My Lords, I cannot be quite so quick but I will be fairly quick. Amendment 142B concerns Clause 91(3), which states:
“The controller is not required … to give a data subject information that the data subject already has”.
When I read that, I wondered how the controller would know that the data subject had the information. Therefore, my alternative wording would refer to information which the,
“controller has previously provided to the data subject”.
There can therefore be no doubt about that.
Amendment 143A concerns Clause 92, which deals with a right of access within a time limit of a month of the relevant day, as that is defined, or a longer period specified in regulations. What is anticipated here? Why is there the possibility of an extension? This cannot, I believe, be dealt with on a case-by-case basis as that would be completely impracticable and, I think, improper. Is it to see whether experience shows that it is a struggle to provide information within a month, and therefore a time limit of more than a month would benefit the controller, which at the same time would be likely to disbenefit the data subject, given the importance of the information? I hope the Minister can explain why this slightly curious power for the Secretary of State is included in the Bill.
Amendment 146B concerns Clause 97, which deals with the right to object to processing. I might have misunderstood this but I believe that the controller is obliged to comply only if he needs to be informed of the location of data. I do not know whether I have that right, so Amendment 146B proposes the wording,
“if its location is known to the data subject”,
so that the amendment flows through in terms of language, if not in sense. The second limb of Clause 97(2), whereby the data subject is told that the controller needs to know this, suggests this. That enables me to make the point that this puts quite a heavy burden on the data subject.
Amendment 148A concerns Clause 101. I, of course, support the requirement that the controller should implement measures to minimise the risks to rights and freedoms. However, I question the term “minimise”. The Bill is generally demanding in regard to this protection, so to root the requirement in the detail of the Bill the amendment would add,
“in accordance with this Act”.
As regards the test of whether a personal data breach seriously interferes with rights, I suggest this is not as high a threshold as that required by the term “significantly” proposed in Amendment 148B.
Following the noble Lord’s co-piloting analogy, I now say, “Over and out”.