My Lords, as a non-lawyer, I am delighted to find myself in the same company as the noble and learned Lord, Lord Hope of Craighead, as this has also introduced me to an area of trust law which I am not familiar with. I thank noble Lords for their amendments, which concern the exemptions from data rights in the GDPR that the Bill creates. Two weeks ago we debated amendments that sought to create an absolute right to data protection. Today we will further debate why, in some circumstances, it is essential to place limitations on those rights.
The exemptions from data rights in the GDPR are found in Schedules 2 to 4 to the Bill. Part 6 of Schedule 2 deals with exemptions for scientific or historical research and archiving. Without these exemptions, scientific research which involves working on large datasets would be crippled by the administration of dealing with requests from individuals for their data and the need to give notice and service other data rights. This data provides the fuel for scientific breakthroughs, which the noble Lord, Lord Patel, and others have told us so much about in recent debates.
Amendment 79 seeks to remove “scientific or historical” processing from the signposting provision in Clause 14. Article 89 of the GDPR is clear that we may derogate only in relation to specifically historical or scientific research. We believe that Clause 14 needs to correctly describe the available exemption, although I reassure noble Lords that, as we have discussed previously, these terms are to be interpreted broadly, as outlined in the recitals.
Part 1 of Schedule 2 deals with exemptions relating to crime, tax and immigration. For example, where the tax authorities assess whether tax has been correctly paid or criminally evaded, that assessment must not be undermined by individuals accessing the data being processed by the authority. Amendments 79A and 79B, spoken to by the noble Lord, Lord Griffiths of Burry Port, would limit the available exemptions by removing from the list of GDPR rights that can be disapplied the right to restrict processing and the right to object to processing. In my example, persons subject to a tax investigation would be able to restrict and object to the processing by a tax authority. Clearly that is not desirable.
Amendments 80A and 83A seek to widen the exemption in paragraph 5(3) of Schedule 2 which exempts data controllers from complying with certain data rights where that data is to be disclosed for the purposes of legal proceedings. Without this provision, which mirrors the 1998 Act, individuals may be able to unfairly disrupt legal proceedings by blocking the processing of data. We are aware that the Bar Council has suggested that the exemption be widened as the amendments propose. This would enable data controllers to be wholly exempt from the relevant data rights. We believe that this is too wide and that the exemption should apply only where the data is, or will be, subject to a disclosure exercise, which is a process managed through court procedure rules. At paragraph 17 of Schedule 2, the Bill makes separate provision for exemptions to protect legal professional privilege. We think that the Bill continues to strike the right balance between the rights of data subjects and controllers processing personal data for the purposes of exercising their legal rights.
Amendment 83B seeks to remove paragraph 7 of Schedule 2 from the Bill. This paragraph sets out the conditions for restricting data subjects’ rights in respect of personal data processed for the purposes of protecting the public. Those carrying out functions to protect the public would include bodies and watchdogs concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, securing the health and safety of persons at work, and protecting charities and fair competition in business. Paragraph 7, which is based on the current Section 31 of the 1998 Act, ensures that important investigations can continue without interference. Without this paragraph, persons would have to be given notice that they were being investigated and, on receipt of notice, they could require their data to be deleted, frustrating the investigation.
Paragraph 14 of Schedule 2 allows a data controller to refuse to disclose information to the data subject where doing so would involve disclosing information relating to a third party. Amendment 86A would remove the circumstances set out in sub-paragraph (3) to which a data controller must have regard when determining whether it is reasonable to disclose information relating to a third party without their consent. These considerations mirror those in the 1998 Act and we think that they remain important matters to be considered when determining reasonableness. They also allow for any duty of confidentiality to be respected.
Paragraph 15 of Schedule 2 ensures that an individual’s health, education or social work records cannot be withheld simply because they make reference to the health, education and social work professionals who contributed to them. Amendment 86B would allow a controller to refuse to disclose an individual’s health records to that individual on the grounds that they would identify the relevant health professionals who authored them. We believe that individuals should be able to access their health records in these circumstances.
9.15 pm
I come now to Amendment 86BA tabled by the noble Lord, Lord Pannick, which concerns the confidentiality of trust information. I confess that, in this, I am relying on advice even more than usual, and
so I will put forward our initial analysis, which we might then have to discuss later. However, I am grateful to the noble Lord for letting us have his counsel and opinion and for giving that to the Bill team before the debate.
The noble Lord’s amendment seeks to ensure that beneficiaries of a trust are not entitled to obtain through a subject access request information about decisions taken by the trustee that they would not be entitled to have under trust law. In the recent case of Dawson-Damer, which the noble Lord referred to, an offshore trustee was found not to be entitled to the full benefit of exemptions in the 1998 Act, which would have applied if the trust had been based in the UK. I understand that the noble Lord, Lord Pannick, has been informed to the contrary, but in our initial analysis we believe that trusts have adequate protections.
The Bill replicates the position under the existing 1998 Act. Where the data comes within legal professional privilege, it is already exempted, including for enforcement of civil proceedings. Article 15(4) of the GDPR directly protects against disclosure where it would adversely affect the rights and freedoms of others, including any rights or freedoms of trustees. The court also has power to withhold disclosure of information where there is an overriding need to do so, for instance where subject access is being used for an improper purpose. We believe that any gap between what can be withheld under trust law and data protection law is narrow, and no more than is appropriate to protect the rights that the beneficiaries of a trust have in their data. In this regard, we are simply continuing the existing position.
We have considered whether any further protection is possible and do not believe that the Bill needs to be used to protect offshore trusts further. We do not believe that it will drive trusts into less transparent jurisdictions or impact on the international competition of UK-based legal advice in respect of trusts. The possible application of data protection law is just one possible risk to consider when deciding where to do business. Indeed, the tailored exemptions we have provided in this Bill may make the UK an attractive destination.
I am of course happy to discuss this technical legal matter further with the noble Lord and the noble and learned Lord if they so desire—and with my officials, which is the important bit. I take on board what the noble and learned Lord said about the Jersey and Guernsey rules and the risks that that might pose. I will take that back and read carefully in Hansard what the noble and learned Lord has said.
Amendment 86C seeks to remove paragraph 19, which protects personal data processed for corporate finance services. The exemption is only available to the extent to which the subject information provisions could, or in the reasonable belief of the data controller could, affect the price or value of particular instruments of a price-sensitive nature—for example, company shares. This restriction replicates the exemption for this purpose under paragraph 6 of Schedule 7 to the 1998 Act and the Data Protection (Corporate Finance Exemption) Order 2000. We think it remains an important exemption to underpin the integrity of the markets.
Amendment 86D would remove the exemption available to businesses to protect the confidentiality of personal data processed for the purposes of management forecasting or management planning to the extent that the application of those provisions would be prejudicial to that business or other activity. An example of this might be plans relating to potential future redundancies which have yet to be made public. We think that these exemptions are useful for UK business.
I hope I have given sufficient explanations in response to the amendments in this group and persuaded noble Lords that there are good reasons why the exemptions are required. In the light of the comments I have made, I invite the noble Lord to withdraw his amendment.