My Lords, right from the outset, I had better declare that this is a probing amendment. I shudder to think of another chastisement from the noble Lord, Lord Ashton —that would be too terrible to contemplate. Chastisement from the noble Baroness? Even better.
The amendment is about whether we should put the Bill on all fours with the Data Protection Act 1998. Personal data is defined in Clause 2(2), and then Clause 2(4) goes on to talk about “processing” of data, in terms of requiring the personal data to be recorded in order that it can be subject to,
“an operation … performed on personal data”.
It follows that, if the information is not recorded, it is not capable of being processed under the Bill as it cannot be subject to an operation.
Where I am slightly confused is looking at article 5(1)(f) of the GDPR, which talks about personal data being,
“processed in a manner that ensures appropriate security”,
which means that security obligations apply to recorded information about an individual and perhaps not to unrecorded information, which may be, for instance, disclosed in a conversation. If a controller fails to control his staff and a staff member discloses information in an unrecorded form, is that controller in breach of the security principle?
It would have been crystal clear in the Data Protection Act 1998 because Section 1(2) of the DPA closes that kind of loophole. That is exactly the wording that has been adopted in the amendment. Perhaps the Minister can explain whether we are incapable of using that definition because it is the GDPR or simply because we have failed to incorporate and bring forward equivalent provisions from the 1998 Act. I beg to move.