Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025

Considered in Grand Committee

Moved by

That the Grand Committee do consider the Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025.

My Lords, this instrument was laid before the House on 7 July. The then Home Secretary and the current Home Secretary have exercised powers under Section 82(2A) of the Data Protection Act 2018 to specify in this instrument the qualifying competent authorities that will be able to apply for a designation notice under Section 82(2A) of the DPA. During the passage of the Data (Use and Access) Bill, the House debated the parent provisions for this instrument; I hope that noble Lords will bear with me. Section 89 of the Data (Use and Access) Act will insert Sections 82A to 82E into the Data Protection Act 2018. I will briefly summarise those provisions so that noble Lords are reminded of the context.

Under the Data Protection Act, authorities processing for law enforcement purposes and intelligence services are subject to two separate legislative data-processing regimes for processing personal data. This precludes a joint controllership between both entities and makes working together much more difficult, especially in the context of public safety and national security.

Let me give noble Lords an example. An intelligence service and a police force working together on a joint investigation could not work from a single shared dataset setting out individuals of interest and related intelligence. Instead, each must have their own copy of the data, sharing data back and forth between one another and across data protection regimes in order to allow each other to update their intelligence. Self-evidently, this decreases efficiency and reduces joint-working capabilities. I suggest to noble Lords that there is a clear public interest in enabling closer joint working between law enforcement bodies and the intelligence services in matters of national security. I remind noble Lords that these issues were highlighted in the reports on the Fishmongers’ Hall and Manchester Arena terrorist attacks.

Once the provisions are in force, qualifying competent authorities will, together with at least one intelligence service, be able to apply for a designation notice from the Secretary of State under Section 82A of the Data Protection Act where it is required for the purposes of safeguarding national security. This designation notice will allow the intelligence services and qualifying competent authority in question to form a joint controllership for that processing activity. It does not mean that open sharing of all data between the organisations can take place. When applying for a notice, the organisations must set out the processing for which they are applying, and a designation notice will apply to that processing only. Prior to granting a notice, the Secretary of State must consult the ICO.

I turn to the instrument itself. The Data (Use and Access) Act inserted Section 82(2A) into the Data Protection Act 2018, allowing the Secretary of State to specify by regulations which competent authorities are able to apply for a designation notice alongside an intelligence service. Competent authorities are defined in Section 30(1) of the DPA 2018 as

My Lords, this instrument is a welcome step in increasing the efficacy of our data sharing and protecting our national security interests. Until the enactment of this instrument, authorities processing information under the Data Protection Act 2018 have been subject to two separate legislative data-processing regimes for law enforcement and intelligence services respectively, as the Minister outlined. The previous Government recognised the unduly burdensome process of data processing between two bodies with no means of centralising multiple datasets for analysis and operation, which is why the previous Government put forward the Data Protection and Digital Information Bill. It is a welcome step that the current Government are now taking the same initiative.

There is an evident public interest in correcting the inertia. Data sharing between authorities has proved inefficient and bureaucratic at the expense of national security. In particular, reports into the Fishmongers’ Hall and Manchester Arena terror attacks highlighted the shortcomings in the current arrangements. As has been stated here and in the other place, we must heed the lessons learned from those tragedies and act on them.

As the Minister summarised, the instrument lays out the list of those entities or persons considered qualifying competent authorities that, once this measure is in place, will be able to apply for a designation notice from the Secretary of State alongside an intelligence service for the purpose of safeguarding national security, thereby allowing both parties to form a joint operational controllership.

I am aware that the Government cannot divulge further information about their decisions as to which bodies are included in the list of qualifying competent authorities, but I am none the less aware of the challenges that come with data sharing across different entities and the variance of protection and sophistication that they may use. It is always worth being sceptical when it is announced that intelligence services will begin to share their data or at least permit others joint operational control. While I am sure that none of the competent authorities’ data systems is subpar and that the Secretary of State will thoroughly have vetted this, it is still worth asking the Minister for reassurance that the qualifying competent authorities are prepared to enter into joint controllership.

My Lords, I am grateful to the noble Lord, Lord Cameron of Lochiel, for his broad support for this instrument. As he mentioned, the competent authorities, which we have now specified as qualifying competent authorities, have been selected following consultation with partners operating in the area of national security. They include competent authorities involved in areas where national security is a consideration. The noble Lord is absolutely right that we cannot go publicly into the details of the rationale, and I do not wish to publicly comment on the differing preparedness of the bodies, but I can assure him that authorities have been included where there is a reasonable potential for joint controllership to be formed. There will be activity to make sure that that synergy occurs. It is done for a purpose.

The 23 authorities are clearly listed in the regulations before us today. They are all very competent authorities. They include chief constables and commissioners of police, the British Transport Police and the Civil Nuclear Constabulary, the Royal Navy Police and the Royal Air Force Police. They are very assured in dealing with security issues and having secure data control. The bodies include HM Revenue & Customs, the National Crime Agency, the Parole Board, the Parole Commissioners for Northern Ireland and the Probation Board for Northern Ireland. They are all public bodies that have great experience in managing, controlling and, where appropriate, sharing data.

The noble Lord is right to test that question, but I believe that the competent authorities can be trusted with the information that is there to be shared. Again, I confirm to him that these recommendations follow serious terrorist incidents that have taken place. The risk of not having that sharing capacity is much greater than the issues he mentioned. I am grateful for his support and for the work of the previous Government. Unless there are further comments, I commend this instrument to the Committee.

Motion agreed.