Amendment proposed (this day): 161, in clause 27, page 17, line 2, leave out subsection (1) and insert—
“A Minister of the Crown must apply to a Judicial Commissioner for a certificate, if exemptions are sought from specified provisions in relation to any personal data for the purpose of safeguarding national security.”.—
This amendment would introduce a procedure for a Minister of the Crown to apply to a Judicial Commissioner for a National Security Certificate.
I remind the Committee that with this we are discussing the following:
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what it sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”.
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”.
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”.
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”.
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing” and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”.
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.
Thank you, Mr Hanson. It is a pleasure to serve under your chairmanship again.
I will first provide some context for this part of the Bill. The provisions in the Bill relating to national security exemptions and certificates are wholly in line with the provisions in the Data Protection Act 1998 and its predecessor, the Data Protection Act 1984. What we are doing in the Bill is preserving an arrangement that has been on the statute book for more than 30 years and has been operated by successive Governments.
The national security exemption is no different in principle from the other exemptions provided for in the Bill. If it is right that certain provisions of data protection legislation can be disapplied for reasons of, for example, crime prevention or taxation purposes, or in pursuit of various regulatory functions, without external approval, surely it is difficult to take issue with the need for an exemption on the grounds of national security on the same basis.
The Minister is absolutely right that the provisions mirror those in the DPA. That is exactly why we take issue with them. They mirror unacceptable preventions of rights in the tribunal appeal process, but do not mirror the rights in the Investigatory Powers Act 2016. Why were safeguards put in place in that Act, but will not apply in this Bill?
If I understand the hon. Lady’s argument correctly, she has presented the judicial commissioners as permitting, for example, warrant to be granted. Having sat through the Joint Committee on the Draft Investigatory Powers Bill and then the Public Bill Committee, I can tell her that I am afraid that is not how that Act works. What happens is that the Secretary of State grants the warrant and then that decision is overseen by the judicial commissioner. I will come on to the difference between the Investigatory Powers Act and this Bill in due course, because the terminology used draws on that in the Investigatory Powers Act, but that Act is very different from this Bill, which is about the processing of data, in its engagement with people and their rights.
If I may, I will make some progress. Along with existing provisions in section 28 of the 1998 Act, clause 27 provides for a certificate signed by a Minister of the Crown certifying that exemption from specified data protection requirements is required for the purposes of safeguarding national security. There are equivalent provisions in parts 3 and 4 of the Bill. Such a certificate is conclusive evidence of that fact, for example in any legal proceedings. That is the point about the certificates—they only come into play if the exemption or restriction is actually applied.
The certificate provides evidence that the exemption or restriction is required for the purpose of safeguarding national security. It therefore has relevance only in the event that, first, the exemption or restriction is applied to the data in question and, secondly, there is a need to rely on the certificate as conclusive evidence in proceedings to establish that the exemption or restriction is required for the statutory purpose.
But what the national security certificate does not require is a statement of what data is being processed or the exemptions under which the Ministry of Defence or the intelligence services require it. That is what our amendments seek to introduce. If the Bill proceeds unamended, national security certificates would require only very broad details and no information on what data was being processed. It would therefore not be very likely that a tribunal would be able to oppose the decision on the basis of a judicial review.
I have a copy of a live certificate granted by the then Secretary of State, David Blunkett, on
“The work of the security and intelligence agencies of the Crown requires secrecy.”
I assume hon. Members do not disagree with that. Another reason is:
“The general principle of neither confirming nor denying whether the Security Service processes data about an individual, or whether others are processing personal data for, on behalf of with a view to assist or in relation to the functions of the Security Service, is an essential part of that secrecy.”
Again, I assume that hon. Members do not disagree with that. As I said, this is a live certificate that has been given to the Information Commissioner, and is in the public domain for people to see and to check should they so wish. Those reasons are given in that certificate.
That is wonderful, but the Bill does not require that. It is great that my noble Friend Lord Blunkett put that on his national security application, but the Bill does not require that in law, so I am afraid that it is not a sufficient argument against the amendments that we have tabled.
What we are doing is transposing the requirements of the Data Protection Act 1998 into the Bill. It is difficult to see a situation in which a national security certificate will be granted on the basis that the work of the security and intelligence agencies of the Crown does not require secrecy.
Is there not a bigger, more general overall point here, which is that we should not be considering doing anything in Committee that risks making it more difficult for the security services to protect us? This week of all weeks, surely that should be uppermost in our minds.
Very much so—indeed, this debate ran through the passage of the Investigatory Powers Act 2016, which was one of the most scrutinised pieces of legislation. Senior parliamentarians who served on the Committee on that Act during long careers in this House, including the then Minister, my right hon. Friend Mr Hayes, said that it was an incredibly well scrutinised Bill. There was constant debate about the battle, or tension, between ensuring the national security of our country in the most transparent way possible, and the fact that by definition there has to be some secrecy and confidentiality about the ways in which the security agencies work.
What was important in the debates on that Act, as it is in those on the current Bill, was making it clear that the idea that rogue civil servants or security agents can run around with people’s information with no checks is very wrong. We are replicating in the Bill the system that has been used for the past 30 years, because we consider that that system has the appropriate and necessary safeguards in the often very fast-moving context of a national security situation.
I will make a little progress, then I will take more interventions.
To be absolutely clear, a national security exemption is applied not by a Minister but by a data controller. Data controllers—be they the intelligence services, the Ministry of Defence or any other body—are well placed to make the determination, given that they will have a detailed understanding of the operational context and the extent to which departure from the requirement of the general data protection regulation—or parts 3 or 4 of the Bill as the case may be—is necessary to safeguard national security. In short, a data controller decides whether the national security exemption should be applied in a particular case, and the certificate is the evidence of the need for such an exemption in the event that someone challenges it.
I will give an example first, because I think it is so important. I fear that a bit of misunderstanding has crept in. Let us take the example of a subject access request. Mr Smith asks an intelligence service whether it is processing personal data concerning him and, if so, for information about that data under clause 94. The intelligence service considers whether it is processing personal data, which it will have obtained under its other statutory powers, such as the Regulation of Investigatory Powers Act 2000 or the Investigatory Powers Act 2016.
If the agency determines that it is processing personal data relating to Mr Smith, it then considers whether it is able to disclose the data, or whether a relevant exemption is engaged. For the agency, the key consideration will be whether disclosing the data would damage national security, for example by disclosing sensitive capabilities or alerting Mr Smith to the fact that he is a subject of investigation. If disclosure does not undermine national security and no other exemption is relevant, the intelligence service must disclose the information. However, if national security would be undermined by disclosure, the agency will need to use the national security exemption in relation to processing any personal data relating to Mr Smith.
If the intelligence service does not process any personal data relating to Mr Smith, it will again have to consider whether disclosing that fact would undermine national security, for example by revealing a lack of capability, which could be exploited by subjects of investigation. That is why, on occasion, when such requests are made, a “neither confirm nor deny” response may be necessary, because either confirming or denying may in itself have ramifications, not only in relation to Mr Smith but in relation to other aspects of national security.
Mr Smith may complain to the Information Commissioner about the response to his request for information. The intelligence service may then be required to demonstrate to the commissioner that the processing of personal data complies with the requirements of part four of the Bill, as set out in clause 102, and that it has responded to the request for information appropriately.
If, in legal proceedings, Mr Smith sought to argue that the national security exemption had been improperly relied upon, a national security certificate could be used as conclusive evidence that the national security exemption was required to safeguard national security. Any person who believed they were directly affected by the certificate could of course appeal against it to the upper tribunal, as set out in clause 111.
The Minister is setting out the mechanics of the system with admirable clarity. The point in dispute, though, is not the mechanics of the process but whether the data controller is able—unilaterally, unchecked and unfettered—to seek a national security exemption. Anyone who has worked with the intelligence agencies, either as a Minister or not, knows that they take parliamentary oversight and the defence of parliamentary supremacy extremely seriously.
What we are seeking with this amendment is to ensure that a data controller does not issue a national security certificate unchecked, and that instead there is an element of judicial oversight. The rule of law is important. It should be defended, protected and enhanced, especially when the data collection powers of the intelligence services are so much greater than they were 30 years ago when data protection legislation was first written.
The Government fully accept that national security certificates should be capable of being subject to judicial oversight. Indeed, the current scheme—both under the 1998 Act and this Bill—provides for just that. However, the amendments would radically change the national security certificate regime, because they would replace the existing scheme with one that required a Minister of the Crown to apply to a judicial commissioner for a certificate if an exemption was sought for the purposes of safeguarding national security, and for a decision to issue a certificate to be approved by a judicial commissioner.
This, again, is the debate that we had when we were considering the Investigatory Powers Act 2016. There were some who would have preferred a judicial commissioner to make the decision about warrantry before the Secretary of State. However, Parliament decided that it was not comfortable with that, because it would have meant a great change. For a member of the judiciary to certify on national security issues, rather than a member of the Executive—namely the Prime Minister or a Secretary of State—would have great constitutional implications.
There were great debates about the issue and the House decided, in its wisdom, that it would maintain the constitutional tradition, which is that a member of the Executive has the ultimate responsibility for national security, with, of course, judicial oversight by judicial commissioners and by the various tribunals that all these powers are subject to. The House decided that the decision itself must be a matter for a Minister of the Crown, because in the event—God forbid—that there is a national security incident, the House will rightly and properly demand answers from the Government of the day. With the greatest respect, a judicial commissioner cannot come to the Dispatch Box to explain how the Government and those assisting them in national security matters have responded to that situation. That is why we have this fine constitutional balance, and why we have adopted in the Bill the regime that has been in place for 30 years.
We are keen to deal with the point about the Investigatory Powers Act and the obtaining of information. The nature of the conduct carried out in the case of an authorised warrant under the IPA is entirely different from the operation of the national security exemption and the use of national security certificates. Warrants authorise operational activity, which may have an impact on the right to respect for a private life when that is necessary and proportionate for a statutory purpose. They are about obtaining information, not processing it. In the context of the Bill, the application of an exemption would prevent an individual from ascertaining what personal data is being processed by a data controller.
The hon. Member for Sheffield, Heeley mentioned equipment interference, but there are other types of warrantry in the Investigatory Powers Act, such as for interception of communications. That is about the obtaining of information—that can be quite intrusive, which is why Parliament has placed a number of judicial and other oversights on it—but this Bill is about the processing of personal data. It is quite a different thing.
In the impact on the data subject, the national security exemption is similar in kind to the other exemptions in the Bill, which have been approved in the other place and in this Committee’s debates thus far.
Does the Minister accept that in response to the case of Watson and others against the Government, the Government conceded that additional safeguards, including a far more robust system of independent oversight, were necessary? That test of judicial review is simply not sufficient as oversight. It cannot contest the merits of the case and applies only to the very limited, narrow appeal right of judicial review. It is just not sufficient.
I am happy to help the Minister. She keeps referring to the framework that has been in place for the last 30 years. That has been a time when we have been a member of the European Union. In reviewing this situation, the House of Lords European Union Committee made the point that under the treaty on the functioning of the European Union, there is absolute jurisdiction for national member states to take decisions on national security. That is not an EU area of jurisdiction. The treaty says that we are protected as a member of the EU, but if we leave the European Union we are not protected by that exemption under the treaty. That is why, for third countries, the European Commission looks at the whole legislative framework. Do we not risk the adequacy decision by taking this approach? In the future, we will not have the answer of saying that it is an issue of exemption from the European Commission.
National security must always be a matter for any member state in the EU, but also once we leave the EU. Sorry, I may have misunderstood the hon. Gentleman, but how we deal with national security is, of course, a matter for the state.
I am happy to clarify for the Minister. The status quo is that the European Union will not look at areas of national security because they are the jurisdiction of member states. When we leave the European Union, the Commission will look at the entirety of legislation around data protection and privacy rights, because there are no exemptions that it needs to take into account. The noble Lords made the point that our
“data protection standards would be assessed without the benefit of the protection afforded by the national security exemption” under the treaty. Do we not risk our adequacy by taking these exemptions?
No, because those who have drafted the Bill have sought, at all times, to comply with the law enforcement directive and with the modernised, draft Council of Europe convention 108. The Bill very much meets those standards, not just on law enforcement but across parts 3 and 4.
I have spoken to the outgoing Council of Europe information commissioner about the issue, and he has put on the record his grave reservations about the regime that we have in place, because we simply do not have the right kind of judicial oversight of the information gathering powers that are now available to our intelligence services. Our intelligence services are very good, and they need to be allowed to do their job, but they will be allowed to do that job more effectively—and without additional risks to our adequacy—if there is some kind of judicial oversight in the right timeframe of the decisions that are taken.
That is where the distinction between obtaining information and processing it is so important. The gathering that the right hon. Gentleman refers to falls under the Investigatory Powers Act 2016. Retaining it and processing it in the ways that the Bill seeks to provide for is the data protection element. The 2016 Act has all the extra judicial oversights that have been passed by the House.
Quite helpfully, we are coming to the nub of the question. It is now incumbent on the Minister to lay out for the Committee why the oversight regime for obtaining information should be so remarkably different from the regime for processing it.
The obtaining of information is potentially intrusive and often extremely time-sensitive. For the processing of information, particularly in the case of a subject access request, once we have met the criteria for obtaining it, separate judicial oversight through the upper tribunal is set out in the Bill, as well as ministerial oversight. They are two separate regimes.
There is extra oversight in the 2016 Act because obtaining information can be so intrusive. The right hon. Gentleman will appreciate that I cannot go into the methodology—I am not sure I am security-cleared enough to know, to be honest—but obtaining information has the potential to be particularly intrusive, in a way that processing information gathered by security service officials may not be.
I reassure the Minister that I went through the methodologies during my time at the Home Office. The justification that she still needs to lay out for the Committee—she is perhaps struggling to do so—is why there should be one set of judicial oversight arrangements for obtaining information and another for processing it. Why are they not the same?
There might be many reasons why we process information. The end result of processing might be for national security reasons or law enforcement reasons—my officials are scribbling away furiously, so I do not want to take away their glory when they provide me with the answer.
I have an answer on the Watson case, raised by the hon. Member for Sheffield, Heeley, which dealt with the retention of communications by communications service providers. Again, that is an entirely different scenario from the one we are talking about, where the material is held by the security services.
Amendment 161 goes further than the 2016 Act, because it places the decision to issue a certificate with the judicial commissioner. As I have said, national security certificates come into play only to serve in legal proceedings as conclusive evidence that an exemption from specified data protection requirements is necessary to protect national security—for example, to prevent disclosure of personal data to an individual under investigation, when such disclosure would damage national security. The certificate does not authorise the required use of the national security exemption, which is properly a matter for the data controller to determine.
Amendments 163 and 164 relate to the form of a national security certificate. Amendment 163 would require a detailed rather than general description of the data identified on a national security certificate, but we believe this change to be unnecessary and unhelpful, given that much data can be adequately described in a general way. Amendment 164, which would prevent a certificate from having prospective effect, appears to be dependent on the prior judicial authorisation scheme proposed in amendments 161 and 162, and again contrasts with the prospective nature of certificates currently under the Data Protection Act 1998.
Prospective certificates of the type issued under the 1998 Act are the best way of ensuring that the use of the national security exemption by the intelligence services and others is both sufficiently foreseeable for the purposes of article 8 of the European convention on human rights, and accountable. The accountability is ensured by the power to challenge certificates when they are issued, and that is something that has real teeth. The accountability is strengthened by the provision in clause 130 for the publication of certificates. The documents we are discussing will therefore be in the public domain—indeed, many of them are already. But it will now be set out in statute that they should be in the public domain.
Amendments 166 to 168 relate to the appeals process. Amendment 166 would broaden the scope for appealing a national security certificate from a person “directly affected” by it to someone who
“believes they are directly or indirectly affected” by it. I wonder whether the Opposition did any work on the scope of the provision when drafting it, because the words “indirectly affected” have the potential to cause an extraordinary number of claims. How on earth could that phrase be defined in a way that does not swamp the security services with applications from people who consider that they might be indirectly affected by a decision relating to a national security matter? I do not see how that can be considered practicable.
As I have already said, the issue is that the judicial review process for appeal is incredibly narrow and limited. Under section 28 of the DPA, where an individual requests to access his or her data that is subject to a certificate, they will merely be informed that they have been given all the information that is required under the Act. They would not be informed that their data is being withheld on the grounds of a national security certificate. That means that it is impossible for them to know whether they even have the right to appeal under a judicial review, and they do not have the information available to allow them to take that judicial review case forward. That is why the amendment is drafted in this way. If the Minister would like, she can suggest some alternative wording that would solve the problem.
We get to the nub of the problem. Is the hon. Lady seriously suggesting that the security services should notify someone who puts in an access request that they are the subject of an investigation? That is the tension facing the security services. That is why we have internationally met standards, with regard to article 108 of the convention, which the Bill complies with. That is why we have to build in all these safeguards, to try to ensure that those people who intend ill will to this country do not benefit from our natural wish to be as transparent as possible when dealing with people’s personal data.
I have already explained that there would of course be an exemption for not informing individuals if they were under surveillance or being processed, but there are not sufficient oversights, safeguards or appeals. In the absence of any of those three, the Minister has to accept that there are absolutely no checks and balances on the exemptions listed under the clause.
Yes. The upper tribunal reviews the material and applies the judicial review test. Again, we had this debate in relation to the Investigatory Powers Act 2016, which Parliament passed, in relation to the test that applied in the later appeal stages, following the grant of a warrant. This Bill has been drafted to comply with the modernised convention 108 of the Council of Europe. This is why it is in this way. It reflects the past 30 years’-worth of practice but meets international standards as they exist at the moment, which I hope reassures the hon. Member for Bristol North West.
If someone is the subject of investigation or suspicion, and the security services neither confirm nor deny, when someone who is not under suspicion puts in an application, the great tension for the security services is whether they answer differently in one case from another. In such circumstances that would have ramifications, because people will work out that this answer has been given or this answer has not been given. Of course there is a tension. That is why the exemptions exist and why so much emphasis is placed on the data controller, and that is why it meets the international standard as expected by the modernised Council of Europe convention.
On the specific narrow point, is it not the case that clause 130 already provides for the publication of certificates, so the amendment is simply not necessary? On the wider point—at the risk of repeating my earlier one—I fear that we are at risk of stumbling into a law of unintended consequences where we will make it more difficult for our security services to do the job that we want them to do. While we have been sitting here, I saw on my phone that the international community has recognised that what happened in Salisbury is the first recorded attack using a nerve agent on a European country since 1945. Let us remember that.
That is a particularly sobering development. I know that we all feel the gravity of our responsibilities when considering the Bill in the context of national security today. I am grateful to my hon. Friend.
The Minister and I served on the Draft Investigatory Powers Bill Joint Committee and we had many debates on this subject. It struck me that the House was at its best when we passed the Investigatory Powers Bill on Third Reading, with the support of the Labour party, having had these debates. It is frustrating that today of all days, as my hon. Friend says, we should go over that ground again having already reached a useful consensus.
On the judicial review point, the test was debated at length in the Joint Committee, in the Public Bill Committee and on the Floor of the House. The House passed that Act with cross-party consensus, as my hon. Friend has said, so I do not understand why we are having the same debate.
Anyone who has spent time working with our intelligence agencies knows that they see their mission as the defence of parliamentary democracy. They believe in scrutiny and oversight, which is what we are trying to insert in the Bill. The reason the Investigatory Powers Bill was passed in that way was because we were successful in ensuring that there were stronger safeguards. The Minister has been unable to explain today why the safeguarding regime should be different for the processing of data as opposed to the obtaining of data. We have heard no convincing arguments on that front today. All that we are seeking to do is protect the ability of the intelligence agencies to do their job by ensuring that a guard against the misuse of their much broader powers is subject to effective judicial oversight, and not in public but in a court.
For the security services to have obtained data under the Investigatory Powers Act, they will have passed through the various safeguards that Parliament set out in that Act. Once that data is obtained, it follows that the permission that the judicial commissioner will have reviewed will still flow through to the processing of that information. Our concern here is certain requirements of the data protection regime. The decision to disseminate information under that regime must rest with the intelligence agencies, with oversight. The Bill provides for those decisions to be appealed. That is as it should be. It should not be for a judicial commissioner to take over the decision of the data controller, who is processing applications and information in real time, often in situations that require them to act quickly. Likewise, whether to grant a certificate, which will be in the public domain, must be a decision for a member of the Executive, not the judiciary.
I assume that no work has been done to measure the scope of amendment 166, but allowing the clause to cover people indirectly affected could have enormous consequences for the security services, which already face great pressures and responsibilities.
Amendments 167 and 168 would remove the application of judicial review principles by the upper tribunal when considering an appeal against a certificate. They would replace the “reasonable grounds for issuing” test with a requirement to consider whether issuing a certificate was necessary and proportionate. Again, that would be an unnecessary departure from the existing scheme, which applies the judicial review test and has worked very well for the past 30 years.
In applying judicial review principles, the upper tribunal can consider a range of issues, including necessity, proportionality and lawfulness. As we set out in our response to the report of the House of Lords Constitution Committee, that enables the upper tribunal to consider matters such as whether the decision to issue the certificate was reasonable, having regard to the impact on the rights of the data subject and the need to safeguard national security. The Bill makes it clear that the upper tribunal has the power to quash the certificate if it concludes that the decision to issue it was unreasonable.
I hope that I have answered the concerns of the right hon. Member for Birmingham, Hodge Hill about how certificates are granted and about the review process when a subject access request is made and the certificate is applied. We must recognise that the Bill does not weaken a data subject’s rights or the requirements that must be met if an exemption is to be relied on; it reflects the past 30 years of law. Perhaps I missed it, but I do not think that any hon. Member has argued that the Data Protection Act 1998 has significant failings.
As the Minister well knows, the debate internationally is a result of the radical transformation of intelligence agencies’ ability to collect and process data. There is an argument, which has been well recognised in the Council of Europe and elsewhere, that where powers are greater, oversight should be stronger.
Order. I realise that the right hon. Gentleman feels strongly about the issue, but if he wishes to intervene, he must stand. If not, he must remain quiet and take it on the chin.
The Government have listened to the concerns of the House of Lords. We added clause 130 in the Lords to provide for the publication of national security certificates by the Information Commissioner, so that they would be easily accessible to anyone who wished to mount a subject access request, and could be tested accordingly. In her briefing to noble Lords about the Bill, the Information Commissioner said that the clause was
“very welcome as it should improve regulatory scrutiny and foster greater public trust and confidence in the use of national security certificate process.”
It will also ensure that any person who believes that they are directly affected by a certificate will be better placed to exercise their appeal rights.
The Bill’s approach to national security certificates is tried and tested. We rely on those 30 years of experience of the regime being in place. In her written submission to the Committee, the Information Commission has not raised any issues in respect of the provisions in clause 27.
I hope that I have reassured the hon. Member for Sheffield, Heeley. I suspect from the interventions that she may well press the amendment to a vote, but I invite her to withdraw it. We have scrutinised this matter, and the Government are clear that the Bill reflects the past 30 years of the regime. It has worked and the Information Commissioner has not raised any concerns about clause 27.
I am afraid that the Minister is correct; she has not reassured Opposition Members. The amendment is not about putting obstacles in the way of our intelligence agencies going about their operational capabilities—that is the last thing we want to do—but the Minister has been unable to give us a clear argument as to why there should be stronger safeguards on the collection of data than on processing. That the Home Office would like to have the data is not a sufficient argument.
Please do not trivialise the matter. It is not the case that the Home Office would like the data; this is national security. This is the regime that our security services use at the moment. It is the regime they need. That is why the Government are pressing the issue. Again, I would have thought that this week of all weeks is the week to back our security services, not to put more barriers in their way.
The intelligence agencies, as my right hon. Friend the Member for Birmingham, Hodge Hill has said, take parliamentary oversight and scrutiny seriously. The safeguards and oversights are not built into the Bill in the way they were in the Investigatory Powers Act 2016. There is no clear argument why those safeguards should be in place for collection, but not for processing. The Minister has constantly relayed that that decision is based on 30 years’-worth of data but, as has already been said, the scope for the collection and processing of data is so far transformed, even from when the Data Protection Act was written in 1998, that the oversights and safeguards need to be transformed as well. That is why we are proposing these amendments.
The Joint Committee on Human Rights has suggested that the exemptions put forward in the Bill are not legal and introduce arbitrary interferences into people’s privacy rights. It is this Committee’s responsibility to ensure that the amendments pass. That is not trivialising the issue, but ensuring that there is a proper debate about security and the individual’s data subject rights. That is why we will press the amendment to a vote.
Division number 7 - 7 yes, 10 no
Members will note that there are a number of clauses on the selection list to which no amendments have been tabled. I propose to start grouping such clauses together in order to speed progress. However, Members still have the right to tell me that they wish to speak to, or vote on, an individual clause.