Data Protection Bill [HL] - Commons Amendments

Part of the debate – in the House of Lords at 7:00 pm on 14th May 2018.

Moved by Lord Ashton of Hyde

That this House do agree with the Commons in their Amendments 154 to 173.

154: Schedule 1, page 124, line 24, leave out from “subject” to end of line 25

155: Schedule 1, page 124, line 36, at end insert—“Racial and ethnic diversity at senior levels of organisations 8A (1) This condition is met if the processing—(a) is of personal data revealing racial or ethnic origin,(b) is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,(c) is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and(d) can reasonably be carried out without the consent of the data subject, subject to the exception in sub-paragraph (3). (2) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and(b) the controller is not aware of the data subject withholding consent.(3) Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.(4) For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—(a) holds a position listed in sub-paragraph (5), or(b) does not hold such a position but is a senior manager of the organisation.(5) Those positions are—(a) a director, secretary or other similar officer of a body corporate; (b) a member of a limited liability partnership;(c) a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.(6) In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—(a) the making of decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised, or(b) the actual managing or organising of the whole or a substantial part of those activities.(7) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

156: Schedule 1, page 125, line 3, at end insert—“( ) If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

157: Schedule 1, page 125, line 4, at end insert—““competent authority” has the same meaning as in Part 3 of this Act (see section 30).”

158: Schedule 1, page 125, line 16, at end insert—“Regulatory requirements relating to unlawful acts and dishonesty etc 10A (1) This condition is met if—(a) the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—(i) committed an unlawful act, or(ii) been involved in dishonesty, malpractice or other seriously improper conduct,(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and(c) the processing is necessary for reasons of substantial public interest.(2) In this paragraph—“act” includes a failure to act; “regulatory requirement” means—(a) a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or(b) a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.”

159: Schedule 1, page 125, line 35, at end insert—“( ) The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

160: Schedule 1, page 126, line 22, at end insert—“Support for individuals with a particular disability or medical condition 13A (1) This condition is met if the processing—(a) is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,(b) is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),(c) is necessary for the purposes of—(i) raising awareness of the disability or medical condition, or(ii) providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,(d) can reasonably be carried out without the consent of the data subject, and(e) is necessary for reasons of substantial public interest.(2) The following types of personal data fall within this sub-paragraph— (a) personal data revealing racial or ethnic origin;(b) genetic data or biometric data;(c) data concerning health;(d) personal data concerning an individual’s sex life or sexual orientation.(3) An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—(a) has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or(b) is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.(4) For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and(b) the controller is not aware of the data subject withholding consent.(5) In this paragraph—“carer” means an individual who provides or intends to provide care for another individual other than—(a) under or by virtue of a contract, or(b) as voluntary work;“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).(6) The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

161: Schedule 1, page 126, line 27, leave out “a reason” and insert “one of the reasons”

162: Schedule 1, page 126, line 38, at end insert—“Safeguarding of children and of individuals at risk 14A (1) This condition is met if—(a) the processing is necessary for the purposes of—(i) protecting an individual from neglect or physical, mental or emotional harm, or(ii) protecting the physical, mental or emotional well-being of an individual,(b) the individual is— (i) aged under 18, or(ii) aged 18 or over and at risk,(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and(d) the processing is necessary for reasons of substantial public interest.(2) The reasons mentioned in sub-paragraph (1)(c) are—(a) in the circumstances, consent to the processing cannot be given by the data subject;(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—(a) has needs for care and support,(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.”

163: Schedule 1, page 126, line 38, at end insert—“Safeguarding of economic well-being of certain individuals 14B (1) This condition is met if the processing—(a) is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,(b) is of data concerning health,(c) is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and(d) is necessary for reasons of substantial public interest.(2) The reasons mentioned in sub-paragraph (1)(c) are—(a) in the circumstances, consent to the processing cannot be given by the data subject;(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).(3) In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.”

164: Schedule 1, page 127, line 30, at end insert—“( ) The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

165: Schedule 1, page 127, line 39, at end insert—“( ) is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,”

166: Schedule 1, page 128, line 6, at end insert—“( ) The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.”

167: Schedule 1, page 129, line 23, at end insert —“( ) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;”

168: Schedule 1, page 129, line 31, at end insert —“( ) a police and crime commissioner.”

169: Schedule 1, page 131, line 14, at end insert—“( ) If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).”

170: Schedule 1, page 133, line 17, leave out from “interest” to end of line 21

171: Schedule 1, page 134, line 18, leave out “on the day” and insert “when”

172: Schedule 2, page 135, line 7, at end insert—“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”

173: Schedule 2, page 135, line 19, after “provisions” insert “and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject)”

Motion agreed.