Commons Sense

Hansard-based summaries and metrics

<-- Back to proposed bills

Data Protection and Digital Information (No. 2) Bill - Sitting 3

16 May 2023

Proposing MP
Philip Hollobone Con
Kettering
Type
Public Bill Committee

At a Glance

Issue Summary

The statement addresses Clause 1 of the Data Protection and Digital Information (No. 2) Bill, which introduces a test to help organisations determine whether data is personal or anonymous. The statement discusses the definition of personal data in the Data Protection and Digital Information (No. 2) Bill and its implications on data protection regulations. Philip Hollobone discusses amendments related to data protection for children and the interpretation of scientific research purposes. The speaker discusses concerns about the Data Protection and Digital Information (No. 2) Bill's impact on scientific research and the sharing of personal data, particularly regarding children. The MP is questioning the Government's approach to data protection and assurance regarding companies that process and store UK users' data abroad, particularly mentioning TikTok. Philip Hollobone is discussing the Data Protection and Digital Information Bill, specifically addressing amendments to clause 5 that require controllers to document and publish statements regarding their reliance on 'legitimate interests' for processing personal data. The statement discusses concerns about proposed changes to the lawful basis for data processing under the UK GDPR. The statement addresses concerns about the lawful basis for processing personal data under 'legitimate interests' and proposes changes to ease this burden for certain activities. The statement discusses amendments to extend the period during which former MPs can continue processing sensitive data after elections. Philip Hollobone is discussing the Data Protection and Digital Information (No. 2) Bill and addressing concerns about clause 6 which allows the Secretary of State to amend Annex 2 through secondary legislation. The statement addresses amendments related to personal data reuse and processing in the context of the Data Protection and Digital Information (No. 2) Bill. The statement addresses amendments related to data protection regulations, specifically concerning taxation purposes and data disclosure to non-public bodies. Philip Hollobone is discussing amendments related to data protection regulations in the context of subject access requests and the definition of vexatious or excessive requests. The statement discusses amendments related to subject access requests (SARs) under the Data Protection and Digital Information Bill. MP Philip Hollobone is discussing the Data Protection and Digital Information Bill and its implications on subject access requests. MP John Whittingdale is discussing clause 8 of the Data Protection and Digital Information (No. 2) Bill, which addresses time limits for responding to subject access requests. Philip Hollobone is addressing clause 10 of the Data Protection and Digital Information Bill, which introduces an exemption for legally privileged data in the law enforcement regime.

Action Requested

Clause 1 will create a framework for organisations to confidently use anonymous data for various activities without concern about data protection rules applying to personal data. The clause aims to facilitate data exchange and the benefits of emerging technologies.

Key Facts

  • Clause 1 establishes a test to differentiate between personal and anonymous data.
  • Personal data is subject to data protection rules, while anonymous data is not.
  • Organisations must consider two scenarios to determine if data can be re-identified.
  • The Bill defines personal data where a data subject can be identified by reasonable means at the time of processing.
  • 'Reasonable means' considers time, effort, costs, technology, and resources available to the person.
  • Stakeholders are concerned that this could reduce clarity on what counts as personal data.
  • Amendment 65 aims to require a statutory code of practice on interpreting 'scientific research'.
  • The code must include examples of what constitutes scientific research and ethical standards.
  • Amendment 66 seeks to exempt children's data from being used for commercial processing under the definition of scientific purposes.
  • The Bill focuses on easing regulations for those who hold data rather than promoting safe redistribution and sharing of data.
  • Amendment 65 aims to provide further clarity around the definition of scientific research in clause 2 without preventing genuine research benefits.
  • Amendment 66 seeks to exempt children’s data from being defined as scientific when used for commercial purposes.
  • The government is addressing amendments related to data protection, scientific research, and commercial activity.
  • Clause 2 inserts a definition for processing for scientific research in legislation.
  • TikTok stores UK user data in Singapore and it may be accessed by engineers in China.
  • Amendment 67 would require controllers to publish statements regarding their reliance on 'legitimate interests'.
  • The statement must include which conditions in Annex 1 have been met, the specific processing activities involved, and why this processing is necessary.
  • This amendment aims to enhance transparency and accountability in data protection practices.
  • The current lawful bases include consent, contract, legal obligation, vital interests, public task, and legitimate interests.
  • Consent is the most commonly relied upon basis.
  • A balancing test is required when using legitimate interests as grounds for lawful processing.
  • Amendment 67 aims to retain purpose and necessity tests to prevent conflation of purposes.
  • Which? research highlights consumers' value on control over their data.
  • Clause 5 addresses difficulties in relying on 'legitimate interests' lawful ground.
  • The clause removes the need to balance interests against individuals' rights for certain legitimate activities.
  • Amendment 68 aims to require an impact assessment before adding new activities to the list.
  • Data protection legislation prohibits use of special category data without specific exemptions.
  • Current exemption allows former MPs four days after an election to process sensitive data for casework purposes.
  • New clause extends this period to 30 days beginning with the day after the election.
  • Clause 6 aims to extend the Secretary of State's power to amend Annex 2 via secondary legislation.
  • The amendment would remove these powers from the Secretary of State.
  • Stakeholders like Which? and Defend Digital Me are concerned about the weakening of purpose limitation.
  • Amendment 70 aims to add clarification about legitimate interests in processing personal data.
  • The amendment specifies that such processing must be related to the purposes of assessing or collecting taxes and duties levied by public bodies.
  • Schedule 2 is proposed as a Second schedule to the Bill.
  • Amendment 70 seeks to clarify wording related to taxation purposes.
  • Amendment 71 aims to ensure genuine need for data disclosure to non-public bodies.
  • Amendment 74 would oblige controllers to issue a notice explaining refusal or fee charges.
  • Amendment 73 aims to clarify that lack of staff appointments cannot be used as an excuse for non-compliance with subject access requests.
  • Amendment 72 requires the ICO to produce a code of practice defining vexatious and excessive requests, including examples of troublesome but not vexatious or excessive requests.
  • Currently, everyone has the right to ask an organisation whether it is using or storing personal data.
  • Stakeholders recognise the value of SARs in helping individuals understand how and why their data is being used.
  • The Bill introduces a new threshold allowing controllers to charge a reasonable fee or refuse requests if they are deemed 'vexatious or excessive'.
  • Controllers must consider factors such as the nature of the request, relationship with the subject, resources available, previous requests, extent of overlap, and time elapsed when deciding on vexatiousness.
  • Concerns exist that without further guidance, controllers may abuse the terms to refuse valid SARs.
  • The ICO is in a position to provide clear statutory guidance.
  • Amendment 73 aims to ensure controllers cannot claim a request is excessive simply due to resource neglect.
  • Clause 7 places power with the controller to decide whether a request is vexatious or excessive.
  • The Bill changes wording from 'manifestly unfounded or excessive' to 'vexatious or excessive'.
  • Parameters include considering the nature of the request and the relationship between the data subject and controller.
  • Examples of vexatious requests are those intended to cause distress, not made in good faith, or that abuse process.
  • Clause 8 enables organisations to 'stop the clock' on response times when further information is needed from a data subject.
  • It allows law enforcement and intelligence services to extend their response period by up to two additional months in certain complex cases.
  • The Information Commissioner's Office can be complained to if a request has not been processed within appropriate time limits.
  • Clause 10 introduces an exemption relating to legally professionally privileged data into the law enforcement regime.
  • The existing exemption in the UK GDPR restricts an individual’s right to access personal data processed or held by an organisation.
  • The new exemption will make it simpler for organisations to exempt legally privileged information without justifying its use on a case-by-case basis.
Assessment & feedback
Summary accuracy