The issue in question is the need for a lawful basis for biometric data used in the context of identity verification and authentication to increase security. Biometric data changes its status under the GDPR and becomes a new category of sensitive data. That narrows the lawful basis on which companies can collect and use biometric data, and it makes this processing of data difficult or impossible because the only lawful basis available is consent, which is not appropriate or feasible in the circumstances.
Biometrics are increasingly being used in different sectors for identity verification and authentication, both as a security measure and to provide greater identity assurance. I am sure that anybody who has used the fingerprint security aspect of an iPad will be aware of that. Employers are also increasingly using biometric access controls for premises or parts of premises that require high security levels and access audit trails. Organisations using biometrics for additional security and assurance also need to keep their mechanisms up to date, and continually test and develop ways in which to prevent bad actors from hacking or gaming their systems. That research and development activity also requires biometric data processing and can involve AI or machine learning to train and test systems.
The Bill has a fraud prevention lawful basis for processing sensitive data, under a heading of “substantial public interest”. However, even assuming that the Bill is clarified and the fraud prevention lawful basis is available to use without having to satisfy an additional “substantial public interest” test, it is not suitable for the biometric uses described. The problem is the risk that necessary and desirable processing of biometric data will not be possible. Increased security benefits everyone, and it would not be desirable for the law protecting the use of personal data to be the barrier to organisations implementing better security for individuals.
The solution is that we acknowledge that the GDPR allows additional lawful bases for processing sensitive data. Specifically, Article 9(4) allows member states to add lawful bases for processing biometric, genetic or health data. The essence is that we use the option available under that article to add a lawful basis, as set out in the amendments. The amendments may not be technically perfect, but I hope that the Minister will agree that they are heading in the right direction. The proposed additional lawful basis covers three biometric data processing activities, described above. There are already safeguards for individuals in the GDPR regarding biometric data processing, as any large-scale processing of sensitive data is subject to a data protection impact assessment, which would be the case for identity verification or authentication as an integral and ongoing security or assurance feature of the service that the individual has chosen to use. The proposed amendment would also introduce this safeguard as a requirement for employee biometric access control processing. I beg to move.
My Lords, it falls to me to speak to a sequence of amendments from Amendment 35 to Amendment 68. Whereas we have had complicated issues before us in previous discussions on the Bill, most of these are probing and of a much simpler substance. I will proceed with them as best I may.
Amendment 35 is to paragraph 5(1), which states that a condition for substantial public interest is met only when the processing is carried out by the controller, who has,
“an appropriate policy document in place”.
The amendment we propose seems sensible and simple, which is that the policy document should be,
“made available to the data subject without charge”.
We repeat that in Amendment 68 to Part 4 of Schedule 1, where there is discussion of an “appropriate” document.
Amendment 37 probes the protected characteristics of the Equality Act. Whereas in the Bill just a few are mentioned, our amendment asks why all those included in the Equality Act are not in that list. In the amendment we can see the proposed extra categories that would be placed there to complete that list. Once again it seems sensible, having started on that track, to complete that process.
We come next to preventing or detecting unlawful acts. Amendment 38 asks about “a serious” test. We have had conversations with Reuters and a number of amendments are consequent on some of the observations we made in that conversation. Thus with Amendment 39 we would ask the information commissioning officer to clarify that processing must be carried out without the consent of a data subject where,
“a data subject is unlikely to give consent”,
for example to frustrate prevention or detection, where it would involve disproportionate effort to achieve consent or where the nature of the processing means that withdrawal of consent would prejudice prevention or detection of unlawful acts. That probes the extent to which these matters might apply.
Amendment 40 is again a probing amendment on the question of dishonesty, under the heading:
“Protecting the public against dishonesty”.
Perhaps we need to work out how better to define dishonesty. We all know what telling a lie is, but in the days of fake news we can perhaps have different or varying views on this. Perhaps it needs to be tied down a bit more closely.
Amendment 41 refers to protecting members of the public. It is unclear in the schedule whether this extends to protecting businesses from doing business with other businesses that would cause them severe reputational harm because, for example, they engage in modern slavery, bribery or whatever. It might be good to frame the law so it is clear that it involves businesses and members of the public. To skip an amendment for the moment, that ties in with Amendment 44. Paragraph 12 does not expressly allow screening by private companies for the purpose of checking against non-UK terrorist financing or money-laundering laws. Nor does it allow screening to be undertaken to comply with widely recognised guidelines such as those promulgated by the Financial Action Task Force, in which the United Kingdom Government participate. It seems sensible to include that screening in the Bill. The amendment seeks to achieve that.
Amendment 43 is to paragraph 12, which says that the condition of expressing a public interest is met,
“if the processing is necessary for the purposes of making a disclosure in good faith”,
under sections of the Terrorism Act and the Proceeds of Crime Act. Again, it would be nice to tie some of that down with further clarification. That might help us all. Amendment 45 asks about counselling.
That is the rather interesting daisy chain of amendments it falls to me to present. Since this is, for me, a maiden speech on a piece of legislation, nobody would expect it to be contentious, disputational or controversial. In that sense, I offer it for the consideration of the Committee.
Last Monday there was considerable focus in our discussions on the vital need to ensure that legitimate research—especially medical research in the public interest based on the personal data of patients—was not impeded by the terms of this legislation by requiring re-consents that might well be unobtainable. The noble Lord, Lord Patel, spelled out the arguments with great cogency and I do not need to repeat them.
My amendment seeks to ensure that another category of medical activity is not prevented from continuing to give help. I refer to patient support groups. At Second Reading I spoke about Unique, a not-for-profit charity that enables research into, and offers support to, sufferers of rare chromosome disorders and their families. These disorders can and often do result in severe and even profound lifelong disability for which there is no cure.
Since I spoke, many other patient support organisations have been in touch with the same concerns. They support my amendment. They include Genetic Alliance, which comprises 190 organisations giving support to individuals with rare or incurable conditions, such as the Down’s Syndrome Association; the MPS Society, which supports individuals suffering from mucopolysaccharide disease; Alström Syndrome UK; Prader-Willi Syndrome Association; the MND Association for motor neurone disease; Action Duchenne, which supports those suffering from muscular dystrophy; Save Babies Through Screening Foundation, which focuses on infants with Krabbe disease; the Lily Foundation, which supports those with mitochondrial disease; the PCD Family Support Group, for primary ciliary dyskinesia; UKPIPS, Primary Immune-deficiency Patient Support; SMA Support for spinal muscular atrophy; Vasculitis UK; and Annabelle’s Challenge.
All these groups support the amendment I tabled. I could go on; there are others. I have listed them because I do not want it thought that there is in my amendment any suggestion of special pleading for a very small number of organisations. On the contrary, patient support groups are numerous and do unsung but irreplaceable work among individuals and families for whom life can be very hard.
What is the problem with the Bill? Schedule 1 lists a number of circumstances in which the special category of sensitive personal data can be processed without explicit consent for reasons of public interest. But patient support groups do not fall into the categories of organisations that can avail themselves of this exemption, nor do the purposes for which they collect personal data qualify. This means that the Bill will oblige patient support groups which collect health information from their members either to re-contact everyone from their database to get renewed explicit consent, or to destroy or anonymise any data not re-consented.
On the face of it, this may seem perfectly reasonable, but it takes no account of the real-life situation of the individuals and their families which the patient support groups help. I explained at Second Reading how in reality carers, who may be the other side of the world, may not respond to communications but then, possibly years later, communicate to ask for help or get in touch to help each other. It is certainly wasteful and gratuitously harmful to require such data to be destroyed when it is the very basis on which these groups can offer relevant support. In the case of Unique, experience suggests that up to 50% of existing data would need to be destroyed, having been accumulated over 30 years, and thus lost for current and future research and sufferers. I am sure this cannot be the intended outcome of the Bill.
Anonymisation, which in some circumstances might be an acceptable answer, does not provide a solution in the case of support groups. Matching disease types enables support groups to give informed prognoses to the families of sufferers and to their clinicians, who individually may not have met such a rare condition before. They help with practical advice and put sufferers and their families in touch with each other, thus improving their prospects and relieving distress and loneliness. But to do this, they need access to names and addresses and special-category data of their members, because anonymous data are of absolutely no use in this context.
Medical research would also be the loser as the Bill stands. To take one example, the MND Association, the motor neurone support group, has more than 3,000 blood samples in its collection, cell lines and accompanying clinical information. This database has been and is used in a variety of research projects to look at potential causative genes. Samples will also be used to screen potential drugs. To all this, the personal data of the individuals concerned is essential and it is not guaranteed that they will always be capable of being re-contacted.
In this context, perhaps I may quote from a statement by Public Health England in support of the work of patient support groups:
“We are clear that patient registries, particularly for individuals with less common conditions, are one of the most valuable sources for the care, research and support of patients and their families. In many cases they are the only source of information on some disorders. Some collections stretch back many years. This historical record is essential for longitudinal studies and long term follow up … These searches can only be performed on well curated, identifiable data as people change their names and locations”.
Public Health England goes on to say that the question is about the adequacy of the consent obtained in the first place and whether it meets the enhanced rights of data subjects under the GDPR. Absolutely—there is no argument that the consent at the outset needs to be of a good standard so that subsequent use of personal data can be validly based on it.
My amendment would confine the special provision that I am proposing to members of organisations for specific purposes which I would hope we could all agree lie in the public interest. It would not open the floodgates to a collection of streams of unconsented personal data for undefined purposes. I therefore hope that the Government can agree to my amendment.
My Lords, as my noble friend Lord Clement-Jones indicated, I shall speak to Amendments 41 and 44, which were eloquently introduced by the noble Lord, Lord Griffiths. I had no idea that it was a maiden speech from the Front Bench, and it is to the discredit of the Labour Party that it has taken him so long to climb to the top of the greasy pole. Having got there, I hope that he enjoys the view.
As the noble Lord indicated, these amendments are inspired mainly by Thomson Reuters and others in the City. I attended a seminar in the City some weeks ago in which the corporation, the City of London Police and some leading companies talked about the challenges that data was bringing them. At the core of this is a concern that the Bill is loosely and poorly worded in preventing private companies doing work with data which will help them to keep best practice in line with the objectives for corporate governance and efforts to fight crime, terrorism, slavery, bribery and corruption.
I hope the Minister can give some comfort that the Bill will give cover to companies, financial institutions and others to carry out this kind of data activity and allow screening by private companies for the purposes of checking against non-UK laws on terrorist financing or money laundering. It should be amended to allow compliance with widely recognised guidelines such as those promulgated by the Financial Action Task Force. In the light of the Minister’s response and in consultation with those who have asked us to raise this matter, we would see whether we wanted to take it further. At the source of these amendments is a concern on the part of companies which I think genuinely want to help.
My Lords, I want to raise an issue which I would be grateful if it were thought about, although I would not dream of asking the Minister to give an informed reply today. I am puzzled especially by Amendment 37, spoken to by the noble Lord, Lord Griffiths, because I spent a good deal of my time developing the Equality Act 2010 and we were very concerned when doing so about issues of personal privacy and enforceability.
Obviously, one size does not fit all when it comes to equal opportunity and treatment. It is fairly easy to operate a policy measuring ethnicity, for example, without any problem about privacy; it is pretty easy to do so in respect of gender, although gender does not at the moment figure in the list for some reason, but it becomes terribly difficult when one is dealing with sexuality, religion or philosophical belief, which are for some reason in the list at the moment. I would be grateful if the Minister could reflect with people from the Government Equalities Office on whether this is an example of overlegislation, which it would be much better to prune down.
I am all in favour of affirmative action to promote equality between the sexes or people of different ethnicity, but when it comes to religion, philosophical belief and the other matters that are either there at the moment or would be there under Amendment 37, I get very worried. For example, I once represented the Church of Scientology—successfully—in establishing that scientology is a religion. I would not like these provisions to be the source of conflict and division between one kind of religion and another, or one kind of no religion and humanists, and so on. I think it is an example of overlegislation and underlegislation, and needs to be sorted.
My Lords, I am grateful to all noble Lords who have participated. I am especially grateful for the clear way in which the noble Lord, Lord Griffiths, outlined the case for all his amendments. He could have chosen an easier Bill to start on, I must say, but he did it very well. I am grateful for the opportunity to set out the purpose of various conditions included in Schedule 1, this time specifically with reference to Part 2.
As we have already discussed, for “special categories of data” to be processed lawfully, controllers must demonstrate that their processing meets one of the processing conditions set out in article 9 of the GDPR. We have already touched on several of these. Here we turn to processing which is,
“necessary for reasons of substantial public interest”.
Clause 9 requires that controllers wishing to rely on this processing condition must meet one of the conditions set out in Part 2 of Schedule 1.
Paragraph 7 of Schedule 1 allows processing of certain specified special categories of personal data for the purpose of promoting equality of opportunity. Amendment 37 seeks to expand this condition to permit the processing of additional categories of personal data. This is unnecessary because the categories of data referred to in the amendment are either not considered by the GDPR framework to be special categories of data in the first place or covered by the categories already listed in paragraph 7 of Schedule 1; for example, “Personal data revealing age” need not be listed because it is not subject to additional protection to begin with.
The Government accept that the existing special categories of data are broad and in some circumstances will overlap with the categories of data suggested in the amendment; for example,
“Personal data revealing a disability”,
will fall within the special category of “Data concerning health”. But in these cases, paragraph 7 already permits the processing of such data for equality-monitoring purposes. I will read carefully the remarks of the noble Lord, Lord Lester. I suspect his point is to do with what is and what is not a special category of data, but I will read Hansard and write to him, and copy other noble Lords. I thank him for not requiring a considered answer tonight.
Amendments 38 and 39 address the condition in paragraph 8 which permits the processing of data where this is,
“necessary for the purposes of the prevention or detection of an unlawful act”.
Amendment 38 would make it clear that the condition was available only if the unlawful act in question was “serious”. I can understand the rationale behind the amendment but the Government consider that it might nevertheless be in the substantial public interest for an organisation to process data for the prevention or detection of an unlawful act that was not obviously “serious”. An offence such as driving without a licence or insurance may not be the most serious in terms of the maximum penalty available, but it could still be in the substantial public interest for it to be reported by the data controller. Paragraph 8 ensures that data controllers are empowered to make that call and be accountable for their decision.
Amendment 39 would make the condition available only,
“under circumstances in which it is reasonably clear that a data subject is unlikely to give consent”.
While similar provision is made in other conditions where required, the Government consider that it would not be appropriate in this case, given that the purpose is to process data in circumstances where seeking consent risks prejudicing the prevention or detection of an unlawful act.
Amendment 40 would remove the word “dishonesty” from paragraph 9(2)(a) so that an organisation could rely on this provision only if it were processing sensitive categories of personal data to protect the public from malpractice, other seriously improper conduct or the other listed behaviours. The Government consider that there might be situations where an organisation would also need to process data to protect the public from dishonesty that does not necessarily amount to malpractice or improper conduct. It is therefore right that the paragraph covers the full gamut. This processing condition is not new; a similarly worded provision already exists under the current Data Protection Act.
The noble Lord, Lord Griffiths, suggested that there was a need for a further definition of “dishonesty”. I am afraid we do not agree. The word has a plain English meaning, defined in the dictionary. Furthermore, to define it here would cause confusion as it is used throughout UK legislation.
Amendment 41 would extend the scope of the same processing condition so that it could also be used to protect bodies and associations, rather than just the general public, from dishonesty, malpractice and improper conduct. It is one thing to allow the processing of an individual’s personal data for the purposes of protecting the general public—that is, other individuals; there is a neat symmetry there—but quite another to suggest that it could be processed to protect organisations from reputational harm. On that basis, I cannot agree to include it.
Amendments 43 and 44 address the processing condition in paragraph 12 which allows organisations such as banks to make disclosures “in good faith” under the Terrorism Act 2000 and the Proceeds of Crime Act 2002 about third parties who are suspected of terrorist-financing offences or money laundering. This processing condition is intended to protect organisations that disclose data on the basis of a genuine suspicion, even if it turns out later not to have been well founded. Noble Lords will recall that this condition was debated and agreed to as part of the Criminal Finances Bill earlier this year. The condition is tied to the improvement of a specific statutory regime—known as the suspicious activity reports regime—and is designed to give legal clarity to encourage the sharing of information to prevent serious crime and terrorism. I know there are some in the financial sector who have suggested that these provisions should go further to permit screening by private companies for the purposes of checking against non-UK laws on terrorist financing and money laundering. As noble Lords may be aware, the relevant provisions in the Criminal Finances Act were commenced only at the end of last month. We are not convinced that there is a need to amend them at such an early stage.
Amendment 45 would amend the processing condition relating to,
“confidential counselling, advice or support”,
in paragraph 13. It would add “guidance” to the list of processing activities which are permitted under this provision. This paragraph is not new; the relevant wording is drawn directly from existing legislation. But I am happy to put on the record the Government’s view that guidance is already covered by this provision and thus there is no need to amend it.
Amendments 45A and 64 in the name of my noble friend Lady Neville-Jones seek to clarify the legal status of processing by patient support groups. The Government strongly support the varied and important work of patient support groups and I am grateful for my noble friend’s time in meeting me recently. It is important to reiterate that groups such as Unique will have access to a number of provisions already in the Bill, even in cases where consent cannot be obtained, or reobtained, from the data subject.
We discussed the provisions for scientific research last week. In addition, paragraph 13 of Schedule 1 makes provision for confidential counselling, advice and support. Taken together, the provisions I have mentioned—for consent, scientific research, and confidential counselling, advice and support—seem to cover a great deal of the vital work undertaken by patient support groups. But the Government retain an open mind on this and I will read my noble friend’s contribution in Hansard carefully.
Amendment 52 would amend the processing condition relating to occupational pensions contained in paragraph 16. At the moment, processing in relation to occupational pensions forms part of a processing condition in relation to insurance. In drafting the Bill, the Government have simply decided, in the interests of clarity, to give it a processing condition in its own right.
I turn now to Amendments 35, 67 and 68, which concern the requirement for data controllers to have an appropriate policy document in place when processing special categories of personal data and criminal convictions data in certain circumstances. The requirement for an appropriate policy document is new; there is no such requirement in the current Data Protection Act. It further enhances the Bill’s commitment on transparency and the protection of individuals’ data. Paragraph 31 requires that the data controller make the policy document available to the Information Commissioner on request and without charge. We consider that the Information Commissioner is best placed to consider whether the policy document meets the technical requirements and can take any further appropriate action, if required.
In considering whether there is value in extending a similar right to data subjects, as Amendment 35 does, it is worth noting that controllers will be obliged to provide data subjects with clear and comprehensive information on how their personal data will be processed as well as on their associated rights as data subjects. This obligation attaches to all data controllers, not just those required by the Bill to maintain an appropriate policy document. If, on the basis of the information provided, a data subject believed that there had been a breach of the law, they would be able to raise their concerns with the Information Commissioner who has powers under the Bill to investigate and take action in respect of breaches of data protection law.
Finally, I turn to recent Amendments 21A and 66A tabled by the noble Lords, Lord Clement-Jones and Lord Paddick. As we have heard, article 9(1) of the GDPR prohibits the processing of sensitive categories of data, including biometric data which can be used to identify someone, unless the conditions in article 9(2) can be satisfied. As the noble Lord, Lord Clement-Jones, explained, article 9(4) allows the UK to introduce further conditions with regard to the processing of biometric data. These amendments propose to do that by creating a new part in Schedule 1 dealing with the processing of biometric data to make it clear that biometric data can be processed where it is used as a security feature to access a service that the data subject has chosen to use. As the noble Lord explained, many of us are familiar with the verification devices on mobile phones and computers which allow the user to access the service using fingerprint recognition.
I agree. I have the same. You have to put in your numerical password every so often just to check that you have still got the same finger. Technically, you might not have.
The amendments also seek to permit the processing of such data when biometric identification devices are installed by employers to allow employees to gain access to work premises or when the controller is using the data for internal purposes to improve ID verification mechanisms. I am grateful to the noble Lord for raising this important issue because the use of biometric verification devices is likely only to increase in the coming years. At the moment, our initial view is that, given the current range of processing conditions provided in Schedule 1 to the Bill, no further provision is needed to facilitate the activities to which the noble Lord referred. However, this is a technical issue and so I am happy to write to the noble Lord to set out our reasoning on that point. Of course, this may not be the case in relation to the application of future technology, and we have already discussed the need for delegated powers in the Bill to ensure that the law can keep pace. I think we will discuss that again in a later group.
On this basis, I hope I have tackled the noble Lord’s concerns, and I would be grateful if he will withdraw the amendment.
My Lords, as usual the noble Lord, Lord Maxton, has put his finger on the problem. If we have iris recognition, he will keep his eye on the matter.
I thank the Minister for his explanation of the multifarious amendments and welcome the maiden speech from the Front Bench by the noble Lord, Lord Griffiths. I do not think I can better my noble friend Lord McNally’s description of his ascent to greatness in this matter. I suspect that in essence it means that the noble Lord, Lord Griffiths, like me, picks up all the worst technical amendments which are the most difficult to explain in a short speech.
I thought the Minister rather short-changed some of the amendments, but I will rely on Hansard at a later date, and I am sure the Opposition Front Bench will do the same when we come to it. The particular area where he was disappointing was on what you might call the Thomson Reuters perspective, and I am sure that we will want to examine very carefully what the Minister had to say because it could be of considerable significance if there is no suitable exemption to allow that kind of fraud prevention to take place. Although he said he had an open mind, I was rather surprised by his approach to Amendments 45A and 64 which were tabled by the noble Baroness, Lady Neville-Jones. One will have to unpick carefully what he said.
The bulk of what I want to respond to is what the Minister said about biometrics. I took quite a lot of comfort from what he said because he did not start quoting chapter and verse at me, which I think means that nobody has quite yet worked out where this biometric data fits and where there might be suitable exemptions. There is a general feeling that somewhere in the Bill or the schedules we will find something that will cover it. I think that may be an overoptimistic view, but I look forward to receiving the Minister’s letter. In the meantime, I beg leave to withdraw the amendment.
Amendment 21A withdrawn.
My Lords, I rise to speak to another rather wide-ranging group, in terms of numbers, although I think we will find the amendments are a theme and variation on an issue that will run through not just this Bill but a number of Bills to come. I refer to secondary legislation and powers in the future when it is necessary for the Government of the day to try to change that which has been set down in primary legislation in the past.
Amendment 22, which kicks this off, is taken very largely from the report of the Delegated Powers and Regulatory Reform Committee. I make no apology for that. I think it is a very good report, as always, from that committee which does a fantastic job on what we are doing. I think I am probably interposing in a dialogue that may be carrying on out of our direct ken since normally in this matter one would get a memorandum, which I think we have seen, and I thank the Minister and the Bill team for that. The first response from the Delegated Powers and Regulatory Reform Committee will make some comments and I think it likely that the Minister and his colleagues will respond to that. We are only in the early stages, so I suspect we are a bit previous on this point.
However, this is an issue of some substance that may well be in all the Brexit-related Bills soon to arrive in your Lordships’ House, which suggests that we might just have a quick canter around it at the moment.
In preparing for this particular area, I had thought that we would just stick with Clause 9, but I was drawn into also putting in Clause 15, because there is an interesting point here that I wanted to raise with Ministers. The noble Lord, Lord Whitty, the noble Baroness, Lady Jones, and the noble Lords, Lord Clement-Jones and Lord Paddick, have had less restraint, and therefore we are covering quite a large number of the issues raised by the DPRRC. I look forward to hearing the response and to the wider contributions from those who have tabled amendments in this group.
The main theme that seems to run through this is what the committee says in paragraph 20 of its recent report, that,
“we take the view that the memorandum does not adequately justify the breadth of the power in clause 9(6) of the Bill, and that it is inappropriate for Ministers to be given carte blanche to rewrite any or all of the conditions and safeguards in Schedule 1 by regulations in order ‘to deal with changing circumstances’ instead of bringing forward a Bill”.
The committee then slightly changes its position by recognising that currently this is under the affirmative procedure, quite a strong measure to have in play in legislation, and suggesting an alternative approach:
“It may be appropriate … for Ministers to have a more focused power enabling them to update specific paragraphs”.
Maybe that is a line the Government will take. The essence of this is Henry VIII powers—how egregious they are and how bad it would be in future to come across them. At the same time we have to balance that against the obvious need, particularly in this Bill—as we have already discussed we are talking about fast-moving technology, although it applies in other areas—for some flexibility on the part of the Government of the day to bring forward amendments and changes as and when required. It is a balance and has to be struck properly, but the first shots in this have tended to be that Ministers are too aggressive. We await further discussions, but that is the ground which we will be traipsing around.
Amendment 106A relates to Clause 15(1)(b), at line 44 on page 8, which talks about,
“the power in Article 23(1) to make a legislative measure restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest.”
I take this to be a quote from the GDPR. It is therefore couched in language which I think would be unexceptional if we were transposing the GDPR into the Bill, but of course we are not, and we are not allowed to amend it. The question really is what a legislative measure is. This is not a rhetorical question, because I would like an answer. In our system, as I understand it, Secretaries of State bring forward legislation in the form of a Bill. If they are not doing that, they bring it forward in secondary regulations. But a legislative measure has no apparent meaning in terms of the work we do—maybe the Minister will confirm that this is perfectly right. But for the moment, this probing amendment not only underlines the point made by the DPRRC in relation to the power in Clause 15 but is also about the particularity of the language used. I beg to move.
I remind the Committee that if this amendment were to be agreed, I would be unable to call Amendment 22A for reason of pre-emption.
My Lords, I regret I was not able to speak to the Bill at Second Reading, but I take great delight in speaking to it this evening, on Amendments 22, 23, 107, 138 and Clauses 15 and 111. I am well aware that the Bill is extremely important. The digital age brings all sorts of opportunities for us but also lots of challenges, and it is absolutely right to keep up to date and make sure that we have legislation in place for the big questions of privacy in such rapidly changing times. When the current data protection legislation came in, most people were still getting to grips with email, and sending a text message on your mobile phone was a really fancy way of communicating. It is time that the legislation was updated.
The sheer volume and depth of personal data that are now floating around online would have been unimaginable then. We share the deepest and most personal details of ourselves quite freely these days, or at least some of us do. The Bill seeks to set important new standards for the protection of people’s data and give them more rights over how their data are used. So far, so good—for example it would allow some of us to ask the social media companies to delete any stupid comments we made a decade or so ago, which might help some MPs currently.
My problem with the Bill is twofold. Large parts of it are not about protecting people’s data or granting new rights. Significant parts of the Bill are focused on removing or reducing people’s data rights which are otherwise granted by the general data protection regulation. The noble Lord, Lord Stevenson, used the word “aggressive”, which is a very good word to use for some of these clauses. The Government are also trying to exercise too many derogations and opt-outs in the Bill. We should be aiming to protect people’s data as much as possible and restricting data rights only where absolutely necessary. This is the purpose of the amendments that I have tabled or signed.
The second problem is that this is such a power grab by the Government. We will hear a lot about this over the next few weeks and months, but the bypassing of Parliament like this by giving excessive delegated powers to Ministers is unacceptable. I can see, possibly, the need for the very occasional use of Henry VIII powers, but overall far too much power is being put into them. The Select Committee put it much better than I can:
“We draw attention to the number and breadth of the delegated powers in this Bill. This is an increasingly common feature of legislation which, as we have repeatedly stated, causes considerable concern. The Government’s desire to future-proof legislation, both in light of Brexit and the rapidly changing nature of digital technologies, must be balanced against the need for Parliament to scrutinise and, where necessary, constrain executive power”.
The privacy rights at stake in the Bill are so important that they absolutely must be properly approved by Parliament and parliamentarians. Changing these rights with delegated legislation is a nonsense. It is particularly important that Parliament remains responsible for deciding these rights, since so much of it applies to the Government’s use of personal data. We cannot allow the Government to decide what the Government are allowed. That is not a democracy; it is a dictatorship.
“revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
Processing that sensitive data is prohibited, except in a very limited set of circumstances set out in the GDPR or in legislation passed by Parliament. Schedule 1 to the Bill sets out 28 circumstances where the sensitive data is allowed to be processed, supposedly with relevant safeguards. Clause 9(6) is the Henry VIII power which allows the Secretary of State just too much power, to,
“amend … by adding, varying or omitting conditions or safeguards, and … make consequential amendment of this section”.
The Delegated Powers and Regulatory Reform Committee also concludes that Clause 9(6) is “inappropriately wide” and should be removed from the Bill. We all understand that there will be negotiations on the Bill. It is important to get it passed, but it is also important that it is passed right, and I very much hope this is one area where the Government will see sense and take out these sweeping powers. Personally, I think we must resist, with everything we have, any attempt by the Government to wrestle power over which of these rights are protected and which are not.
Clause 9(7) is a tidying-up provision; if Clause 9(6) is removed then subsection (7) has nothing to apply to, so it should also be removed.
In Clause 15, I put my name to Amendment 107 but I should have signed Amendment 108 as well. The super-affirmative resolution procedure would be much better than the affirmative resolution procedure as it would force the Government to have regard to the opinion of Parliament, but it would still be far from perfect. We would be much better off not having these broad delegated powers in the first place.
Amendment 130 in Clause 33 is about removing the power to amend Schedule 8 using delegated legislation. That is the same as in Clause 9, and the same applies to my amendment in Clause 84. In opposing Clause 111, I would like to remove the power to make further exemptions in relation to national security.
I look forward to seeing the Bill becoming something that we can all perhaps sign up to, but at the moment the Government are being far too aggressive and greedy for power.
My Lords, like the noble Baroness, Lady Jones, I understand the issues of fast-changing technology and the fact that it is very hard for primary legislation to keep up. My noble friend Lady Neville-Rolfe has asked me to express her sadness that she is unable to be here today due to a family funeral. I shall speak to the amendments in our name which, like Amendment 24, propose the super-affirmative resolution procedure.
The report by the Delegated Powers Committee speaks eloquently for itself. The arguments have been made already by the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, and I shall not repeat them. Our amendments would do two extra things: they would put the super-affirmative resolution process in the Bill, which would make it a bit clearer—that seems more helpful—and would add a requirement for an updated impact assessment for industry, charities and public authorities. The reason for that is that the Executive could make changes under these powers, including adding a whole new technology to the data protection regime—so an impact assessment, according to my suggestion, would be essential. My noble friend Lady Neville-Rolfe and I would support any call for discussions with the Minister so that we can identify where the super-affirmative procedure should apply.
My Lords, I have two sets of amendments in this group. The first ones are actually amendments to that of the noble Lord, Lord Arbuthnot, because, like him, I think it would be useful, given the range of delegated powers within the Bill, if we wrote the super-affirmative resolution into the Bill. If we do not succeed in greatly reducing the amount of delegated legislation that is permitted under the Bill—although I hope my noble friend Lord Stevenson and others do—we need to treat that delegated legislation when it is brought forward in a way that is more intensive, consultative and engaging than our normal simple affirmative resolutions.
So I support the principle of the amendment of the noble Lord, Lord Arbuthnot, and the noble Baroness, Lady Neville-Rolfe. My Amendments 182A to 182C would simply add an additional dimension. As I read the amendment at the moment, it is emphatic on getting the Government to identify the impact on industry, charities and public bodies. The main point that we are all concerned about is actually the impact on individuals, the data subjects, yet they are not explicitly referred to in the draft of the amendment before us. My three amendments would therefore effectively do two things: first, they would require the Minister to consult data subjects or organisations representing them, such as consumer organisations, as well as those stipulated in the amendment as it stands; and, secondly, they would ensure that the impact assessments related to the impact on individuals as well as on organisations. I hope that the noble Lord would agree to my amendments at whatever point he and the noble Baroness propose to put this to the vote, in which case I could fully support their amendment.
My Amendment 22A is a specific example of the themes that my noble friend Lord Stevenson and the noble Baroness, Lady Jones, have already spelled out. I will not repeat everything they said but it is a particularly egregious form in that it allows the Minister—the noble Baroness, Lady Jones, has already referred to this—to add, vary or omit any safeguard that is in Schedule 1. I particularly object to “omit”. That does not simply mean modifying or tinkering in order to keep up with the technology; rather, it means omitting a serious safeguard that has been put in the Bill during its passage through Parliament.
Since Schedule 1 is pretty wide ranging, this could include issues that related to legal proceedings, crime, taxation, insurance, banking, immigration, public health or indeed any aspect of the public interest. That is a huge range of potential removal of safeguards that would not be subject to the approval of this House through primary legislation. If the safeguards persist and are maintained through the Bill when it eventually emerges, the ability of Ministers to vary them so drastically should be curtailed. I understand that my amendment would be pre-empted if my noble friend Lord Stevenson’s amendments were carried—but if they are not we definitely need to alter that clause.
This is a complex Bill because of the technology and because of the juxtaposition between European legislation and the position we are currently in with regard to it. The Bill is also an exemplar of what we are going to go through in Brexit-related legislation in a much wider sense. We must get right how we deal with delegated legislation post Brexit, and we need to ensure that the Bill is an example and does not concede powers to Henry VIII or indeed to the Minister that we might regret when his successors made use of them later.
My Lords, I can be very brief. I have not yet quite got through the concept of the Minister as Henry VIII. There is a clear common theme coming through every speech in the House today. The issue is whether the Government’s arguments for the use of the powers contained in the various clauses that have been mentioned—my amendments from these Benches, Amendments 24 and 107, relate to Clauses 9 and 15, but there is a broader issue—are credible and whether their desire for flexibility is convincing. As many noble Lords have mentioned, the Delegated Powers Committee did not find them particularly credible and stated:
“We regard this as an insufficient and unconvincing explanation for such an important power”.
That applies to Clause 15, but we on these Benches believe that the power in Clause 9 should not be there in its present form, either.
We have tried to be constructive. We have put forward a suggestion, as has the noble Lord, Lord Arbuthnot, for the use of the super-affirmative power. That is extremely well known and is enshrined in legislation—so, unlike the noble Lord, we did not feel the need to spell out exactly what the procedure was because it is already contained in a piece of legislation that I will no doubt come across in my notes at some suitable moment. It is now an extremely common and useful way of giving the Government flexibility, while allowing sufficient consultation before any regulations come to the House by affirmative resolution. We recognise that this could be fast moving, so it may be appropriate that the Government have those powers, provided that they are governed by super-affirmative resolution.
I expect that the BMA has made its views known to the Government. It is particularly concerned, in the context of Clause 15, that the Bill could give the Government an inappropriate fast-track power, for instance, to change the law on how confidential health data are shared, with little scrutiny or oversight. That is but one example of why we believe that amendments should be made.
I suppose that it depends on how the parties come together after Committee to agree on the best form of action in response to these Henry VIII powers—but I suspect that, on Report, there will be a deal of contention on the matter.
I can imagine how it was when the legislative programme was discussed in the Cabinet Office, or even at No. 10: how on earth do we get all this through? I am sure that the Civil Service advice was—or at least one adviser said—“Well, you could try by Henry VIII powers and lots of secondary legislation. Looking at the present rules, that is the only way that we think you could get it through in that timetable”. And so the process started.
I know that the big problem for Ministers in this House is that there will be great impatience in No. 10 and down the Corridor at any delays or defeats—but, as has been said a number of times, they are going about it the wrong way. We are heading for a constitutional car crash unless there is intervention at the very highest level to look at this problem. It is a twin problem: how do you give flexibility to make legislation fool-proof in a rapidly changing technological situation, which is one of the central problems for the Bill; and how do you deal with Brexit legislation in such a tight timetable?
I know what cannot happen. It would be the irony of ironies if an exercise that was supposed to return sovereignty to this Parliament ended up with this Parliament accepting a whole range of precedents that diminished its sovereignty. Therefore, although it is unfair on each Minister, this debate will continue to take place, and I hope that when we get to Divisions we will put a halt to this solution, so that some really hard thinking will be done about how to achieve the end of the Government getting their business through without sacrificing parliamentary sovereignty.
My Lords, I welcome this opportunity to set out the Government’s position on various delegated powers contained in the Bill, which have been the subject of recommendations by the Delegated Powers and Regulatory Reform Committee. The Government are very grateful to the committee for its usual thoroughness in examining the delegated powers in the Bill, but I should begin my remarks by saying that the committee’s report, which ran to some 20 pages, was published only on
The current Data Protection Act has stood firm for almost 20 years. This one will be in danger of lasting barely two if we start striking out the delegated powers contained within it. As the noble Lord, Lord Stevenson, and the noble Baroness, Lady Jones, said, such is the pace of change in this area that we need to keep up with what is going on. Furthermore, new forms of data processing not yet dreamed of will have been designed, developed and deployed even before the Bill reaches Royal Assent. It is essential that the law can keep up.
It is also worth reminding ourselves that the Government have taken the opportunity to include directly in the relevant schedules numerous provisions which had previously been included only in secondary legislation. The noble Lord, Lord Stevenson, has been extremely busy, and has taken the opportunity to table more than a dozen amendments to Schedule 1 alone. We will of course turn to those shortly.
That said, the Government recognise that there is tension between the need to provide for appropriate future-proofing of legislation, such as provided for in Clauses 9, 15, 33, 84 and 111, and the need to ensure proper parliamentary scrutiny of the resultant delegated powers. It follows that we are open to constructive suggestions as to how provisions in the Bill can be improved and, obviously, that includes its regulation-making powers.
I have listened with care and interest to the case put forward by my noble friend Lord Arbuthnot, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for the application of the super-affirmative procedure. I am also grateful to the noble Lord, Lord Whitty, for reminding us that data subjects, not just data controllers, have an interest in the proper application of these powers.
I am sure that noble Lords will agree that the amendments before us should be considered in the context of the broader recommendations of the Delegated Powers and Regulatory Reform Committee report. As I said earlier, the process of considering these issues is still ongoing, but I am more than confident that it will conclude in time for the Bill’s next stage.
Before I conclude, I think that the noble Lord, Lord Stevenson, asked what was meant by “legislative measure”. Clause 15(1)(b) uses the term “legislative measure” to reflect the wording used in Article 23 of the GDPR. Recital 41 makes clear that a legislative measure would include an Act or statutory instrument. I hope that that answers the question.
I therefore humbly invite the noble Lord to withdraw his amendment on the understanding that we return to this important issue on Report.
I thank all noble Lords for their contributions; we have had a very good go at this, which has raised all the big issues. The Minister made a positive response, with a sideswipe at me for being too active on the amendment front; but that is what we do, and we expect you to be able to deal with them without too much worry. We are enjoying this debate and will have lots of things to come back to on Report because of the interesting points being made.
However, on this issue, we are slightly narrower. The Government have got themselves into a bit of a hole here. I appreciate the wider context, and the point has been very well made. It seems to me that there are three options. They can tough it out and just say to the DPRRC that it has stepped too far from where they want to be and this is the only way forward. They can follow the DPRRC and find amendments that they can bring back at Report—I think the Minister was talking about Report; later than that would be too late. We are talking here about narrower powers to define down the areas within which discretion is operated. Or, to follow the point made by the noble Baroness, Lady Neville-Jones, and the noble Lord, Lord Arbuthnot—I think this is my noble friend Lord Whitty’s concern and is shared widely around the House—the most egregious issue here is when the Government seek to omit legislation which has been passed as primary legislation by secondary legislation, or legislative measures, as we now call them.
The helpful suggestion, backed up by the noble Lord, Lord Clement-Jones—that we should have a super-affirmative measure when matters are almost of the status of requiring there to be primary legislation, but for which flexibility requires a lesser measure—seems to be the way forward. A very little research shows that “super-affirmative” has many meanings. That chosen by the noble Lord and the noble Baroness, Lady Neville-Jones, is one of about seven or eight. The Public Bill Office has published a table which noble Lords can pore over at leisure and find themselves completely confused at the end about the best route forward. I am sure the clerks will guide us as we go forward down that route. However, the best seems to be the one that provides for amendments to be made to the measure that is being considered before the vote. That is the sensibility which is being assembled around the Committee, and I hope that the Government will take it away and do it.
The noble Lord, Lord McNally, is right: there is a possibility here of a constitutional car crash. It is not restricted to this Bill, and no noble Lords who have spoken in this debate would want it to be taken, sui generis, to this Bill. It has to be taken more widely, because it is a much bigger issue. On the other hand, this provides an opportunity to go forward. In the meantime, I beg leave to withdraw the amendment.
Amendment 22 withdrawn.
Amendments 22A to 24 not moved.
Clause 9 agreed.
Schedule 1: Special categories of personal data and criminal convictions etc data
My Lords, the amendments in this group are largely in my name and that of my noble friend Lord Stevenson of Balmacara and are probing in nature. We look forward to the Minister’s response, as we seek to test the provisions before the Committee.
The GDPR generally prohibits the processing of special category data, with article 9(2) of the GDPR providing for circumstances in which, on the processing of special category data, article 9(1) may not apply. Paragraph 1 of Schedule 1 states that it may not apply if,
“the processing is necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law, social security law or the law relating to social protection”.
Amendment 25 would delete paragraph 1(1)(a) on page 112 of the Bill, and I hope the Minister will be able to explain to the Committee why the provision, in the form it is written in the schedule, is necessary.
Amendment 25A in the name of the noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, changes the emphasis by deleting the word “under” and replacing it with the words “in connection with”. That probably widens the scope, but it will be useful to hear the noble Lords speak to that amendment and the Minister’s response.
Amendments 27 and 28 in my name and that of my noble friend Lord Stevenson move on to the question of health and social care purposes. Specifically, these amendments delete two conditions concerning,
“the working capacity of an employee”,
“the management of health care systems or services or social care systems or services”.
When the Minister responds, will he specifically address why paragraph 2(2)(b) of Schedule 1 is deemed necessary? Will he give the Committee some examples of the data on the working capacity of an employee that would be collected under this provision of the assessment? It would also be helpful to understand why paragraph 2(2)(f) of Schedule 1 is necessary and why it would not be covered under paragraphs 2(2)(d) and 2(2)(e).
Amendment 29 would delete paragraph 3(a). We have tabled the amendment simply to enable the Minister to state clearly and to put on the record why this sub-paragraph is necessary. Amendment 31 would strengthen the sub-paragraph by putting the words,
“who owes a duty of confidentiality”,
after “health professional”. Those words are used in paragraph 3(b)(ii) and we can see no reason why they are not used in 3(b)(i). If the Minister thinks that they are not necessary then will he say so clearly for the record and explain his reasoning carefully? Amendment 70 puts the words in the same context on the face of the Bill.
Amendments 31 and 32 concern paragraph 4 of Schedule 1. They would sharpen up and widen the definition in the Bill and make it clearer that “archiving” includes collections of physical and digital materials. The wording in the Bill at the moment is a big weakness and these amendments, and Amendments 33 and 34, help improve it.
The final amendment in this group would add to Clause 15 a subsection which puts into the Bill a clear restriction that if there is a common law duty of confidentiality it cannot be overridden by regulations under the Act. That is an important safeguard that belongs on the face of the Bill. There is a lot here for the Committee to debate. I beg to move.
I speak to Amendment 25A and declare my interests as set out in the register, particularly those in respect of the insurance industry. I thank the noble Lord, Lord Kennedy of Southwark, for a clear introduction to his thinking. I am also looking forward to hearing what the Minister says later on.
Amendment 25A is essentially a probing amendment relating to another problem of unintended consequences of the Bill’s far-reaching provisions. The impact assessment, in its section entitled “policy objectives and intended effects”, talks of setting new standards in accordance with the GDPR,
“whilst preserving existing tailored exemptions from the Data Protection Act”.
Later on, the assessment talks about ensuring that,
“the burden on business is kept minimal”.
Amendment 25A is designed to avert just such an unintended consequence which, although small in words, would be substantial in effect for insurers and therefore affect people who want to take out policies. Without this amendment, the Bill would affect insurers’ ability to process data in relation to obligations in connection with employment law. In short, they will have to redesign all their processes in what is a substantial and important area. The amendment changes the wording back to that in paragraph 2(1) of Schedule 3 to the Data Protection Act 1998, so that insurers can continue to use existing procedures. It is entirely consistent with the GDPR, in particular with article 9(2)(b), which is the bit which affects this and calls for safeguards. I can think of no better watchdogs than the Information Commissioner’s Office and the FCA. I therefore feel that this amendment should be uncontroversial and look forward to hearing the Minister’s reasoning on it. I would welcome discussions outside the Chamber should he want further detail.
My Lords, I support Amendment 108A and remind noble Lords of my entry in the register regarding my duties as a doctor and medical researcher.
The overriding duty in common law to protect medical confidentiality is vital to contemporary clinical practice. There are considerable concerns that Clause 15 might provide an opportunity for that duty to be overridden through the application of future regulations. It is important for Her Majesty’s Government to establish that that is not possible and could not be the case in the future. The provisions in common law regarding medical confidentiality provide further safeguards for healthcare data beyond those provided in current data protection regulation and statute. It would be a retrograde step if provision were made that destroyed those safeguards. That might be manifested in a greater reluctance for individual patients to share their confidential information with healthcare professionals. This may result in a poorer ability for the public interest to be satisfied and safeguarded in terms of collecting data on important public health issues. It may also result in greater reluctance for individuals to participate in medical research or to provide their data for fear that it may be shared in the wrong way. Can the Minister provide reassurance that the application of Clause 15, as drafted, would not result in undermining this common law duty, and therefore have serious unintended consequences in the future? If Her Majesty’s Government are not able to provide that reassurance, how would they go about dealing with Clause 15? Would they include in the Bill a measure such as that proposed in Amendment 108A, or what other mechanism would they provide to ensure that this vital common law duty is in no way affected in the future?
My Lords, I offer a slight contrast to that. I hope that this clause will help with a couple of sorts of problems that I have come across over the last 20 or 30 years. One concerns children at university who become suicidal and their parents are never told because everybody believes they have a duty of confidentiality and cannot communicate with the parents. A friend of mine got very close to going over the edge but fortunately one of his friends told his parents and then everything got sorted out. Suddenly regarding parents as aliens when someone is 18 and in severe psychological difficulty is an uncomfortable effect of the way that current regulations are perceived. I hope that this provision might loosen things up.
Another aspect is dealing with schoolchildren with eating disorders. Many aspects of eating disorders present as social interactions with other children. However, if there is an absolute prohibition on discussing someone’s condition with other children, even the children who share a bedroom with them in boarding school, that seems to me destructive of the interests of the child. Therefore, I would like to see—and I hoped that I was seeing—a slight broadening of the current regulations which might lead to arrangements which allowed the best interests of the patient to come into effect rather than a strict adherence to the dogma of, “We can’t tell anybody”.
My Lords, the Minister rightly signed on the face of the Bill his statement of its compatibility with the European Convention on Human Rights. I wonder whether the answer to the question of the noble Lord, Lord Kakkar, is not provided by the Human Rights Act itself, which says that all legislation, old and new, must be read—and given effect, if possible—compatibly with the convention rights. One of those convention rights is the right to privacy. The right to privacy embraces the equitable duty of confidentiality referred to by the noble Lord, Lord Kakkar. Therefore, the reassurance is given by the Human Rights Act rather than by anything else. The relevant provisions of this Bill would have to be read compatibly with that. However, I may be speaking out of turn.
My Lords, if I have understood the noble Lord, Lord Lucas, wrongly, I am sure that he will correct me. However, the impression he gave was that the confidentiality between a doctor and a patient forbids the doctor to inform a family member if the patient is likely to suffer harm, even self-inflicted harm. That is not the case. The doctor is bound to respect confidentiality, but if that is likely to result in not informing the family of the harm that may be caused to a patient, or distress to the family, it is not true that confidentiality will still hold.
My Lords, I am glad to know that. I have not dealt directly with a doctor on this at all but rather with university and school authorities. In those cases—not steadily and not, thank goodness, frequently—I have encountered a complete unwillingness to risk telling anybody anything for reasons of confidentiality. I hope that principle is misunderstood, but this certainly happens. In cases where there is a very clear principle of confidentiality, the circumstances under which it can reasonably be interpreted as being in the best interests of the patient to breach it need to be better understood by people who are not medically trained so that they feel confident in passing the information back. I am not trying to create law in an extremely difficult area. I hoped that the Bill might lead over time to universities feeling that parents were part of the solution, and to schools feeling that other children were part of the solution, and feeling confident that guidelines had been evolved which allowed them to seek support for these children beyond just their own tight resources. I am delighted to hear what the noble Lord said but that is not what gets through once it has been through the filter of university, at least on the occasions that I have dealt with it. I probably see the cases that go wrong. If something has worked out right, there is no reason why it should come to me.
It is worth recalling that, in order for special categories of data to be processed lawfully, controllers must demonstrate that their processing meets one of a defined list of processing conditions set out in article 9 of the GDPR. Many controllers will meet this requirement by seeking the explicit consent of the data subject but the reality is there will be circumstances where it would not be appropriate, or indeed possible, for a controller to seek consent. In these cases, alternative conditions include processing which is necessary for the purposes of employment and social security; for the provision of health or social care; for public health; and for archiving and research. But for UK controllers to take advantage of these particular processing conditions, the UK must make suitable provision in UK law. That is what the conditions set out in Part 1 of Schedule 1 seek to do.
Paragraph 1 of that schedule, referenced in Amendment 25, refers to the processing of sensitive personal data where necessary for exercising obligations under employment law, social security law or the law relating to social protection. This is a specific category under article 9(2)(b) of the GDPR, and paragraph 1 gives it legislative effect.
It is true that the 1998 Act did not refer to social security and social protection law, but the GDPR gives them specific emphasis in recognition of the reality that processing of special categories of data may be necessary for the purposes of calculating social security benefits or arranging interventions by social services when people are in need of support. In practice, it may not be possible to obtain consent to every measure or decision which is taken about a person when arranging benefit payments or care provisions. Amendment 25 would remove paragraph 1(1)(a) from Schedule 1, making this clause ineffective and closing off a potentially valuable processing condition to social services and other care providers.
The noble Earl, Lord Kinnoull, and the noble Lord, Lord Clement-Jones, suggested in Amendment 25A that “under” employment law should be replaced with “in connection with” employment law. I appreciate the sentiment behind the amendment, which is to ensure that the provision does not operate too restrictively. However, the Government are satisfied the term is sufficiently broad to cover processing that would have been permitted for these purposes under the Data Protection Act, while operating within the limits of the derogation provided for by the GDPR. The new condition, which permits processing that is,
“necessary for the purposes of performing or exercising obligations or rights of the controller or the data subject under employment law”,
would have the same meaning as the Data Protection Act wording, which referred to processing necessary for the purposes of,
“exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.
I therefore hope the noble Lords will accept my reassurances in that regard.
I raise a simple point—that pretty big businesses look after the employment law insurance issues, and they are so incredibly important that they are often compulsory types of insurance because we feel that every business should have them. These huge businesses will have massive change in the way this operates because there is this change. We have just heard that it is not a change, but I hope that the Minister will accept that the insurance businesses—I had a sensitive briefing from the ABI—are worried about that. Accordingly, will he at least be prepared to have a meeting to go through that, otherwise there will be a lot of expense, fuss and bother and maybe some unintended damage to the process of an important type of insurance?
I said that we believe that the term is sufficiently broad to cover processing that would have been permitted hitherto, which the noble Earl refers to. However, of course, if we have got it wrong and if the insurance industry has a point it wants to bring up, it would be sensible and I would be delighted to meet him and the industry to discuss that. As I said before, we have an open mind, so I will certainly do that.
On the provisions in paragraphs 2 and 3 of Schedule 1 on health and social care, and public health respectively, which are the focus of Amendments 27 to 29, it is fair to say that the drafting here has moved on slightly from the approach taken in Schedule 3 to the 1998 Act. However, article 9(2)(h) of the GDPR refers specifically to processing which is necessary for,
“the assessment of the working capacity of an employee”,
“the management of health … care systems”.
Article 9(2)(i) refers specifically to processing which is,
“necessary for reasons of public interest in the area of public health”.
The purpose of paragraphs 2 and 3 of Schedule 1 is to give these GDPR provisions legislative effect. To remove these terms from the clause by virtue of Amendments 27 to 29 would mean that healthcare providers might have no lawful basis to process special categories of data for such purposes after
The noble Lord, Lord Kennedy, asked some questions on paragraph 2 and asked for an example of data processed under paragraph 2(b). An example would be occupational health. The wording of paragraph 2(2)(f) of Schedule 1 is imported from article 9(2)(h), and I refer the noble Lord—I am sure that he has remembered it—to the exposition given in recital 53.
Paragraph 4—the focus of Amendments 32 to 34—provides for the processing of special categories of data for purposes relating to archiving and research. The outcome of these amendments would be to name specific areas of research and types of records. The terms “scientific research” and “archiving” cover a wide range of activities. Recital 157 to the GDPR specifically refers to “social science” in the context of scientific research, and recital 159 makes it clear that,
“scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research”.
The Government are not aware of anything in the GDPR or the Bill which casts doubt on the application of these terms to social science research or digital archiving.
Finally, on the important issue of confidentiality, Amendments 31 and 70 are unnecessary, because all health professionals are subject to the common-law duty of confidentiality. The duty is generally understood to mean that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. However, beyond relying on the common-law duty of confidentiality, health professionals and social work professionals are bound by the requirements in their employee contract to uphold rules on confidentiality, whether that information is held on paper, computer, visually or audio recorded, or even held in the memory of the professional. Health professionals and social work professionals as defined in Clause 183 are all regulated professionals.
I can therefore reassure the noble Lord, Lord Kakkar—I am also grateful to the noble Lord, Lord Lester, for his support with regard to the Human Rights Act—that the Government strongly agree on the importance of the common-law duty of medical confidentiality but also recognise that it is not absolute. For example, there already are, and will continue to be, instances where disclosure of personal data by a medical professional is necessary for important public interest purposes, such as certain crime prevention purposes or pursuant to a court order. I therefore cannot agree to Amendment 108A, although, as we have already said, the Government are committed to looking at the issue of delegated powers in the round. I will certainly include that in that discussion. Therefore, with that reassurance, I ask the noble Lord to withdraw his amendment.
My Lords, might I beg a meeting of the Minister to discuss the matter of suicidal students at university and how that will be handled under the new legislation as it is developed? This need not necessarily fit within the timescale of the Bill, but I would very much like to be able to understand policy on it and to involve universities in moving from the current unsatisfactory position.
My Lords, I thank all noble Lords who have spoken in the debate this evening. We have touched on a number of important topics, which I hope the noble Lord, Lord Ashton of Hyde, will reflect on as we move through the Bill and look at these issues again. I make it clear that my amendments were all probing amendments to get from the Government their position on things. I was particularly pleased that the noble Earl, Lord Kinnoull, raised the issue about the insurance industry and that the Minister will meet him and representatives of the industry.
I noticed when the Minister replied to the debate that on more than one occasion he made references to recitals. He, I and the House know that the recitals will not form part of British law, so to keep relying on them is, I contend, a little weak on the Government’s part. They will have to find something a bit stronger and more solid as we move on, because, as I said, these will not form part of British law. That is an important point for the Minister to think of when he responds to amendments. For him to keep relying on them highlights the position the Government are in, which is not very good at the moment. Having said that, I beg leave to withdraw the amendment.
Amendment 25 withdrawn.
Amendment 25A not moved.
House resumed. Committee to begin again not before 8.39 pm.