The Bishop of St Albans spoke in a debate at the second reading of the Data Protection and Digital Information Bill on 19th December 2023, raising concerns about the expansion of police access to and use of personal data:
The Lord Bishop of St Albans: My Lords, I too welcome the noble Lord, Lord de Clifford, and look forward to his maiden speech. We on these Benches appreciate that there is a need for updated data protection legislation in order to keep up with the many technological advances that are taking place and, wherever possible, to simplify the processes for data processing. From this perspective, we welcome the Government’s ambition to remove unnecessary red tape and to support British businesses and our economy. However, as ever, these priorities need to be balanced alongside appropriate security of new legislation and we must ensure that there are appropriate safeguards in the Bill to protect human rights that are fundamental to our democracy.
I have been struck by just how many briefing papers I have received from the most extraordinarily diverse group of organisations. One thing that many of them highlight is the fact that, for many businesses that operate between the UK and the EU, this new legislation is no guarantee of simplified data processing. In fact, with the increased divergence between UK and EU data protection that this Bill will bring, it is worrying that we may struggle to work more closely with the EU. Working to two different standards and trying to marry two frameworks that are far less aligned does not sound like less red tape, nor does it sound particularly pro-business.
However, there is an important point in respect of the stated aims of the Bill. There are serious concerns from businesses, organisations and civil society groups across a wide range of sectors about the weakening of data protection law under this new Bill. Clause 1(2) tightens the definition of personal data, meaning that only data that could allow a processor or another party to identify the individual by
“reasonable means at the time of processing”
would count as personal data and be protected by law. As many others have drawn attention to, the use of the phrase “reasonable means” is imprecise and troubling. This will need to be more clearly defined as a minimum or the clause revoked altogether. “Reasonable means” would include the cost of identifying the individual, as well as the time, effort and other factors besides. This would allow organisations to assess whether they have the resources to identify an individual, which would be an extremely subjective test, to say the least, and puts the power firmly in the hands of data processors when it comes to defining what is or is not personal data.
As an example, GeneWatch has highlighted that, under the new Bill, some genetic information will no longer be classed as “personal data” and safeguarded as such, allowing the police and security services to access huge amounts of the public’s genetic information without needing to go to court or to justify the requirement for this data. Crucially, data protection legislation should define what is or is not personal data by the type of data it is, not by how easy or feasible it may be for an organisation or third party to use that data to identify an individual at every given point. Personal data rights must continue to be protected in this country and in our law.
The new Bill also provides vastly expanded powers to the police and security services via Clause 19 and Clauses 28 to 30. As I read them, on the surface they do not look as though they provide proper accountability; perhaps the Minister can reassure me on that. Clause 19 would review the requirement in the Data Protection Act 2018 for the police to justify why they have accessed an individual’s personal data. Clauses 28 to 30 allow the Home Secretary to authorise the police so that they do not need to comply with certain data protection laws via a national security certificate; this would give the police immunity even if they commit what would otherwise be a crime.
Taken together, these two measures give an extraordinary amount of unchecked power to the police and security services. With the amended approach to national security certificates, the police could not be challenged before the courts for how and why they had accessed data, so there would be no way to review what the Government are doing here or ensure that abuses of these powers do not take place. Can the Minister explain how such measures align with the democratic values on which this country and government are based?
The National AIDS Trust has been involved in cases where people living with HIV have had their HIV status shared, without their consent, by police officers, with a huge impact on the life of the individual in question. This is a serious breach of current data protection law. We must ensure that police officers are still required to justify why they have accessed specific personal data, as this evidence is vital in cases of police misconduct.
I am aware that there are many other concerns about this Bill. Noble Lords have touched on some of them, not least around online pornography, gambling and other matters that I hope other noble Lords will pick up on. In particular, there are doubts around the Bill’s compliance with the European Convention on Human Rights. We in this House must do our duty to properly scrutinise and, wherever necessary, amend this Bill to ensure that we have the proper legislation in place to protect and safeguard our data. I look forward to working with Ministers and Members of this House when we move into Committee on this Bill.
Extracts from the speeches that followed:
Lord McNally (LD): The right reverend Prelate the Bishop of St Albans referred to the benefits of the wide-ranging briefings that we received prior to today’s debate. Let me assure the authors that none of them will go to waste as we move into Committee. As well as dealing with the mundane and the practical, we have to take seriously the advice contained in one briefing, which read:
“At a time of advancing AI-driven surveillance, and when public concerns over measures such as facial recognition technology are heightened, removing oversight and accountability could have serious implications for public trust in policing”.
This warning could apply to almost any sector, service or industry covered by the Bill. Two quotes leap out to me from the excellent Lords Library briefing on the Bill, which has been referred to. One comes from the Information Commissioner, who calls for a regulator that is “trusted, fair and independent”, and the other comes from techUK, which calls for a Bill that will
“help spur competition and innovation in the market, whilst empowering consumers and delivering better outcomes”.
Riding those two horses at once is now the task before us.
Baroness Uddin (Non-Afl): The Bill removes the reporting obligations of the Biometric and Surveillance Camera Commissioner’s role on appropriate surveillance use, as has been stated to Parliament and the public, which endangers visibility and the accountability of police activities. This gives extensive powers in relation to the causes raised by the right reverend Prelate the Bishop of St Albans. The Bill must therefore retain the surveillance camera code of practice, which is essential for public trust.
The Bill gives the Secretary of State broad powers to amend our data protection laws via statutory instrument without adequate scrutiny by Parliament. Many fear that such extensive powers cannot possibly be for the public good, given the records of all Governments, be it with regard to the manipulation of facts or institutional profiling of black and other minoritised communities adversely used in the name of national security. This will simply not be accepted by today’s digitalised generation, and the proposition that such information can be held indefinitely without remedy or recourse to justice cannot bode well for our nations.
At a glance, the UK GDPR sets out seven principles, including integrity and accountability. These fundamental rights for citizens cannot be guaranteed under the Bill as it is now. I look forward to all of us making the necessary changes to make better laws for public good.
Lord Clement-Jones (LD): As we have heard from all around the House, the Bill dilutes where it should strengthen the rights of data subjects. We can then all agree on the benefits of data sharing without the risks involved. The Equality and Human Rights Commission is clearly of that view, alongside numerous others, such as the Ada Lovelace Institute and as many as 26 privacy advocacy groups. Even on the Government’s own estimates, the Bill will have a minimal positive impact on compliance costs—in fact, it will simply lead to companies doing business in Europe having to comply with two sets of regulations.
I will be specific. The noble Lord, Lord Davies of Brixton, set out the catalogue, and I will go through a number of areas where I believe those rights are being diluted. The amended and more subjective definition of “personal data” will narrow the scope of what is considered personal data, as the right reverend Prelate the Bishop of St Albans pointed out. Schedule 1 sets out a new annexe to the GDPR, with the types of processing activities that the Government have determined have a recognised legitimate interest and will not require a legitimate interest human rights balancing test to be carried out. Future Secretaries of State can amend or add to this list of recognised legitimate interests through secondary legislation. As a result, as the noble Baroness, Lady Bennett, pointed out, it will become easier for political parties to target children as young as 14 during election campaigns, even though they cannot vote until they are 16 or 18, depending on the jurisdiction.
Lord Bassam of Brighton (Lab): The Bill fails to build on the important safeguards and protections that have been hard won by others in other fields of legislation covering the digital world, in particular, about the use of personal data that we want to see upheld and strengthened. The noble Baroness, Lady Kidron, made an inspired speech, pleading with us to hold the Government’s feet to the fire on this issue and others.
The Bill also fails to provide the simplicity and certainty that businesses desire, given that it is vital that we retain our data adequacy status with the EU. Therefore, businesses will find themselves navigating two similar but, as others have said, divergent sets of rules, a point well made by the right reverend Prelate the Bishop of St Albans and the noble Lords, Lord Vaux and Lord Kirkhope. In short, it feels like a temporary holding position rather than a blueprint for reform, and I suspect that, all too soon, we will be back here with a new Bill—perhaps a data protection (No. 3) Bill—which will address the more profound issues at the frontier of data use.
Viscount Camrose (Con): I also hear the concerns of the right reverend Prelate the Bishop of St Albans, the noble Lord, Lord Vaux, and the noble Baroness, Lady Young, on surveillance, police powers and police access to data. Abolishing the Surveillance Camera Commissioner will not reduce data protection. The role overlaps with other oversight bodies, which is inefficient and confusing for police and the public. The Bill addresses the duplication, which means that the ICO will continue to regulate data processing across all sectors, including policing. The aim is to improve effective independent oversight, which is key to public confidence. Simplification through consolidation improves consistency and guidance on oversight, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication.
The Church of England in Parliament 
You must be logged in to post a comment.