Members discussed a range of subjects including penalty notices, criminal liability and how the bill applies to Parliament.
Following the completion of third reading, the bill now goes to the House of Commons for its consideration.
Lords report stage day three: Wednesday 10 January
Members discussed a wide range of subjects, including national security certificates, data protection in schools and support for small organisations.
There were also three divisions (votes) on proposed changes (amendments) to the bill.
Members considered a change to increase the responsibilities of the Information Commissioner to include:
- maintaining a register of publicly controlled personal data of national significance
- preparing a code of practice with practical guidance in relation to nationally significant data
The change would also empower the Commissioner to decide if personal data is of national significance, if:
- the data furthers collective economic, social or environmental well-being, or has the potential to do so in the future
- a financial benefit may be derived from processing the data or the development of associated software
235 members were in favour of this amendment, with 204 against, and so the change was made.
The next vote was on the insertion of a new clause to require the government to set up an inquiry within three months of the bill’s passing to investigate breaches of data protection rules by, or on behalf of, news publishers.
The inquiry’s terms of reference would include:
- the extent of unlawful or improper conduct by news publishers and other organisations within the media
- the extent of corporate governance and management failures within news publishers in regard to data protection
- the implications for data protection in regards to freedom of speech
The change would also empower the inquiry to make recommendations on actions to be taken in the public interest.
238 members voted for this change and 209 voted against, and so the change was made.
The final vote was on the insertion of a new clause to define the rules when a relevant claim made against a defendant for data protection breaches is connected to the publication of news-related material.
The clause seeks to clarify the criteria for a court’s decision to award costs and damages in favour of the claimant, depending on whether the defendant was a member of an approved regulator at the time the claim was made.
217 members were in favour with 200 against, so this change was made.
Lords report stage day two: Wednesday 13 December
Members discussed subjects including the use of private personal data accounts, organisations responsible for anti-doping in sport and data protection breaches due to ransomware attacks. There were two divisions (votes) on proposed changes (amendments) to the bill.
Members considered a change to specify that references to an association that is responsible for eliminating doping in sport are to be read as references to UK Anti-Doping (Ukad), its successor bodies or a body designated by the secretary of state. The change would also require the secretary of state to define the responsibilities of Ukad and its relationship with other sporting bodies and associations. 229 members were in favour of this amendment, with 232 against, and so the change was not made.
The next vote was on a change to remove a paragraph in the bill which listed examples of personal data processing where the provisions of the General Data Protection Regulation (GDPR) would not apply, and further examples where an individual processing such data would be exempt from certain obligations. 92 members voted for this change and 222 voted against, and so the change was not made.
Lords report stage day one: Monday 11 December
Members discussed a range of subjects including national security certificates, children's consent in relation to information society services and data processing by patient support groups and health organisations.
There was one division (vote) on a proposed change to the bill.
Members considered the insertion of new clause into the bill entitled 'Protection of personal data'. This clause would protect individuals (data subjects) under the General Data Protection Regulation (GDPR) by:
- requiring personal data to be processed lawfully under the consent of the data subject
- conferring rights on the data subject to obtain information about the processing of personal data
- conferring responsibility on the Information Commissioner for monitoring and enforcing provisions under the GDPR, applied GDPR and this Act
The clause would also require the Commissioner to be particularly aware of the importance of appropriate levels of personal data protection, taking account of the interests of data subjects, controllers and others.
172 members voted in favour of the new clause and 139 voted against, and so the change was made.
Lords committee stage day six: Wednesday 22 November
Members are expected to discuss enforcement notices, compensation for the contravention of General Data Protection Regulation and the alteration of personal data.
Lords committee stage day five: Monday 20 November
Members discussed a code of practice for processing of personal data, enforcement notices and the confidentiality of information.
Lords committee stage day four: Wednesday 15 November
Members discussed regulations and the General Data Protection Regulation (GDPR) after Brexit.
Lords committee stage day three: Monday 13 November
Members discussed processing of personal data and the right to be informed about the commercial use of personal data.
Lords committee stage day two: Monday 6 November
Members discussed parental consent for use of minors' data and education for schoolchildren on their rights relating to data protection.
Lords committee stage day one: Monday 30 October
Members discussed subjects including the GDPR, the right to protection of personal data and the age of child's consent in relation to information society services.
Lords second reading: Tuesday 10 October
Members discussed the key points raised by the bill including data protection reform, the processing of personal data for security and law enforcement purposes and minimum requirements for companies' age verification systems.
Members also raised issues relating to European Union withdrawal legislation and the flow of data between the EU and the UK post-Brexit.
Data Protection Bill
This bill will aim to:
- update the UK’s data protection regime in accordance with new rules agreed at a European level
- repeal and replace the Data Protection Act 1998
- update regulations on four main matters: data processing; law enforcement data processing; data processing for national security purposes; and regulatory oversight and enforcement
- update the enforcement powers available to the Information Commissioner and introduce new offences relating to the processing of personal data, amongst other measures