Asked by Lord Brabazon of Tara To ask Her Majesty’s
Government for what purpose small clubs and charities have to
comply with the General Data Protection Regulation, which came into
force on 25 May. The Parliamentary Under-Secretary of State,
Department for Digital, Culture, Media and Sport (Lord Ashton of
Hyde) (Con) My Lords, clubs and charities...Request free trial
Asked by
-
To ask Her Majesty’s Government for what purpose small
clubs and charities have to comply with the General Data
Protection Regulation, which came into force on 25 May.
-
The Parliamentary Under-Secretary of State, Department for
Digital, Culture, Media and Sport (Lord Ashton of Hyde)
(Con)
My Lords, clubs and charities which handle personal data
will need to comply with the general data protection
regulation in the Data Protection Act 2018 because people
have the right to expect organisations of all sizes to keep
their data safe and secure and not to misuse it. Small
clubs and charities may also process sensitive personal
data, such as medical records or children’s data. It is
especially important that this is kept safe and secure and
used appropriately. To assist smaller organisations, which
may have more limited access to legal resources, the
Information Commissioner’s Office has published a range of
user-friendly material on the GDPR on its website and set
up a dedicated phone line for small businesses and
charities.
-
(Con)
I am grateful to my noble friend for that reply. He has
confirmed that any club, however small, that keeps a record
of its membership must register, and not just register but
renew and pay up every year. I will not ask my noble friend
to give an estimate of the numbers involved, because it
must be many thousands and I do not know who on earth is
going to keep track of it all. I doubt whether anybody
knows the numbers. But can my noble friend tell me what
these organisations are doing wrong at the moment? What ill
is being done that is going to be cured by making them
involve themselves in this process?
-
My Lords, I am glad that my noble friend realises that it
is very important to pay the fee that is required, as
agreed by this House last month, in order to fund the ICO.
All this is clearly explained on the ICO website under the
heading, “The Data Protection Fee: A Guide for
Controllers”. As for ills, it is not that any organisation,
or even individual, has committed any sin, or that there is
an ill to be cured; this is about individual data subjects’
rights. As far as an individual data subject is concerned,
if his or her sensitive personal data is misused—for
example, by not being kept securely—the damage done to that
person or organisation is the same whether it is by a large
or a small organisation. That is why the GDPR requires all
data controllers, unless they are using it just for
personal or household matters, to be clearer with people
how their data is going to be used, to process it where it
is lawful to do so, and, very importantly, to make sure it
is held securely.
-
(Lab)
My Lords, would it be a good idea for the Government to allow
small clubs to opt out of that if their membership wished to?
-
No, I do not agree with that, for the reason I have just
given.
-
(Con)
Will my noble friend explain to all of us data controllers
here assembled exactly what this mischief is? I think the
principal mischief is that this is a piece of legislation
invented in Brussels and cursed on us.
-
Of course, the noble Lord is entitled to his opinion but I do
not agree with him. In this case, as I tried to explain, it
does not matter whether it is a large or small organisation,
or even an individual data controller, that misuses
information. Individuals’ personal data is very important and
has grown enormously since the previous Data Protection Act
20 years ago. My noble friend will of course realise that
there was a Data Protection Act 20 years ago.
-
(LD)
My Lords, does the Minister agree that small clubs perform a
useful function for society generally, as do small charities?
If a problem becomes apparent, will the Minister give an
assurance that the Government will review it and see if there
is anything there? I agree with him that data should be
guarded but we do not want to damage these clubs unduly.
-
I am sure the noble Lord is aware that the situation for data
controllers has not changed since the Data Protection Act
1998. This is not a question of problems but of protecting
the data rights of everyone in this Chamber. Therefore, it
applies to all organisations and to individual people, but
only if they deal in personal data and are controllers of
that information.
-
(Lab)
Does the Minister accept that one of the benefits of this
legislation is that now people have to write and ask you
whether or not you want to receive junk mail? That is fine.
But with many of them, not only do you click “unsubscribe”
but they ask you why you have unsubscribed. Will the Minister
make sure that these issues are vigorously pursued and there
is no slacking off? Frankly, my current emails have reduced
by half and could be reduced by a great deal more.
-
I believe that when that happens, that is the end of it. If
they ask, they obviously want to know why the noble Lord no
longer wants to be in touch with them—I do not blame them for
that. Of course, I accept that those emails have a benefit.
One of the principal features of the GDPR and the Data
Protection Act 2018 is that there is a much stronger measure
of consent. People have to give active consent to have their
personal data processed.
-
(CB)
My Lords, are there proposals to review the impact of this
measure on small organisations? Irrespective of the fact that
there is continuity from the previous Data Protection Act,
there is concern that small organisations, such as charities
et cetera, will be disproportionately affected. It is
important that we should know whether that is the case. I
declare an interest as the chairman of the charity Kent
Search and Rescue.
-
Of course, we have to comply with the GDPR while we are
members of the EU. We want to continue to have a data
protection regime that is in accord with the EU’s when we
leave. I believe that all new legislation is reviewed after a
period of time, so we will obviously keep an eye on whether
there is a disproportionate effect on small organisations.
Charities are obviously important but, for the reasons I set
out before, individual data subjects’ rights are important so
there has to be a balance.
-
(Lab)
My Lords, the recent document submitted by the Government to
the EU as part of their negotiating structure talks about
data protection and its importance for our economy. These are
indeed important issues. It says, however, that the way
forward is not just by an adequacy agreement, which is what I
thought we were all expecting, but by a treaty. Can the
Minister shed some light on that issue?
-
As in, I believe, many negotiations with the EU, what we want
is frictionless trade. In terms of data it is very important
that there is no gap between leaving the EU, when we become a
third country, and still being able to exchange personal data
between the EU 27 countries and this country. We would like
to get an agreement so that we have not only adequacy, which
can be achieved only after we leave the EU, but an
arrangement that allows us to continue exchanging data with
members of the EU. That would have to be done by a treaty.
|
