I propose to start my remarks by addressing the Government amendments to strengthen the powers of the Information Commissioner.
The investigation of the Information Commissioner’s Office into Cambridge Analytica is unprecedented in its scale and complexity. It has, necessarily, pushed the
boundaries of what the drafters of the Data Protection Act 1998 and the parliamentarians who scrutinised it could have envisaged. Although we recognise that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in the light of the commissioner’s experience. Following extensive discussions with the commissioner and in Committee, we concluded that such provision is desirable. Our amendments will strengthen the commissioner’s ability to enforce the law, while ensuring that she operates within a clear and accountable structure. I will give a few examples.
First, amendments 27 and 28 will allow the commissioner to require any person who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. That might be important where, for example, a former employee has information about the organisation’s processing activities.
Secondly, new clause 13 will allow the commissioner to apply to the court for an order to force compliance when a person fails to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.
Thirdly, amendments 30 and 45 will allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. Amendment 38 will allow the commissioner, in certain circumstances, to issue an assessment notice that can have immediate effect. Those amendments will allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities in a prompt and effective way. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.
Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the commissioner’s investigation.
Finally, we have taken this opportunity to modernise the commissioner’s powers. Storing files on an office server is rapidly becoming a thing of the past. Amendment 79 will enable the commissioner to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.
When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, when an information, assessment or enforcement notice containing an urgency statement is served on a person, new clause 15 will allow them to apply to the court to disapply the urgency statement. In effect, they will have a right to apply to the court to vary the timetable for compliance with the order. A court considering an application from the commissioner for an information order will be able to take into account all the relevant circumstances at
the time, including whether an application has been brought by the person concerned under new clause 15 and whether the person has brought an appeal against the notice itself in the tribunal. These amendments have been developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions.
I now turn to the representation of data subjects. I am very grateful to Baroness Kidron for her continued engagement on this subject. In particular, we agree that children merit special protection in relation to their personal data and that the review the Government will undertake shall look accordingly at the specific barriers young people and children face in enforcing their rights. Government new clause 16, as well as amendments 61, 62, 63, 70 and 75, ensures that they will.
Government new clause 17 concerns maintaining contact with ex-regular reserve forces. This will allow Her Majesty’s Revenue and Customs to share contact detail information with the Ministry of Defence to ensure that the MOD is better able to locate and contact members of the ex-regular reserve.
New clause 12, on data sharing by health bodies, is in the name of my hon. Friend the Member for Totnes (Dr Wollaston), who chairs the Health and Social Care Committee. I know she and the Committee have significant and legitimate concerns about the operation of the memorandum of understanding between NHS Digital and the Home Office, which currently allows the sharing of non-clinical information, principally address information, for immigration purposes. The Select Committee has argued for the suspension of the MOU pending the outcome of a review into its impact by Public Health England. New clause 12 seeks to adopt a more long-term approach by narrowing the ability of NHS Digital to disclose information in connection with the investigation of criminal offences. The aim is to narrow the MOU’s scope, so that it only facilitates the exchange of personal data in cases involving serious criminality.
The Government have reflected further on the concerns put forward by my hon. friend and her Committee. As a result, and with immediate effect, the data sharing arrangements between the Home Office and the NHS have been amended. This is a new step and it supersedes the position set out in previous correspondence between the Home Office, the Department for Health and Social Care and the Select Committee.
I know my hon. Friend and her colleagues have been particularly exercised by the contents of a letter dated 23 February from both the above-mentioned Departments to her Select Committee, in which it is stated that
“a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in exercise of their lawful powers”.
The bar for sharing data will now be set significantly higher. By sharing, I mean sharing between the Department of Health and Social Care, the Home Office and, in future, possibly other Departments. No longer will the names of overstayers and illegal entrants be sought against health service records to find current address details. The data sharing, relying on powers under the Health and Social Care Act 2012, the National Health
Service Act 2006 and the Health and Social Care Act 2008, will only be used to trace an individual who is being considered for deportation action having been investigated for, or convicted of, a serious criminal offence that results in a minimum sentence of at least 12 months in prison.
The Government have a long-held policy on what level of serious criminality is deserving of deportation, given statutory force by the UK Borders Act 2007. When a custodial sentence of more than 12 months has been given, consideration for deportation must therefore follow. Henceforth, the Home Office will only be able to use the memorandum of understanding to trace an individual who is being considered for deportation action having been convicted of a serious criminal offence, or when their presence is considered non-conducive to the public good—for example, when they present a risk to public security but have yet to be convicted of a criminal offence.
4.30 pm