My Lords, clubs and charities which handle personal data will need to comply with the general data protection regulation in the Data Protection Act 2018 because people have the right to expect organisations of all sizes to keep their data safe and secure and not to misuse it. Small clubs and charities may also process sensitive personal data, such as medical records or children’s data. It is especially important that this is kept safe and secure and used appropriately. To assist smaller organisations, which may have more limited access to legal resources, the Information Commissioner’s Office has published a range of user-friendly material on the GDPR on its website and set up a dedicated phone line for small businesses and charities.
I am grateful to my noble friend for that reply. He has confirmed that any club, however small, that keeps a record of its membership must register, and not just register but renew and pay up every year. I will not ask my noble friend to give an estimate of the numbers involved, because it must be many thousands and I do not know who on earth is going to keep track of it all. I doubt whether anybody knows the numbers. But can my noble friend tell me what these organisations are doing wrong at the moment? What ill is being done that is going to be cured by making them involve themselves in this process?
My Lords, I am glad that my noble friend realises that it is very important to pay the fee that is required, as agreed by this House last month, in order to fund the ICO. All this is clearly explained on the ICO website under the heading, “The Data Protection Fee: A Guide for Controllers”. As for ills, it is not that any organisation, or even individual, has committed any sin, or that there is an ill to be cured; this is about individual data subjects’ rights. As far as an individual data subject is concerned, if his or her sensitive personal data is misused—for example, by not being kept securely—the damage done to that person or organisation is the same whether it is by a large or a small organisation. That is why the GDPR requires all data controllers, unless they are using it just for personal or household matters, to be clearer with people how their data is going to be used, to process it where it is lawful to do so, and, very importantly, to make sure it is held securely.
Will my noble friend explain to all of us data controllers here assembled exactly what this mischief is? I think the principal mischief is that this is a piece of legislation invented in Brussels and cursed on us.
Of course, the noble Lord is entitled to his opinion but I do not agree with him. In this case, as I tried to explain, it does not matter whether it is a large or small organisation, or even an individual data controller, that misuses information. Individuals’ personal data is very important and has grown enormously since the previous Data Protection Act 20 years ago. My noble friend will of course realise that there was a Data Protection Act 20 years ago.
My Lords, does the Minister agree that small clubs perform a useful function for society generally, as do small charities? If a problem becomes apparent, will the Minister give an assurance that the Government will review it and see if there is anything there? I agree with him that data should be guarded but we do not want to damage these clubs unduly.
I am sure the noble Lord is aware that the situation for data controllers has not changed since the Data Protection Act 1998. This is not a question of problems but of protecting the data rights of everyone in this Chamber. Therefore, it applies to all organisations and to individual people, but only if they deal in personal data and are controllers of that information.
Does the Minister accept that one of the benefits of this legislation is that now people have to write and ask you whether or not you want to receive junk mail? That is fine. But with many of them, not only do you click “unsubscribe” but they ask you why you have unsubscribed. Will the Minister make sure that these issues are vigorously pursued and there is no slacking off? Frankly, my current emails have reduced by half and could be reduced by a great deal more.
I believe that when that happens, that is the end of it. If they ask, they obviously want to know why the noble Lord no longer wants to be in touch with them—I do not blame them for that. Of course, I accept that those emails have a benefit. One of the principal features of the GDPR and the Data Protection Act 2018 is that there is a much stronger measure of consent. People have to give active consent to have their personal data processed.
My Lords, are there proposals to review the impact of this measure on small organisations? Irrespective of the fact that there is continuity from the previous Data Protection Act, there is concern that small organisations, such as charities et cetera, will be disproportionately affected. It is important that we should know whether that is the case. I declare an interest as the chairman of the charity Kent Search and Rescue.
Of course, we have to comply with the GDPR while we are members of the EU. We want to continue to have a data protection regime that is in accord with the EU’s when we leave. I believe that all new legislation is reviewed after a period of time, so we will obviously keep an eye on whether there is a disproportionate effect on small organisations. Charities are obviously important but, for the reasons I set out before, individual data subjects’ rights are important so there has to be a balance.
My Lords, the recent document submitted by the Government to the EU as part of their negotiating structure talks about data protection and its importance for our economy. These are indeed important issues. It says, however, that the way forward is not just by an adequacy agreement, which is what I thought we were all expecting, but by a treaty. Can the Minister shed some light on that issue?
As in, I believe, many negotiations with the EU, what we want is frictionless trade. In terms of data it is very important that there is no gap between leaving the EU, when we become a third country, and still being able to exchange personal data between the EU 27 countries and this country. We would like to get an agreement so that we have not only adequacy, which can be achieved only after we leave the EU, but an arrangement that allows us to continue exchanging data with members of the EU. That would have to be done by a treaty.