Moved by
Lord Stevenson of Balmacara
157A: After Clause 124, insert the following new Clause—
“Personal data ethics code of practice
(1) Within six months of the passing of this Act, the Commissioner must prepare an ethics code of practice for data controllers.
(2) The code must include a duty of care from the data controller and the processor to the data subject.
(3) The code must provide best practice for data controllers and processors on measures which, in relation to the processing of personal data—
(a) reduce vulnerabilities and inequalities;
(b) protect human rights;
(c) increase the security of personal data;
(d) ensure that the access, use and sharing of personal data is transparent, and the purposes of personal data processing are communicated clearly and accessibly to data subjects.
(4) The code must consider—
(a) how to support data processing which has clear benefits for users and members of the public;
(b) the effectiveness of measures to seek the consent of users to the collection and use of their personal data;
(c) the risks and limitations of new technologies, ensuring that there is sufficient human oversight.
(5) The code must also provide guidance on—
(a) default privacy settings;
(b) data minimisation standards;
(c) presentation and language of terms and conditions;
(d) transparency of paid for activity, such as product placement and marketing;
(e) sharing and resale of data;
(f) veracity and accuracy of information;
(g) strategies used to encourage extended user engagement;
(h) user reporting and resolution processes and systems;
(i) responses to unintended consequences of technological advances in the processing of personal data; and
(j) any other aspect of design that the Commissioner considers relevant.
(6) Where a data controller or processor does not follow the code under this section, the data controller or processor is subject to a fine to be determined by the Commissioner.
(7) Before preparing the code of practice and prior to every revision, the Commissioner must consult the Secretary of State and relevant stakeholders.
(8) The Secretary of State must bring the code of practice into force by regulations made by statutory instrument.
(9) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”