Information Orders

Data Protection Bill [Lords] – in the House of Commons at 4:00 pm on 9 May 2018.

Alert me about debates like this

‘(1) This section applies if, on an application by the Commissioner, a court is satisfied that a person has failed to comply with a requirement of an information notice.

(2) The court may make an order requiring the person to provide to the Commissioner some or all of the following—

(a) information referred to in the information notice;

(b) other information which the court is satisfied the Commissioner requires, having regard to the statement included in the notice in accordance with section141(2)(b).

(3) The order—

(a) may specify the form in which the information must be provided,

(b) must specify the time at which, or the period within which, the information must be provided, and

(c) may specify the place where the information must be provided.’—(Margot James.)

This new clause would be inserted after Clause 143. It provides that, where a person has failed to comply with an information notice (given under Clause 141), the Information Commissioner may seek a court order requiring the person to provide the information referred to in the notice or other information which the Commissioner requires for a reason specified in the notice. See also Amendments 57, 58 and 60.

Brought up, and read the First time.

Photo of Eleanor Laing Eleanor Laing Deputy Speaker (First Deputy Chairman of Ways and Means)

With this it will be convenient to discuss the following:

Government new clause 14—Destroying or falsifying information and documents etc.

Government new clause 15—Applications in respect of urgent notices.

Government new clause 16—Post-review powers to make provision about representation of data subjects.

Government new clause 17—Reserve forces: data-sharing by HMRC.

New clause 3—Bill of Data Rights in the Digital Environment—

‘Schedule [Bill of Data Rights in the Digital Environment] shall have effect.’

This new clause would introduce a Schedule containing a Bill of Data Rights in the Digital Environment.

New clause 4—Bill of Data Rights in the Digital Environment (No. 2)—

‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.

(2) Before making regulations under this section, the Secretary of State shall—

(a) consult—

(i) the Commissioner,

(ii) trade associations,

(iii) data subjects, and

(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and

(b) publish a draft of the Bill of Data Rights.

(3) The Bill of Data Rights in the Digital Environment shall enshrine—

(a) a right for a data subject to have privacy from commercial or personal intrusion,

(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),

(c) a right for a data subject to have their access to their data profiles or personal data protected, and

(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.

(4) Regulations under this section are subject to the affirmative resolution procedure.’

This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.

New clause 6—Targeted dissemination disclosure notice for third parties and others (No. 2)—

‘In Schedule 19B of the Political Parties, Elections and Referendums Act 2000 (Power to require disclosure), after paragraph 10 (documents in electronic form) insert—

‘10A (1) This paragraph applies to the following organisations and individuals—

(a) a recognised third party (within the meaning of Part 6);

(b) a permitted participant (within the meaning of Part 7);

(c) a regulated donee (within the meaning of Schedule 7);

(d) a regulated participant (within the meaning of Schedule 7A);

(e) a candidate at an election (other than a local government election in Scotland);

(f) the election agent for such a candidate;

(g) an organisation or individual formerly falling within any of paragraphs (a) to (f); or

(h) the treasurer, director, or another officer of an organisation to which this paragraph applies, or has been at any time in the period of five years ending with the day on which the notice is given.

(2) The Commission may under this paragraph issue at any time a targeted dissemination disclosure notice, requiring disclosure of any settings used to disseminate material which it believes were intended to have the effect, or were likely to have the effect, of influencing public opinion in any part of the United Kingdom, ahead of a specific election or referendum, where the platform for dissemination allows for targeting based on demographic or other information about individuals, including information gathered by information society services.

(3) This power shall not be available in respect of registered parties or their officers, save where they separately and independently fall into one or more of categories (a) to (h) of sub-paragraph (1).

(4) A person or organisation to whom such a targeted dissemination disclosure notice is given shall comply with it within such time as is specified in the notice.’’

This new clause would amend the Political Parties, Elections and Referendums Act 2000 to allow the Electoral Commission to require disclosure of settings used to disseminate material where the platform for dissemination allows for targeting based on demographic or other information about individuals.

New clause 10—Automated decision-making concerning a child—

‘(1) Where a data controller expects to take a significant decision based solely on automated processing which may concern a child, the controller must, before such processing is undertaken—

(a) deposit a data protection impact assessment with the Commissioner, and

(b) consult the Commissioner (within the meaning of Article 36 of the GDPR), regardless of measures taken by the controller to mitigate any risk.

(2) Where, following prior consultation, the Commissioner does not choose to prevent processing on the basis of Article 58(2)(f) of the GDPR, the Commissioner must publish the part or parts of the data protection impact assessment provided under subsection (1), relevant to the reaching of that decision.

(3) The Commissioner must produce and publish a list of safeguards to be applied by data controllers where any significant decision based solely on automated processing may concern a child.

(4) For the purposes of this section, the meaning of “child” is determined by the age of lawful processing under Article 8 of the GDPR and section 9 of this Act.’

New clause 11—Education: safe use of personal data—

‘(1) The Children and Social Work Act 2017 is amended as follows.

(2) In section 35 (other personal, social, health and economic education), after subsection (1)(b) insert—

‘(1A) In this section, “personal, social, health and economic education” shall include education relating to the safe use of personal data.’’

This new clause would enable the Secretary of State to require that personal information safety be taught as a mandatory part of the national PSHE curriculum.

New clause 12—Health bodies: disclosure of personal data—

‘(1) In section 261 of the Health and Social Care Act 2012 (Health and Social Care Information Centre: dissemination of information) after subsection (5) insert—

‘(5A) A disclosure of personal data may be made under subsection (5)(e) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(5B) In subsection (5A)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences Against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(2) In section 13Z3 of the National Health Service Act 2006 () at the end insert—

‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(4) In subsection (3)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(3) In section 14Z23 of the National Health Service Act 2006 (clinical commissioning groups: permitted disclosure of information) at the end insert—

‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(4) In subsection (3)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(4) In section 79 of the Health and Social Care Act 2008 (Care Quality Commission: permitted disclosures) after subsection (3) insert—

‘(3A) A disclosure of personal data may be made under subsection (3)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(3B) In subsection (3A)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’’

This new clause would prevent personal data held by the NHS from being disclosed for the purpose of the investigation of a criminal offence unless the offence concerned is serious, which is consistent with the NHS Code of Confidentiality and GMC guidance on confidentiality. It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials.

New clause 24—Safeguards on the transfer of data for lethal force operations overseas—

‘(1) A transferring controller may not make any transfer of personal data outside the United Kingdom under Part 4 of this Act where—

(a) the transferring controller knows, or should know, that the data will be used in an operation or activity that may involve the use of lethal force, and

(b) there is a real risk that the transfer would amount to a breach of domestic law or an internationally wrongful act under international law.

(2) Where the transferring controller determines that there is no real risk under subsection (1)(b), the transfer is not lawful unless—

(a) the transferring controller documents the determination, providing reasons, and

(b) the Secretary of State has approved the transfer in writing.

(3) Any documentation created under subsection (2) shall be provided to the Information Commissioner and the Investigatory Powers Commissioner within 90 days of the transfer.

(4) A “transferring controller” is a controller who makes a transfer of personal data outside the United Kingdom under Part 4 of this Act.

(5) For the purposes of subsection (1)(b),

(c) “domestic law” includes, but is not limited to,

(i) soliciting, encouraging, persuading or proposing a murder contrary to section 4 of the Offences Against the Person Act 1861,

(ii) conspiracy to commit murder contrary to section 1 or 1A of the Criminal Law Act 1977,

(iii) aiding, abetting, counselling, or procuring murder contrary to section 8 of the Accessories and Abettors Act 1861,

(iv) offences contrary to section 44, 45 and 46 of the Serious Crime Act 2007,

(v) offences under the International Criminal Court Act 2001.

(d) “International law” includes, but is not limited to, Article 16 of the 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts.

(6) The Secretary of State must lay before Parliament, within six months of the coming into force of this Act, guidance for intelligence officers on subsections (1) and (2).

(7) The Secretary of State must lay before Parliament any subsequent changes made to the guidance reported under subsection (6) within 90 days of any changes being made.’

Amendment 18, in clause 7, page 5, line 24, after “subsections” insert “(1A),”.

Government amendment 22.

Amendment 19, page 5, line 24, at end insert—

‘(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—

(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or

(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).’

Government amendments 23 and 24.

Amendment 4, in clause 10, page 6, line 37, leave out subsections (6) and (7).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 5, in clause 14, page 8, line 11, at end insert—

‘(2A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).

(2B) A decision is “based solely on automated processing” for the purposes of this section if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.’

This amendment would ensure that where human rights are engaged by automated decisions these are human decisions and provides clarification that purely administrative human approval of an automated decision does make an automated decision a ‘human’ one.

Amendment 6, page 9, line 36, leave out clause 16.

This amendment would remove delegated powers that would allow the Secretary of State to add further exemptions.

Government amendment 143.

Amendment 7, in clause 35, page 22, line 14, leave out subsections (6) and (7).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 151, in clause 49, page 30, line 19, at end insert—

‘(1A) A controller may not take a significant decision based solely on automated processing if that decision affects the rights of the data subject under the Human Rights Act 1998.’

Amendment 2, in clause 50, page 30, line 28, at end insert—‘and

(c) it does not engage the rights of the data subject under the Human Rights Act 1998.’

This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.

Amendment 8, in clause 86, page 51, line 21, leave out subsections (3) and (4).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 3, in clause 96, page 56, line 38, after “law” insert—

‘unless the decision engages an individual’s rights under the Human Rights Act 1998.’

This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.

Amendment 9, page 63, line 27, leave out clause 113.

This amendment would remove delegated powers that would allow the Secretary of State to create new exemptions to Part 4 of the Bill.

Government amendments 25 to 37.

Amendment 20, in clause 144, page 81, line 11, leave out “7 days” and insert “24 hours”.

This amendment would reduce from 7 days to 24 hours the minimum period which must elapse before a controller or processor has to comply with an assessment notice which has been issued by the Commissioner and which the Commissioner has stated should be complied with urgently.

Government amendments 38 to 71.

Government new schedule 3—Transitional provision etc.

New schedule 1—Bill of Data Rights in the Digital Environment—

The UK recognises the following Data Rights:

Article 1—Equality of Treatment

Every data subject has the right to fair and equal treatment in the processing of his or her personal data.

Article 2—Security

Every data subject has the right to security and protection of their personal data and information systems.

Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.

Article 3—Free Expression

Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.

Article 4—Equality of Access

Every data subject has the right to access and participate in the digital environment on equal terms.

Internet access should be open.

Article 5—Privacy

Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.

Article 6—Ownership

Every data subject has the right to own and control his or her personal data.

Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.

Article 7—Control

Every data subject is entitled to know the purpose for which personal data is being processed. Data controllers should not deliberately extend the gathering of personal data solely for their own purposes. Government, corporations, public authorities and other data controllers must obtain meaningful consent for the use of people’s personal data. Every data subject has the right to own curate, move, revise or review their personal data.

Article 8—Algorithms

Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.

Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.

Article 9—Participation

Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.

Article 10—Protection

Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.

Article 11—Removal

Every data subject is entitled to revise and remove their personal data.

Compensation

Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.

Application to Children

The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child. Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code set out in section 123 of this Act.’

Government amendments 72 and 73.

Amendment 16, in schedule 2, page 140, line 15, at end insert—

‘(1A) The exemption in sub-paragraph (1) may not be invoked in relation to offences under—

(a) sections 24, 24A, 24B or 24C of the Immigration Act 1971,

(b) section 21 of the Immigration, Asylum and Nationality Act 2006, or

(c) sections 33A and 33B of the Immigration Act 2014.’

Amendment 15, page 141, line 17, leave out paragraph 4.

Government amendments 141 and 142.

Amendment 10, page 152, line 24, leave out paragraph 19 and insert—

‘19 The listed GDPR provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 139, 74 and 75.

Amendment 11, in schedule 11, page 196, line 39, leave out paragraph 9 and insert—

‘9 The listed provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 140 and 76 to 80.

Amendment 21, in schedule 15, page 206, line 11, at end insert—

‘(1A) A warrant issued under subparagraph (1)(b) or (1)(c) of this paragraph does not require any notice to be given to the controller or processor, or to the occupier of the premises.’

This amendment would make it clear that a judge can issue a warrant to enter premises under subparagraphs 4(1)(b) or 4(1)(c) without the Commissioner having given prior notice to the data controller, data processor or occupier of premises.

Government amendments 81 to 85.

Amendment 12, page 208, line 13, leave out

“with respect to obligations, liabilities or rights under the data protection legislation”.

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Amendment 13, page 208, line 21, leave out from “proceedings” to the end of line 23.

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 86 to 138.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I shall start by addressing the Government amendments—[Interruption.]

Photo of Eleanor Laing Eleanor Laing Deputy Speaker (First Deputy Chairman of Ways and Means)

Order. Will people who are leaving the Chamber please do so quietly? The Minister is making an important speech and people want to hear it. It is just rude to make a noise—unless you happen to be in the Chair.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I propose to start my remarks by addressing the Government amendments to strengthen the powers of the Information Commissioner.

The investigation of the Information Commissioner’s Office into Cambridge Analytica is unprecedented in its scale and complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998 and the parliamentarians who scrutinised it could have envisaged. Although we recognise that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in the light of the commissioner’s experience. Following extensive discussions with the commissioner and in Committee, we concluded that such provision is desirable. Our amendments will strengthen the commissioner’s ability to enforce the law, while ensuring that she operates within a clear and accountable structure. I will give a few examples.

First, amendments 27 and 28 will allow the commissioner to require any person who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. That might be important where, for example, a former employee has information about the organisation’s processing activities.

Secondly, new clause 13 will allow the commissioner to apply to the court for an order to force compliance when a person fails to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.

Thirdly, amendments 30 and 45 will allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. Amendment 38 will allow the commissioner, in certain circumstances, to issue an assessment notice that can have immediate effect. Those amendments will allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities in a prompt and effective way. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.

Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the commissioner’s investigation.

Finally, we have taken this opportunity to modernise the commissioner’s powers. Storing files on an office server is rapidly becoming a thing of the past. Amendment 79 will enable the commissioner to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.

When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, when an information, assessment or enforcement notice containing an urgency statement is served on a person, new clause 15 will allow them to apply to the court to disapply the urgency statement. In effect, they will have a right to apply to the court to vary the timetable for compliance with the order. A court considering an application from the commissioner for an information order will be able to take into account all the relevant circumstances at the time, including whether an application has been brought by the person concerned under new clause 15 and whether the person has brought an appeal against the notice itself in the tribunal. These amendments have been developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions.

I now turn to the representation of data subjects. I am very grateful to Baroness Kidron for her continued engagement on this subject. In particular, we agree that children merit special protection in relation to their personal data and that the review the Government will undertake shall look accordingly at the specific barriers young people and children face in enforcing their rights. Government new clause 16, as well as amendments 61, 62, 63, 70 and 75, ensures that they will.

Government new clause 17 concerns maintaining contact with ex-regular reserve forces. This will allow Her Majesty’s Revenue and Customs to share contact detail information with the Ministry of Defence to ensure that the MOD is better able to locate and contact members of the ex-regular reserve.

New clause 12, on data sharing by health bodies, is in the name of my hon. Friend Dr Wollaston, who chairs the Health and Social Care Committee. I know she and the Committee have significant and legitimate concerns about the operation of the memorandum of understanding between NHS Digital and the Home Office, which currently allows the sharing of non-clinical information, principally address information, for immigration purposes. The Select Committee has argued for the suspension of the MOU pending the outcome of a review into its impact by Public Health England. New clause 12 seeks to adopt a more long-term approach by narrowing the ability of NHS Digital to disclose information in connection with the investigation of criminal offences. The aim is to narrow the MOU’s scope, so that it only facilitates the exchange of personal data in cases involving serious criminality.

The Government have reflected further on the concerns put forward by my hon. friend and her Committee. As a result, and with immediate effect, the data sharing arrangements between the Home Office and the NHS have been amended. This is a new step and it supersedes the position set out in previous correspondence between the Home Office, the Department for Health and Social Care and the Select Committee.

I know my hon. Friend and her colleagues have been particularly exercised by the contents of a letter dated 23 February from both the above-mentioned Departments to her Select Committee, in which it is stated that

“a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in exercise of their lawful powers”.

The bar for sharing data will now be set significantly higher. By sharing, I mean sharing between the Department of Health and Social Care, the Home Office and, in future, possibly other Departments. No longer will the names of overstayers and illegal entrants be sought against health service records to find current address details. The data sharing, relying on powers under the Health and Social Care Act 2012, the National Health Service Act 2006 and the Health and Social Care Act 2008, will only be used to trace an individual who is being considered for deportation action having been investigated for, or convicted of, a serious criminal offence that results in a minimum sentence of at least 12 months in prison.

The Government have a long-held policy on what level of serious criminality is deserving of deportation, given statutory force by the UK Borders Act 2007. When a custodial sentence of more than 12 months has been given, consideration for deportation must therefore follow. Henceforth, the Home Office will only be able to use the memorandum of understanding to trace an individual who is being considered for deportation action having been convicted of a serious criminal offence, or when their presence is considered non-conducive to the public good—for example, when they present a risk to public security but have yet to be convicted of a criminal offence.

Photo of Alison Thewliss Alison Thewliss Shadow SNP Spokesperson (Cities), Shadow SNP Spokesperson (Treasury) 4:30, 9 May 2018

Can the Minister give me more reassurance about the Home Office and its activity in this regard? At the moment, I have constituents who, under paragraph 322(5) of the immigration rules, face being deported for making legitimate changes to their tax return through HMRC data being accessed. Will she reassure me about what the Home Office can do to make sure that this is not abused and misused for the purposes of meeting immigration targets?

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will write to the hon. Lady and I hope to give her reassurance. This new higher bar concerns NHS data and that would obviously not catch within it errors on a tax return.

As now, the memorandum of understanding would also continue to operate when there are concerns about the welfare and safety of a missing individual—for example, vulnerable children and adults. That has always been the case. Personal information will only be disclosed to the Home Office or agencies under the purview of the Home Office. This is a significant restriction on the Home Office’s ability to use data held by the NHS. It is estimated that the change will exclude over 90% of the requests that have been satisfied to date.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs)

The Minister talks about a memorandum of understanding giving reassurance to the House. I refer her to part 2 of schedule 2, which talks about exemptions from the general data protection regulation in respect of crime and taxation. Surely, the rights of individuals to have their data protected under that provision would address all these issues, and it would potentially supersede the memorandum of understanding.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will come on to the exemptions in terms of criminal activity and immigration in a wider context than NHS information in due course.

My right hon. Friend the Minister for Immigration is committed to sending a copy of an updated MOU to the Health and Social Care Committee shortly, but as I have indicated, the significant narrowing of the MOU will have immediate effect. This commitment is consistent with the intention underpinning new clause 12. I trust that on that basis, my hon. Friend the Member for Totnes and her colleagues will not press new clause 12. I am sure that if she has any questions, she will intervene on me, or that when she makes her remarks later, I might be invited to intervene on her. I thank my hon. Friend and all her Committee members for their work to establish higher principles in this area.

I turn to Opposition amendments 16 and 15 and Government amendments 141 and 142, on immigration. Amendment 15 would remove the provisions relating to effective immigration control in schedule 2. In responding to the amendment, I want to address some of the continued misunderstandings that have arisen around the purpose and scope of the provision, and I hope to persuade the House that this is a necessary and proportionate measure to protect the integrity of our immigration system. It has been suggested that the provisions have no basis in the GDPR, but article 23 expressly allows member states to restrict certain specified rights for the purpose of safeguarding

“other important objectives of general public interest of a…Member State”.

The maintenance of effective immigration control is one such objective.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs)

Will the Minister confirm that article 23 of the GDPR does not specify immigration?

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

It does not rule out immigration and it does allow the restriction of certain specified rights—not wholesale restrictions—for the purpose of safeguarding

“other important objectives of general public interest”.

The purpose is to provide a derogation for member states wide enough that they can pursue an overall Government policy in the general public interest. I would conclude that immigration is one such example. It has been suggested that the provisions represent a blanket carve-out of all a data subject’s rights. That is certainly not the case. I would like to reassure the right hon. Gentleman that we are being very selective about the rights that could be disapplied. The exemption will be applied only on a case-by-case basis and only where it is necessary and proportionate.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

Has the Minister learnt nothing from the Windrush scandal? Here we have a Department of State that is not fantastic at keeping records. The idea of selectively carving out particular rights of particular people who need this information to fight tribunal cases strikes me as lunacy, given what we have learnt about the dysfunction at the Home Office.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

Perhaps if I continue my remarks, I can reassure the right hon. Gentleman that of course lessons have been learnt, not least by the Home Office itself, as both the former Home Secretary and the current Home Secretary have made abundantly clear to the House.

The exemption in the amendment is to be applied only on a case-by-case basis and only where it is necessary and proportionate. It cannot and will not be used to target any group of people. Nor does the application of the exemption set aside all a data subject’s rights; it sets aside only those expressly listed. A further limitation is that it can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

Effective safeguards for crime prevention are already written into the Bill, which gives the Minister the power she is seeking to fulfil the purpose she is setting out for the House. If we selectively discard rights for selected people, we come pretty close to arbitrary decision making, and it is practically impossible to do that consistently and in way defendable in a judicial review. These provisions will result in injustice and cases that the Home Office loses, so just dump them now!

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

The right hon. Gentleman should know that different structures govern crime and immigration. I reiterate that we are disapplying these rights selectively—the data subjects will hang on to the majority of their rights—but it cannot be right for the Home Office to have to furnish someone who is in contravention of immigration law with information it has been given.

Photo of Yvette Cooper Yvette Cooper Chair, Home Affairs Committee, Chair, Home Affairs Committee, Chair, Home Affairs Committee

I am shocked by what the Minister is saying. These provision were drafted before the Windrush scandal broke, and she is not learning the lessons at all. She says she wants these decisions made on an individual basis and in a way that is necessary and proportionate, but necessary and proportionate to achieve what? None of us knows what her definition of immigration control is. Does it mean meeting the net migration target, which is what we normally hear Ministers say? Necessary and proportionate to meet the net migration target could mean anything.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I understand that it is a matter of interpretation. I also understand that the Home Office is considering these matters in the fallout from the Windrush case. I am sure that, as Chair of the Home Affairs Committee, the right hon. Lady will have ample opportunity to question the new Home Secretary on exactly what he might mean by “necessary and proportionate”. When someone is seeking access to data from the Home Office to prove their immigration history, such as in the Windrush cases, there will be no basis for invoking the immigration exemption in the Bill. I trust that that provides the right hon. Lady with some comfort.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will give way for the last time to the right hon. Lady, if the right hon. Gentleman does not mind.

Photo of Yvette Cooper Yvette Cooper Chair, Home Affairs Committee, Chair, Home Affairs Committee, Chair, Home Affairs Committee

That is not what the Bill says. That may be what the Minister intends, but if that is what she intends, she should change the Bill.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I shall have to write to the right hon. Lady once I have communicated with Home Office Ministers. According to my understanding, the Bill says that the exemption applies—

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?

Photo of Eleanor Laing Eleanor Laing Deputy Speaker (First Deputy Chairman of Ways and Means)

I understand the right hon. Gentleman’s point of order, but the fact is that the Minister, who is a very capable Minister, speaks for the Government, who are seamless. The Minister who is currently at the Dispatch Box is in a position to speak for all Ministers on this matter, which is why she has this responsibility and is responding to the questions that are currently being asked of her.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs)

I am grateful to the Minister. To help other Members consider amendment 15, let me point out that one of the data protection provisions that are being exempted for immigration purposes is the right to make subject access requests. It is critical to the rule of law for people and their representatives to know on the basis of what information the Home Office has made its decisions. The Bill provides no safeguards, no balance, and no restrictions to the use of that law by Home Office officials. As we heard from Yvette Cooper, those are simply not in the Bill. It is entirely wrong for the House to be asked to pass a Bill that does not contain real safeguards for the people involved, given what happened in the Windrush cases.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will continue to make some progress, as I feel that those points have already been made.

The application of the exemption does not set aside all data subjects’ rights, but only those expressly listed. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of effective immigration control.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

It is an established term. It is used in the Immigration Act 2014 and the Freedom of Information Act 2000 uses a similar term, namely “operation of immigration controls”.

Photo of Ranil Jayawardena Ranil Jayawardena Conservative, North East Hampshire

Without this immigration exemption, might not the Home Office have to disclose sources of tip-offs, which would not be conducive to ensuring that illegal immigration is properly controlled?

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I think it highly likely that if, for example, someone were to undertake a full data subject review of whatever information the Home Office held about them—as was posited earlier by the right hon. Member for Kingston and Surbiton—the review would contain sources of information as well as the information itself. A further limitation is that exemptions can be applied only where compliance with the relevant rights would be likely to prejudice the maintenance of immigration control. This “prejudice” test must be applied first, and as a result the situations in which the exemption can be used are limited. The Government recognise the concerns that have been expressed in this debate.

Photo of Stuart McDonald Stuart McDonald Shadow SNP Spokesperson (Immigration, Asylum and Border Control) 4:45, 9 May 2018

Can the Minister give us a couple of examples to illustrate why these additional powers are necessary, and where the other powers in the Bill—in relation to criminal offences and investigations, for example—would not already suffice to do everything that the Home Office wishes?

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

We are permitted under GDPR to make these exemptions and are doing so in a very selective way and on a case-by-case basis, so it will not result in a widespread denial of people’s data rights.

The exemption should be as limited as possible, which is why we have brought forward amendments 141 and 142. These amendments will ensure that migrants enjoy the rights afforded under all of the data protection principles, except where a restriction on those principles is a consequence of restricting one of the other rights coming within the scope of the exemption.

I now turn to Opposition amendments 18 and 19 on primary care providers and Government amendments 22 to 24 on parish councils. Parish and community councils are not exempt from the new law. None the less, by describing parish and community councils as “public authorities” the Bill gives these councils additional obligations above and beyond those placed on other small organisations, including that they must appoint a data protection officer. We have been working to minimise the impact of this requirement, and have concluded that as parish and community councils process very little personal data, the burden they would face would be disproportionate. Amendments 22, 23 and 24 therefore take these councils out of the definition of “public authorities” for data protection purposes.

Photo of Ranil Jayawardena Ranil Jayawardena Conservative, North East Hampshire

I commend my hon. Friend the Minister on amendment 24, which recognises that councils are often so tiny—indeed, some are not even parish councils, and some do not employ any staff—that it would be wholly disproportionate to treat them in the way originally intended. I commend the Minister for listening to so many Members who made these points and recognising that parish councils must be treated separately.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I thank my hon. Friend for his comments. He and other colleagues across the House made these arguments, and given that such organisations are often very small and process only small amounts of personal data, we have decided to take parish councils out of the definition of “public authorities” for data protection purposes. Their status in respect of other legislation, including the Freedom of Information Act, is unaffected, however.

Similar arguments have been advanced in respect of primary care providers, but although I have sympathy with amendments 18 and 19, primary care providers are different from parish councils in that they process sizeable quantities of sensitive health data, whether that be an individual’s mental health status, the fact that they are pregnant, or details of their prescription for a terminal illness. All of these matters are highly personal, and in the world of health, data protection is rightly paramount.

The Dean Street Express case in 2015 illustrates the potential harm that even a single data breach can cause. In that incident, the names and email addresses of almost 800 people, many living with HIV, were disclosed to other recipients. It does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters.

Government amendments 139 and 140 relate to legal professional privilege. We recognise the importance of protecting legal professional privilege and that is why in the Bill we have replicated the existing measures and exemptions for legal professional privilege found in the Data Protection Act 1998, which have worked well for many years.

Amendments 10 and 11 seek to widen the legal professional privilege exemptions found in schedules 2 and 11. They offer some thoughtful changes that are intended to recognise the broader range of material covered by a lawyer’s ethical duty of confidentiality. We agree that the Bill could be clearer, and have tabled amendments 139 and 140 in response.

Photo of Mike Penning Mike Penning Conservative, Hemel Hempstead

It is interesting that we are making lots of exemptions for the Government, parish councils, lawyers and so on. I spoke to some lawyers this morning, and they were not convinced by the measures either. However, small businesses seem to be disproportionately affected, and there is real confusion out there. As I say, a lot of work has been done to protect the Government, parish councils and lawyers, but what about the little people—the people who make this country grow? There is even confusion in the Information Commissioner’s Office, which gave the wrong advice in briefings here to MPs’ staff only the other week. What are we going to do to protect the small people? They think that they are doing the right thing, but they have probably been ill advised. They are spending a lot of money trying to get things right, but there is real confusion out there.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

My right hon. Friend raises several important points. As for the effect on small businesses, he will be reassured to learn that the issues with the processing of highly personal data that I was discussing do not apply to the majority of SMEs. They will not have to appoint a data protection officer, so that is one comfort.

As for training and guidance, I am sorry that colleagues and their research staff attended courses that were put together before the Bill was even in Committee, and thus did not take numerous amendments into account—not least the amendment clarifying the rights of Members of Parliament and other elected individuals. I apologise for that confusion.

I draw businesses’ attention to the excellent ICO website, which contains good sources of guidance for SMEs, including frequently asked questions. The ICO also provides an advice line for any follow-up questions on subjects that businesses might not be clear about. Ultimately, there is a need for better data protection, and that is not just what is set out in the GDPR. Dreadful examples, such as the case of Facebook and Cambridge Analytica, have demonstrated the need for more rigorous data rights and for greater security of data.

Photo of Mike Penning Mike Penning Conservative, Hemel Hempstead

The Minister is being ever so generous in giving way not just to me, but to Members from across the House, and I thank her. Returning to the parliamentary stuff—we are only a small part of all this—some of the staff present at the briefing I mentioned left in tears, and I know that for a fact, because a member of my staff was there. Believe it or not, even though the ICO knew that the briefing was completely flawed, it has today issued certificates of attendance saying that it was the right thing for staff to have done.

More important, however, are the SMEs. Small businesses have approached me today to tell me that they have been told to delete all their data unless they get permission from the relevant people. Companies that did work for people three, four or five years ago—even last year—must get permission to hold their addresses so that they can fulfil, for example, warranty agreements. Other companies are getting completely different advice, and the lawyers are getting different advice. There seems to be a rush to protect Government agencies, local government, parish councils and lawyers, but not enough is being done to protect the small people of this country—the people who account for so much of our money.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I thank my right hon. Friend for his points. I want to reassure the small businesses that he mentions. I sympathise with businesses that are getting conflicting advice, and with those that are approached by firms of consultants who appear to be exaggerating the scale of the task of complying with the legislation. I am afraid that that always happens when there is change; people think that they can exaggerate the impact and the implications of a change and—who knows?—perhaps they will be remunerated for helping businesses to comply.

I also want to reassure my right hon. Friend about the specific case that he mentioned, in which companies were being advised that they needed to delete all the data for which they did not have consent. I want to reassure him that the vast majority of businesses will not have to delete the personal data that they hold. If they have gained the personal data lawfully, there are five, if not six, lawful bases on which they can process that personal data, of which consent is only one. I draw his attention particularly to legitimate interests, which is a lawful basis for processing data. For example, if a small firm has been supplying a much-needed service to people for a number of years, it is in the pursuit of its legitimate interests to communicate with its database of customers or new prospects, and it does not need to have consent. I would advise people not to delete their data without very careful consideration, or without consultation with the ICO website in particular.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will give way to my right hon. Friend in a second. I want to respond to my right hon. Friend Sir Mike Penning on the alleged discrimination involved in our taking steps to protect lawyers, parliamentarians, local councillors and so on but not to protect small businesses. The reason is that small businesses are less affected, in the sense that most of them do not process huge quantities of personal data. They therefore come under the purview of the ICO to a lesser extent, and enforcement is less likely to focus on organisations that do not process highly personal data. Those organisations do not need to appoint a data protection officer. I hope that I have gone some way towards allaying my right hon. Friend’s—

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I will come back to my right hon. Friend in a moment, but I did say that I would give way to my right hon. Friend Anna Soubry.

Photo of Anna Soubry Anna Soubry Conservative, Broxtowe

I thank my hon. Friend for that information, but it was mainly complete news to me, as I suspect it was to my right hon. Friend the Member for Hemel Hempstead too. We have a really serious problem here. I just cannot underestimate the amount of concern among small businesses. Medium-sized businesses with more than 250 employees have the benefit of a team of people, but this is a real crisis for small businesses and I am afraid that the lack of information is truly troubling. There are solutions, and perhaps we should discuss them in a different debate, but as a Government we have an absolute duty to get this right. There are devices available—HMRC sends out tax returns, for example—and there are many opportunities to get this information out there. At the moment, however, there is a lot of disinformation, and as my right hon. Friend the Member for Hemel Hempstead says, these businesses are the lifeblood of our economy. They do not know what is happening, and they are worried.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I sympathise with the points that my right hon. Friend has raised. In fact, we have secured almost £500,000 to launch an information campaign to bolster what the Information Commissioner’s Office is already doing for small businesses. I also draw her attention to the need for this legislation, and to the need for businesses and all of us in public life to respect people’s data rights. The landscape has changed. We now live in a digital world, and there is so much abuse of people’s privacy and data that I must bring her attention back to the need for the Bill. Of course she is right, however, to say that people need to be properly informed, and that is what the ICO is doing and what the Government campaign that we are about to launch will also do.

Photo of Mike Penning Mike Penning Conservative, Hemel Hempstead

What the Minister said at the Dispatch Box a moment ago was also news to me. I have been campaigning and pushing on this for months—I spoke to the Secretary of State over the bank holiday weekend—and I was going to vote against the Bill this evening. Yes, we need data protection, but we do not want to destroy or frighten our businesses in the process. However, I take my hon. Friend at her word, and I will vote for the legislation this evening.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I quite agree. In fact, both the Secretary of State and I were small business owners before entering this place, so I feel what my right hon. Friend says very deeply. I must commend my hon. Friend Nigel Huddleston on the excellent advice that his office has put together on what it will be doing in this respect. For the benefit of my staff, I have set out exactly what my office will be doing to comply with the legislation. If my right hon. Friend has any concerns about his own situation—

Photo of Mike Penning Mike Penning Conservative, Hemel Hempstead

I am not worried about us; I am worried about small businesses.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

In that case, I will proceed no further down that path. I am glad that I have been able to reassure my right hon. Friend and thank him for raising those important points.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Department for Business, Energy and Industrial Strategy) (Industrial Strategy) 5:00, 9 May 2018

I thank the Minister for that clarification, but I am not sure that it is clear enough. She will undoubtedly be aware that the Windrush documents were supposedly destroyed as a result of data protection requirements. There remains a significant possibility that there will be a wholesale destruction of data, some of which might be important, useful and legitimately kept, unless the Government take further action.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

I commend the hon. Lady for that observation, because she has a fair point. I will raise her concern with the Information Commissioner. My right hon. Friend the Member for Hemel Hempstead said that some businesses have been advised that they should delete their data, so I can see where the hon. Lady is going on that. It raises the prospect that some organisations might use this as an excuse to delete data that it would be in the data subject’s interests to preserve.

I have not been able to address every amendment in the time available, but I am mindful of the number of colleagues who wish to contribute, and we have less than 60 minutes remaining. I have addressed most of the matters that came up in the Public Bill Committee, and the Government’s position will remain the same on many of them.

In short, we have enhanced the ICO’s enforcement powers, we have changed the way we share data, we have reached out to parish councils, we have narrowed the immigration exemption and we have responded to calls to better protect lawyer-client confidentiality. We have also dealt—effectively, I hope—with the concern expressed by my hon. Friend the Member for Totnes about the sharing of data between the Department of Health and Social Care and the Home Office.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

May I start by welcoming the new powers for the Information Commissioner, which we called for in Committee? Nobody who observed the debacle of the investigation into Cambridge Analytica will have needed persuading that that those powers are necessary—it took the court five or six days to issue the requisite search warrants, and that time might well have been used by Cambridge Analytica to destroy evidence—so I am glad that the Minister has heeded our calls and introduced the proposals this afternoon. We are happy to give them our support.

I will speak to a number of new clauses and amendments in the group, particularly new clause 4, which is our enabling clause for creating a bold and imaginative Bill of data rights for the 21st century. I want to make the case for universal application of those rights, including their application to newcomers, who need rights in order to challenge bad decisions made by Governments, which is why our amendment 15 would strike out the immigration provisions that have so unwisely been put into the Bill. I will also say a few words about new measures that are needed in the Bill to defend the integrity of our democracy in the digital age.

The Minister took the time to make a comprehensive speech, which included an excellent explanation of the Government amendments, so I will be brief. Let me start with the argument for a Bill of data rights. Every so often we have to try to democratise both progress and protections. In this country we are the great writers of rights—we have been doing it since Magna Carta. Over the years, the universal declaration of human rights, the UN convention on the rights of the child, the charter of fundamental rights, the Human Rights Act 1998, the Equality Act 2010 and, indeed, the original Data Protection Act have all been good examples of how good and wise people in this country have enshrined into charters and other legal instruments a set of rights that we can all enjoy, that give us all a set of protections, and that help us to democratise progress.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Department for Business, Energy and Industrial Strategy) (Industrial Strategy)

My right hon. Friend makes an excellent point. Does he share my astonishment that the Government are not taking the opportunity to update our rights for the digital age? Does he think that that is because they are too captured by the tech giants, because they are too confused by Brexit to invest in change, or because they are too ideologically constipated regarding the free market that they can do nothing about it?

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

My hon. Friend hits the nail on the head. The answer, of course, is that it is because of all three of those reasons that we do not have before us an imaginative bill of digital rights, but the times do call for it.

In the early days, when we were writing great charters such as Magna Carta, the threats to ordinary citizens were from bad monarchs. We needed provisions such as Magna Carta and the Bill of Rights and the Glorious Revolution to protect the citizens of this country and their wealth from bad monarchs who would seek to steal things that were not theirs.

What we now confront is not a bad monarch—we have a fantastic monarch—but the risk of bad big tech. The big five companies now have a combined market capitalisation of some $2.5 trillion, and they are up to all sorts of things. They are often protected by the first amendment in the United States, but their business—their bad business—often hurts the data rights of citizens in this country.

That is why we need this new bill of rights. We have to accept that we are on the cusp of radical and rapid changes in legislation and regulation. I often make the point that over the course of the 19th century there was not one Factory Act but 17 Factory Acts. We had to legislate and re-legislate as technology, economics and methods of production changed, and that is the point we are at now. We will have to regulate and re-regulate, and legislate and re-legislate, again and again over the decades to come. Therefore, if we are to give people any certainty about what the new laws will look like, it would be a sensible precaution if we were to write down now the principles that will form the north star that guides us as we seek to keep legislation up to date.

Photo of Jim Cunningham Jim Cunningham Labour, Coventry South

I am that sure my right hon. Friend has received correspondence from constituents who are worried about the use of personal data. My constituents have a lot of sympathy with the views of Dr Wollaston about this. Does my right hon. Friend Liam Byrne agree?

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

My hon. Friend is right. We have been at the receiving end of a huge number of data breaches in this country—really serious infringements of basic 21st-century rights—which is why we need a bold declaration of those rights so that the citizens of this country know what they are entitled to. Unless we get this right, we will not be able to build the environment of trust that is the basis of trade in the digital economy. At the moment, trust in the online world is extremely weak—that trust is going down, not up—so we need to put in place measures now, as legislators, to fix this, turn it around and put in place preparations for the future.

The Government’s proposal of a digital charter is a bit like the cones hotline approach to public service reform. The contents of the charter are not really rights but guidelines. There are no good methods of redress or transparency. Frankly, if we try to introduce rights and redress mechanisms in that way, they will basically fail and will not lead to any kind of change. That is why we urge the Government to follow the approach that we are setting out.

I put on record my profound thanks to Baroness Kidron and the 5Rights movement. Her work forms the basis of the bill of rights we are proposing to the House: the right to remove data, as enshrined in the GDPR—that right is very important to children—the right to know; the right to safety and support; the right to informed and conscious use; and the right to digital literacy. Those are the kinds of rights we should now be talking about as the rights of every child and every citizen.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

The right hon. Gentleman makes some good points. I agree with the rights he is talking about, but those rights exist under the GDPR and are intrinsic to the Bill, so I see no need for his amendment.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

There is no right to digital literacy under the Bill, which is why we propose the five rights as the core of new schedule 1 in which, as the Minister knows, we go much further. The provision sets out rights to equality of treatment, security, free expression, access, privacy, ownership and control, the right not to be discriminated against as a result of automated decision making, and rights on participation, protection and removal.

Rights are sometimes scattered through thousands and thousands of pages of legislation, which is where we are on data protection today. That is why from time to time, as a country, we decide to make bold declaratory statements of what principles should guide us. These are methods of simplification and consolidation, and we are pretty good at that in this country. When we press our proposal to enable the creation of such a bill of rights to a Division a little later, we hope that it will be the call that the Government need to begin the process of consultation, thought, argument and debate about the digital rights that we need in this century and what they need to look like. Rights should not be imposed from the top down; they should come from the grassroots up, and the process of conversation and consultation is long overdue. To help the Government, we will accelerate that debate during this year.

The second point I wish to make is about amendment 15, which would ensure that the rights set out in the GDPR would stretch to everyone in this country. It would mean that the Government would not be permitted to knock out selective rights for certain people who just happen to be newcomers to this country. The proposal to withhold data rights from migrants and newcomers is a disgrace and does not deserve to be in the Bill. In Committee, Ministers were unable to tell us why the Bill’s crime prevention provisions could not be stretched to accommodate their ambitions for immigration control. The Minister has not been able to give us a succinct definition of “immigration control” today, and we have not been able to hear about the lessons learnt from Windrush. Frankly, the debate has been left poorly informed, and we have had promises that letters will sent to hon. Members long after tonight’s vote.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs)

I totally agree with the right hon. Gentleman’s point. He says that this is about newcomers and immigrants, and I am sure he will agree that it also applies to British citizens’ ability to get their immigration file. Can he confirm that that is the case?

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

I am not sure that that is the case. British citizens have confirmed rights under the GDPR—that is safeguarded under EU legislation—but the risks I am worried about are the same ones as the right hon. Gentleman. I spent two and a half years in the Home Office. I recognised many of the errors that were made by the former Home Secretary in the situation that we inherited back in 2006, so I do not think that lessons have been learnt from Windrush, or that many lessons have been learnt from errors over the past eight to 10 years. The Home Office is a great Department of State, with tremendous strengths. It has fantastic civil servants who do an amazing job, without the resources to so it properly and very often without the level of support they need from their Ministers, but it is a human institution and such institutions make mistakes. To correct those, we have tribunals and courts through which people can test decisions made by officials without the disinfectant of sunlight. Unless we equip those individuals with everything they need to make their case effectively, we risk injustice. After our debates over the past month, we must do everything we can so that we never run that risk again.

Photo of Jim Cunningham Jim Cunningham Labour, Coventry South

To pursue those rights, people also need legal aid, and in some circumstances, they are denied legal aid. The state should not have the right to give private information about its citizens to anybody, or even to sell it to organisations.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

Correct. In my first months at the Home Office, I spent a lot of time in immigration tribunals. I used to go to the courts up in Islington to sit, watch and listen so that I could learn the basic mechanisms of justice in this country. The thing that struck me was the inequality of arms that comes to bear in these tribunals. On the one side, there is a Home Office lawyer, who is sometimes there, sometimes not. Home Office lawyers are backed by teams and have well-constructed cases and all the information they need. On the other side of the argument are people without money or access to lawyers, but now the Government propose to deny some of them the information that they need to argue and win their cases. It is a recipe for injustice.

Photo of Caroline Lucas Caroline Lucas Co-Leader of the Green Party 5:15, 9 May 2018

I very much agree with the points that the right hon. Gentleman is making. Does he agree that we ought to consider the way in which the crime exemption in the Bill will be invoked in respect of low-level offences under immigration law? Is it really acceptable for data rights to be suspended in relation to normal activities such as driving—just being here—that are currently criminalised under immigration law?

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

Those are real risks, which is why amendment 15 would delete such an important chunk of the Bill and therefore improve it.

I know that when I was a Home Office Minister, I took decisions that sometimes were wrong, and those decisions were corrected through the tribunal system. Tribunal cases were often successfully prosecuted by those who had rights that we were seeking to deny because subject access requests had been used to get the information necessary to win the argument. If we switch off that access, injustice will follow, so I urge the Government to think again and I urge Members from all parties to support amendment 15.

The last measure to which I shall speak is new clause 6, which is our proposal for a UK version of the Honest Ads Act that is currently being debated in the United States Congress. I do not want to rehearse the background to the debate for long, because for six months now a hardy group of us has been seeking to raise and unpack the new risks that we confront from countries such as Russia that are aiming at us a new panoply of active measures, including all kinds of bad behaviour online. Right now, we do not have good measures to defend the integrity of our democracy. Indeed, the most recent edition of the national security strategy did not even include the defence of the integrity of democracy among its core strategic aims.

We have to bring our election law into the 21st century as it is hopelessly out of date. We have an Electoral Commission that is unable effectively to investigate donations and money coming from abroad. The Information Commissioner has only this afternoon been given the powers that it needs. Ofcom will not investigate videos on social media and the Advertising Standards Authority does not investigate political advertising. We have a massive lacuna in which there should be good, robust legislation to police elections in the 21st century.

If we look at what is going on throughout the west, we see that we have to wake up to this risk. Giving the Electoral Commission new powers to require information about money that is used to run campaigns that try to influence votes is now a de minimis provision for a modern democracy in the digital age. We hope that the Minister will listen to us and take our ideas on board.

Several hon. Members:

rose—

Photo of Eleanor Laing Eleanor Laing Deputy Speaker (First Deputy Chairman of Ways and Means)

Order. We have only 40 minutes left to debate this group and around 10 Members wish to speak. If everybody speaks for four to five minutes, everybody will get in; if not, some people will not get to speak at all.

Photo of Sarah Wollaston Sarah Wollaston Chair, Health and Social Care Committee, Chair, Liaison Committee (Commons), Chair, Health and Social Care Committee, Chair, Liaison Committee (Commons)

I rise to speak to new clause 12, which was tabled in my name, that of my colleague, Dr Williams, and those of other Members of the Health and Social Care Committee of and Members from all parties.

I wish to speak about the importance of medical confidentiality, because it lies at the heart of the trust between clinicians and their patients, and we mess with that at our peril. If people do not have that trust, they are less likely to come forward and seek the care that they need. There were many unintended consequences as a result of the decision enshrined in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, which allowed the sharing of addresses at a much lower crime threshold than serious crime. That was permitted under the terms of the Health and Social Care Act 2012, but patients were always protected, in effect, because the terms of the NHS constitution, the guidance from the General Medical Council and a raft of guidance from across the NHS and voluntary agencies protected the sharing of data in practice.

This shift was therefore particularly worrying. There were many unintended consequences for the individuals concerned. The Health and Social Care Committee was also deeply concerned about the wider implications that this might represent a shift to data sharing much more widely across Government Departments. There was a risk, for example, that the Department for Work and Pensions might take an interest in patients’ addresses to see whether people were co-habiting for the purpose of investigating benefit fraud. There was a really serious risk of that.

I am afraid that the letter that we received from the Department of Health and Social Care and the Home Office declining to withdraw from the memorandum of understanding made the risk quite explicit. I would just like to quote from the letter, because it is very important. I also seek further clarification from the Minister on this. The letter states that

“it is also important to consider the expectations of anybody using the NHS—a state provided national resource. We do not consider that a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in the exercise of their lawful powers in cases such as these.”

I profoundly object to that statement. There was no such contract in the founding principles of the NHS. As I have said, it is vital that we preserve that fundamental principle of confidentiality, including for address data. I was delighted to hear the Minister’s words at the Dispatch Box, but can she just confirm for me absolutely that that statement has now been superseded?

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

Yes, I can confirm absolutely that the statement that my hon. Friend quoted from the letter of 23 February has been superseded by today’s announcements.

Photo of Sarah Wollaston Sarah Wollaston Chair, Health and Social Care Committee, Chair, Liaison Committee (Commons), Chair, Health and Social Care Committee, Chair, Liaison Committee (Commons)

I thank the Minister for that reassurance. There is much more that I could say, but I know that there are very many other colleagues who wish to speak. With that reassurance, I am happy not to press my amendment to a vote.

I would like to make one further comment on protecting patients. At a time when confidence in data sharing is so important, especially around issues such as research, we all rely on the role of NHS Digital. Set up under the Health and Social Care Act 2012 as a non-departmental public body at arm’s length from Government, NHS Digital has the specific duty robustly to stand up for the interests of patients and for the principles of confidentiality. As a Committee, we were deeply disappointed that, despite the clear concern set out from a range of bodies, including Public Health England, all the medical royal colleges, very many voluntary agencies, the National Data Guardian and others, the organisation seemed to have just the dimmest grasp of the principles of underpinning confidentiality. I wish to put it on the record that we expect the leadership of NHS Digital to take its responsibilities seriously, to understand the ethical underpinnings and to stand up for patients. With that, I will close my remarks. I thank the Minister for the time that she has taken to listen to our concerns and for her response.

Photo of Yvette Cooper Yvette Cooper Chair, Home Affairs Committee, Chair, Home Affairs Committee, Chair, Home Affairs Committee

I wish to speak briefly to amendment 15 and to say to those on the Front Bench that this is their opportunity to actually do something as Ministers. I urge them to make a late change and not just to drift on with legislation that was drawn up before the Windrush scandal. They can go and talk to the Secretary of State—have a discussion with him—and decide now to accept amendment 15. I really urge Ministers to do that, because what the Bill is doing is immensely serious. The Bill is incredibly widely drawn. This exemption allows the Home Office to refuse subject access requests in immigration cases and to put in place data sharing without proper accountability in any case where it meets the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective control, and yet, repeatedly, we have had no explanation from Ministers as to what effective immigration control means. That is because, in truth, it is immensely broad. It could mean meeting the net migration target, sustaining the hostile environment and enabling a deportation that the Home Office thinks is justified, even if in practice it has made a mistake. It could mean decisions being taken by immigration removal centres, G4S, Serco or any of the many private companies contracted by the Home Office to deliver its so-called effective immigration control.

The Home Office has made an objective of reducing the number of appeals and removing the right to appeal in immigration cases. If a subject access request makes an appeal more likely, why does preventing that SAR in order to prevent a potential appeal not count as immigration control under the Home Office’s definition? That would be unjustified and wrong, but it is made possible by the Bill. If the Government do not want that to be the case, they should change their proposed legislation and accept amendment 15.

Ministers do not have to go ahead with this right now. An immigration Bill is going to come down the track at some future point and it will give them and the Home Secretary the opportunity to reflect on the Windrush scandal. The Immigration Minister told the Home Affairs Committee yesterday that the culture of the Home Office, including that of casework and decision making, needs to change. The Home Secretary and the former Home Secretary recognise that substantial changes need to be made. We are told that huge lessons have been learned and we have been promised inquiries that will report back and have independent oversight. None of them have yet taken place, but the Windrush scandal has had shocking and devastating consequences for individual lives, as so many Members on both sides of the House acknowledge. I therefore ask Ministers to not make future Windrush scandals more likely and to not deny people the information they need about their case in order to prove their circumstances and ensure that a Home Office mistake or error can be overturned.

Michael Braithwaite came here from Barbados in 1961. He is a special needs teacher who has lived here for more than 50 years, and yet he was sacked from his job because the Home Office got it wrong. His lawyer’s application for a subject access request formed part of the process for clearing up and sorting out his case, but the Bill will make it much more difficult to make such a request. Subject access requests are already often resisted by the Home Office. Whether inadvertently or intentionally, the Home Office has a bad record in complying swiftly and fully with subject access requests, so why on earth does this Bill make that more likely and further allow the Home Office to simply not give people the information they need to make sure that justice is done?

There are huge concerns about the way in which targets have operated. The Home Secretary and other Ministers will have to look into that in depth. In the meantime, however, they should not allow a situation to develop whereby the operation of those targets could end up with subject access requests being denied because meeting those targets is seen as part of effective immigration control.

The Home Office does get things wrong. There are huge strengths and skills within the Home Office. There are people who work immensely hard to try to get things right, but we know that a Department that size gets things wrong and we have seen the evidence, to terrible effect, in the Windrush cases. There have been 60 cases of unlawful detention in the past few years, even before the Windrush cases. Nearly half of the cases that go to appeal go against the Home Office because it got those decisions wrong. Sampling by the immigration inspectorate found that 10% of the data that the Home Office gave to banks, telling them to close people’s accounts because they were here illegally, was in fact wrong and that those people should not have had their bank accounts closed. Given that level of errors and mistakes, why on earth would we prevent the kind of transparency that subject access requests deliver? Some 39,000 people were wrongly sent texts telling them that they were here unlawfully. The Home Office makes mistakes, and we need transparency and subject access requests to be able to challenge those mistakes.

I say to Ministers: take this exemption out of the Bill. We do not need it. We did not have this kind of exemption from previous data protection Acts, so we do not need it from this one. They can revisit it in the immigration Bill once they have had time to do a proper consultation and consider all the options, but they should not do this now.

Let me give the House one final reason why amendment 15 is so important. We are storing up further problems that could prevent us from fighting crime and injustice through international security co-operation. After Brexit, we need a co-operation agreement—a data adequacy agreement—with the EU, so that our police and law enforcement agencies can continue to legally share the data they need to solve crimes, stop criminals and prevent terror attacks. However, this whopping great exemption to the GDPR lying at the heart of the Bill will, as the Home Affairs Committee has warned, make it harder for us to get the data adequacy agreement that we need.

I am immensely worried about what will happen if that data adequacy agreement is delayed, and the Government should be much more worried than they appear to be about the consequences for our security and crime fighting if that data adequacy agreement is not secured. So I say to them: do not make it harder. Do not keep this exemption in the Bill. Remove it, not just for the sake of future security and crime co-operation, but for the sake of preventing more injustices like Windrush.

Photo of Damian Collins Damian Collins Chair, Culture, Media and Sport Committee, Chair, Culture, Media and Sport Committee 5:30, 9 May 2018

The significance of the Bill and the importance of data and data protection to the economy and the whole of society is reflected in this debate. The fact that amendments have been tabled on Report through the work of three different departmental Select Committees shows how wide-ranging this issue is.

I principally want to talk about amendments 20 and 21, which stand in my name and those of other members of the Digital, Culture, Media and Sport Committee and which are addressed by Government amendments, too. Before I do so, I want to add that the Chair of the Home Affairs Committee, Yvette Cooper, made a very important point about the fact that some people—particularly those involved in immigration cases—may not have full access to the data rights enjoyed by others. If the Minister can provide any further clarification, I will be happy to give way before I move on.

Photo of Margot James Margot James The Minister of State, Department for Culture, Media and Sport

After the exchange I had with Chi Onwurah, I wanted to confirm that the Home Office will certainly not destroy any data for which there is still a legitimate and ongoing need not just for the Home Office but for data subjects.

Photo of Damian Collins Damian Collins Chair, Culture, Media and Sport Committee, Chair, Culture, Media and Sport Committee

I am grateful to the Minister for that further clarification.

Amendments 20 and 21 get to the heart of an issue that has been raised by a number of Members, which is the power of the Information Commissioner to act in data investigations. The Minister, Liam Byrne and others have referenced the Cambridge Analytica data breach scandal, which is a very good example of why these additional powers are needed. We raised that in the Select Committee with the Secretary of State. The Information Commissioner raised it with us and it was raised on the Floor of the House on Second Reading.

The ability to fine companies for being in breach of data rules is important, but what is most significant is that we get hold of the data needed by investigators, so that we understand who is doing what, how they are doing it and how wide-ranging this is. It is crucial that the Information Commissioner has the enforcement powers she needs to complete those investigations.

In the case of Cambridge Analytica, an information notice was issued by the Information Commissioner to that company to comply with requests for data and information. Not only did Cambridge Analytica not comply, but Cambridge Analytica and Facebook knew that. That information notice expired at 5 o’clock on the evening of the day when that deadline was set; it was the beginning of the week. Before the notice had expired and a warrant could even be applied for, Facebook had sent in its own lawyers and data experts to try to recover data that was relevant to the Information Commissioner’s request.

The Information Commissioner found out about that live on “Channel 4 News” and then effectively sent a cease and desist note to Facebook, telling it to withdraw its people. She might very well not have been made aware of what Facebook was doing that evening, and data vital for her investigation could have been taken out of her grasp by parties to the investigation, which would have been completely wrong. Not only did that happen—thankfully, Facebook stood down—but a further five days expired before a warrant could be issued—before the right judge in the right court had the time to grant the warrant to enable her to complete her work. We live in a fast-moving world, and data is the fuel of that fast-moving world, so we cannot have 19th or even 20th-century legal responses. We must give our investigatory authorities the powers they need to be effective, which means seizing data on demand, without notice, as part of an investigation, and having the ability to see how data is used in the workplace or wider environment.

The Government are bringing forward amendments, which I think have the support of the House, that will give us one of the most effective enforcement regimes in the world. They will give us the power to do something we have not been able to do before, which is to go behind the curtain to see what tech companies, even major tech companies, are doing and make sure they comply with our data rules and regulations. Without that or an effective power to inspect, we would largely be in the position of having to take their word for it when they said they were complying with the GDPR. Particularly with companies such as Facebook that run closed systems—they have closed algorithms and their data is not open in any way—there are very good commercial reasons for doing so, but there are also consumer safety reasons. We must have the power to go in and check what they are doing, so the amendments are absolutely vital.

There are further concerns. The shadow Minister, the right hon. Member for Birmingham, Hodge Hill, was right to raise concerns about honesty and transparency in political advertising. Both the Information Commissioner and the Electoral Commission are examining the use of data in politics, as well as looking at who places the ads. It is already a breach of the law in the UK, as it is in other countries, for people outside our jurisdiction to run political advertising during election campaigns in this country.

In the case of Facebook, it is unacceptable that its ad check teams have not spotted such advertising and stopped it happening when someone is breaking the law. If this were about the financial services sector, we would not let a company say, “Well, we thought someone was breaking the law, but we weren’t told to do anything about it, so we didn’t”. We would expect such a company to spot it and to take effective action. We need to see a lot more progress on this, particularly in relation to the placement of micro-targeting ads and dark ads. The Institute of Practitioners in Advertising has called for a moratorium on the micro-targeting of political ads, which may be seen only by the person who receives an ad and the person who places it.

When the chief technology officer of Facebook, Mike Schroepfer, gave evidence to the Select Committee, I asked him whether, if someone set up a Facebook page to run ads during a campaign and micro-targeted individual voters before taking down the page at the end of the campaign and destroying the adverts, Facebook would have any record that that advertising had ever run, he said that he did not know. We have written to him and Mark Zuckerberg saying that we need to know, because unless we know, a bad actor could run ads in huge volumes, investing a huge amount of money in breach of electoral law, and if they did not declare it, there would be no record of that advertising ever having been placed.

Photo of Liam Byrne Liam Byrne Shadow Minister (Digital, Culture, Media and Sport) (Digital Economy)

The Chair of the Select Committee is doing a brilliant job with his investigation, but the argument must stretch further than simply political advertising. For example, when Voter Consultancy Ltd ran attack ads against Conservative Members, accusing some of them of being Brexit mutineers, it was running an imprint for a company that was actually filing dormant accounts at Companies House. There are real questions not just about political ads in the narrow traditional sense, but about how to get to the bottom of who is literally writing the cheques.

Photo of Damian Collins Damian Collins Chair, Culture, Media and Sport Committee, Chair, Culture, Media and Sport Committee

The right hon. Gentleman is absolutely right and that throws up two really important points.

The first point is that the Information Commissioner is also currently investigating this, which links to the right hon. Gentleman’s point about where the money comes from and who the data controllers are in these campaigns. Although Facebook is saying that it will in future change its guidelines so that people running political ads must have their identity and location verified, we know that it is very easy for bad actors to fake those things. It would be pretty easy for anyone in the House to set up a Facebook page or account using a dummy email address they have created that is not linked to a real person, but is a fake account. This is not necessarily as robust as it seems, so we need to know who is running these ads and what their motivation is for doing so.

Secondly, the Information Commissioner is also looking at the holding of political data. It is already an offence for people to harvest and collect data about people’s political opinions or to target them using it without their consent, and it is an offence for organisations that are not registered political parties even to hold such data. If political consultancies are scraping data off social media sites such as Facebook, combining it with other data that helps them to target voters and micro-targeting them with messaging during a political campaign or at any time, there is a question as to whether that is legal now, let alone under the protection of GDPR.

As a country and a society, we have been on a journey over the past few months and we now understand much more readily how much data is collected about us, how that data is used and how vulnerable that data can be to bad actors. Many Facebook users would not have understood that Facebook not only keeps information about what they do on Facebook, but gathers evidence about what non-Facebook users do on the internet and about what Facebook users do on other sites around the internet. It cannot even tell us what proportion of internet sites around the world it gathers such data from. Developers who create games and tools that people use on Facebook harvest data about those users, and it is then largely outside the control of Facebook and there is little it can do to monitor what happens to it. It can end up in the hands of a discredited and disgraced company like Cambridge Analytica.

These are serious issues. The Bill goes a long way towards providing the sort of enforcement powers we need to act against the bad actors, but they will not stop and neither will we. No doubt there will be further challenges in the future that will require a response from this House.

Photo of Brendan O'Hara Brendan O'Hara Shadow SNP Spokesperson (Culture and Media)

I will be very brief, Madam Deputy Speaker, because we are incredibly tight for time.

There is so much in the Bill that I would like to talk about, such as effective immigration control, delegated powers and collective redress, not to mention the achievement of adequacy, but I will concentrate on amendment 5, which appears in my name and those of my hon. Friend Stuart C. McDonald and Caroline Lucas.

The amendment seeks to provide protection for individuals where automated decision making could have an adverse impact on their fundamental rights. It would require that, where human rights are or could be impacted by automated decisions, ultimately, there will always be a human decision maker at the end of the process. It would instil that vital protection of human rights in respect of the general processing of personal data. We believe strongly that automated decision making without human intervention should be subject to strict limitations to promote fairness, transparency and accountability, and to prevent discrimination. As it stands, the Bill provides insufficient safeguards.

I am talking about decisions that are made without human oversight, but that can have long-term, serious consequences for an individual’s health or financial, employment, residential or legal status. As it stands, the Bill will allow law enforcement agencies to make purely automated decisions. That is fraught with danger and we believe it to be at odds not just with the Data Protection Act 1998, but with article 22 of the GDPR, which gives individuals the right not to be subject to a purely automated decision. We understand that there is provision within the GDPR for states to opt out, but that opt-out does not apply if the data subject’s rights, freedoms or legitimate interests are undermined.

I urge the House to support amendment 5 and to make it explicit in the Bill that, where automated processing that could have long-term consequences for an individual’s health or financial, employment or legal status is carried out, a human being will have to decide whether it is reasonable and appropriate to continue. Not only will that human intervention provide transparency and accountability; it will ensure that the state does not infringe an individual’s fundamental rights and privacy—issues that are often subjective and are beyond the scope of an algorithm. We shall press the amendment to the vote this evening.

Photo of Brendan O'Hara Brendan O'Hara Shadow SNP Spokesperson (Culture and Media)

I would give way, Minister, but I am very pushed for time.

I would like to voice my support and that of the SNP for amendment 15 on effective immigration control. We believe that the exemption is fundamentally wrong, disproportionate and grossly unfair, and we call on the Government to stop it.

Photo of Colin Clark Colin Clark Conservative, Gordon

I am conscious of the time, Madam Deputy Speaker, so I will not take too long.

This country is committed to remaining a global leader on data protection. The fundamental principle behind the Bill is to bring our data protection and information laws up to speed in the digital age. If we are to keep pace with technology and restore accountability in this area, we need a strong Information Commissioner’s Office. I am therefore pleased that the Government have brought forward new clauses 13 and 14. Remarkably, 11.5% of global data flows through the UK. It is vital that the UK plays a key role in ensuring compliance.

The Bill strikes a balance between individuals’ protection and organisations. It creates a bespoke framework for law enforcement, which is vital to our security services. I welcome the Minister’s comments giving comfort to businesses. In my constituency, they were deeply concerned about some of the claims made by organisations.

New clause 13 ensures that the Information Commissioner can seek a court order to enforce an information notice, given under clause 141 of the Bill, should someone fail to comply. New clause 14 makes it an offence, as the Minister said, for someone to destroy, dispose of, conceal, block or falsify information required by the Information Commissioner. The new clauses will ensure that companies and individuals subject to an Information Commissioner’s Office assessment notice are truly accountable.

The recent scandals involving Cambridge Analytica and Facebook, mentioned by several hon. Members, shone a spotlight on this area of the law. Cambridge Analytica has been repeatedly accused of holding back data. The story is so concerning because it reached the very corridors of power in which we work. Political parties and campaigns from various countries, and even in this country, sought out Cambridge Analytica’s help. The UK Government’s new clauses and amendments will ensure that the Bill does exactly what they intend it to do.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs) 5:45, 9 May 2018

Yvette Cooper made a very powerful speech in favour of amendment 15, and I would like to associate myself and my party with all the comments she made. In particular, I underline the point she made that the Home Office powers in the Bill have no limit and are completely subjective.

The Under-Secretary of State for the Home Department, Victoria Atkins, is sitting on the Government Back Benches, talking to a colleague. She is a respected lawyer who has practised law. Imagine if she had a client who was being denied reunification with their family, was not allowed to work, was being deported from this country and was not able to have access to the information on which that decision was made. That would go against all the principles of the rule of law of which this country is proud and which this House has upheld century after century, yet she, as a Home Office Minister, is allowing that to happen.

I urge the hon. Lady to think about that and, as the right hon. Member for Normanton, Pontefract and Castleford said, go to the new Home Secretary, who said he would take a new approach and sweep away some of the past, and ask him to think again and allow amendment 15 to proceed tonight. As the right hon. Lady said, there will be another opportunity with another immigration Bill coming up soon. The Home Office Minister and the Home Secretary can rest assured that the powers under paragraph 2 in schedule 2 relating to criminal actions would cover all the examples that Ministers in Committee, on Second Reading and in the other place have given for why they think this proposed legislation is required.

Photo of Yvette Cooper Yvette Cooper Chair, Home Affairs Committee, Chair, Home Affairs Committee, Chair, Home Affairs Committee

The Secretary of State for the Department for Digital, Culture, Media and Sport is now back is in his place. Does the right hon. Gentleman agree that it would simply take a phone call between him and the Home Secretary to agree that this measure could be suspended? The whole issue could be revisited in the immigration Bill coming down the track in due course. It could be removed from this Bill now for the sake of the Windrush generation.

Photo of Edward Davey Edward Davey Liberal Democrat Spokesperson (Home Affairs)

The right hon. Lady is absolutely right, and it is the Windrush generation who should be in our minds above all.

The right hon. Lady mentioned the need—this will be dependent on the EU negotiations—to ensure that we have access to data for national security and for fighting crime. That is in the Government’s interests as they negotiate Brexit, in particular with respect to the rights of EU citizens. I am fairly convinced that when the Commission really wakes up to the implications of paragraph 4 in schedule 2, it will say that this is acting in bad faith. The Government have agreed a settlement for the 3 million EU citizens in this country and the EU citizens who may wish to come to this country in the years ahead. The Bill will take away the rights they thought they would have. I therefore say to Ministers on the Front Bench and those on the Back Benches that they have just a few minutes or so to think again before it is too late.

Photo of Daniel Zeichner Daniel Zeichner Labour, Cambridge

I want to endorse new clause 4, which was so ably set out my right hon. Friend Liam Byrne from the Opposition Front Bench. I went on the Bill Committee with a sense of optimism and excitement, perhaps naively, because it seemed that so much needed to be done at the moment. Almost every day new issues arise—I hardly need to say that for me, “Cambridge” and “analytics” is an unfortunate combination. In the past few days, there have been facial recognition issues in the Welsh police and Amnesty International has raised the issue of gang lists. I hoped that we could rise to the challenge. However, I fear that although the Bill is hundreds and hundreds of pages long—in the pre-digital age, it would probably have been described as being the size of a telephone book—as Members have observed, does anyone really know what it means? That is why we needed a simple set of rights that people could understand. The sad thing is that people in the wider world are doing such good work and we should be looking at it. Look at what Tim Berners-Lee and Nigel Shadbolt are doing to try to transfer the data away from the big tech companies to make it our data. That is key, and it is the underlying principle of the GDPR, but I am not sure that we have been able to translate it into legislation.

I make two final observations. First, the golden thread running through much of this is data adequacy, which was referred to by the Chair of the Home Affairs Committee, my right hon. Friend the Member for Normanton, Pontefract and Castleford. In too many places there are genuine concerns, not just from Opposition Members but from Members in the other place, about our being tripped up on data adequacy, which is so important.

Finally, on the Information Commissioner’s role, a huge amount is being passed to her. We can have every confidence in her, but does she really have the resources, power and expertise? Most importantly, we are outsourcing some huge, really important judgments to the Information Commissioner, but I think it should be the role of this place to make those judgements in future, and I fear that we will come back to those points later in the day.

Photo of Paul Williams Paul Williams Labour, Stockton South

It is a pleasure to follow my hon. Friend Daniel Zeichner. I also pay tribute to Dr Wollaston, who is an extremely capable Chair of the Health and Social Care Committee and has shown real resolution and persistence on new clause 12.

In the sanctity of the consulting room, patients tell doctors, nurses and NHS staff all kinds of things. I have had all kinds of private and confidential issues disclosed to me in the 22 years that I have worked as a doctor, but the protection that the NHS gives to this information is absolutely fundamental. For years, the NHS has, on request from the Home Office, been sharing the address details of some patients that have ultimately been used to deport an unknown number of people over many years.

I recently visited a clinic run by the excellent charity, Doctors of the World, in Bethnal Green. I heard stories there of vulnerable people being afraid to approach NHS services because they cannot be certain that the information that they are asked to give will be treated confidentially. I heard about pregnant women not going for antenatal care, people with HIV not getting treatment and people who are afraid to take their children to the GP. The bond of trust between the NHS and its patients relies on the truth being told in both directions. Sadly, people have been avoiding the NHS because they do not trust it. That is bad for the reputation of the NHS, bad for the health of individual patients and bad for public health.

Doctors, nurses and other health professionals do not want information that is given to the NHS by patients to be shared except in the most extreme cases, when there is a significant risk to individuals or to the public. I am pleased that the Government have found a way to assure the House this evening that NHS information will be shared only in the event of a conviction or an investigation for a serious crime. This is the only way to preserve the integrity of the NHS and the immeasurable, vital and precious bond of trust between NHS staff and their patients.

Photo of Caroline Lucas Caroline Lucas Co-Leader of the Green Party

Like others, I would like to associate myself with the very powerful arguments that have been made in favour of amendment 15, but I want to speak briefly to amendment 16 to extend the debate about the conditions under which someone’s rights can be breached. It would prevent the crime exemption in the Bill being invoked in relation to low-level offences under immigration law.

Few of us would dispute the overall principle that data might be shared in some circumstances—for example, to prevent a serious crime or to apprehend an offender—but when the crimes in question are not serious and arise simply because of someone’s immigration status, we have to question whether the grounds for suspending data protection rights really do stack up. It is clear that the majority of offences under immigration law are not serious crimes. Most result only in a custodial sentence of two years or less, or a fine. Rather, they are the mundane activities of people doing what they must to survive. The effect is already forcing undocumented migrants to avoid sending their children to school, visiting the GP, presenting to homelessness services and seeking social support, for fear they might risk detention and removal by doing so.

Last year, a woman who was five months pregnant went to report being repeatedly raped to the police but was subsequently arrested at a rape crisis centre on immigration grounds. My amendment 16 seeks to better protect her and all others like her whose data protection rights are routinely being breached just because they are undocumented migrants and who are therefore being automatically criminalised just for leading their lives. There must be a firewall between Home Office immigration control and other Departments if we are serious about ending the current hostile immigration environment.

Photo of Stuart McDonald Stuart McDonald Shadow SNP Spokesperson (Immigration, Asylum and Border Control)

I echo the criticisms of the outrageous immigration exemption in the Bill and am pleased to add my name to amendment 15.

Little has been said today about international transfers of personal data by intelligence services, despite the serious concerns raised in Committee. I will therefore speak briefly to new clause 24, which it is all the more important we debate, given the moves by the Trump Administration in the USA to roll back on safeguards on the targeting of drone strikes and the significant increase in their use of lethal force outside armed conflict zones. These developments mean an increased risk of strikes being in breach of international human rights law, and we know that UK intelligence personnel are involved in the transfer of data that could be used in such drone strikes, so it is all the more important that there be safeguards and accountability on when and how information can be transferred and that legal certainty be provided for our personnel.

As the Joint Committee on Human Rights said in its 2016 report,

“we owe it to all those involved in the chain of command for such uses of lethal force…to provide them with absolute clarity about the circumstances in which they will have a defence against any possible future criminal prosecution, including those which might originate from outside the UK.”

The Bill fails to provide those safeguards and clarity. Clause 109 places no realistic restriction on such transfers, referring simply to necessity and proportionality in pursuit of statutory goals. The new clause would provide a clear bar on transfers for use in unlawful operations and introduce accountability and transparency by requiring that written reasons be provided for any transfer thought to be lawful, that there be ministerial sign-off, that certain information be provided to the Information Commissioner and the Investigatory Powers Commissioner and that guidance on transfers be laid before Parliament. The new clause would not hinder but help our personnel working in this area and ensure that the UK is seen as complying with the rule of law and its international obligations. This is an important debate to which we will have to return in the future.

Question put and agreed to.

New clause 13 accordingly read a Second time, and added to the Bill.

New Clause 14