UK Parliament / Open data

Data Protection and Digital Information Bill

Moved by

Lord Bethell

135: After Clause 27, insert the following new Clause—

“Access to data for vetted researchers

(1) Upon a reasoned request from the Information Commissioner, a data controller or processor that meets the requirements in subsection (9) must, within a reasonable period, as specified in the request, provide access to data to vetted researchers who meet the requirements in subsection (7), for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks of non-compliance with United Kingdom law that is upheld by one or more of the regulatory bodies, the Information Commissioner, the Competition and Markets Authority (CMA), the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA).

(2) Within 15 days following receipt of a request as referred to in subsection (1), the data controller or processor may request the Information Commissioner amend the request, where they consider that they are unable to give access to the data requested because of one of the following two reasons—

(a) they do not have access to the data;

(b) giving access to the data would lead to significant vulnerabilities in the security of their service or the protection of confidential information, in particular trade secrets.

(3) Requests for amendment under subsection (2) must contain proposals for one or more alternative means through which access may be provided to the requested data or other data which are appropriate and sufficient for the purpose of the request.

(4) The Information Commissioner must decide on the request for amendment within 15 days and communicate to the data controller or processor its decision and, where relevant, the amended request and the new period to comply with the request.

(5) Where the research request relates to United Kingdom law that is upheld by a different regulator, the Information Commissioner will notify the relevant regulator.

(6) The data controller or processor must facilitate and provide access to data pursuant to subsections (1) and (4) through appropriate interfaces specified in the request, including online databases or application programming interfaces.

(7) Upon a duly substantiated application from researchers, the Information Commissioner will grant such researchers the status of “vetted researchers” for the specific research referred to in the application and issue a reasoned request for data access to the data controller or processor pursuant to subsection (4), where the researchers demonstrate that they meet all of the following conditions—

(a) they are affiliated to a research organisation;

(b) they are independent from commercial interests;

(c) their application discloses the funding of the research;

(d) the intended research has demonstrated public interest and benefit;

(e) they are capable of fulfilling the specific data security and confidentiality requirements corresponding to each request and to protect personal data, and they describe in their request the appropriate technical and organisational measures that they have put in place to this end;

(f) their application demonstrates that their access to the data and the time frames requested are necessary for, and proportionate to, the purposes of their research, and that the expected results of that research will contribute to the purposes laid down in subsection (1);

(g) the planned research activities will be carried out for the purposes laid down in subsection (1);

(h) they have committed themselves to making their research results publicly available free of charge, within a reasonable period after the completion of the research.

(8) Data controllers and processors must give access without undue delay to data, including, where technically possible, to real-time data, provided that the data is publicly accessible in their online interface by researchers, including those affiliated to not for profit bodies, organisations and associations, who comply with the conditions set out in subsection (7)(b), (c), (d) and (e), and who use the data solely for performing research to advance the purposes set out in subsection (1) above.

(9) A data controller or processor falls within the scope of subsection (1) if it has over 1 million service users or customers in the United Kingdom, if there is a large concentration of children on the service or if the researchers provide compelling evidence that the service is high risk.

(10) The Information Commissioner must publish the technical conditions under which a data controller or processor must share data pursuant to subsections (1) and (4), including the application of data protection by design and default, and the purposes for which the data may be used.

(11) The technical conditions under subsection (10) include the specific conditions under which such sharing of data with researchers may take place, as well as relevant objective indicators, procedures and, where necessary, independent advisory mechanisms in support of sharing of data, taking into account the rights and interests of the providers of data controllers and processors and the data subjects who use the service, including the protection of confidential information, in particular trade secrets, and maintaining the security of their service.”

Member’s explanatory statement

This amendment mirrors the research provisions in the European Commission’s Digital Services Act and ensures that UK-based academic researchers are not put at a disadvantage when it comes to researching matters of public interest regarding whether the largest online services - including services most used by children - are safe, private and comply with UK law.

Type: Proceeding contribution
Reference: 837 c268GC
Session: 2023-24
Chamber / Committee: House of Lords Grand Committee