“Schedule A1 - Processing in reliance on relevant international law

Data Protection and Digital Information Bill – in the House of Commons am 1:20 pm ar 29 Tachwedd 2023.

Danfonwch hysbysiad imi am ddadleuon fel hyn

This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.””—(Sir John Whittingdale.)

This new clause provides expressly that, for the purposes of satisfying requirements in Articles 6(1)(e), 8A(3)(e), 9(2)(g) and 10(1) of the UK GDPR, a controller or processor may rely on processing having a basis in, or being authorised by, certain international law.

Brought up, and read the First time.

1.37 pm

Photo of Rosie Winterton Rosie Winterton Deputy Speaker (First Deputy Chairman of Ways and Means)

With this it will be convenient to discuss the following:

Government new clause 48—Processing of personal data revealing political opinions.

Government new clause 7—Searches in response to data subjects’ requests.

Government new clause 8—Notices from the Information Commissioner.

Government new clause 9—Court procedure in connection with subject access requests.

Government new clause 10—Approval of a supplementary code.

Government new clause 11—Designation of a supplementary code.

Government new clause 12—List of recognised supplementary codes.

Government new clause 13—Change to conditions for approval or designation.

Government new clause 14—Revision of a recognised supplementary code.

Government new clause 15—Applications for approval and re-approval.

Government new clause 16—Fees for approval, re-approval and continued approval.

Government new clause 17—Request for withdrawal of approval.

Government new clause 18—Removal of designation.

Government new clause 19—Registration of additional services.

Government new clause 20—Supplementary notes.

Government new clause 21—Addition of services to supplementary notes.

Government new clause 22—Duty to remove services from the DVS register.

Government new clause 23—Duty to remove supplementary notes from the DVS register.

Government new clause 24—Duty to remove services from supplementary notes.

Government new clause 25—Index of defined terms for Part 2.

Government new clause 26—Powers relating to verification of identity or status.

Government new clause 27—Interface bodies.

Government new clause 28—The FCA and financial services interfaces.

Government new clause 29—The FCA and financial services interfaces: supplementary.

Government new clause 30—The FCA and financial services interfaces: penalties and levies.

Government new clause 31—Liability and damages.

Government new clause 32—Other data provision.

Government new clause 33—Duty to notify the Commissioner of personal data breach: time periods.

Government new clause 34—Power to require information for social security purposes.

Government new clause 35—Retention of information by providers of internet services in connection with death of child.

Government new clause 36—Retention of biometric data and recordable offences.

Government new clause 37—Retention of pseudonymised biometric data.

Government new clause 38—Retention of biometric data from INTERPOL.

Government new clause 39—National Underground Asset Register.

Government new clause 40—Information in relation to apparatus.

Government new clause 41—Pre-commencement consultation.

Government new clause 42—Transfer of certain functions of Secretary of State.

New clause 1—Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision—

“(1) The 2018 Act is amended in accordance with subsection (2).

(2) In the 2018 Act, after section 40 insert—

“40A Processing of data in relation to a case-file prepared by the police service for submission to the Crown Prosecution Service for a charging decision

(1) This section applies to a set of processing operations consisting of the preparation of a case-file by the police service for submission to the Crown Prosecution Service for a charging decision, the making of a charging decision by the Crown Prosecution Service, and the return of the case-file by the Crown Prosecution Service to the police service after a charging decision has been made.

(2) The police service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in preparing a case-file for submission to the Crown Prosecution Service for a charging decision.

(3) The Crown Prosecution Service is not obliged to comply with the first data protection principle except insofar as that principle requires processing to be fair, or the third data protection principle, in making a charging decision on a case-file submitted for that purpose by the police service.

(4) If the Crown Prosecution Service decides that a charge will not be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(5) If the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service it must return the case-file to the police service and take all steps reasonably required to destroy and delete all copies of the case-file in its possession.

(6) Where the Crown Prosecution Service decides that a charge will be pursued when it makes a charging decision on a case-file submitted for that purpose by the police service and returns the case-file to the police service under subsection (5), the police service must comply with the first data protection principle and the third data protection principle in relation to any subsequent processing of the data contained in the case-file.

(7) For the purposes of this section—

(a) The police service means—

(i) constabulary maintained by virtue of an enactment, or

(ii) subject to section 126 of the Criminal Justice and Public Order Act 1994 (prison staff not to be regarded as in police service), any other service whose members have the powers or privileges of a constable.

(b) The preparation of, or preparing, a case-file by the police service for submission to the Crown Prosecution Service for a charging decision includes the submission of the file.

(c) A case-file includes all information obtained by the police service for the purpose of preparing a case-file for submission to the Crown Prosecution Service for a charging decision.””

This new clause adjusts Section 40 of the Data Protection Act 2018 to exempt the police service and the Crown Prosecution Service from the first and third data protection principles contained within the 2018 Act so that they can share unredacted data with one another when making a charging decision.

New clause 2—Common standards and timeline for implementation—

“(1) Within one month of the passage of this Act, the Secretary of State must by regulations require those appointed as decision-makers to create, publish and update as required open and common standards for access to customer data and business data.

(2) Standards created by virtue of subsection (1) must be interoperable with those created as a consequence of Part 2 of the Retail Banking Market Investigation Order 2017, made by the Competition and Markets Authority.

(3) Regulations under section 66 and 68 must ensure interoperability of customer data and business data with standards created by virtue of subsection (1).

(4) Within one month of the passage of this Act, the Secretary of State must publish a list of the sectors to which regulations under section 66 and section 68 will apply within three years of the passage of the Act, and the date by which those regulations will take effect in each case.”

This new clause, which is intended to be placed in Part 3 (Customer data and business data) of the Bill, would require interoperability across all sectors of the economy in smart data standards, including the Open Banking standards already in effect, and the publication of a timeline for implementation.

New clause 3—Provision about representation of data subjects—

“(1) Section 190 of the Data Protection Act 2018 is amended as follows.

(2) In subsection (1), leave out “After the report under section 189(1) is laid before Parliament, the Secretary of State may” and insert “The Secretary of State must, within three months of the passage of the Data Protection and Digital Information Act 2024,”.”

This new clause would require the Secretary of State to exercise powers under s190 DPA2018 to allow organisations to raise data breach complaints on behalf of data subjects generally, in the absence of a particular subject who wishes to bring forward a claim about misuse of their own personal data.

New clause 4—Review of notification of changes of circumstances legislation—

“(1) The Secretary of State must commission a review of the operation of the Social Security (Notification of Changes of Circumstances) Regulations 2010.

(2) In conducting the review, the designated reviewer must—

(a) consider the current operation and effectiveness of the legislation;

(b) identify any gaps in its operation and provisions;

(c) consider and publish recommendations as to how the scope of the legislation could be expanded to include non-public sector, voluntary and private sector holders of personal data.

(3) In undertaking the review, the reviewer must consult—

(a) specialists in data sharing;

(b) people and organisations who campaign for the interests of people affected by the legislation;

(c) people and organisations who use the legislation;

(d) any other persons and organisations the review considers appropriate.

(4) The Secretary of State must lay a report of the review before each House of Parliament within six months of this Act coming into force.”

This new clause requires a review of the operation of the “Tell Us Once” programme, which seeks to provide simpler mechanisms for citizens to pass information regarding births and deaths to government, and consideration of whether the progress of “Tell Us Once” could be extended to non-public sector holders of data.

New clause 5—Definition of “biometric data”—

Article 9 of the UK GDPR is amended by the omission, in paragraph 1, of the words “for the purpose of uniquely identifying a natural person”.”

This new clause would amend the UK General Data Protection Regulation to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.

New clause 43—Right to use non-digital verification services—

“(1) This section applies when an organisation—

(a) requires an individual to use a verification service, and

(b) uses a digital verification service for that purpose.

(2) The organisation—

(a) must make a non-digital alternative method of verification available to any individual required to use a verification service, and

(b) must provide information about digital and non-digital methods of verification to those individuals before verification is required.”

This new clause, which is intended for insertion into Part 2 of the Bill (Digital verification services), creates the right for data subjects to use non-digital identity verification services as an alternative to digital verification services, thereby preventing digital verification from becoming mandatory in certain settings.

New clause 44—Transfer of functions to the Investigatory Powers Commissioner’s Office—

“The functions of the Surveillance Camera Commissioner are transferred to the Investigatory Powers Commissioner.”

New clause 45—Interoperability of data and collection of comparable healthcare statistics across the UK—

“(1) The Health and Social Care Act 2012 is amended as follows.

(2) After section 250, insert the following section—

“250A Interoperability of data and collection of comparable healthcare statistics across the UK

(1) The Secretary of State must prepare and publish an information standard specifying binding data interoperability requirements which apply across the whole of the United Kingdom.

(2) An information standard prepared and published under this section—

(a) must include guidance about the implementation of the standard;

(b) may apply to any public body which exercises functions in connection with the provision of health services anywhere in the United Kingdom.

(3) A public body to which an information standard prepared and published under this section applies must have regard to the standard.

(4) The Secretary of State must report to Parliament each year on progress on the implementation of an information standard prepared in accordance with this section.

(5) For the purposes of this section—

“health services” has the same meaning as in section 250 of this Act, except that for “in England” there is substituted “anywhere in the United Kingdom”, and “the health service” in parts of the United Kingdom other than England has the meaning given by the relevant statute of that part of the United Kingdom;

“public body” has the same meaning as in section 250 of this Act.”

(3) In section 254 (Powers to direct NHS England to establish information systems), after subsection (2), insert—

“(2A) The Secretary of State must give a direction under subsection (1) directing NHS England to collect and publish information about healthcare performance and outcomes in all parts of the United Kingdom in a way which enables comparison between different parts of the United Kingdom.

(2B) Before giving a direction by virtue of subsection (2A), the Secretary of State must consult—

(a) the bodies responsible for the collection and publication of official statistics in each part of the United Kingdom,

(b) Scottish Ministers,

(c) Welsh Ministers, and

(d) Northern Ireland departments.

(2C) The Secretary of State may not give a direction by virtue of subsection (2A) unless a copy of the direction has been laid before, and approved by resolution of, both Houses of Parliament.

(2D) Scottish Ministers, Welsh Ministers and Northern Ireland departments must arrange for the information relating to the health services for which they have responsibility described in the direction given by virtue of subsection (2A) to be made available to NHS England in accordance with the direction.

(2E) For the purposes of a direction given by virtue of subsection (2A), the definition of “health and social care body” given in section 259(11) applies as if for “England” there were substituted “the United Kingdom”.””

New clause 46—Assessment of impact of Act on EU adequacy—

“(1) Within six months of the passage of this Act, the Secretary of State must carry out an assessment of the impact of the Act on EU adequacy, and lay a report of that assessment before both Houses of Parliament.

(2) The report must assess the impact on—

(a) data risk, and

(b) small and medium-sized businesses.

(3) The report must quantify the impact of the Act in financial terms.”

New clause 47—Review of the impact of the Act on anonymisation and the identifiability of data subjects—

“(1) Within six months of the passage of this Act, the Secretary of State must lay before Parliament the report of an assessment of the impact of the measures in the Act on anonymisation and the identifiability of data subjects.

(2) The report must include a comparison between the rights afforded to data subjects under this Act with those afforded to data subjects by the EU General Data Protection Regulation.”

Amendment 278, in clause 5, page 6, line 15, leave out paragraphs (b) and (c).

This amendment and Amendment 279 would remove the power for the Secretary of State to create pre-defined and pre-authorised “recognised legitimate interests”, for data processing. Instead, the current test would continue to apply in which personal data can only be processed in pursuit of a legitimate interest, as balanced with individual rights and freedoms.

Amendment 279, page 6, line 23, leave out subsections (4), (5) and (6).

See explanatory statement to Amendment 278.

Amendment 230, page 7, leave out lines 1 and 2 and insert—

“8. The Secretary of State may not make regulations under paragraph 6 unless a draft of the regulations has been laid before both Houses of Parliament for the 60-day period.

8A. The Secretary of State must consider any representations made during the 60-day period in respect of anything in the draft regulations laid under paragraph 8.

8B. If, after the end of the 60-day period, the Secretary of State wishes to proceed to make the regulations, the Secretary of State must lay before Parliament a draft of the regulations (incorporating any changes the Secretary of State considers appropriate pursuant to paragraph 8A).

8C. Draft regulations laid under paragraph 8B must, before the end of the 40-day period, have been approved by a resolution of each House of Parliament.

8D. In this Article—

“the 40-day period” means the period of 40 days beginning on the day on which the draft regulations mentioned in paragraph 8 are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid);

“the 60-day period” means the period of 60 days beginning on the day on which the draft regulations mentioned in paragraph 8B are laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).

8E. When calculating the 40-day period or the 60-day period for the purposes of paragraph 8D, ignore any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.”

This amendment would make regulations made in respect of recognised legitimate interest subject to a super-affirmative Parliamentary procedure.

Amendment 11, page 7, line 12, at end insert—

““internal administrative purposes” , in relation to special category data, means the conditions set out for lawful processing in paragraph 1 of Schedule 1 of the Data Protection Act 2018.”

This amendment clarifies that the processing of special category data in employment must follow established principles for reasonable processing, as defined by paragraph 1 of Schedule 1 of the Data Protection Act 2018.

Government amendment 252.

Amendment 222, page 10, line 8, leave out clause 8.

Amendment 3, in clause 8, page 10, leave out line 31.

This amendment would mean that the resources available to the controller could not be taken into account when determining whether a request is vexatious or excessive.

Amendment 2, page 11, line 34, at end insert—

“(6A) When informing the data subject of the reasons for not taking action on the request in accordance with subsection (6), the controller must provide evidence of why the request has been treated as vexatious or excessive.”

This amendment would require the data controller to provide evidence of why a request has been considered vexatious or excessive if the controller is refusing to take action on the request.

Government amendment 17.

Amendment 223, page 15, line 22, leave out clause 10.

Amendment 224, page 18, line 7, leave out clause 12.

Amendment 236, in clause 12, page 18, line 21, at end insert—

“(c) a data subject is an identified or identifiable individual who is affected by a significant decision, irrespective of the direct presence of their personal data in the decision-making process.”

This amendment would clarify that a “data subject” includes identifiable individuals who are subject to data-based and automated decision-making, whether or not their personal data is directly present in the decision-making process.

Amendment 232, page 19, line 12, leave out “solely” and insert “predominantly”.

This amendment would mean safeguards for data subjects’ rights, freedoms and legitimate interests would have to be in place in cases where a significant decision in relation to a data subject was taken based predominantly, rather than solely, on automated processing.

Amendment 5, page 19, line 12, after “solely” insert “or partly”.

This amendment would mean that the protections provided for by the new Article 22C would apply where a decision is based either solely or partly on automated processing, not only where it is based solely on such processing.

Amendment 233, page 19, line 18, at end insert

“including the reasons for the processing.”

This amendment would require data controllers to provide the data subject with the reasons for the processing of their data in cases where a significant decision in relation to a data subject was taken based on automated processing.

Amendment 225, page 19, line 18, at end insert—

“(aa) require the controller to inform the data subject when a decision described in paragraph 1 has been taken in relation to the data subject;”.

Amendment 221, page 20, line 3, at end insert—

“7. When exercising the power to make regulations under this Article, the Secretary of State must have regard to the following statement of principles:

Digital information principles at work

1. People should have access to a fair, inclusive and trustworthy digital environment at work.

2. Algorithmic systems should be designed and used to achieve better outcomes:

to make work better, not worse, and not for surveillance. Workers and their representatives should be involved in this process.

3. People should be protected from unsafe, unaccountable and ineffective algorithmic systems at work. Impacts on individuals and groups must be assessed in advance and monitored, with reasonable and proportionate steps taken.

4. Algorithmic systems should not harm workers’ mental or physical health, or integrity.

5. Workers and their representatives should always know when an algorithmic system is being used, how and why it is being used, and what impacts it may have on them or their work.

6. Workers and their representatives should be involved in meaningful consultation before and during use of an algorithmic system that may significantly impact work or people.

7. Workers should have control over their own data and digital information collected about them at work.

8. Workers and their representatives should always have an opportunity for human contact, review and redress when an algorithmic system is used at work where it may significantly impact work or people. This includes a right to a written explanation when a decision is made.

9. Workers and their representatives should be able to use their data and digital technologies for contact and association to improve work quality and conditions.

10. Workers should be supported to build the information, literacy and skills needed to fulfil their capabilities through work transitions.”

This amendment would insert into new Article 22D of the UK GDPR a requirement for the Secretary of State to have regard to the statement of digital information principles at work when making regulations about automated decision-making.

Amendment 4, in clause 15, page 25, line 4, at end insert

“(including in the cases specified in sub-paragraphs (a) to (c) of paragraph 3 of Article 35)”.

This amendment, together with Amendment 1, would provide a definition of what constitutes “high risk processing” for the purposes of applying Articles 27A, 27B and 27C, which require data controllers to designate, and specify the duties of, a “senior responsible individual” with responsibility for such processing.

Government amendments 18 to 44.

Amendment 12, in page 32, line 7, leave out clause 17.

This amendment keeps the current requirement on police in the Data Protection Act 2018 to justify why they have accessed an individual’s personal data.

Amendment 1, in clause 18, page 32, line 18, leave out paragraph (c) and insert—

“(c) omit paragraph 2,

(ca) in paragraph 3—

(i) for “data protection” substitute “high risk processing”,

(ii) in sub-paragraph (a), for “natural persons” substitute “individuals”,

(iii) in sub-paragraph (a) for “natural person” substitute “individual” in both places where it occurs,

(cb) omit paragraphs 4 and 5,”.

This amendment would leave paragraph 3 of Article 35 of the UK GDPR in place (with amendments reflecting amendments made by the Bill elsewhere in the Article), thereby ensuring that there is a definition of “high risk processing” on the face of the Regulation.

Amendment 226, page 39, line 38, leave out clause 26.

Amendment 227, page 43, line 2, leave out clause 27.

Amendment 228, page 46, line 32, leave out clause 28.

Government amendment 45.

Amendment 235, page 57, line 29, leave out clause 34.

This amendment would leave in place the existing regime, which refers to “manifestly unfounded” or excessive requests to the Information Commissioner, rather than the proposed change to “vexatious” or excessive requests.

Government amendments 46 and 47.

Amendment 237, in clause 48, page 77, line 4, leave out “individual” and insert “person”.

This amendment and Amendments 238 to 240 are intended to enable the digital verification services covered by the Bill to include verification of organisations as well as individuals.

Amendment 238, page 77, line 5, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 239, page 77, line 6, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 240, page 77, line 7, leave out “individual” and insert “person”.

See explanatory statement to Amendment 237.

Amendment 241, page 77, line 8, at end insert (on new line)—

“and the facts which may be so ascertained, verified or confirmed may include the fact that an individual has a claimed connection with a legal person.”

This amendment would ensure that the verification services covered by the Bill will include verification that an individual has a claimed connection with a legal person.

Government amendments 48 to 50.

Amendment 280, in clause 49, page 77, line 13, at end insert—

“(2A) The DVS trust framework must include a description of how the provision of digital verification services is expected to uphold the Identity Assurance Principles.

(2B) Schedule (Identity Assurance Principles) describes each Identity Assurance Principle and its effect.”

Amendment 281, page 77, line 13, at end insert—

“(2A) The DVS trust framework must allow valid attributes to be protected by zero-knowledge proof and other decentralised technologies, without restriction upon how and by whom those proofs may be held or processed.”

Government amendments 51 to 66.

Amendment 248, in clause 52, page 79, line 7, at end insert—

“(1A) A determination under subsection (1) may specify an amount which is tiered to the size of the person and its role as specified in the DVS trust framework.”

This amendment would enable fees for application for registration in the DVS register to be determined on the basis of the size and role of the organisation applying to be registered.

Amendment 243, page 79, line 8, after “may”, insert “not”.

This amendment would provide that the fee for application for registration in the DVS register could not exceed the administrative costs of determining the application.

Government amendment 67.

Amendment 244, page 79, line 13, after “may”, insert “not”.

This amendment would provide that the fee for continued registration in the DVS register could not exceed the administrative costs of that registration.

Government amendment 68.

Amendment 245, page 79, line 21, at end insert—

“(10) The fees payable under this section must be reviewed every two years by the National Audit Office.”

This amendment would provide that the fees payable for DVS registration must be reviewed every two years by the NAO.

Government amendments 69 to 77.

Amendment 247, in clause 54, page 80, line 38, after “person”, insert “or by other parties”.

This amendment would enable others, for example independent experts, to make representations about a decision to remove a person from the DVS register, as well as the person themselves.

Amendment 246, page 81, line 7, at end insert—

“(11) The Secretary of State may not exercise the power granted by subsection (1) until the Secretary of State has consulted on proposals for how a decision to remove a person from the DVS register will be reached, including—

(a) how information will be collected from persons impacted by a decision to remove the person from the register, and from others;

(b) how complaints will be managed;

(c) how evidence will be reviewed;

(d) what the burden of proof will be on which a decision will be based.”

This amendment would provide that the power to remove a person from the DVS register could not be exercised until the Secretary of State had consulted on the detail of how a decision to remove would be reached.

Government amendments 78 to 80.

Amendment 249, in clause 62, page 86, line 17, at end insert—

“(3A) A notice under this section must give the recipient of the notice an opportunity to consult the Secretary of State on the content of the notice before providing the information required by the notice.”

This amendment would provide an option for consultation between the Secretary of State and the recipient of an information notice before the information required by the notice has to be provided.

Government amendment 81.

Amendment 242, in clause 63, page 87, line 21, leave out “may” and insert “must”.

This amendment would require the Secretary of State to make arrangements for a person to exercise the Secretary of State’s functions under this Part of the Bill, so that an independent regulator would perform the relevant functions and not the Secretary of State.

Amendment 250, in clause 64, page 87, line 34, at end insert—

“(1A) A report under subsection (1) must include a report on any arrangements made under section 63 for a third party to exercise functions under this Part.”

This amendment would require information about arrangements for a third party to exercise functions under this Part of the Bill to be included in the annual reports on the operation of the Part.

Government amendments 82 to 196.

Amendment 6, in clause 83, page 107, leave out from line 26 to the end of line 34 on page 108.

This amendment would leave out the proposed new regulation 6B of the PEC Regulations, which would enable consent to be given, or an objection to be made, to cookies automatically.

Amendment 217, page 109, line 20, leave out clause 86.

This amendment would leave out the clause which would enable the sending of direct marketing electronic mail on a “soft opt-in” basis.

Amendment 218, page 110, line 1, leave out clause 87.

This amendment would remove the clause which would enable direct marketing for the purposes of democratic engagement. See also Amendment 220.

Government amendments 253 to 255.

Amendment 219, page 111, line 6, leave out clause 88.

This amendment is consequential on Amendment 218.

Government amendments 256 to 265.

Amendment 7, in clause 89, page 114, line 12, at end insert—

“(2A) A provider of a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty under this regulation.”

This amendment would clarify that a public electronic communications service or network is not required to intercept or examine the content of any communication in order to comply with their duty to notify the Commissioner of unlawful direct marketing.

Amendment 8, page 117, line 3, at end insert—

“(5) In regulation 1—

(a) at the start, insert “(1)”;

(b) after “shall”, insert “save for regulation 26A”;

(c) at end, insert—

“(2) Regulation 26A comes into force six months after the Commissioner has published guidance under regulation 26C (Guidance in relation to regulation 26A).””

This amendment would provide for the new regulation 26A, Duty to notify Commissioner of unlawful direct marketing, not to come into force until six months after the Commissioner has published guidance in relation to that duty.

Government amendment 197.

Amendment 251, in clause 101, page 127, line 3, leave out “and deaths” and insert “, deaths and deed polls”.

This amendment would require deed poll information to be kept to the same standard as records of births and deaths.

Amendment 9, page 127, line 24, at end insert—

“(2A) After section 25, insert—

“25A Review of form in which registers are to be kept

(1) The Secretary of State must commission a review of the provisions of this Act and of related legislation, with a view to the creation of a single digital register of births and deaths.

(2) The review must consider and make recommendations on the effect of the creation of a single digital register on—

(a) fraud,

(b) data collection, and

(c) ease of registration.

(3) The Secretary of State must lay a report of the review before each House of Parliament within six months of this section coming into force.””

This amendment would insert a new section into the Births and Deaths Registration Act 1953 requiring a review of relevant legislation, with consideration of creating a single digital register for registered births and registered deaths and recommendations on the effects of such a change on reducing fraud, improving data collection and streamlining digital registration.

Government amendment 198.

Amendment 229, in clause 112, page 135, line 8, leave out subsections (2) and (3).

Amendment 10, in clause 113, page 136, line 35, leave out

“which allows or confirms the unique identification of that individual”.

This amendment would amend the definition of “biometric data” for the purpose of the oversight of law enforcement biometrics databases so as to extend the protections currently in place for biometric data for identification to include biometric data for the purpose of classification.

Government amendments 199 to 207.

Government new schedule 1—Power to require information for social security purposes.

Government new schedule 2—National Underground Asset Register: monetary penalties.

New schedule 3—Identity Assurance Principles—