Data Protection Bill: Summary of government amendments for House of Commons Public Bill Committee tabled on 6 March 2018


Part 1 - Preliminary

Referencing corrections (technical amendments)
Amendments: 1 2 3 4 5 6 (Clause 3), 69 (Clause 184)

Chapter 2 of Part 2 applies to processing to which the GDPR applies. Chapter 3 of Part 2 applies the GDPR to certain processing to which the GDPR does not automatically apply. Clause 3(14) of the Bill provides that references to the GDPR in Parts 5-7 include the GDPR as applied by Chapter 3 of Part 2. These technical amendments ensure that there is consistency in language and meaning in the way this operates.

Part 2 - General processing

Defining public authorities (technical amendments)
Amendments: 7 8 18 19 (Clause 7, Clause 30), 62 (Clause 179)

The Bill adopts the definition of public authorities in the Freedom of Information Act, though there is also a power to allow bodies included for the purpose of Freedom of Information to be discounted for the purpose of data protection.

In addition to specifying bodies, 1 to the Freedom of Information Act includes descriptions of persons, eg. a government department, different types of authority (eg. a local authority, a fire and rescue authority, an NHS foundation trust), a body corporate established pursuant to a particular provision of legislation, a person providing particular services (eg. local pharmaceutical services). The Bill allows certain bodies to be specified to take out of the public authority definition, but it does not allow the to be described. These technical amendments address this omission. The amendments to clause 30 are for consistency.

It has been identified that the power in clause 7 that allows persons to be added to the list of bodies may adversely affect a particular member or members of a class but not the whole of the class. Consequently a dehybridising amendment is required to clause 179.

Democratic engagement
Amendments: 9 (Clause 8)

This amendment ensures that it is clear that processing for the purposes of promoting democratic engagement is in the public interest, one of the requirements for personal data to be processed under Article 6(1)(e) of the GDPR.

Time limit consistency with GDPR (technical amendments)
Amendments: 10 11 12 23 24 41 42 (Clause 14, Clause 50, Clause 97)

The Bill gives controllers 21 days to respond to requests to reconsider automated decisions. This is less than the minimum time limit set by GDPR. Article 12(3) of the GDPR allows up to a month, extendable in exceptional cases. Amendments will bring the Bill into line with the GDPR. To maintain consistency, similar amendments will be made to Parts 3 and 4 of the Bill (clauses 50 and 97).

Exemptions from requirement to give notice of breaches to protect integrity of investigations
Amendments: 13 14 94 110 (Clause 15)

Article 34 of the GDPR requires data controllers to communicate personal data breaches if it is likely to give rise to a high risk to the rights and freedoms of natural persons. Where a person is the subject of a criminal or media investigation, this requirement could notify that person about the investigation. This would undermine the continuing effectiveness of any such investigation. These amendments add Article 34 to the list of GDPR provisions that may be disapplied by paragraph 2(1) (crime and taxation) and paragraph 24(9) (special purposes) of. Data controllers will still be required to notify the Information Commissioner of breaches and may face appropriate enforcement action if they fail to adequately protect personal data.

The national accreditation body (technical amendment)
Amendments: 15 (Clause 17)

Clause 17 refers to "the national accreditation authority", which is undefined. This amendment corrects this to refer to "the national accreditation body", which is already defined in subsection (8).

Medical research (technical amendment)
Amendments: 16 (Clause 19)

Article 89 of the GDPR creates certain requirements for data controllers to satisfy when conducting research. Clause 19 imposes additional conditions with an exception for processing for approved medical research. This technical amendment ensures that the exception applies for research approved by a special health and social care agency established under Article 3 of the Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990.

Consistency of language (technical amendments)
Amendments: 17 20 22 (Clause 25, Clause 41, Clause 47)

Amendments 17 and 20 substitute "individual" with "data subject" in clauses 25 and 41. These are technical amendments for consistency with references elsewhere in the Bill. Amendment 22 is a drafting amendment to change a reference to a "data controller" into a reference to a "controller" to reflect the approach elsewhere in the Bill.

Parts 3 and 4 - law enforcement and intelligence services processing

Time limits (technical amendments)
Amendments: 21 29 30 31 32 33 34 35 36 37 38 39 40 43 44 45 46 48 49 53 55 56 59 71 92 107 108 111 113 114 118 119 120 121 123 124 125
(Clause 42, Clause 54, Clause 94, Clause 99, Clause 124, Clause 125, Clause 143, Clause 146, Clause 149, Clause 164, Clause 198, 1 3 5 11 16)

A series of technical amendments to allow for consistency of approach to defined time periods that differ between EU law and domestic law.

Amendments: 25 26 27 28 (Clause 51, Clause 53)

Exercise of rights through the Commissioner (technical amendments)

As Part 3 of the Bill stands, a data subject could complain to the ICO that their access rights have been restricted, following which the ICO would investigate and inform the data subject whether or not the processing of their personal data was lawful. By confirming whether or not the processing of personal data behind the restriction is lawful, the current draft would effectively nullify any "neither confirm nor deny" response that was provided to the data subject, for example by the police, when their rights were restricted. There is a risk this could be used by data subjects to determine whether or not a law enforcement agency is processing their data, thereby tipping them off that they are the subject of an investigation.

Charges for manifestly unfounded or excessive requests (technical amendments)

Requests for access to data are not chargeable under the GDPR and Law Enforcement Directive unless manifestly unfounded or excessive. The Bill allows data controllers to charge for manifestly unfounded or excessive requests to exercise data rights and these amendments ensure that unfounded and excessive requests in relation to automated processing are also chargeable.

Part 5 - The Information Commissioner

Data of national significance
Amendments: 47 122 (Clause 121, 13)

These provisions were inserted by amendments made in the Lords that were not supported by the government. A register and code of practice on data of national significance are not considered necessary.

Part 6 - Enforcement

Inquiry into news publishers and litigation costs
Amendments: 50 60 61 72 (Clause 142, Clause 168, Clause 169, Clause 205)

These provisions were inserted by amendments made in the Lords that were not supported by the government. The government has since published a response to its recent consultation setting out its position. These provisions inserted by the Lords are not considered necessary.

Data processing by households (technical amendments)
Amendments: 51 52 54 58 126 (Clause 143, Clause 159, 16)

The GDPR does not apply to the processing of personal data in the course of a purely personal or household activity. These amendments are necessary to clarify that the Information Commissioner may investigate to see if the household exemption applies (eg, to inspect if a household CCTV system is directed at private property of the public highway or other private property beyond the controller's property boundary).

Penalty notices (technical amendment)
Amendments: 57 (Clause 154)

The Information Commissioner may consider the damage suffered by data subjects when considering whether to give a penalty. Damage is a matter found across the Bill. To ensure consistency an amendment is needed to additionally refer to distress.

Part 7 - Supplementary

Representation of data subjects by not for profit bodies
Amendments: 63 64 65 66 67 68 73 74 115 NC1 NC2 (Clause 183, Clause 207, 6, New Clause, New Clause)

These amendments provide for a review of provision on representation of data subjects as well as a power to implement Article 80(2) of the GDPR at a later date. This would allow not for profit bodies to initiate litigation on data subjects' behalf without needing their mandate ("opt-in"). Additionally these amendments provide a power to make provision and implement procedures allowing not for profit bodies to bring one claim on behalf of multiple individuals. This relates to provision already included in the Bill.

Definition of UK government department (technical amendment)
Amendments: 70 (Clause 198)

Clause 185 (Framework for data processing by government) and 7 (Competent Authorities) include a reference to a "UK government department", whilst clause 198 includes an overarching definition of "government department" for the purposes of the Bill. This technical amendment will avoid any confusion by making it clear these two different terms are not related. The term "UK government department" excludes functions of devolved administrations.

Financial resolution (technical amendment)
Amendments: 75 (Clause 208)

Following second reading in the House of Commons on 5 March 2018 a financial resolution was agreed. In consequence, this amendment removes the standard form financial privilege Lords amendment.

s

Data processing conditions (technical amendments)

The following amendments resolve technical points identified by stakeholders in the drafting:

1. Amendments: 76 79 80 82 90 (1)
As a safeguard, where data controllers processing sensitive data are reliant on necessity in the substantial public interest, they are required to record their procedures in a policy document. In the government's view, where a data controller only wishes to process data to prevent or detect crime on a one-off or occasional basis, this may be disproportionate. Amendments 76 to 82 remove this requirement for such instances. Similarly, persons tipping off a sports body or association with anti-doping concerns should not need a policy document and amendment 90 seeks to make this change.

2. Amendments: 81 (1)
The Bill allows private companies (in particular in the financial services sector) to screen against UK laws such as the Proceeds of Crime Act to help financial institutions identify customers suspected of money laundering etc., but they may not screen against widely-recognised sectoral guidelines, for example, like those promulgated by the Financial Action Task Force (FATF). This amendment corrects that omission.

3. Amendments: 88 (1)
The Bill enables the processing of the data of relatives of members of pension schemes. This amendment will limit the processing condition to data concerning health relating to certain relatives of a member of the scheme.

4. Amendments: 91 (1)
This is a technical correction to remove duplication of processing conditions.

Data processing for diversity in recruitment
Amendments: 77 78 (1)

Data on race is subject to special protections under the GDPR, limiting the ability of recruitment consultants and organisations themselves to process this data as part of efforts to ensure businesses and other organisations such as charities meet their commitments to have a diverse workforce. This amendment enables recruiters to process this kind of data appropriately.

Data processing by patient support groups
Amendments: 83 87 89 (1)

Patient support groups provide services to those suffering from (typically rare) diseases or other medical conditions. The GDPR will make it more difficult for UK-based groups to go about their work. These amendments, sought in the House of Lords by Baroness Neville-Jones, ensure support groups may continue their data processing. Amendments 87 and 89 are consequential.

Amendments: 84 85 86 116 117 93 95 109 (1 8 10)

Data processing for safeguarding

This amendment is to provide greater clarity on the face of the Bill that front-line practitioners and others can lawfully process personal data by retaining records and sharing information with statutory agencies, such as the police, for the purpose of safeguarding children and vulnerable adults.

Exemptions from data rights (technical amendments)

The following amendments resolve technical points identified by stakeholders in the drafting:

1. Article 19 of the GDPR requires data controllers to give notice when responding to a request for rectification, erasure or restriction. It was originally considered unnecessary to additionally exempt controllers from this Article, if they were already exempted from the underlying rights to rectification, erasure and restriction. The government has since been provided examples of where it may be necessary to prevent notification separately from the underlying right, for example in a scenario where a bank has passed information about one of its customers to a law enforcement agency, such as the NCA, due to suspected fraud. The customer asks for their data to be updated, such as an address, which would trigger the bank having to inform the data subject that they have passed on the new details to the NCA. This would tip off the customer that they are being suspected of fraud. By relying on an A19 exemption, the bank would not be required to notify the customer who they have shared their data with.

2. Amendments: 96
This is a technical correction needed to row 2 of paragraph 7 of to disapply GDPR rights where it would be likely to prejudice the vetting and integrity checks.

3. Amendments: 97 98 99 100 101 102 103 104 105
These amendments deal with exemptions for the purpose of regulatory functions. An exemption is added for the National Audit Office (NAO) to ensure the GDPR can be disapplied to prevent interference with its audit functions. Similarly amendments add exemptions for the Bank of England, Charity Commission, Scottish Information Commissioner and the Financial Conduct Authority into (under Article 23 of the GDPR) which captures their full functions. (The remit of the Scottish Information Commissioner is for Freedom of Information only).

Amendments: 106 112 127 128 (3 17)

4. These are technical amendments to paragraph 16 of 3 to expand the types of educational records which can be processed without consent to include records processed by or on behalf of the proprietor or trustees of an independent school in Northern Ireland.

Health records (technical amendments)

Clause 181 makes it an offence to circumvent data protection by requiring a person to obtain and hand over health and criminal records data in connection with employment or the provision of services unless there is an enactment or other legal basis to authorise it. The offence only applies in respect of "relevant records" as defined in 17 but the definition of "relevant health records" has not been limited to health records obtained via a subject access request (as for other types of "relevant records"). These amendments will correct this omission.

Department for Digital, Culture, Media and Sport
7 March 2018