My Lords, we have a number of amendments in this group which fit very well with what has just been said by the noble Baroness, Lady Hamwee. I hope she will take it from that that we support broadly where she is coming from and hope to extend it slightly in a couple of areas.
Amendment 130—which is a DPRRC recommendation—affects Schedule 8. This was touched on in earlier groups and I will not delay the Committee by repeating the points now. They will be covered in the Minister’s response, which we confidently expect to be that this is under consideration, that a further air travel bulletin will be emerging shortly and that we should not worry too much about it at this stage. However, I am prepared to argue for it if necessary, and if the noble Lord challenges me I will do so.
The government amendments have not yet been introduced. However, in anticipation, we welcome them. They take out one or two of the points I will be making later. Once they have been introduced and looked at we will be able to rely on them. They cover a particular gap in the Bill in terms of the need to rely on a function conferred on a person by rule of law as well as simply by an enactment.
Amendment 133ZA is a probing amendment to quite an important clause that we would like to see retained. The reason for putting down the amendment in this form is to probe further into what is going on here. The terms of Clause 39 apply only,
“in relation to the processing of personal data for a law enforcement purpose”,
and would be conferred by rule of law as well. It repeats other areas that cover,
“archiving purposes in the public interest … scientific or historical research purposes, or … statistical purposes”.
I am not clear why these are linked to law enforcement purposes. Why would archiving be necessary for such a purpose? Perhaps the Minister can respond on that particular point. It is a narrow one, but I should like to know the answer.
Clause 33(5) deals with processing without the consent of the data subject, of which this is a part, and makes the point that it is permissible only for the purposes listed in Schedule 8. However, Clause 33(6) permits amendment to this derogation, so purposes could be added or indeed lost. There is of course a wide research exception in Schedule 8 with no specific safeguards. So it is important to understand why the framing of this is so open-ended, and I would be grateful for a response.
When we check the GDPR, the antecedent impulse for this is present in the wording of article 4(3). That goes on to say that the processing has to be subject to appropriate safeguards for the rights and freedoms of data subjects, yet we do not see these in either Clause 33 or Clause 39—or indeed at any point in between. Why is that? Is there a reason why it should not be part of the processing conditions? If so, can we have an example of why that would be necessary?
Amendment 133ZC relates to quite an important area, which is a derogation to allow personal data to be processed for different law enforcement purposes other than when it is initially processed, as long as it is a lawful purpose and is proportionate and necessary. That is quite open-ended, so it would be helpful if in his response the Minister could speculate a little about where the boundaries there exist. We have no objection to the provision in principle, but it is important to ensure that the scope is not so impossibly broad that anything can be hung on one particular issue. If that was coming forward, I am sure that it would be possible to do that. The scope seems to be too broad to be considered proportionate—which, as I said, is what the directive requires.
Amendment 133ZE builds on Amendment 133ZD to which the noble Baroness, Lady Hamwee, has already spoken. This is about what happens to data that is found to be inaccurate and the requirement that it should not be disclosed for any law enforcement purpose. This is a slightly different wording and I am looking for confirmation that the Government do not see a difference in the two possibilities. The original requirement was that data should not be “transmitted or made available” if it is inaccurate, but this would say that it should not be “disclosed”, which is an active rather than a passive expression of that—but is it different? The amendment tries to broaden the provision so that reasonable steps are taken to make sure that data is not made available for any purpose, which I think would be a more satisfactory approach.
I turn to Amendment 133ZG. I think I am right in saying that the GDPR envisages that inaccurate personal data should be corrected or deleted at the initiative of the controller, but that provision does not appear in the Bill. I wonder whether there is an explanation for that. If there is not, who will be responsible for correcting data that is found to be inaccurate or needs to be corrected or deleted?
Finally in this group, Amendment 133ZH relates to Clause 37, which requires that personal data should be kept for no longer than necessary. To comply with this principle, the data controller should establish time limits for erasure or for a periodic review. The current drafting seems to suggest that all that is required to be done by controllers is that from time to time they should review their procedures; it does not say that they have to do it. Perhaps the Minister could respond on this point. Surely what we want here is a clear requirement for both reviews and action. You can review the data, but if it is no longer required and should be deleted, there should be an appropriate follow-up. Time limits are not enough: you do it within the time limits but then you have to follow up. We do not think it currently makes sense. I look forward to the Minister’s responses.
5.45 pm