My Lords, the noble Lord, Lord Collins, should make no apology for revisiting the issues of transparency and public confidence because they lie at the heart of what this Bill is attempting to achieve and are contained in Part 5. It may be déjà vu again but that is perfectly justified by the circumstances. We are all concerned to ensure that there is such transparency within these provisions as to maintain, and perhaps even restore, public confidence in the use and sharing of data.
Amendment 82ZA proposes that, within six months of the Act coming into force, an independent review of the collection and use of data by the Government and commercial organisations is conducted. With respect, the scope of the review appears extremely broad and goes much further than the provisions of Part 5. The Royal Society and the British Academy are undertaking a review to consider the ethical and legal frameworks needed in the United Kingdom as data technologies advance. We intend to consider the findings of that review when it is published. In addition, I mentioned that the general data protection regulation will come into effect in the United Kingdom in May 2018. The implementation of that regulation will represent a significant change to the data protection legal framework for both the public and private sectors, including strengthening rights for individuals so that they have more control over their personal data. We intend to work with the Information Commissioner to explore how we can best meet these requirements, as well as to improve transparency in this space. As such, we do not see the value in commissioning a further major review of data ahead of preparing to implement the new data protection framework when the regulation comes into force in May 2018.
Amendment 103 also seeks to improve the transparency of data sharing under the powers in Part 5. As I have indicated, we support this intention as transparency, along with the protection of personal data, is clearly at the heart of all these proposals. There are, however, a number of real problems with the proposed new clause. Setting the requirement and contents in primary legislation would significantly restrict our ability to explore and consider the benefits and consequences of publishing a register. For example, there may be a need to exempt the inclusion of certain types of data sharing for reasons such as national security or commercial confidentiality.
Ahead of the 2018 regulation coming into force, we will work with the Information Commissioner’s Office and other interested parties to explore how we can best meet its requirements and improve transparency. In our view, the statutory codes of practice in the Bill are a more appropriate vehicle for setting out requirements to support greater transparency. We will run a public consultation on the codes of practice as well as the required statutory consultations and we propose, as part of that, to gather views on the type of information about data sharing that should be captured and made public, as well as the risks and benefits. In addition, the draft codes already contain requirements for privacy impact assessments to be prepared and published. Further, we are continuing to explore with the Information Commissioner whether more can be done in this Bill to ensure that his codes of practice on privacy impact assessments and privacy are fully considered when data are shared under Part 5. I hope to return to this point later in the proceedings.
Amendment 104 proposes an obligation for organisations to report data breaches and submit associated audit returns to the Information Commissioner’s Office. As I have indicated, the EU general data protection regulation will apply in the United Kingdom from May 2018. The new regime will introduce tough measures on breach notification, making it a requirement for all data controllers and data processors to report breaches to the Information Commissioner’s Office if they are likely to result in a risk to the rights and freedoms of individuals, and the individuals affected must also be notified where there is a high risk. The new regime will also allow tougher penalties to be imposed on organisations in breach of the rules. I believe these will be penalties of up to 4% of the organisations’ total global annual turnover, or €20 million.
Under current arrangements, the Information Commissioner’s civil monetary penalties guidance says that he can take into account what steps, if any, the person or organisation had taken once they became aware of the contravention, when determining the amount of the monetary penalty to be issued, so there is provision for those who delay or defer the reporting of data breaches. At this stage, we are confident that the Information Commissioner has the necessary powers to take action against those organisations that are in breach of the rules so, while I accept the spirit of the amendment and understand the need for transparency, I do not believe it is necessary as the new tougher rules under the EU regulations will apply from May 2018. As I stated, under the current regime, the commissioner can and does take into account what steps, if any, an organisation has taken in addressing breaches and in deciding penalties under the Data Protection Act.
Amendment 111 would require a secure audit record to be compiled specifying the personal information shared under the public service delivery power. This well-intentioned amendment is also considered unnecessary. The code of practice that has been drafted in support of the public service delivery provisions already requires an audit to be kept by data controllers of information shared under this power, and the Information Commissioner’s data-sharing code of practice similarly requires organisations to keep records of information shared. In addition, the EU general data protection regulation will apply to Part 5 and place further specific legal obligations on organisations to maintain records of personal data shared and of processing activities. Organisations will now make the necessary preparations to comply with that regulation.
For the benefit of the noble Baroness, Lady Finlay, I emphasise that the processing of personal data under the public service delivery power must already be in accordance with the Data Protection Act. The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act. The commissioner undertakes a programme of consensual audits across the public and private sectors to assess their processing of personal information. The commissioner also has the power to conduct compulsory audits of public sector entities to evaluate compliance with the data protection principles. The commissioner has powers to obtain access to the information she may need to conduct those assessments.
7.30 pm
I turn to Amendments 213A, 213B, and 213C. Amendment 213A would require that any agreement to share data under Part 5 be listed in a register of data-sharing agreements published in digital form. Our position on this amendment is similar to that with respect to Amendment 103. The statutory codes of practice under the Bill are a more appropriate vehicle to develop and set out requirements to support greater transparency. A public consultation on the codes of practice as well as the required statutory consultations will allow us to gather views on the type of information about data sharing that should be captured and made public, as well as the risks and benefits. Amendment 213C relates to the way in which given data sharing ought to be described in any public register. Again, this is a matter to which further thought can be given when a view is taken as to the nature of any such register.
Amendments 213B and 213C seek to confer additional rights on data subjects, not just in respect of these data-sharing powers but more generally, to exercise their rights via digital means, and to object to processing undertaken by a data controller, with an accompanying provision enabling the data controller to disclose certain information in respect of these objections. Again, I remind the noble Baroness, Lady Finlay, of the provisions of the Data Protection Act 1998, which already provides sufficient protections in all these areas, providing mechanisms and remedies for perceived mishandling of personal data, complaints and access to personal data, among other things. These provisions would cut across the existing data protection regime and would be potentially confusing. Such fragmentation could discourage appropriate data sharing for the public benefit.
We are committed to making it as easy as possible for citizens to understand what data are held about them and the purposes for which they are processed. The codes of practice rather than further primary legislation are the appropriate means for doing this. We are working with the Information Commissioner to ensure that our codes provide sufficient guidance to ensure that this approach is effective, and that there will be compliance with the data processing regulation when it comes into force in May 2018. We are aiming for that. That will be reflected in the approach we take to the codes of practice and consultation. For these reasons, we suggest that these amendments are unnecessary and I invite noble Lords not to press them.