|
|
| |
| |
|
| |
| given up to and including |
|
| |
| New Amendments handed in are marked thus  |
|
| Amendments which will comply with the required notice period at their next appearance
|
|
| Amendments tabled since the last publication: 129 to 170 and NC3 to NC16 |
|
| |
| Data Protection Bill [Lords]
|
|
| |
| | This document includes all amendments tabled to date and includes any |
|
| | withdrawn amendments at the end. The amendments have been arranged in |
|
| | accordance with the Order to be proposed by Margot James. |
|
| |
| |
| | To move, That the Bill be considered in the following order, namely, Clauses 1 to 10, |
|
| | Schedule 1, Clauses 11 to 15, Schedules 2 to 4, Clauses 16 and 17, Schedule 5, Clauses |
|
| | 18 to 22, Schedule 6, Clauses 23 to 30, Schedule 7, Clauses 31 to 35, Schedule 8, Clauses |
|
| | 36 to 86, Schedules 9 and 10, Clauses 87 to 112, Schedule 11, Clauses 113 and 114, |
|
| | Schedule 12, Clauses 115 and 116, Schedule 13, Clauses 117 and 118, Schedule 14, |
|
| | Clauses 119 to 153, Schedule 15, Clause 154, Schedule 16, Clauses 155 to 181, Schedule |
|
| | 17, Clauses 182 to 204, Schedule 18, Clauses 205 to 208, new Clauses, new Schedules, |
|
| | remaining proceedings on the Bill. |
|
| |
| |
| | That, subject to the discretion of the Chair, any written evidence received by the |
|
| | Committee shall be reported to the House for publication. |
|
| |
|
|
| |
| |
|
| |
| | |
| Clause 3, page 2, line 25, leave out “personal data” and insert “information” |
|
| | Member’s explanatory statement
|
|
| | This amendment and Amendment 2 enable the definition of “processing” to be used in relation to |
|
| | any information, not just personal data. |
|
| |
| | |
| Clause 3, page 2, line 26, leave out “personal data, or on sets of personal data” and |
|
| insert “information, or on sets of information” |
|
| | Member’s explanatory statement
|
|
| | See the explanatory statement for Amendment 1. |
|
| |
| | |
| Clause 3, page 2, line 41, after “83” insert “and see also subsection (14)(c)” |
|
| | Member’s explanatory statement
|
|
| | This amendment is consequential on Amendment 6. |
|
| |
| | |
| Clause 3, page 3, line 27, at end insert — |
|
| | “(aa) | references to Chapter 2 of Part 2, or to a provision of that Chapter, include |
|
| | that Chapter or that provision as applied by Chapter 3 of Part 2;” |
|
| | Member’s explanatory statement
|
|
| | This amendment makes clear that references to Chapter 2 of Part 2 in Parts 5 to 7 of the bill |
|
| | include that Chapter as applied by Chapter 3 of Part 2. |
|
| |
| | |
| Clause 3, page 3, line 28, leave out “processing and personal data are to processing |
|
| and personal data” and insert “personal data, and the processing of personal data, are to |
|
| personal data and processing” |
|
| | Member’s explanatory statement
|
|
| | This amendment is consequential on Amendment 1. |
|
| |
| | |
| Clause 3, page 3, line 29, at end insert — |
|
| | “(c) | references to a controller or processor are to a controller or processor in |
|
| | relation to the processing of personal data to which Chapter 2 or 3 of Part |
|
| | 2, Part 3 or Part 4 applies.” |
|
| | Member’s explanatory statement
|
|
| | This amendment and Amendment 3 make clear that references to controllers and processors in |
|
| | Parts 5 to 7 of the bill are to controllers and processors in relation to processing to which the |
|
| | GDPR, the applied GDPR or Part 3 or 4 of the bill applies. |
|
| |
|
|
| |
| |
|
| |
| | |
| Clause 7, page 5, line 8, leave out “a body specified” and insert “body specified or |
|
| |
| | Member’s explanatory statement
|
|
| | This amendment and Amendment 8 make clear that regulations under Clause 7 may identify an |
|
| | authority or body by describing a type of authority or body, as well as by specifying an authority |
|
| | |
| |
| | |
| Clause 7, page 5, line 13, after “specified” insert “or described” |
|
| | Member’s explanatory statement
|
|
| | See the explanatory statement for Amendment 7. |
|
| |
| |
| | |
|
| Clause 8, page 5, line 23, after “includes” insert “but is not limited to,”. |
|
| |
| | |
| Clause 8, page 5, line 29, at end insert— |
|
| | “( ) | an activity that supports or promotes democratic engagement.” |
|
| | Member’s explanatory statement
|
|
| | This amendment adds a reference to processing of personal data that is necessary for activities |
|
| | that support or promote democratic engagement to Clause 8 (lawfulness of processing: public |
|
| | |
| |
| | |
|
| Clause 8, page 5, line 29, at end insert “or |
|
| | (e) | the exercise of research functions by public bodies.” |
|
| | Member’s explanatory statement
|
|
| | This amendment would ensure that university researchers and public bodies with a research |
|
| | function are able to use the ‘task in the public interest’ lawful basis for processing personal data, |
|
| | where consent is not a viable lawful basis. |
|
| |
|
|
| |
| |
|
| |
| |
| |
| |
| |
| | |
|
| Clause 10, page 6, line 19, leave out subsections (6) and (7). |
|
| | Member’s explanatory statement
|
|
| | This amendment would remove delegated powers that would allow the Secretary of State to vary |
|
| | the conditions and safeguards governing the general processing of sensitive personal data. |
|
| |
| |
| | |
| Schedule 1, page 123, line 21, at beginning insert “Except as otherwise provided,” |
|
| | Member’s explanatory statement
|
|
| | This amendment is consequential on Amendments 79, 82 and 90. |
|
| |
| | |
| Schedule 1, page 124, line 24, leave out from “subject” to end of line 25 |
|
| | Member’s explanatory statement
|
|
| | In paragraph 8 of Schedule 1, sub-paragraph (3) contains an exception from the condition in sub- |
|
| | paragraph (1). This amendment would remove from the exception the requirement that the |
|
| | processing is carried out without the data subject’s consent. |
|
| |
| | |
| Schedule 1, page 124, line 36, at end insert— |
|
| | “Racial and ethnic diversity at senior levels of organisations |
|
| | 8A (1) | This condition is met if the processing— |
|
| | (a) | is of personal data revealing racial or ethnic origin, |
|
| | (b) | is carried out as part of a process of identifying suitable individuals to |
|
| | hold senior positions in a particular organisation, a type of |
|
| | organisation or organisations generally, |
|
| | (c) | is necessary for the purposes of promoting or maintaining diversity in |
|
| | the racial and ethnic origins of individuals who hold senior positions |
|
| | in the organisation or organisations, and |
|
| | (d) | can reasonably be carried out without the consent of the data subject, |
|
| | | subject to the exception in sub-paragraph (3). |
|
| | (2) | For the purposes of sub-paragraph (1)(d), processing can reasonably be carried |
|
| | out without the consent of the data subject only where— |
|
| | (a) | the controller cannot reasonably be expected to obtain the consent of |
|
| | |
| | (b) | the controller is not aware of the data subject withholding consent. |
|
| | (3) | Processing does not meet the condition in sub-paragraph (1) if it is likely to |
|
| | cause substantial damage or substantial distress to an individual. |
|
|
|
| |
| |
|
| | (4) | For the purposes of this paragraph, an individual holds a senior position in an |
|
| | organisation if the individual— |
|
| | (a) | holds a position listed in sub-paragraph (5), or |
|
| | (b) | does not hold such a position but is a senior manager of the |
|
| | |
| | |
| | (a) | a director, secretary or other similar officer of a body corporate; |
|
| | (b) | a member of a limited liability partnership; |
|
| | (c) | a partner in a partnership within the Partnership Act 1890, a limited |
|
| | partnership registered under the Limited Partnerships Act 1907 or an |
|
| | entity of a similar character formed under the law of a country or |
|
| | territory outside the United Kingdom. |
|
| | (6) | In this paragraph, “senior manager”, in relation to an organisation, means a |
|
| | person who plays a significant role in— |
|
| | (a) | the making of decisions about how the whole or a substantial part of |
|
| | the organisation’s activities are to be managed or organised, or |
|
| | (b) | the actual managing or organising of the whole or a substantial part of |
|
| | |
| | (7) | The reference in sub-paragraph (2)(b) to a data subject withholding consent |
|
| | does not include a data subject merely failing to respond to a request for |
|
| | |
| | Member’s explanatory statement
|
|
| | Part 2 of Schedule 1 describes types of processing of special categories of personal data which |
|
| | meet the requirement in Article 9(2)(g) of the GDPR (processing necessary for reasons of |
|
| | substantial public interest) for a basis in UK law (see Clause 10(3)). This amendment adds to Part |
|
| | 2 of Schedule 1 certain processing of personal data for the purposes of promoting or maintaining |
|
| | diversity in the racial and ethnic origins of individuals who hold senior positions in organisations. |
|
| |
| | |
| Schedule 1, page 125, line 3, at end insert— |
|
| | “( ) | If the processing consists of the disclosure of personal data to a competent |
|
| | authority, or is carried out in preparation for such disclosure, the condition in |
|
| | sub-paragraph (1) is met even if, when the processing is carried out, the |
|
| | controller does not have an appropriate policy document in place (see |
|
| | paragraph 5 of this Schedule). |
|
| | Member’s explanatory statement
|
|
| | This amendment, and Amendment 80, provide that where processing falling within paragraph 9 of |
|
| | Part 2 of Schedule 1 (preventing or detecting unlawful acts) consists of, or is carried out in |
|
| | preparation for, the disclosure of personal data to a competent authority, the condition in that |
|
| | paragraph is met even if the controller does not have an appropriate policy document in place |
|
| | when the processing is carried out. |
|
| |
| | |
| Schedule 1, page 125, line 4, at end insert— |
|
| | ““competent authority” has the same meaning as in Part 3 of this Act (see |
|
| | |
| | Member’s explanatory statement
|
|
| | See the explanatory statement for Amendment 79. |
|
|
|
| |
| |
|
| |
| | |
| Schedule 1, page 125, line 16, at end insert— |
|
| | “Regulatory requirements relating to unlawful acts and dishonesty etc |
|
| | 10A(1) | This condition is met if— |
|
| | (a) | the processing is necessary for the purposes of complying with, or |
|
| | assisting other persons to comply with, a regulatory requirement |
|
| | which involves a person taking steps to establish whether another |
|
| | |
| | (i) | committed an unlawful act, or |
|
| | (ii) | been involved in dishonesty, malpractice or other seriously |
|
| | |
| | (b) | in the circumstances, the controller cannot reasonably be expected to |
|
| | obtain the consent of the data subject to the processing, and |
|
| | (c) | the processing is necessary for reasons of substantial public interest. |
|
| | |
| | “act” includes a failure to act; |
|
| | “regulatory requirement” means— |
|
| | (a) | a requirement imposed by legislation or by a person in exercise |
|
| | of a function conferred by legislation, or |
|
| | (b) | a requirement forming part of generally accepted principles of |
|
| | good practice relating to a type of body or an activity.” |
|
| | Member’s explanatory statement
|
|
| | Part 2 of Schedule 1 describes types of processing of special categories of personal data which |
|
| | meet the requirement in Article 9(2)(g) of the GDPR (processing necessary for reasons of |
|
| | substantial public interest) for a basis in UK law (see Clause 10(3)). This amendment adds to Part |
|
| | 2 of Schedule 1 certain processing of personal data for the purposes of complying with, or assisting |
|
| | others to comply with, a regulatory requirement. |
|
| |
| | |
| Schedule 1, page 125, line 35, at end insert— |
|
| | “( ) | The condition in sub-paragraph (1) is met even if, when the processing is |
|
| | carried out, the controller does not have an appropriate policy document in |
|
| | place (see paragraph 5 of this Schedule).” |
|
| | Member’s explanatory statement
|
|
| | This amendment provides that the condition in paragraph 11 of Part 2 of Schedule 1 (journalism |
|
| | etc in connection with unlawful acts and dishonesty etc) is met even if the controller does not have |
|
| | an appropriate policy document in place when the processing is carried out. |
|
| |
| | |
| Schedule 1, page 126, line 22, at end insert— |
|
| | “Support for individuals with a particular disability or medical condition |
|
| | 13A(1) | This condition is met if the processing— |
|
| | (a) | is carried out by a not-for-profit body which provides support to |
|
| | individuals with a particular disability or medical condition, |
|
| | (b) | is of a type of personal data falling within sub-paragraph (2) which |
|
| | relates to an individual falling within sub-paragraph (3), |
|
|
|
| |
| |
|
| | (c) | is necessary for the purposes of— |
|
| | (i) | raising awareness of the disability or medical condition, or |
|
| | (ii) | providing support to individuals falling within sub-paragraph |
|
| | (3) or enabling such individuals to provide support to each |
|
| | |
| | (d) | can reasonably be carried out without the consent of the data subject, |
|
| | |
| | (e) | is necessary for reasons of substantial public interest. |
|
| | (2) | The following types of personal data fall within this sub-paragraph— |
|
| | (a) | personal data revealing racial or ethnic origin; |
|
| | (b) | genetic data or biometric data; |
|
| | (c) | data concerning health; |
|
| | (d) | personal data concerning an individual’s sex life or sexual orientation. |
|
| | (3) | An individual falls within this sub-paragraph if the individual is or has been a |
|
| | member of the body mentioned in sub-paragraph (1)(a) and— |
|
| | (a) | has the disability or condition mentioned there, has had that disability |
|
| | or condition or has a significant risk of developing that disability or |
|
| | |
| | (b) | is a relative or carer of an individual who satisfies paragraph (a) of this |
|
| | |
| | (4) | For the purposes of sub-paragraph (1)(d), processing can reasonably be carried |
|
| | out without the consent of the data subject only where— |
|
| | (a) | the controller cannot reasonably be expected to obtain the consent of |
|
| | |
| | (b) | the controller is not aware of the data subject withholding consent. |
|
| | |
| | “carer” means an individual who provides or intends to provide care for |
|
| | another individual other than— |
|
| | (a) | under or by virtue of a contract, or |
|
| | |
| | “disability” has the same meaning as in the Equality Act 2010 (see |
|
| | section 6 of, and Schedule 1 to, that Act). |
|
| | (6) | The reference in sub-paragraph (4)(b) to a data subject withholding consent |
|
| | does not include a data subject merely failing to respond to a request for |
|
| | |
| | Member’s explanatory statement
|
|
| | Part 2 of Schedule 1 describes types of processing of special categories of personal data which |
|
| | meet the requirement in Article 9(2)(g) of the GDPR (processing necessary for reasons of |
|
| | substantial public interest) for a basis in UK law (see Clause 10(3)). This amendment adds to Part |
|
| | 2 of Schedule 1 certain processing of personal data by not-for-profit bodies involved in supporting |
|
| | individuals with a particular disability or medical condition. |
|
| |
| | |
| Schedule 1, page 126, line 27, leave out “a reason” and insert “one of the reasons” |
|
| | Member’s explanatory statement
|
|
| | This amendment amends paragraph 14(1)(b) of Schedule 1 for consistency with paragraphs 18(2) |
|
| | and 19(2) of that Schedule. |
|
|