It is true that we do not have Government amendments to that effect, but it is a central part of the Bill that we have already debated in Committee. Making data more available to researchers is, indeed, an objective of the Bill, and I share my right hon. and learned Friend’s view that it will produce great value. If he thinks more needs to be done in specific areas, I would be very happy to talk to him further or to respond in writing.
1.45 pm
There are quite a number of technical amendments, as the hon. Member for Rhondda (Sir Chris Bryant) observed. I will start with the UK-US data access agreement, which permits telecommunications operators in the UK to share information about serious crimes with law enforcement agencies in the US, and vice versa.
Government new clause 6 makes it clear that the UK-US data access agreement, and other specified international treaties, can provide a basis for processing under several grounds in the UK GDPR. This agreement has been operational since October 2022, and disclosures made under it are not prevented by the current data protection legislation. However, the measures contained in the new clause will make it absolutely clear to telecoms operators in the UK that the data access agreement provides an appropriate legal basis for processing personal data, special category data and criminal offences data under the relevant provisions in the UK GDPR.
We have also tabled an amendment to ensure that, following the loss of the EU general principle of proportionality at the end of 2023 as a result of the Retained EU Law (Revocation and Reform) Act 2023, controllers continue to need only to carry out a reasonable and proportionate search for information when responding to a subject access request. While controllers should make the best possible efforts to locate all the information requested by a data subject, there are occasions when this might be unreasonable or disproportionate, such as when the information is of low importance or of low relevance to the data subject. In those circumstances, it is important to continue to allow controllers to limit the efforts they make when searching for information, and
this position reflects existing domestic case law. The amendment simply provides greater legal certainty for controllers.
Turning to the Information Commissioner’s Office codes of practice, we have listened to concerns about the perceived impact of the approval powers on the independence of regulators, so we are amending the Bill to remove the veto power on the contents of ICO statutory codes of practice. It was previously proposed that the power should be held by the Secretary of State. [Interruption.] I welcome the expression of enthusiasm for this amendment from the hon. Member for Rhondda.
This amendment balances regulatory independence with democratic accountability and reaffirms the Government’s commitment to the independence of our regulatory framework, and it is supported by the ICO. The amendment introduces a new process for the approval of ICO statutory codes of practice, and it provides that the Information Commissioner must consider recommendations from the Secretary of State about a code of practice prior to the code being laid before Parliament. Critically, the Information Commissioner will not be bound by the Secretary of State’s recommendations.
We are also introducing an amendment to clarify the ways in which the ICO can serve notices, and to remove the outdated requirement for the ICO to obtain consent before serving notices by email. This amendment will enable the ICO to enforce the UK’s data protection regime more effectively, particularly against overseas businesses, and it mirrors the arrangements that a number of other regulators already have.
Although most data controllers do the right thing and respond to subject access requests in a satisfactory way, some disputes end up in court, so we have tabled an amendment that will enable a court to require information from a controller to assess whether it should have been provided as part of the original response, while ensuring that the information is not disclosed to the claimant until it has been determined whether or not they are entitled to it.
The hon. Member for Brent Central (Dawn Butler) mentioned the digital identity verification schemes in part 2. The UK digital identity and attributes trust framework sets out baseline rules that organisations must follow to become a Government-approved digital verification service provider. However, in some cases where people may choose to use digital identity products, such as when applying for a mortgage or completing pre-employment checks, digital verification service providers may need to follow rules in addition to those within the trust framework in order to meet sector-specific requirements. Our amendment enables additional rules, which are described as “supplementary codes” in the Bill, to be approved by the Government, against conditions set out in the trust framework. Organisations will be able to prove that the digital verification services they offer are certified against supplementary codes, as well as the trust framework, by having a note included in the digital verification service register.
Let me turn to one or two examples, covering both the right-to-rent and right-to-work checks. It is essential that the employment and private rental sectors are provided with robust and secure processes to ensure that the identity checking parts of their onboarding processes are secure, efficient and effective. The Home Office will use the amended part 2 powers I have just
explained to make secondary legislation that means that when an employer or landlord is using the services of a digital verification service provider, they do so from the register of digital verification service providers established under part 2 of the Bill. That does not change the already established processes available to employers and landlords. In fact, 41 providers have already been certified to perform digital right-to-work and right-to-rent checks, in line with the existing version of the UK digital identity and attributes trust framework, to which I have referred. The amendments will provide confidence and security to employers and landlords that the service providers they are using are certified. Our ongoing engagement with the sector tells us that the use of digital identity service providers is a welcome development, as it represents a more cost-effective practice than manual checks of physical documents.
Providers of public electronic communications services, such as companies that provide a mobile phone contract, are currently required to report all personal data breaches to the Information Commissioner within 24 hours. Our amendment eases burdens on industry by giving more time for those data controllers to report data breaches; they will now have to be reported without undue delay and, where feasible, no later than 72 hours after the breach. This change will allow organisations to gather more detailed information about the breach before the reporting deadline and allow the ICO to focus its efforts on assessing that information once it has been achieved.
On disclosure for the purposes of archiving in the public interest, the Government recognise the importance of archives in permanently preserving Britain’s rich history for long-term social benefit. We also know that archivists currently have very little agency to dictate what lawful ground was used when obtaining personal data from a wide range of sources. We are therefore amending the Bill to ensure that a controller is able to reuse personal data for the purpose of archiving in the public interest, regardless of the lawful ground the personal data was originally collected on. That will be particularly helpful for archivists that are not public authorities and are therefore unable to use a public task lawful ground for their processing. We have worked closely with the National Archives in bringing forward our amendment.
I come to the issue of foreign convictions, particularly those relating to counter-terrorism policing. We intend to amend the Bill to ensure that counter-terrorism policing can continue to protect British citizens by retaining biometrics received from international partners in a more efficient way. Currently, the police can hold biometrics indefinitely for people who have a conviction for shoplifting in the UK but not for convicted terrorists abroad. Our amendment that will enable the indefinite retention of an individual’s fingerprints and DNA profile for national security purposes where that person has a foreign conviction that is equivalent to a conviction in England, Wales or Northern Ireland. Counter-terrorism policing can retain those biometrics without the need to apply for a national security determination. Our amendment brings the Counter-Terrorism Act 2008 into alignment with other legislation governing biometric retention.
We are making changes to the way that counter-terrorism policing can retain biometrics shared via Interpol. It will now be able to retain biometric data in national security-related cases for as long as the relevant Interpol
notice remains in force, rather than needing to submit a national security determination, which can present significant operational challenges for counter-terrorism policing. That will bring the UK into line with the rules under which all Interpol members retain and use those same biometrics. Our amendment was requested and is welcomed by counter-terrorism policing, the independent reviewer of terrorism legislation, the Office of the Biometrics Commissioner and the security services, and I thank them for their co-operation on this aspect of the Bill.