My Lords, I turn now to an issue that is pertinent to us all: parliamentary privilege. I am sure that noble Lords will agree that it is paramount that both this House and the other place continue to be safeguarded in their processing of personal data in connection with parliamentary proceedings.
This issue was raised in previous debates by the noble and learned Lord, Lord Brown of Eaton-under-Heywood, to whom I am very grateful. Those debates influenced our thinking on how the Bill currently provides for parliamentary activity, and I am pleased to announce that the amendments in this group have been tabled to ensure that privileges under the current law will not disappear when we enter the new data protection framework.
I will start with Amendments 5 to 8. Amendments 5 to 7 restrict information, assessment and enforcement notices served by the commissioner from requiring a person to comply with the notice if compliance would involve infringing the privileges of either House of Parliament. Put simply, the commissioner’s notices are “switched off” where there would be an infringement of parliamentary privilege. Amendment 8 prevents the commissioner giving the House a penalty notice with respect to the processing of personal data by or on behalf of the House. These amendments have been tabled to ensure that parliamentary proceedings will not be impeded by the commissioner and that Parliament will maintain the freedom to do its work that it currently enjoys.
Amendments 9 to 13 relate to criminal liability and seek to prevent corporate officers of either House of Parliament being liable to prosecution as a data controller. This is the current position in the Data Protection Act 1998, and our amendments seek to clarify the Government’s intention to maintain the effect of Section 63A of the 1998 Act. The amendments also make equivalent provision for government departments and data controllers for the Royal Household.
It should be noted, however, that these provisions do not prevent corporate officers being liable for their own conduct when acting as data controllers on behalf of either House, for government departments or for the Royal Household. This maintains the current position, and we believe that it is an important safeguard that allows full parliamentary privilege while balancing the rights of data subjects.
Amendments 14 and 15 revert to the current position under the Data Protection Act 1998 in relation to the processing that is necessary for the functions of the Houses of Parliament or for the administration of justice by removing the additional “substantial public interest” test. On reflection, we could not see how such processing would not be in the substantial public interest, so the test appeared redundant. On that basis, the Houses of Parliament will have to consider simply whether processing is necessary for the purposes of their functions, as is the position now.
Amendments 20 and 21 make a corresponding amendment to Schedule 8, where processing is necessary for the administration of justice under the provisions in Part 3 for law-enforcement processing, to maintain a consistent approach across the Bill.
Amendment 18 is to Schedule 2 and extends the exemptions from the GDPR relating to parliamentary privilege to include an exemption from article 34(1) and article 34(4) of the GDPR. Article 34 requires controllers to communicate a personal data breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of the subject. The amendment excludes this requirement from applying to parliamentary proceedings and also restricts the ability of the commissioner to oblige either House to comply with it.
I hope that the House will agree that these amendments, taken as a package, will ensure that there will be no chilling effect on the functions of Parliament and will restore the regime that applies under the Data Protection Act 1998. It has the approval of the House authorities. I beg to move.