|
|
| |
| |
|
| |
| |
| Data Protection Bill [Lords]
|
|
| [Third and Fourth Sittings]
|
|
| |
| This document shows the fate of each clause, schedule, amendment and new clause. |
|
| The following terms are used: |
|
| Agreed to: agreed without a vote. |
|
| Agreed to on division: agreed following a vote. |
|
| Negatived: rejected without a vote. |
|
| Negatived on division: rejected following a vote. |
|
| Not called: debated in a group of amendments, but not put to a decision. |
|
| Not moved: not debated or put to a decision. |
|
| Question proposed: debate underway but not concluded. |
|
| Withdrawn after debate: moved and debated but then withdrawn, so not put to a decision. |
|
| Not selected: not chosen for debate by the Chair. |
|
| |
| |
| |
| | Negatived on division 152 |
|
| Schedule 6, page 179, line 17, leave out paragraph 2 (as inserted by paragraph 49) |
|
| |
| | “2 | The Commissioner must, in carrying out the Commissioner’s functions under |
|
| | this Regulation, incorporate with any modifications which he or she considers |
|
| | necessary in any guidance or code of practice which the Commissioner issues, |
|
| | decisions, advice, guidelines, recommendations and best practices issued by |
|
| | the European Data Protection Board established under Article 68 of the GDPR. |
|
| | 2A | The Commissioner must, in carrying out the Commissioner’s functions under |
|
| | this Regulation, have regard to any implementing acts adopted by the |
|
| | Commission under Article 67 of the GDPR (exchange of information).” |
|
|
|
| |
| |
|
| |
| | |
| Schedule 6, page 180, line 2, leave out sub-paragraph (b) and insert— |
|
| | “(b) | in paragraph 2, for “Member States” substitute “The Secretary of State”; |
|
| | (c) | after that paragraph insert— |
|
| | “3 | The power under paragraph 2 may only be exercised by |
|
| | making regulations under section (Duty to review provision |
|
| | for representation of data subjects) of the 2018 Act.” |
|
| | Schedule, as amended, Agreed to. |
|
| | Clauses 23 and 24 Agreed to. |
|
| |
| |
| | |
| Clause 25, page 15, line 40, leave out “individual” and insert “data subject” |
|
| | Clause, as amended, Agreed to. |
|
| | |
| |
| |
| |
| |
| |
| | Negatived on division 161 |
|
| Clause 27, page 17, line 2, leave out subsection (1) and insert— |
|
| | | “A Minister of the Crown must apply to a Judicial Commissioner for a certificate, |
|
| | if exemptions are sought from specified provisions in relation to any personal |
|
| | data for the purpose of safeguarding national security.” |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 5, at end insert— |
|
| | “(1A) | The decision to issue the certificate must be— |
|
| | (a) | approved by a Judicial Commissioner, |
|
| | (b) | laid before Parliament, |
|
| | (c) | published and publicly accessible on the Information Commissioner’s |
|
| | |
| | (1B) | In deciding whether to approve an application under subsection (1), a Judicial |
|
| | Commissioner must review the Minister’s conclusions as to the following |
|
| | |
|
|
| |
| |
|
| | (a) | whether the certificate is necessary on relevant grounds, |
|
| | (b) | whether the conduct that would be authorised by the certificate is |
|
| | proportionate to what it sought to be achieved by that conduct, and |
|
| | (c) | whether it is necessary and proportionate to exempt all provisions |
|
| | specified in the certificate.” |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, leave out lines 6 to 8 and insert— |
|
| | “(2) | An application for a certificate under subsection (1)— |
|
| | (a) | must identify the personal data to which it applies by means of a detailed |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 9, leave out subsection (2)(b) |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 9, at end insert— |
|
| | “(c) | must specify each provision of this Act which it seeks to exempt, and |
|
| | (d) | must provide a justification for both (a) and (b).” |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 10, leave out “directly” and insert “who believes they are |
|
| |
|
|
| |
| |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 12, leave out “, applying the principles applied by a court |
|
| on an application for judicial review,” |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 13, leave out “the Minister did not have reasonable |
|
| grounds for issuing” and insert “it was not necessary or proportionate to issue” |
|
| |
| |
| |
| |
| |
| |
| | |
| Clause 27, page 17, line 16, at end insert— |
|
| | “(4A) | Where a Judicial Commissioner refuses to approve a Minister’s application for a |
|
| | certificate under this Chapter, the Judicial Commissioner must give the Minister |
|
| | of the Crown reasons in writing for the refusal. |
|
| | (4B) | Where a Judicial Commissioner refuses to approve a Minister’s application for a |
|
| | certificate under this Chapter, the Minister may apply to the Information |
|
| | Commissioner for a review of the decision. |
|
| | (4C) | It is not permissible for exemptions to be specified in relation to— |
|
| | (a) | Chapter II of the applied GDPR (principles)— |
|
| | (i) | Article 5 (lawful, fair and transparent processing), |
|
| | (ii) | Article 6 (lawfulness of processing), |
|
| | (iii) | Article 9 (processing of special categories of personal data), |
|
| | (b) | Chapter IV of the applied GDPR— |
|
| | (i) | GDPR Articles 24 – 32 inclusive, |
|
| | (ii) | GDPR Articles 35 – 43 inclusive, |
|
| | (c) | Chapter VIII of the applied GDPR (remedies, liabilities and penalties)— |
|
| | (i) | GDPR Article 83 (general conditions for imposing |
|
| | |
| | (ii) | GDPR Article 84 (penalties), |
|
| | (d) | Part 5 of this Act, or |
|
| | |
| | |
|
|
| |
| |
|
| | Clauses 28 and 29 Agreed to. |
|
| |
| |
| | |
| Clause 30, page 19, line 4, after “specified” insert “or described” |
|
| |
| | |
| Clause 30, page 19, line 10, leave out from “add” to end of line and insert “or |
|
| remove a person or description of person” |
|
| | Clause, as amended, Agreed to. |
|
| | |
| | Clauses 31 to 34 Agreed to. |
|
| |
| |
| |
| |
| |
| |
| |
| | |
| Clause 35, page 21, line 29, leave out subsections (6) and (7). |
|
| | |
| |
| |
| | |
| Schedule 8, page 184, line 32, at end insert— |
|
| | “Safeguarding of children and of individuals at risk |
|
| | 3A (1) | This condition is met if— |
|
| | (a) | the processing is necessary for the purposes of— |
|
| | (i) | protecting an individual from neglect or physical, mental or |
|
| | |
| | (ii) | protecting the physical, mental or emotional well-being of an |
|
| | |
| | |
| | |
| | (ii) | aged 18 or over and at risk, |
|
|
|
| |
| |
|
| | (c) | the processing is carried out without the consent of the data subject for |
|
| | one of the reasons listed in sub-paragraph (2), and |
|
| | (d) | the processing is necessary for reasons of substantial public interest. |
|
| | (2) | The reasons mentioned in sub-paragraph (1)(c) are— |
|
| | (a) | in the circumstances, consent to the processing cannot be given by the |
|
| | |
| | (b) | in the circumstances, the controller cannot reasonably be expected to |
|
| | obtain the consent of the data subject to the processing; |
|
| | (c) | the processing must be carried out without the consent of the data |
|
| | subject because obtaining the consent of the data subject would |
|
| | prejudice the provision of the protection mentioned in sub-paragraph |
|
| | |
| | (3) | For the purposes of this paragraph, an individual aged 18 or over is “at risk” if |
|
| | the controller has reasonable cause to suspect that the individual— |
|
| | (a) | has needs for care and support, |
|
| | (b) | is experiencing, or at risk of, neglect or physical, mental or emotional |
|
| | |
| | (c) | as a result of those needs is unable to protect himself or herself against |
|
| | the neglect or harm or the risk of it. |
|
| | (4) | In sub-paragraph (1)(a), the reference to the protection of an individual or of |
|
| | the well-being of an individual includes both protection relating to a particular |
|
| | individual and protection relating to a type of individual.” |
|
| | Schedule, as amended, Agreed to. |
|
| | Clauses 36 to 40 Agreed to. |
|
| |
| |
| | |
| Clause 41, page 23, line 34, leave out “an individual” and insert “a data subject” |
|
| | Clause, as amended, Agreed to. |
|
| |
| |
| | |
| Clause 42, page 24, line 29, leave out “with the day” and insert “when” |
|
| | Clause, as amended, Agreed to. |
|
| | Clauses 43 to 46 Agreed to. |
|
| |
|
|
| |
| |
|
| |
| | |
| Clause 47, page 28, line 20, leave out second “data” |
|
| | Clause, as amended, Agreed to. |
|
| | Clauses 48 and 49 Agreed to. |
|
| |
| |
| |
| |
| |
| |
| |
| | |
| Clause 50, page 30, line 5, at end insert “, and |
|
| | (c) | it does not engage the rights of the data subject under the Human Rights |
|
| | |
| |
| | |
| Clause 50, page 30, line 11, leave out “21 days” and insert “1 month” |
|
| |
| | |
| Clause 50, page 30, line 17, leave out “21 days” and insert “1 month” |
|
| | Clause, as amended, Agreed to. |
|
| |
| |
| | |
| Clause 51, page 31, line 2, leave out from first “the” to end of line 3 and insert |
|
| “restriction imposed by the controller was lawful;” |
|
| |
| | |
| Clause 51, page 31, line 11, leave out from first “the” to end of line 12 and insert |
|
| “restriction imposed by the controller was lawful;” |
|
| | Clause, as amended, Agreed to. |
|
| | |
| |
|