DUA Bill Committee Stage Day 2 #HumanRightsDay 2024 #DataProtection

On international Human Rights Day 2024, December 10, 2024 peers in the House of Lords discussed the next stage of the Data Use and Access Bill that will take the word protection out of UK data protection law. The wide-ranging discussion of probing amendments and questions, included key areas about which we, along with many others across civil society have warned are flawed, and need revision or removal.

Not in chronological order, but let’s begin with a key question to upholding public trust in data protection law, and in a new government.

If the goalposts are moved, if what people were told was true at the time of personal data collection in the past, becomes null and void across the whole of the Bill upon its commencement, how will anything people have been told in the past be believed as trustworthy in future, not only in this law, but all of the new government’s actions?

If you want to #StandUp4HumanRights you can write to them, especially those peers who raised these issues at Second Reading, and / or now.

Lord Cameron of Lochiel:
“My Lords, I want to ask the Minister and the noble Lord, Lord Clement-Jones, in very general terms for their views on retrospectivity. Do they believe that the changes to data protection law in the Bill are intended to be applied to data already held at this time or will the new regime apply only to personal data collected going forwards from this point? I ask that specifically of data pertaining to children, from whom sensitive data has already been collected. Will the forthcoming changes to data protection law apply to such data that controllers and processors already hold, or will it apply only to data held going forward?”

The Minister did not answer the question, saying at 18:30:

“in response to the point raised by the noble Lord, Lord Cameron, that the new lawful ground of recognised legitimate interest will apply from the date of commencement and will not apply retrospectively.”

This is a key question. It does not only apply to the legitimate interests new clause, but all of the changes in the rest of the Bill to purpose limitation, new definitions of research, removal of obligations on fair processing, and the extension of consent to new compatible purposes. The Minister will need to clarify: Will the forthcoming changes to data protection law apply to such data that controllers and processors already hold on Day zero, or will it apply only to data first collected and processed going forward, only after the commencement date of the Bill? It is the point of collection in time and what data subjects were told then, that matters. The law must be fair, and foreseeable.

Why the former Scotland Minister might care, is following on from the controversy over the Health and Wellbeing Census where children were asked about their sexual experiences in highly intrusive detail and the data is now kept by the Scottish government. The children were told the data collected would not be identifying, but it was in fact sent to the national data storage using the child’s unique email with pupil ID. The Children’s Commissioner in Scotland asked for it to be stopped but was ignored. Many called for it to be scrapped.

The new clauses could for example be used to re-use the data now held for purposes beyond those the pupils and parents were told at the time of collection. Any future Scottish Government, for example, might consider using the highly sensitive data to train commercial AI products, that under current law would not meet the threshold of ‘scientific’ research.

On data processing in the Education Sector, including for research purposes

Lord Clement-Jones:

“Since the Data Protection Act was introduced in 2018, based on the 2016 GDPR, the education sector has seen enormous expansion of state and commercial data collection, partly normalised in the pandemic, of increased volume, sensitivity, intrusiveness, and high risk. Children need particular care in view of the special environment of educational settings, where pupils and families are disempowered and have no choice over the products procured, which they are obliged to use for school administrative purposes, for learning in the classroom, for homework and for digital behavioural monitoring.”

“The implications of broadening the definition of research activities conducted within the state education sector include questions of the appropriateness of applying the same rules where children are in a compulsory environment without agency or routine practice for research ethics oversight, particularly if the definition is expanded to commercial activity.”

“Parental and family personal data is often inextricably linked to the data of a child in education, such as home address, heritable health conditions or young carer status. The Responsible Technology Adoption Unit within DSIT commissioned research in the Department for Education to understand how parents and pupils feel about the use of AI tools in education and found that, while parents and pupils did not expect to make specific decisions about AI optimisation, they did expect to be consulted on whether and by whom pupil work and data can be used. There was widespread consensus that work and data should not be used without parents’ and/or pupils’ explicit agreement.”

“Businesses already routinely conduct trials or profit from children’s use of educational technology for product development, without their knowledge or parental permission. This is contrary to the UNCRC Article 32 principle of a right to protection from economic exploitation [that] public engagement, [which] [this] work suggests parents want.”

Baroness Kidron:

“I turn briefly to Amendment 64, which would limit the use of children’s personal data for the purposes of research and education by making it subject to a public interest requirement and opt-in from the child or a parent. I will speak in our debate on a later grouping to amendments that would enshrine children’s right to higher protection and propose a comprehensive code of practice on the use of children’s data in education, which is scandal and concern. For now, it would be good to understand whether the Government agree that education is an area of research where a public interest requirement is necessary and appropriate and that children’s data should always be used to support their right to learn, rather than to commoditise them.”

“During debate on the DPDI Bill, a code of practice on children’s data and scientific research was proposed; the Minister added her name to it. It is by accident rather than by design that I have failed to lay it here, but I will listen carefully to the Minister’s reply to see whether children need additional protections from scientific research as the Government now define it.”

On changes to the nature of purpose limitation where consent can be extended to new purposes

Viscount Camrose:

“Commercial research is, perhaps counterintuitively, generally subjected to fewer ethical safeguards than research carried out purely for scientific endeavour by educational institutions. Given the current broad definition of scientific research in the Bill—I am sorry to repeat this—which includes research for commercial purposes, and the lower bar for obtaining consent for data reuse should the research be considered scientific, I think it would be fair to require more substantial ethical safeguards on such activities.”

“We do not want to create a scenario where unscrupulous tech developers use the Bill to harvest significant quantities of personal data under the guise of scientific endeavour to develop their products, without having to obtain consent from data subjects or even without them knowing. An independent ethics committee would be an excellent way to monitor scientific research that would be part of commercial activities, without capping data access for scientific research, which aims more purely to expand the horizon of our knowledge and benefit society. Let us be clear: commercial research makes a huge and critically important contribution to scientific research, but it is also surely fair to subject it to the same safeguards and scrutiny required of non-commercial scientific research.”

“Amendment 67 would ensure that data controllers cannot gain consent for research purposes that cannot be defined at the time of data collection.”

“Children’s unique vulnerabilities demand special consideration. Their personal data, whether collected through educational platforms, social media or health applications, requires the most stringent protections. It is clearly both our moral and legislative obligation to ensure that this data is used responsibly and ethically, without compromising their privacy or exposing them to harm. Moreover, by extending these protections beyond childhood, this amendment recognises that the consequences of data collection during childhood can stretch far into adulthood. This is an acknowledgment of the fact that privacy is a lifelong right; the data collected in our formative years should not be used in ways that could undermine our dignity or well-being later in life.”