My Lords, Amendments 29 and 30 relate to Clause 51, which enables data subjects to exercise certain rights through the Information Commissioner. Under Part 3, where a person makes a subject access request, it may be necessary for the police or another competent authority to give a “neither confirm nor deny” response; for example, to avoid tipping off that person that they are under investigation for a criminal offence.
Under the Bill as passed by this House, a data subject could exercise their rights under Clause 51 to request that the Commissioner check that the processing of their personal data complied with the provisions in Part 3. Such a request would clearly undermine a “neither confirm nor deny” response, effectively providing a back door for data subjects to find out if personal data was being held on them. To address this, the amendments replace the requirement on the Information Commissioner to check that processing complies with Part 3 with a requirement to check that a restriction imposed by the controller is lawful.
Commons Amendments 31 and 32 relate to Clause 53, which enables a controller when in receipt of a manifestly unfounded or excessive subject access request either to charge a reasonable fee before responding to the request or refuse to act on the request. The amendments extend this latitude afforded to a controller to cover requests made by a data subject under Clause 50, which requires a controller to reconsider a decision based solely on automated processing. Although the vast majority of subject access requests made by data subjects are reasonable, the amendments are necessary to ensure that controllers have a robust mechanism in place to deal with any repeated or malicious requests that they receive. I beg to move.
Motion on Amendment 29 agreed.