161C would give a direction to the commissioner as to the purpose. Amendments 162A, 162B, 163ZA and 163ZB would again extend the protection. Clauses 138 and 141 are limited to documents that relate to data protection legislation. These amendments would widen the protection to all documents protected by legal professional privilege.
Clause 138(5) does not cover the right of self-incrimination of other persons, such as the client of a legal representative or a family member of a client, who would not be entitled to rely on privilege. Amendment 162C would widen the class of persons to others. Since the client may well be seeking advice or representation in relation to a matter which might incriminate him, the Bar Council asks us to point out that this is particularly important.
Amendment 163B reflects provisions in Clause 138, on information notices, and in Clause 141, on assessment notices, and extends the restrictions to enforcement notices. The clauses I have mentioned provide that a person is not required to give the commissioner privileged material—I beg your Lordships’ pardon; a bracket has been opened and I am seeking where it closes—in response to such a notice. As I say, this would extend that restriction to enforcement notices.
Finally, on Amendment 164B, professionals may be restricted in providing information to the commissioner in respect of their processing, because of privilege or an obligation of confidentiality, compliance with the Bar code of conduct, or rules or orders of the court. The Bar Council wishes the Committee to be aware that a barrister,
“may wish to disclose information in mitigation or explanation for a breach of the GDPR provisions, but be unable to do so because disclosure would place”,
“in breach of professional conduct rules or other confidentiality obligations, or in breach of data protection obligations because it is not possible to obtain consent for”,
Compliance with the profession’s rules might have the result of exposing a barrister to a higher penalty to be imposed by the commissioner as a result of that inability, which does not seem fair. The amendment would provide that circumstances of this kind may be taken into account by the commissioner when assessing the penalty by adding a paragraph to the mitigating circumstances in the list. As the Bar Council points out, none of these points would prevent the commissioner effectively carrying out her duties. Even if she were,
“prevented from seeing privileged and confidential material, this … would be a justified and necessary consequence of … proper weight being given to the citizen’s fundamental right to consult a lawyer and to maintain the confidentiality”.
However, if unamended, there could be a conflict between the legal regulators and the commissioner. I beg to move.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, and to the Bar Council for the help it has given us on these amendments. I declare an interest—at least, I suppose I do—in that my wife is a judge and I used to practise as a Chancery barrister long ago.
It is an essential part of our legal system that people should have access to the justice system without communications between the client and the lawyer being disclosed—or, at any rate, that those disclosures should have only the rarest occurrence, such as, for example, if a communication is to be used to facilitate a crime. In those circumstances alone can legal professional privilege be waived. I suggest that the Bill should recognise the value of legal professional privilege but that it does not put that recognition into full effect. I hope that our amendments would achieve that.
My Lords, I am grateful to the noble Baroness, Lady Hamwee, for tabling these amendments. I know that the Bar Council has raised similar concerns with officials in my department and I am keen that that dialogue continue.
Before I address the amendments, I would like to say something about the overarching principles in relation to the interaction between data protection and legal professional privilege.
The right of a person to seek confidential advice from a legal adviser is indeed, as my noble friend Lord Arbuthnot said, a fundamental right of any person in the UK and a crucial part of our legal system. The Government in no way dispute that, and I reassure noble Lords that this Bill does not erode the principle of legal professional privilege.
It is true that the Data Protection Act 1998 allows the Information Commissioner to use her powers to investigate alleged data breaches by law firms, and sometimes the information she requests in order to carry out a thorough investigation may contain information which is subject to legal professional privilege. The commissioner recognises the sensitivity of material protected by legal professional privilege and has established processes in place for protecting it. Any material identified by the data controller as privileged is isolated if seized during a search and it is then sent directly to independent counsel for review. Counsel then provides an opinion on whether privilege applies. If counsel decides that the data is not privileged, the data controller can still dispute the Information Commissioner’s right to access that material and has the right to appeal to a tribunal, which will carry out a full merits review.
The Government are seeking only to replicate, as far as possible, in the current Bill the existing provisions relating to legal professional privilege in the 1998 Act. It is, for example, vital that the Information Commissioner retain the power to investigate law firms. They, like other data controllers, can make mistakes. If personal data is lost, stolen or disclosed unlawfully, that can have serious consequences for data subjects. It is right that the Information Commissioner retain the ability to investigate potential breaches by lawyers. They are not above the law.
As a final point of principle before we examine the amendments in detail, it is also worth highlighting that Clause 128 introduces a new requirement for the Information Commissioner to publish guidance on how legally privileged material obtained in the course of her investigations will be safeguarded. There was no similar requirement in the 1998 Act, so in that respect the current Bill actively strengthens protections for legal professional privilege. This has been included because historically the commissioner has found that a minority of those in the legal profession refuse to allow her access to personal data on the basis that it is privileged. The profession has not always understood that it must disclose the data and that the commissioner then has processes and procedures to protect that data. This guidance will make it clearer to the legal profession that robust safeguards are in place.
I turn to the amendments in this group. As I have said, Clause 128 provides that the Information Commissioner must publish guidance on the safeguards in relation to legally privileged communications. Amendments 161A and 161B would amend subsection (1) to clarify that any guidance published by the commissioner should cover the handling of any “confidential legal materials” as well as any communications between legal adviser and client. Amendment 161D would then introduce a wide definition of “confidential legal materials”. This, in our view, is unnecessary. I have no doubt that the Information Commissioner will interpret this to include draft communications.
Bills have grown in length over the years and, if we were to cover off permutations and combinations of processing and preparatory work such as this in every clause, we would be debating this Bill until next summer. We would also, through overdefinition, create more worrying loopholes.
Amendment 161C would make further provision about the purposes of the guidance published by the Information Commissioner. It has been suggested that the aim of the guidance should be to make it clear that nobody can access legally privileged material without the consent of the client who provided the material in the expectation that it would be treated in confidence. As I have already said, it is vital that the Information Commissioner retain the ability to investigate, and this amendment would call that into question because an investigation could not happen if the client withheld consent. I hope that the reassurances I have already given about the lengths to which the Information Commissioner will go to keep any confidential information safe are sufficient on that point. We are clear that the commissioner must have the right to investigate.
I said I would return to the issue of the Information Commissioner’s enforcement powers and the interaction with legal professional privilege. When there is a suspected breach of the data protection legislation, the commissioner has a number of tools available to aid her investigation. The commissioner can use information notices and assessment notices to request information or access filing systems, use enforcement notices to order a data controller to stop processing certain data or to correct bad practices, and issue monetary penalty notices to impose fines for breaches of the data protection legislation. However, we understand from the commissioner that the powers to issue assessment notices and information notices are rarely used because controllers tend to co-operate with her request. There are, however, a number of restrictions on the use of these enforcement powers where they relate to legally privileged information. In relation to information notices these are set out in Clause 138, and in relation to assessment notices they are set out in Clause 141. The restrictions ensure that a person is not required to provide legally privileged information. The concept of legal privilege is therefore preserved, although it may be waived by the controller or processor.
Amendments 162A, 162B, 162C, 163ZA and 163ZB intend to broaden the restrictions in Clauses 138 and 141 regarding information and assessment notices so that they apply explicitly to all legally privileged communications, not just those which concern proceedings under data protection legislation. The Government carefully considered whether these restrictions should apply to a wider range of legally privileged material when we developed the Bill. The current practice is for the ICO to appoint independent counsel to assess all potentially legally privileged material, which is not therefore passed on to the ICO if found to be privileged.
Amendment 163B seeks to apply the same restrictions that apply to assessment and information notices to enforcement notices. While we understand that this amendment derives from a concern that there may be a gap in the enforcement notice provisions, as there is currently no reference in those provisions to protecting legal professional privilege, I can reassure noble Lords that such provision is unnecessary because, unlike information and assessment notices, enforcement notices cannot be used to require a person to provide the commissioner with information, only to require the controller to correct bad practice.
Finally, I turn to Amendment 164B, which aims to add to the list of matters in Clause 148 that the Information Commissioner must consider when deciding whether to give a data controller a penalty notice and determining the amount of the penalty. If a legal adviser failed to comply with an information or assessment notice because the information concerned was legally privileged, it would require the Information Commissioner to take this into account as a mitigating factor when deciding whether to issue a penalty notice and setting the level of financial penalty. Clause 126 specifically provides that the duty of confidence should not preclude a legal adviser from sharing legally privileged material with the Information Commissioner. As I have previously explained, there are strict procedures in place to protect privileged material.
We have given all these amendments careful consideration, but I hope that I have convinced the Committee that the Bill already strikes the correct balance between the right to legal professional privilege and the rights and freedoms of data subjects. With that, I hope that the noble Baroness feels able to withdraw her amendment.
My Lords, indeed I will. The Minister mentioned continuation of dialogue. That, of course, is the right way to address these things, but I believe the Bar Council seeks to do what he says the Bill does: replicate the current arrangements.
If it is not necessary to provide specifically for confidential material, I suspect those who drafted these amendments may want to look again at the definition of “privileged communications” to see whether it is adequate. I do not believe they would have gone down this route had they been content with it.
On the amendments that would extend protections to all legally privileged material, not just data protection items—Amendment 162A and so on refer to any material—I am not clear why there is a problem with the extension under a regime such as the one the Minister described. That would catch material and deal with it in the same way as any other. I do not know whether there is a practical problem here.
On Amendment 164B the Minister directed us to Clause 126. Again, I am not sure whether he is suggesting there might be a practical problem. It seems an important amendment, not something that should be dealt with by reading between the lines of an earlier clause. However, I will leave it to those who are much more expert than I am to consider the Minister’s careful response, for which I thank him. I beg leave to withdraw the amendment.
My Lords, although the amendment’s wording is narrow, it is very much a probing amendment. I hope we will be able to range a bit further on the funding and the structure of the Information Commissioner’s Office, which depends on its ability to raise funding to survive. I will make various points on that.
In some senses the Information Commissioner’s Office is a rather strange regulator, in terms not of its functions, but of the way it has survived a number of possibilities for change and development that have been applied to other sectors of British industry, particularly those relating in some senses to data processing. If noble Lords compare Oftel, the IBM, to some extent the BBC and what has now emerged as Ofcom, they will see a change from the original structure of regulators, which were very largely bodies set up to make sure the previously public sector nature of an activity that had been privatised was done in a way that did not exclude the public interest. These regulators were largely economic in origin and have only gradually added social regulation to their parts.
In a sense the ICO’s journey is different. First, the way these other regulators have moved has not been followed, so the change from a one-off individual dealing with economic and a limited amount of social regulation to being partnerships or boards with a range of individuals appointed to take over various functions—Ofcom is perhaps the easiest example to use—has not been followed. We still have a single regulator which is independent and reports to Parliament, and I understand the structure to be that of a corporation sole, which is an issue that we might want to reflect on.
My Lords, I thank the noble Lord for introducing his amendments, which touch on the fees that the Information Commissioner will be able to charge under the new regime. Noble Lords will recall that we discussed similar issues during the passage earlier this year of what became the Digital Economy Act. Perhaps I may start with some of the general points made by the noble Lord and then go on to address his specific amendments. I agree absolutely that this is a bigger issue than just the amendments; it is the question of how the Information Commissioner, to whom we have given these very important duties, will be able to sustain an effective service. I can assure the noble Lord that we are aware of and understand the specific problem he outlined about staff. In fact, I was present at a meeting three or four weeks ago at which we discussed that exact subject. Part of the issue to deal with that will, I hope, be addressed in the near future, in ways that I cannot talk about tonight.
On the noble Lord’s general question as to whether it is an adequate system, we believe that the suggested system is flexible enough to deal with the requirements of the Information Commissioner. We realise that increased burdens will be placed on her; at the moment, I believe that her office has not raised its fees for 18 years. Of course, the number of data controllers has risen, so the rate applies to a greater number of people. We will lay some statutory instruments that will deal with the fees for the Information Commissioner in the near future, so I am sure that we will come back to that.
On the specific amendments the noble Lord has tabled, Clause 129 permits the Information Commissioner to charge a “reasonable fee” when providing services to data controllers and other persons who are not data subjects or data protection officers. This is intended to cover, for example, the cost to the commissioner of providing bespoke training for a data controller. Amendment 161E would place a requirement on the commissioner to publish guidance on what constitutes a “reasonable fee” within three months of Royal Assent. We agree that data controllers and others should know what charges they should expect to pay before they incur them. However, the Government’s view is that this is already provided for through Clause 131, which requires that the commissioner produce and publish guidance about any fees that she proposes to charge for services under Clause 129. As there is already a requirement for the commissioner to publish guidance in advance of setting any fees, the Government do not consider a particular deadline necessary.
Amendment 161F would remove Clause 132(2) completely. I am concerned that the amendment would create ambiguity in an area where clarity is desirable. Clause 132 makes provision for a general charging regime in the absence of a compulsory notification regime like that provided in the 1998 Act. Clause 132(2) clarifies that the regime could require a data controller to pay a charge regardless of whether the Information Commissioner had provided, or would provide, a “service” to that controller. This maintains the approach that is currently in force under the 1998 Act—namely, that most data controllers are required to pay a fee to the commissioner whether or not a service is provided to them—and is intended to meet the costs of regulatory oversight.
The consultation on the new charging regime recently closed and the Government intend, as I said, to bring forward regulations setting out the proposed fees under the new regime early in the new year. No final decision has yet been taken in relation to those fees, but, as I committed to during passage of what became the Digital Economy Act, charges will continue to be based on the principle of full cost recovery and, in line with the current model, fee levels will be determined by the size and turnover of an organisation but will also take account of the volume of personal data being processed by the organisation. That partly addresses the point made by the noble Lord.
Amendment 161G addresses a concern raised by the Delegated Powers and Regulatory Reform Committee that the fees regime established by Clause 132 should not raise excess funds beyond what is required to cover the costs of running the Information Commissioner’s Office. I must confess to a sense of déjà vu; we debated a very similar amendment in the Digital Economy Act. The Government are considering their response to the committee’s report, but they remain concerned that there should be sufficient flexibility within the new fees regime to cover the additional functions that the commissioner will be taking on under the new regime and any other changes that may be dictated by operational experience, once the new regime has bedded in. Indeed, if anything, the merit of having some limited flexibility in this regard is even clearer now than it was in March when we debated the Digital Economy Act.
I confirm once again that charges will be on the basis of full cost recovery. We take on board the point made by the noble Lord, Lord Stevenson, that the commissioner must be able to make sufficient charges to undertake and fulfil the requirements that we are asking of her.
Finally, on Amendment 161H, I can reassure the noble Lord that the Information Commissioner already prepares an annual financial statement, in accordance with paragraph 11 of Schedule 12 to the Bill, which is laid before Parliament. In addition, there may be occasions where the Secretary of State needs up-to-date information on the commissioner’s expenses mid-year—in order, for example, to set a fees regime that neither under-recovers nor over-recovers those costs. That is why Clause 132(5) is constructed as it is.
I hope that I have addressed the noble Lord’s concerns both in general and in particular and that he will feel able not to press his amendments.
My Lords, I do not know whether I am getting confused here. The Minister referred to Clause 132(2), about the power for the Information Commissioner to require data controllers to pay a charge regardless of whether the commissioner has provided, or proposes to provide, a service to the controller. How can that be done if there is to be no requirement for data controllers to register with her?
There is a duty for data controllers to pay a charge to the Information Commissioner in the same way as there is a duty today for data controllers to register with the Information Commissioner. The duty applies in both circumstances. In some cases, some data controllers do not register with the Information Commissioner—they are wrong not to do so, but they do not. In the same way, it is possible that some data controllers may not pay the charge that they should. In both cases, in today’s regime and that proposed, there is a duty on data controllers to perform the correct function that they are meant to perform. Controllers do not all register with the Information Commissioner today, although they should, and may not pay their charges. Under the new regime, they should, and an enforcement penalty is able to be levied if they do not.
I am grateful to the Minister for his full response to the group of amendments. I shall look at it carefully in Hansard before we come back on it. Concerns were expressed in other Committee sittings about the burden placed on charities and SMEs, many of which will find the costs they are now required to pay an additional burden—we have seen some figures suggesting that there will be quite a big drag on some smaller companies. The consultation should at least have identified that concern and the Government will be aware of it. If the three-tier system is to be capable of looking at volumes—the implication of what the Minister said is that big international companies will pay more because the volume of the data they process is much greater—there will be equity in that. We will look at how that progresses, but we seem to be on the right lines.
By and large, the thrust of what I was trying to say is that there needs to be a modern response to this system in terms of what is available out there in the marketplace. If a company is paying Ofcom for the regulatory function it provides, it should not be that different if it is also paying the Information Commissioner for what services it provides, because they are two sides of the same coin. On the DPRRC amendment, I note what the noble Lord said and look forward to his further discussion with the Committee on that point. On the broader question about the ICO, there were two points that were not responded to, but perhaps we can look at that again offline.
The great advantage of the new type of regulator exemplified by Ofcom—there are many more examples—is that it is trusted, not just by government but also by industry, to set its own fees and charges in a businesslike way. Indeed, we get responses all the time about how well Ofcom does in satisfying what is required. Of course, if there is a problem about fees—and the Minister said he is on to it—one solution is to ensure that the ICO has that freedom to set the fees and charges appropriate for the work that needs to be done. I think she is probably in a better place to do that than anyone else.
My Lords, the amendments in this group, in my name and that of my noble friend Lord Stevenson of Balmacara, take up a number of issues raised by the Delegated Powers and Regulatory Reform Committee in its report on the Data Protection Act. Our Amendment 163ZC adds a requirement on the commissioner to specify in guidance what constitutes “other failures” under subsection (8). Amendment 164C adds a requirement on the commissioner to specify, within three months of the Act coming into force, what constitutes “other failures”. I think it is important that we are clear, at least in guidance, what these “other failures” are.
Amendment 168A concerns the regulations for non-compliance with the charges regulations, deleting all the subsections and inserting new ones. The new subsections make provision for proper consultation with the commissioner and other persons that the Secretary of State considers appropriate, and state that any regulations made must be subject to the affirmative resolution procedure. The amendment sets a maximum penalty and the amount of penalty for different types of failure.
Amendment 168B seeks to replace “produce and publish” with “prepare”, which we think is better in this context. Amendment 168C seeks to put in the Bill a procedure that was recommended in the report of the Delegated Powers and Regulatory Reform Committee, which suggested that the guidance should be subject to some form of parliamentary scrutiny. Amendment 168D seeks to set out how the guidance can be amended or altered with the new procedures outlined in Amendment 168C.
The final four amendments in the group—Amendments 182D to 182G—take up the issue of the power in the Bill to make Henry VIII changes to reflect changes to the data protection convention. We are seeking to delete “or appropriate” from Clause 170(1) to make it only,
“as the Secretary of State considers necessary”.
We think that presently the subsection is worded too broadly. We also seek to delete “includes” and insert “is limited to” in respect of the powers. Then we make it clear that the power is in respect only of Part 4. Finally, as highlighted by the committee, we time-limit the period for changes to three years. I beg to move.
My Lords, the amendments tabled by the noble Lords, Lord Stevenson and Lord Kennedy, reflect the recommendations made by the Delegated Powers and Regulatory Reform Committee in its report on the Bill. As noble Lords will be aware, the Government hold the committee in high regard and, as always, we are grateful for its consideration of the delegated powers in the Bill. As set out in our previous discussions on delegated powers, the Government are considering the committee’s recommendations with a view to bringing forward amendments on Report. For that reason, I will keep my remarks brief but noble Lords should be reassured that I have listened to and will reflect on our discussions today.
As noble Lords know only too well, delegated powers are inserted into legislation to allow a degree of adaptability in law. As we have touched on in our earlier discussions of delegated powers, and as I am sure noble Lords will agree, no other sector or industry is evolving as quickly as the digital and data economy. The pace at which new forms of data processing are being developed, and the sophistication and complexity with which new data systems are being designed, will render any current governance obsolete in a very short time. It is for this reason that we consider it necessary to be able to adapt and update the Information Commissioner’s enforcement powers.
However, the Government recognise the need to provide certainty through clauses on the statute book. I therefore thank the noble Lord for his suggestions in Amendments 163ZC and 164C for how regulation-making powers relating to the commissioner’s enforcement and penalty notices in Clauses 142 and 148 could be more appropriately defined; this is certainly something that I will reflect upon. In Amendments 168A to 168D, I recognise other recommendations of the DPRRC relating to the Information Commissioner’s guidance and penalties.
As I have already set out, it is important that the Information Commissioner’s powers are subject to a degree of flexibility. She must be able not only to identify new areas of concern but to tackle them with proportionate but effective enforcement measures. In an ideal world, we would have a crystal ball that could tell us all but the reality is that we do not. We do not have one now and the Information Commissioner will not have one three months after Royal Assent. We must preserve the ability of the regulatory toolkit to constantly adapt to changing circumstances and keep data subjects’ rights protected.
I note the proposals in Amendments 182D to 182G, which would limit the scope of the regulation-making power in Clause 170. Clause 170 is intended to allow the Government to update the Bill to reflect amendments to convention 108.
As with previous amendments based on the Delegated Powers and Regulatory Reform Committee’s report, it is important that we consider these amendments alongside the broader recommendations given by that committee. The Government are keen to give proper consideration to these recommendations and, while this is ongoing, I am confident that we will have concluded our position on these amendments before we come to the next stage of the Bill. I am grateful for the informative discussion we have had today, which forms the final part of our reflection upon the committee’s report. I hope that the noble Lord will feel able to withdraw his amendment and I look forward to returning to these issues on Report.
My Lords, the Delegated Powers and Regulatory Reform Committee is one which the Opposition hold in high regard, as the Government do. It does an important job for the Government by going through legislation and looking at whether the powers the Government seek to take are applied appropriately. I thank the noble Baroness, Lady Chisholm, for that very much and I am pleased that she confirmed that the Government were looking at the matters in the report carefully. When they come back on Report, I hope that they will address the issues I have raised and others in that report. On that basis, I am happy at this stage to withdraw my amendment.
Committee (5th Day)
Relevant documents: 6th Report from the Delegated Powers Committee, 6th Report from the Constitution Committee
153: After Clause 114, insert the following new Clause—
“Function of the Commissioner to maintain a register of data controllers
(1) The Commissioner must maintain a register of all data controllers.
(2) Subject to subsection (3), personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under subsection (1).
(3) Subsections (1) and (2) do not apply in relation to any processing whose sole purpose is the maintenance of a public register.”
The noble Lord talked about co-operation with EU member states after the UK has left the EU. As he noted, the Information Commissioner works closely with other EU regulators and is well-regarded among her EU and international counterparts. But of course, the detail, such as representatives, on how the UK and EU systems interact post exit is a matter for negotiations, and the Government are keen for this co-operation to continue and do not see any reason why it should not. We believe that regulatory co-operation between the UK and the EU on a range of issues, including data protection, will be essential, not least because the GDPR will continue to apply to UK businesses, offering goods and services to individuals in the EEA. We want to build a new, deep and special partnership with the EU; that relationship could enable an ongoing role for the Information Commissioner in EU regulatory forums, preserving the existing valuable regulatory co-operation and building a productive partnership to tackle future challenges.
While we are on the subject of the Information Commissioner’s role, I want to comment on a matter that the House authorities have raised with the Bill team. There are some concerns about the potential role of the commissioner in relation to proceedings in Parliament. For example, it may arguably be a breach of the GDPR for a corporate officer of the House to continue to process inaccurate personal data contained in privileged material, such as an Early Day Motion containing names of individuals, which in theory could be enforceable by action taken by the Information Commissioner. Let me put on record that there is no intention that the Information Commissioner be involved in the proceedings of Parliament. Article 6 of the GDPR sets out the function of the commissioner and we have included in the Bill provision to supplement that where we can. While the commissioner must be independent, she also reports to, and respects, Parliament and will not interfere with proceedings or undermine parliamentary privilege.
I hope that provides some reassurance to the House authorities. I also hope that, in the light of my response to the proposed amendments, noble Lords feel able not to press them today. Before I finish, I should mention the intervention of the noble Baroness, Lady O’Neill. I asked her for the paragraph she mentioned; I looked at it, but I am afraid I was not quick enough to catch up with her. If I may, I will read her comments in Hansard and reply by letter.
Amendment 153 withdrawn.
Amendment 153ZA not moved.
Schedule 13: Other general functions of the Commissioner
Amendment 153A not moved.
Schedule 13 agreed.
Clauses 115 and 116 agreed.
Schedule 14 agreed.
Clause 117: Inspection of personal data in accordance with international obligations
153B: Clause 117, page 63, line 35, leave out subsection (5)
Amendment 153B withdrawn.
Clauses 117 and 118 agreed.
Clause 119: Data-sharing code
153C: Clause 119, page 65, line 2, at end insert “subject to the process under section 121”
Amendment 153C withdrawn.
Clause 119 agreed.
Clause 120: Direct marketing code
Amendment 153D not moved.
Clause 120 agreed.
Amendment 154 not moved.
Clause 121 agreed.
Clause 122: Publication and review of data-sharing and direct marketing codes
Amendment 154A not moved.
Clause 122 agreed.
Clause 123 agreed.
Clause 124: Other codes of practice
Amendment 154B not moved.
Clause 124 agreed.
Amendments 155 to 157 not moved.
157A: After Clause 124, insert the following new Clause—
“Personal data ethics code of practice
(1) Within six months of the passing of this Act, the Commissioner must prepare an ethics code of practice for data controllers.
(2) The code must include a duty of care from the data controller and the processor to the data subject.
(3) The code must provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—
(a) reduce vulnerabilities and inequalities;
(b) protect human rights;
(c) increase the security of personal data;
(d) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.
(4) The code must consider—
(a) how to support data processing which has clear benefits for users and members of the public;
(b) the effectiveness of measures to seek the consent of users to the collection and use of their personal data;
(c) the risks and limitations of new technologies, ensuring that there is sufficient human oversight.
(5) The code must also provide guidance on—
(a) default privacy settings;
(b) data minimisation standards;
(c) presentation and language of terms and conditions;
(d) transparency of paid for activity, such as product placement and marketing;
(e) sharing and resale of data;
(f) veracity and accuracy of information;
(g) strategies used to encourage extended user engagement;
(h) user reporting and resolution processes and systems;
(i) responses to unintended consequences of technological advances in the processing of personal data; and
(j) any other aspect of design that the Commissioner considers relevant.
(6) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.
(7) Before preparing the code of practice and prior to every revision, the Commissioner must consult the Secretary of State and relevant stakeholders.
(8) The Secretary of State must bring the code of practice into force by regulations made by statutory instrument.
(9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”
Amendment 157A withdrawn.
Clauses 125 and 126 agreed.
Clause 127: Confidentiality of information
158: Clause 127, page 68, line 31, leave out “It is an offence for”
Amendment 158 agreed.
Amendments 159 to 161
159: Clause 127, page 68, line 32, leave out “knowingly or recklessly to” and insert “must not”
160: Clause 127, page 68, line 37, leave out “living”
161: Clause 127, page 69, line 17, at end insert—
“( ) It is an offence for a person knowingly or recklessly to disclose information in contravention of subsection (1).”
Amendments 159 to 161 agreed.
Clause 127, as amended, agreed.
Clause 128: Guidance about privileged communications
161A: Clause 128, page 69, line 23, after “communications” insert “and confidential legal materials”
Amendment 161A withdrawn.
Amendments 161B to 161D not moved.
Clause 128 agreed.
Clause 129: Fees for services
161E: Clause 129, page 70, line 14, at end insert—
“( ) Within the period of three months, beginning with the day on which this Act is passed, the Commissioner must specify in guidance the amounts that constitute a reasonable fee in relation to subsection (1).”
In saying this, I make no criticism of the ICO and its work. Indeed, we are seeing a golden age of activity with the present Information Commissioner. A wide range of documents is being produced, the response from industry is constantly good and it believes that she and her team are doing a great job. There is a sense that the office has been able to move forward in this complicated area in an efficient way.
However, there is a worry. We need to be sure in agreeing the Bill that the regulator the Bill creates and continues will be capable of doing the job not just in terms of structure but also of funding. Our amendment looks at one issue of the funding, but there are wider issues as well. Clause 132(4) shows that the commissioner is expected to recover and recoup her costs under four separate pieces of legislation and, as I understand the wording, it is to be done on a cost recovery basis. One needs to consider the common usage of other regulators that I have been talking about, whereby those affected by the regulation put up the funding for it. The ICO has moved from having a small amount of public funding with a great deal of grant-in-aid to one that is now largely cost recovery with the costs largely resting with the industry, but on a very restricted basis. Until recently we found that massive internet companies and government departments were paying £500 each towards the costs of the ICO. The current consultation would suggest that the biggest companies will have to dig deep into their pockets and raise that £500 to nearly £1,000. That does not compare well with the size of these mega-corporations whose turnovers are often larger than the GDPs of many small countries. It certainly does not give me confidence that we have a financial basis on which the work of the ICO will prosper. When the Minister comes to respond, will he give us some information on whether he thinks that the structure now in place is the right one and whether it is likely to be efficient and effective in the long run?
The second point that goes with this, although it is slightly different and not raised specifically by the amendment—again, I would be interested in the Government’s response either now or later—is how the Information Commissioner’s Office will be able to attract staff to its operations if those staff are treated, as I understand it, as effectively a non-department public body in terms of the salary scales available. Other regulators, of which Ofcom is a good example, are funded by the industry which they work to. They are thus able to set fees at levels which mean that their staff are not constantly being poached, but we find that the ICO is regularly losing members of staff to competitors because they are well trained, efficient and effective and, of course, underpaid. They can be attracted away by additional funding. It would be wrong for the Government to set up a structure in which they are willing the ends of policy but not providing the means to operate it. I look forward to the Minister’s response and I beg to move.
As an example, because I do not think we can read too much into individual letters, Ofcom currently has 795 staff on core business and its core costs are just over £116 million, whereas the ICO has 434 staff and costs of £23 million. We are talking about quite a big gap in terms of what can be done. Of course money does not mean everything, but I think there is a difference in scale which we may need to come back to. In the meantime, I beg leave to withdraw the amendment.
Amendment 161E withdrawn.
Clause 129 agreed.
Clauses 130 and 131 agreed.
Clause 132: Charges payable to the Commissioner by controllers
Amendments 161F to 161H not moved.
Clause 132 agreed.
Clause 133: Regulations under section 132: supplementary
162: Clause 133, page 72, line 33, leave out from beginning to “regulations” in line 34
Amendment 162 agreed.
Clause 133, as amended, agreed.
Clauses 134 to 137 agreed.
Clause 138: Information notices: restrictions
Amendments 162A to 162C not moved.
Clause 138 agreed.
Clause 139: Failure to comply with an information notice
163: Clause 139, page 76, line 2, leave out subsections (1) and (2)
Amendment 163 agreed.
Clause 139, as amended, agreed.
Clause 140 agreed.
Clause 141: Assessment notices: restrictions
Amendments 163ZA and 163ZB not moved.
Clause 141 agreed.
Clause 142: Enforcement notices
163ZC: Clause 142, page 79, line 2, at end insert—
“( ) Within three months of this Act coming into force, the Commissioner must specify in guidance what constitutes “other failures” under subsection (8).”
Amendment 163ZC withdrawn.
Clause 142 agreed.