My Lords, first, like other noble Lords, I pay tribute to the noble Baroness, Lady Kidron, for her months—indeed, years—of work to ensure that the rights and safety of children are protected online. I commend her efforts to ensure that the Bill properly secures those rights. She has convinced us that it is absolutely right that children deserve their own protections in the Bill. The Government agree that these amendments do just that for the processing of a child’s personal data.
Amendment 109 would require the Information Commissioner to produce a code of practice on age-appropriate design of online services. The code will carry the force of statutory guidance and set out the standards expected of data controllers to comply with the principles and obligations on data processors as set out by the GDPR and the Bill. I am happy to undertake that the Secretary of State will work in close consultation with the Information Commissioner and the noble Baroness, Lady Kidron, to ensure that this code is robust, practical and, most importantly, meets the development needs of children in relation to the gathering, sharing, storing and commoditising of their data. I have also taken on board the recommendations of the noble Lord, Lord Clement-Jones, on the internet safety strategy. We have work to do on that and I will take his views back to the department.
The Government will support the code by providing the Information Commissioner with a list of minimum standards to be taken into account when designing it. These are similar to the standards proposed by the noble Baroness in Committee. They include default privacy settings, data minimisation standards, the presentation and language of terms and conditions and privacy notices, uses of geolocation technology, automated and semi-automated profiling, transparency of paid-for activity such as product placement and marketing, the sharing and resale of data, the strategies used to encourage extended user engagement, user reporting and resolution processes and systems, the ability to understand and activate a child’s right to erasure, rectification and restriction, the ability to access advice from independent, specialist advocates on all data rights, and any other aspect of design that the commissioner considers relevant.
7.15 pm
The new age-appropriate design code interlocks with the existing data protection enforcement mechanism found in the Bill and the GDPR. The data protection principles apply equally to children and are applied by data controllers on the basis of guidance provided by the commissioner. The GDPR makes clear that children merit specific protection with regard to their personal data as they may be less aware of the risks and consequences. The code will establish the standards required of data controllers to meet this obligation. The status of a statutory code means that any organisation that ignores it is taking a significant legal risk.
The Information Commissioner considers many factors in every regulatory decision, but non-compliance with this code will weigh particularly heavily for a non-compliant website or app maker. Organisations that wish to minimise their risk of being penalised up to £18 million or 4% of global turnover will apply the code; it would be foolhardy not to do so. I hope the noble Lords, Lord McNally and Lord Puttnam, can take some comfort from that. The new code on age-appropriate design will have the same proven enforceability as our codes on direct marketing and data sharing, issues we take extremely seriously. My noble friends Lady Harding and Lord Arbuthnot, the noble Lord, Lord Puttnam, and the noble Baroness, Lady Howe, along with many other noble Lords, have asked in effect whether the codes have teeth. We say that they do.
The principle-based regulatory approach sets few rules so the ICO produces guidance as to how those principles must be observed. Organisations may find alternative ways of meeting the requirements, but will need to demonstrate compliance. If they do nothing, they risk breaking the law. While all ICO guidance has teeth, statutory codes have sharper teeth. They can be used in evidence in any legal proceedings, not only data protection proceedings. In determining a question arising from proceedings, courts and tribunals must take into account any part of the code that appears to them relevant to that question. In carrying out her functions, the Information Commissioner must also take the code into account. When investigating a breach of data protection law, the commissioner has to decide whether the data controller acted reasonably.
In conducting this balancing test, the failure to comply with a statutory code will weigh heavily against the controller. In areas where there is competing guidance such as that produced by self-regulators—for example, the Institute of Fundraising, IPSO and so on—statutory guidance takes precedence.
It is proven to work. The new age-appropriate design code will be the commissioner’s third statutory code. The first was the data sharing code, which was originally provided for in the Coroners and Justice Act 2009 and will be re-enacted by Clause 119 of the Bill. This is a key tool to ensure that data controllers comply with the law. The commissioner asked for her guidance on direct marketing to be given the status of a statutory code to enable tough enforcement. The Government delivered the statutory code in the Digital Economy Act 2017 and it will be re-enacted by Clause 120 of this Bill.
Amendment 111 makes clear that the new code will be laid as soon as possible and no more than 18 months after the passing of the Bill. I have noted the comments of the noble Lord, Lord Stevenson, and I have said that it will be laid as soon as possible. The Information Commissioner, working with the Government, the noble Baroness, Lady Kidron, and a range of concerned stakeholders, will use that time to get it right and to ensure that they are the best possible rules to protect children while allowing them to continue to enjoy the benefits of the internet and be full citizens of the digital age. I hope the House can see that this position has been developed with a concern to ensure that children in the UK are granted a robust data regime so that they can access online services in a way that meets their age and development needs. This is and will remain a top priority for the Government. Again, I thank the noble Baroness for her amendments and, much more importantly in some ways, her leadership on this matter.
Before I leave this, the noble Baroness, Lady Kidron, and the noble Lord, Lord Stevenson, mentioned article 80(2) on representation of data subjects. This is coming up. Our view is that the Data Protection Bill provides sufficient recourse for data subjects by enabling them to give consent to non-profit organisations to represent their interests in the event that their rights have been infringed. As I said, I am sure we will have a chance to debate that on the third day of Report.
While we are very pleased to support the noble Baroness’s Amendments 109, 111, 112 and 114, we also have a number of government amendments in this group. Amendments 110, 113, 115 and 116 are technical amendments to ensure that the noble Baroness’s amendments are correctly stitched into the framework for creating and enforcing codes of practice, consistent with other statutory codes that the commissioner must produce. I will move those amendments.
Finally, we believe that Amendment 117 in the name of the noble Earl, Lord Clancarty, is unnecessary. The sharing of individual-level pupil data is already highly regulated in law, specifically in Section 537A of the Education Act 1996. The Department for Education takes its data protection responsibilities seriously. To comply with the law, it has developed a rigorous process around data sharing of individual records. It does not share data simply because it is lawful to do so; it shares data only where it is both lawful and ethical to do so. As part of the approvals process, officials, including legal experts and senior civil servants with data expertise, assess the application for public benefit, proportionality—ensuring the minimum amount of data is used to meet the purpose—and legal underpinning, and so that the strict information security standards we enforce have been satisfied.
The Department for Education goes to great lengths to be transparent and accountable in data sharing. Since December 2013, it has provided summary information about data sharing requests that have been approved through the existing NPD Data Management Advisory Panel, providing public transparency about the sharing of individual pupil-level data.
In preparation for the GDPR coming into force, the department is actively reviewing its data-sharing processes with third parties to ensure greater security, consistency, accountability and transparency around data sharing. Before May 2018, the department will review its existing arrangements and processes for sharing sensitive personal data to date to ensure they are compliant with the incoming regulations, and review them regularly thereafter. As part of that work and to ensure citizens have even greater oversight of the department’s data, on 14 December the department is publishing an oversight of all DfE external personal-level data sharing to date and will continue to update this publication regularly. In view of this reassurance, I would be grateful if the noble Earl did not press his amendment.