With this it will be convenient to discuss the following:
Government new clause 14—Destroying or falsifying information and documents etc.
Government new clause 15—Applications in respect of urgent notices.
Government new clause 16—Post-review powers to make provision about representation of data subjects.
Government new clause 17—Reserve forces: data-sharing by HMRC.
New clause 3—Bill of Data Rights in the Digital Environment—
‘Schedule [Bill of Data Rights in the Digital Environment] shall have effect.’
This new clause would introduce a Schedule containing a Bill of Data Rights in the Digital Environment.
New clause 4—Bill of Data Rights in the Digital Environment (No. 2)—
‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.
(2) Before making regulations under this section, the Secretary of State shall—
(a) consult—
(i) the Commissioner,
(ii) trade associations,
(iii) data subjects, and
(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and
(b) publish a draft of the Bill of Data Rights.
(3) The Bill of Data Rights in the Digital Environment shall enshrine—
(a) a right for a data subject to have privacy from commercial or personal intrusion,
(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),
(c) a right for a data subject to have their access to their data profiles or personal data protected, and
(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.
(4) Regulations under this section are subject to the affirmative resolution procedure.’
This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.
New clause 6—Targeted dissemination disclosure notice for third parties and others (No. 2)—
‘In Schedule 19B of the Political Parties, Elections and Referendums Act 2000 (Power to require disclosure), after paragraph 10 (documents in electronic form) insert—
‘10A (1) This paragraph applies to the following organisations and individuals—
(a) a recognised third party (within the meaning of Part 6);
(b) a permitted participant (within the meaning of Part 7);
(c) a regulated donee (within the meaning of Schedule 7);
(d) a regulated participant (within the meaning of Schedule 7A);
(e) a candidate at an election (other than a local government election in Scotland);
(f) the election agent for such a candidate;
(g) an organisation or individual formerly falling within any of paragraphs (a) to (f); or
(h) the treasurer, director, or another officer of an organisation to which this paragraph applies, or has been at any time in the period of five years ending with the day on which the notice is given.
(2) The Commission may under this paragraph issue at any time a targeted dissemination disclosure notice, requiring disclosure of any settings used to disseminate material which it believes were intended to have the effect, or were likely to have the effect, of influencing public opinion in any part of the United Kingdom, ahead of a specific election or referendum, where the platform for dissemination allows for targeting based on demographic or other information about individuals, including information gathered by information society services.
(3) This power shall not be available in respect of registered parties or their officers, save where they separately and independently fall into one or more of categories (a) to (h) of sub-paragraph (1).
(4) A person or organisation to whom such a targeted dissemination disclosure notice is given shall comply with it within such time as is specified in the notice.’’
This new clause would amend the Political Parties, Elections and Referendums Act 2000 to allow the Electoral Commission to require disclosure of settings used to disseminate material where the platform for dissemination allows for targeting based on demographic or other information about individuals.
New clause 10—Automated decision-making concerning a child—
‘(1) Where a data controller expects to take a significant decision based solely on automated processing which may concern a child, the controller must, before such processing is undertaken—
(a) deposit a data protection impact assessment with the Commissioner, and
(b) consult the Commissioner (within the meaning of Article 36 of the GDPR), regardless of measures taken by the controller to mitigate any risk.
(2) Where, following prior consultation, the Commissioner does not choose to prevent processing on the basis of Article 58(2)(f) of the GDPR, the Commissioner must publish the part or parts of the data protection impact assessment provided under subsection (1), relevant to the reaching of that decision.
(3) The Commissioner must produce and publish a list of safeguards to be applied by data controllers where any significant decision based solely on automated processing may concern a child.
(4) For the purposes of this section, the meaning of “child” is determined by the age of lawful processing under Article 8 of the GDPR and section 9 of this Act.’
New clause 11—Education: safe use of personal data—
‘(1) The Children and Social Work Act 2017 is amended as follows.
(2) In section 35 (other personal, social, health and economic education), after subsection (1)(b) insert—
‘(1A) In this section, “personal, social, health and economic education” shall include education relating to the safe use of personal data.’’
This new clause would enable the Secretary of State to require that personal information safety be taught as a mandatory part of the national PSHE curriculum.
New clause 12—Health bodies: disclosure of personal data—
‘(1) In section 261 of the Health and Social Care Act 2012 (Health and Social Care Information Centre: dissemination of information) after subsection (5) insert—
‘(5A) A disclosure of personal data may be made under subsection (5)(e) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(5B) In subsection (5A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences Against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(2) In section 13Z3 of the National Health Service Act 2006 () at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(3) In section 14Z23 of the National Health Service Act 2006 (clinical commissioning groups: permitted disclosure of information) at the end insert—
‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(4) In subsection (3)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’
(4) In section 79 of the Health and Social Care Act 2008 (Care Quality Commission: permitted disclosures) after subsection (3) insert—
‘(3A) A disclosure of personal data may be made under subsection (3)(g) only if it is made—
(a) to and at the request of a member of a police force, and
(b) for the purpose of investigating a serious offence.
(3B) In subsection (3A)—
“personal data” has the meaning given by section 3 of the Data Protection Act 2018;
“police force” means—
(a) a police force within the meaning of section 101 of the Police Act 1996, and
(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and
“serious offence” means—
(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,
(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and
(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’’
This new clause would prevent personal data held by the NHS from being disclosed for the purpose of the investigation of a criminal offence unless the offence concerned is serious, which is consistent with the NHS Code of Confidentiality and GMC guidance on confidentiality. It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials.
New clause 24—Safeguards on the transfer of data for lethal force operations overseas—
‘(1) A transferring controller may not make any transfer of personal data outside the United Kingdom under Part 4 of this Act where—
(a) the transferring controller knows, or should know, that the data will be used in an operation or activity that may involve the use of lethal force, and
(b) there is a real risk that the transfer would amount to a breach of domestic law or an internationally wrongful act under international law.
(2) Where the transferring controller determines that there is no real risk under subsection (1)(b), the transfer is not lawful unless—
(a) the transferring controller documents the determination, providing reasons, and
(b) the Secretary of State has approved the transfer in writing.
(3) Any documentation created under subsection (2) shall be provided to the Information Commissioner and the Investigatory Powers Commissioner within 90 days of the transfer.
(4) A “transferring controller” is a controller who makes a transfer of personal data outside the United Kingdom under Part 4 of this Act.
(5) For the purposes of subsection (1)(b),
(c) “domestic law” includes, but is not limited to,
(i) soliciting, encouraging, persuading or proposing a murder contrary to section 4 of the Offences Against the Person Act 1861,
(ii) conspiracy to commit murder contrary to section 1 or 1A of the Criminal Law Act 1977,
(iii) aiding, abetting, counselling, or procuring murder contrary to section 8 of the Accessories and Abettors Act 1861,
(iv) offences contrary to section 44, 45 and 46 of the Serious Crime Act 2007,
(v) offences under the International Criminal Court Act 2001.
(d) “International law” includes, but is not limited to, Article 16 of the 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts.
(6) The Secretary of State must lay before Parliament, within six months of the coming into force of this Act, guidance for intelligence officers on subsections (1) and (2).
(7) The Secretary of State must lay before Parliament any subsequent changes made to the guidance reported under subsection (6) within 90 days of any changes being made.’
Amendment 18, in clause 7, page 5, line 24, after “subsections” insert “(1A),”.
Government amendment 22.
Amendment 19, page 5, line 24, at end insert—
‘(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—
(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or
(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).’
Government amendments 23 and 24.
Amendment 4, in clause 10, page 6, line 37, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 5, in clause 14, page 8, line 11, at end insert—
‘(2A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).
(2B) A decision is “based solely on automated processing” for the purposes of this section if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.’
This amendment would ensure that where human rights are engaged by automated decisions these are human decisions and provides clarification that purely administrative human approval of an automated decision does make an automated decision a ‘human’ one.
Amendment 6, page 9, line 36, leave out clause 16.
This amendment would remove delegated powers that would allow the Secretary of State to add further exemptions.
Government amendment 143.
Amendment 7, in clause 35, page 22, line 14, leave out subsections (6) and (7).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 151, in clause 49, page 30, line 19, at end insert—
‘(1A) A controller may not take a significant decision based solely on automated processing if that decision affects the rights of the data subject under the Human Rights Act 1998.’
Amendment 2, in clause 50, page 30, line 28, at end insert—‘and
(c) it does not engage the rights of the data subject under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 8, in clause 86, page 51, line 21, leave out subsections (3) and (4).
This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.
Amendment 3, in clause 96, page 56, line 38, after “law” insert—
‘unless the decision engages an individual’s rights under the Human Rights Act 1998.’
This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.
Amendment 9, page 63, line 27, leave out clause 113.
This amendment would remove delegated powers that would allow the Secretary of State to create new exemptions to Part 4 of the Bill.
Government amendments 25 to 37.
Amendment 20, in clause 144, page 81, line 11, leave out “7 days” and insert “24 hours”.
This amendment would reduce from 7 days to 24 hours the minimum period which must elapse before a controller or processor has to comply with an assessment notice which has been issued by the Commissioner and which the Commissioner has stated should be complied with urgently.
Government amendments 38 to 71.
Government new schedule 3—Transitional provision etc.
New schedule 1—Bill of Data Rights in the Digital Environment—
‘The UK recognises the following Data Rights:
Article 1—Equality of Treatment
Every data subject has the right to fair and equal treatment in the processing of his or her personal data.
Article 2—Security
Every data subject has the right to security and protection of their personal data and information systems.
Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.
Article 3—Free Expression
Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.
Article 4—Equality of Access
Every data subject has the right to access and participate in the digital environment on equal terms.
Internet access should be open.
Article 5—Privacy
Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.
Article 6—Ownership
Every data subject has the right to own and control his or her personal data.
Every data subject is entitled to a proportionate share of income or other benefit derived from his or her personal data as part of the right to own.
Article 7—Control
Every data subject is entitled to know the purpose for which personal data is being processed. Data controllers should not deliberately extend the gathering of personal data solely for their own purposes. Government, corporations, public authorities and other data controllers must obtain meaningful consent for the use of people’s personal data. Every data subject has the right to own, curate, move, revise or review their personal data.
Article 8—Algorithms
Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.
Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.
Article 9—Participation
Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.
Article 10—Protection
Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.
Article 11—Removal
Every data subject is entitled to revise and remove their personal data.
Compensation
Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.
Application to Children
The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child. Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code set out in section 123 of this Act.’
Government amendments 72 and 73.
Amendment 16, in schedule 2, page 140, line 15, at end insert—
‘(1A) The exemption in sub-paragraph (1) may not be invoked in relation to offences under—
(a) sections 24, 24A, 24B or 24C of the Immigration Act 1971,
(b) section 21 of the Immigration, Asylum and Nationality Act 2006, or
(c) sections 33A and 33B of the Immigration Act 2014.’
Amendment 15, page 141, line 17, leave out paragraph 4.
Government amendments 141 and 142.
Amendment 10, page 152, line 24, leave out paragraph 19 and insert—
‘19 The listed GDPR provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 139, 74 and 75.
Amendment 11, in schedule 11, page 196, line 39, leave out paragraph 9 and insert—
‘9 The listed provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 140 and 76 to 80.
Amendment 21, in schedule 15, page 206, line 11, at end insert—
‘(1A) A warrant issued under subparagraph (1)(b) or (1)(c) of this paragraph does not require any notice to be given to the controller or processor, or to the occupier of the premises.’
This amendment would make it clear that a judge can issue a warrant to enter premises under subparagraphs 4(1)(b) or 4(1)(c) without the Commissioner having given prior notice to the data controller, data processor or occupier of premises.
Government amendments 81 to 85.
Amendment 12, page 208, line 13, leave out “with respect to obligations, liabilities or rights under the data protection legislation”.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Amendment 13, page 208, line 21, leave out from “proceedings” to the end of line 23.
This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.
Government amendments 86 to 138.