(7 years, 9 months ago)
Lords Chamber
My Lords, I have no doubt that we will constantly return to codes of practice, especially about the need for them to be revised and, I hope, improved. But the purpose of these amendments, particularly Amendment 81, is to ensure that when they are finally agreed they have strength and a statutory basis to ensure that they are properly applied. It is important that the principles and safeguards that we have debated so far are included and statutory. I am concerned that having “regard to” provides too many loopholes that will undermine the very public confidence that we seek in passing the Bill. I hope that the Minister will be able to reassure all sides of the House, once again, about how we can consult broadly on these codes and ensure that they are properly referenced in legislation and properly complied with.
In Amendment 107B, we know that what is important is that corrective action can take place if there is a breach of the code. We know that measures are also in the Bill, including criminal sanctions, where data protection is breached. But what about those areas and cases where public authorities exceed those powers for supposedly public good? Will the Minister tell us what adequate measures would be in place? The Minister in the other place said that the wording “had regard to” already follows common practice in legislation, as illustrated in Section 25 of the Immigration Act 2016 and Section 77 of the Children and Families Act 2014. He argued that as the power covers a range of public authorities and devolved territories, the Government want flexibility about how the powers can be operated so that we can learn what works and adapt the code as necessary. This comes to the crux of the matter once again and why so many noble Lords have concerns about these provisions. It is this open-ended flexibility and uncertainty about where this is going to lead to that raise concerns. We are told that to put these matters into the Bill would hamper the ability to adapt for future purposes. If bodies fail to adhere to the code, the Minister will make regulations that remove their ability to share information under that power.
Part 11 of the code states:
“Government departments will expect public authorities wishing to participate in a data sharing arrangement to agree to adhere to the code before data is shared. Failure to have regard to the code may result in your public authority or organisation being removed from the relevant regulations and losing the ability to disclose, receive and use information under the powers”.
Is that really sufficient? Is that enough? What about the cases that we have heard? As the Minister said in the previous debate, departments are not infallible. I do not think that this is sufficient. We know that the Information Commissioner wants changes; we know that they want these codes not only to be improved but to have proper force. I beg to move.
My Lords, I, too, shall speak to this group of amendments, having put my name to some of them. The noble Lord, Lord Collins, has already raised the issue about the permissive approach in the Bill, which we have rather rejected, and the question of inserting “complied with” rather than “had regard to”. Many of the amendments deal with that issue across the various agencies involved. When you consider that this is operated in relation to various criteria to do with improving people’s physical health, their emotional well-being, their contribution to society and their social and emotional well-being, the breadth of those areas is really rather daunting. You could justify almost anything under those four areas, and I do not really believe that the code of practice could be remotely enforceable if those were the criteria that were used.
Worse still, they could be used in a rather punitive way. For example, it could be argued that it is improving people’s well-being by making them work; and if they are disabled, pursuing people who have disabilities or difficulty in getting work could be used to penalise vulnerable groups. It would affect people who are on benefits or are pensioners—all sorts of vulnerable people. There needs to be somewhat more rigour in the Bill than criteria such as those that we see there now.
Moreover, these amendments deal with a minimum consultation period, which we support. Finally, the code of practice should be laid before Parliament, which, again, would be another safeguard. We must have much more transparency and greater rigour of application, enforceability and consistency across all the agencies and with other rules of disclosure. I would like to hear what the Minister has to say about these concerns. We believe that these matters must be answered and wish to understand the Government’s approach in order to decide whether we need to take this forward at a later stage.
My Lords, I, too, support the various amendments in this group. “Having regard to” a matter always seems to leave some wriggle room. If there should be exceptions to compliance—because I think we are talking about compliance here, not about consistency—then those should be spelled out. I accept that having codes of practice outside primary legislation allows for flexibility, which might be useful, for a response to experience of the operation of the code and, perhaps, for changing circumstances. However, there is so much reliance on codes of practice here that an inclusive process for constructing and finalising them is very important, as well as transparency in operation.
The noble and learned Lord will probably have a better recollection than I have of the discussion during the passage of the Investigatory Powers Bill about providing transparency by way of ensuring that people who were affected by the transmission of information knew about it. This was rejected for security reasons, but that would not be the case here. The overall objective has to be transparency and inclusiveness.
My Lords, Amendment 81 and the other amendments in this group are intended, of course—and I understand this—to strengthen enforcement of the codes of practice in relation to the public service delivery, debt and fraud, and research powers by requiring authorities who use the powers to “comply with” rather than “have regard to” these codes. The noble Lord, Lord Collins, has sight of a loophole, and the noble Baroness, Lady Hamwee, has encountered wriggle room, but I would take issue with those descriptions.
There is common ground here. We, too, believe that the codes are an important part of the data-sharing powers. However, the Government believe that “have regard to” is the right level of obligation for a code of practice. This is a legal obligation. Such persons when disclosing or using information will be expected as a matter of law to take the codes seriously and follow their requirements in all cases unless there are cogent reasons why they should not do so. It is, of course, common practice for legislation to set out the critical limitations on a power while codes of practice—which are more adaptable, as the noble Baroness, Lady Hamwee, acknowledged—are advisory tools that supplement with regard to best practice, principles and guidance.
The noble Lord, Lord Collins, alluded to a situation in which an authority exceeds its powers for the public good. In such a situation—without going into the detail of it—the authority would be exceeding its powers and it would have to answer for that, whatever the public good might justify in other circumstances.
Key conditions for the disclosure and use of information are set out in the Bill, including what can be shared, by whom and for what purpose. We have followed a common approach taken by government and others, including the Information Commissioner, to provide more detail on how data are to be shared in a code of practice. That does not mean that the code is to be treated lightly. Legal consequences may follow if the code is disregarded, as the Delegated Powers and Regulatory Reform Committee pointed out in its report on the Bill. The relevant Minister can make regulations to remove a body’s ability to share information under the power if it fails to adhere to the code. The noble Lord, Lord Collins, raised the question as to whether that is considered sufficient in the circumstances. We do consider that that is a sufficient safeguard in the circumstances. I also remind noble Lords—in particular, the noble Baroness, Lady Janke—that the first requirement of the Data Protection Act is that processing of data should be fair and reasonable. That underpins in existing legislation the whole approach that should be taken to this Bill.
The noble Baroness, Lady Hamwee, sought to draw a distinction between the provisions here and those in the Investigatory Powers Act about knowledge of data transfers. Of course, although we are not necessarily dealing here with national security, we are dealing with issues such as fraud, where it would be wholly inappropriate to give people advance notice of data sharing, particularly if one were going to address issues of criminal conduct.
Amendment 107B would require breaches of the code of practice on the public service delivery power to be reported to the Investigatory Powers Commissioner. It also places a duty on the Investigatory Powers Commissioner to investigate serious breaches and, where necessary, to inform the relevant individual of the breach. In doing so, the commissioner would have to ask the person in breach to make submissions before making a decision. With respect, the amendment would impose a considerable additional function on the Investigatory Powers Commissioner, where he or she would be bound to deal with breaches of a code of practice on information sharing which in no way relates to the commissioner’s remit of investigatory powers.
Indeed, placing such duties on the Information Commissioner would effectively be broadening the Information Commissioner’s remit without appropriate consultation. It would, as with Amendment 81B, cut right across the functions of the Information Commissioner, as distinct from the Investigatory Powers Commissioner; the Information Commissioner being responsible for upholding the Data Protection Act 1998, and also the safeguards and procedures for dealing with breaches of the code, which are already set out in various provisions. Such an amendment would blur the lines between the responsibilities of the Information Commissioner and the Investigatory Powers Commissioner and potentially lead to confusion and unnecessary duplication. If, in making those observations, I referred to the Investigatory Powers Commissioner when I meant the Information Commissioner and referred to the Information Commissioner when I meant the Investigatory Powers Commissioner, that simply underlines how easy it is to cause confusion in this area.
Amendments 108, 115, 134 and 151 call for the codes to be subject to approval by Parliament. A similar requirement was also raised by the Delegated Powers Committee in its recent report. We are carefully considering that proposal and I assure noble Lords that we will be responding to it shortly. Amendments 109 and 135 would introduce a requirement for the Minister to consult publicly on the code for a minimum of 12 weeks before issuing or reissuing it. Amendments 110, 152 and 190 would require that the Minister demonstrate that responses to the public consultation,
“have been given conscientious consideration”.
The policy in respect of these powers, and much of the content of the codes of practice, have been developed over two years of open policy development with a range of public authority and civil society organisations. The code sets out procedures and best practice drawn from guidance produced by the ICO and Her Majesty’s Government. We amended Clauses 36, 45, 53 and 61 in the other place to ensure our code will be consistent with the Information Commissioner’s data-sharing code of practice. The clauses contain a requirement that the Minister consults the devolved Administrations, the Information Commissioner and any other person the Minister considers appropriate prior to the issue or reissue of the code. I assure noble Lords that these other persons will include civil society groups and experts from the data and technology areas. It is, indeed, our intention to run a public consultation before laying the code before Parliament. I need hardly add that all consultations are taken seriously by the Government and all responses considered with appropriate conscientiousness.
I understand the interest in the codes and the desire to make sure they are effective. The codes will provide a strong safeguard for the use of the power, backed up by real consequences if they are not adhered to. With that, and while we consider the recommendations of the Delegated Powers Committee further—as I have indicated, we intend to do that in the very near future—I invite the noble Lord to withdraw his amendment.
The noble and learned Lord warned us against giving advance notice to potential fraudsters, but I think we are talking in these amendments about notice which may be in retrospect. I am looking at the noble Lord who has tabled the amendments. There are different issues, I think, about giving notice in advance and telling people that you have transferred information. Maybe we need to come back to the distinction between the two at the next stage. On the requirement to have regard but not necessarily to comply, does that not point up the real weakness of a code that is not approved by Parliament? These two bits of fragility seem to me to go hand in hand and undermine the security, as it were, of the regime.
I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.
I thank the Minister for his response. Obviously, the codes of practice are key to giving a sense of security and to building public confidence. They are critical, which is why noble Lords want to see exactly how they will end up. I am very happy with the reassurance that the Minister gave regarding parliamentary involvement and consideration of the report of your Lordships’ committee. That is very welcome and we will return, obviously, to some of the issues, particularly on medical information and other information set out in other groups. We will return to the subject of the Investigatory Powers Commissioner in the next group and I will explain in that discussion why we see, perhaps, a distinct role, arising from the debate this House had on the Investigatory Powers Act. In the meantime, I beg leave to withdraw the amendment.
Are we dealing with Amendment 81ZA? I would hate to give the wrong speech on the wrong group, although I suspect that noble Lords would notice. I have been in other forums where people have not noticed, but that is another matter.
Amendment 81ZA focuses on the extension of sharing objectives to include the electoral register. A number of amendments in this group address concerns that have been raised about living in cold homes or school meals provision: basically, how we make this sharing of data more effective. I have no doubt that the Minister will say in response that the Bill will allow for this, but we want to raise on the Floor of the House the importance of these extensions of sharing objectives to the overall, broad objectives set out in Part 5.
Focusing on the electoral register, we know that the Electoral Commission has said that up to 1.9 million people could lose their right to vote as we transition to the individual registration of electors. Of course, until 2009 one person in each household completed the registration for every resident eligible to vote. It was a Labour Administration who accepted the principle, and there may be very good reasons, but the way the changes are introduced could be a disaster for our electoral system. That is why it is fundamentally important that we see data sharing as a positive way to address this potential effect on our democratic system. My noble friend Lord Stevenson has tabled an amendment to the higher education Bill that seeks to enhance the responsibility of higher education institutions to remind students of their right to register to vote—and particularly to decide where to vote. In this amendment we are trying to ensure that institutions have proper powers to share data to that end.
It must be understood that this transition to individual registration has put a huge burden on cash-strapped local councils, who need to contact 46 million people instead of 20 million. Some people have been unable to register, many of them because they simply do not have the required access that they would previously have had. This amendment focuses on people who are vulnerable, who need help, or who have not previously taken up their rights, perhaps because they do not have the necessary access or are not fully aware. That comes back to the issues—many other noble Lords will pick up the point—of fuel poverty and access to free school meals. The right to free school meals is important not only for the individual child—for the benefits the child will get—but for the funding of the educational institutions. I hope, therefore, that the Minister will accept these amendments, which are about ensuring that we can do these things and that these issues are addressed, even if he does not think that they should necessarily be in the Bill.
My Lords, I shall speak to Amendment 82. This Bill is an opportunity possibly to enhance the lives of the most disadvantaged and vulnerable people in our society. The words of our Prime Minister always come to mind:
“a country that works for everyone”.
This amendment will help the country work for everyone. Currently, the parent of a child wishing to have a free school meal must apply for it. Not only does that provide a free school meal, which is hugely important for children because hungry children are not good learners, but it ensures that the school gets a pupil premium—a substantial sum of money—to help those disadvantaged pupils.
This simple amendment would ensure that local authorities automatically enrol those entitled to receive free school meals. Local authorities currently administer a number of benefits, such as council tax and housing benefit, so they are aware of families that would be eligible to claim free meals and would automatically contact the school. This would ensure that parents who, for a host of reasons, fail to claim would be able to do so.
It is estimated that a family with a child receiving free school meals can save up to £400 a year. Noble Lords may imagine that if the parents have more than one child the saving is quite substantial. As well as the family saving money and the child getting a free school meal it ensures that the school gets a substantial amount of money—the pupil premium—to help disadvantaged pupils.
The Minister will probably reply—as did the Minister from the other place—that the department’s own electronic eligibility checking system means that the clause is not really needed. That, however, is only a system which enables a school to check whether the parent is on the free meals register: it has speeded up the process but does not do the job that this amendment hopes to do.
I make a further point about this, at a time when we are all sensitive about the amount of private data that circulates: there is perhaps a fear that leads people to question why schools should have private data on pupils entitled to free meals. For that reason the amendment clearly states that parents will be notified before this information is made available and that there will be opt-out arrangements. I hope, therefore, that the Minister will be sympathetic to this very important amendment.
My Lords, it is a pleasure to follow my noble friend. I support his Amendment 82 and shall speak to Amendment 92, which is in a similar vein but relates to the warm home discount. I am grateful to the right reverend Prelate the Bishop of St Albans and to the noble Baroness, Lady Massey, who have other duties in the House and would otherwise be here.
It is my pleasure to speak to Amendment 92, which seeks to test the possibilities that Clauses 30 to 32 open up. For years I have been banging away at the Department for Work and Pensions to make proper and better beneficial use, in terms of client well-being, of the vast amount of data that it has on families. That, together with the data held by HMRC, and particularly the data generated when universal credit comes in, will give the Government as a whole immensely enhanced abilities to promote well-being, particularly in our low-income households. I warmly welcome Clauses 30 to 32.
I am listening carefully and correctly to some of the interrogation that is being properly directed at the Government, because we have to get this right; it is very important that the protections are there. Subject to those protections, I am an enthusiast for making use of these provisions. I am slightly surprised that there have not been more attempts—like mine and that of my noble friend—to prise open new opportunities as the Bill goes through. This amendment tries to test the willingness, enthusiasm and ingenuity of Ministers in seeing how they can expand public services to our citizens under Clauses 30 to 32.
Amendment 92 simply seeks to improve the use of data-sharing powers to extend the reach of the warm home discount. The provenance of this amendment is work that I have been doing over months and years for the Children’s Society, and I acknowledge and pay tribute to the work it does with families, particularly with children in fuel-poor households. The Children’s Society has been making the argument to me about the importance and urgency of getting the issue of fuel poverty dealt with more adequately. We need only look at the announcement from npower last week, and indeed some of the wider economic indicators that are showing that this group of fuel-poor households is likely to find things getting a lot worse before they get any better. We need to pay attention to that.
I am told by the Children’s Society that, according to the Government’s own figures, families with children are now the biggest group affected by fuel poverty: 45% of households that can claim the warm home discount are now families with children under 18. The Children’s Society has some valuable survey evidence of a project that it carried out in Bradford and in other places, which indicates clearly the distress caused by fuel poverty. For instance, there is the fact that parents in these households are frightened to turn up the heating in cold winter months because they fear the level of the increased bills it would occasion. Some of those same parents believe that their children’s health is potentially affected by not doing so, so it is a real concern for the parents involved.
My Lords, like those of the noble Lord, Lord Kirkwood, my three relatively small amendments in this group relate to fuel poverty. I was not at all surprised when my noble friend Lord Collins of Highbury was a bit confused at the beginning of this rather mixed-up group. It covers not only my subjects but voter registration and free school meals; most of the government amendments seem to relate to water and sewerage. I was tempted to say that it covers electoral rolls, bread rolls and toilet rolls. However, my amendments deal with something entirely different and their intention is very much the same as those of the noble Lord, Lord Kirkwood. I will not repeat all that he said.
My aim here is to make the system of data sharing more effective. I recognise all the concerns expressed around this Committee about the dangers of data sharing by public bodies and I understand them, because in different circumstances I have been deeply suspicious of the gas and electricity companies, as the noble Baroness, Lady Byford, clearly was a couple of groups ago. To make identification of the fuel poor more effective, we need more effective and comprehensive data sharing, along with the ability of different authorities and companies to share them, but this must be subject to all the safeguards. One safeguard is clearly stated in the Bill: that the information that can be used and shared in this way relates to the health of those affected by fuel poverty because they live in cold, draughty and damp homes. I do not need to spell out the effects of fuel poverty on those people’s health. It is quite important that in addition to the provisions in Clause 30(8) for helping the delivery of services and benefits, the clause should also refer to improving the health of those affected by it. My first amendment would do that.
My second and third amendments simply extend those gas and electricity operators which need to be engaged in it and will be subject to the same safeguards. It is increasingly the case that consumers and householders, including the fuel poor, have a closer affinity with the distribution networks than with their sensible supplier, which sends them the bill. To improve their situation, they will have to deal with the electricity distributor and, shortly, with the gas network distributor company. These amendments to Clause 31 deal with putting those distributors in the same category as gas and electricity suppliers. These are tidying-up amendments but they will make data sharing in this important area of fuel poverty more effective. The noble Lord, Lord Kirkwood, spelled out why that is necessary and, in particular, why those not automatically assigned to the warm home discount need to be identified and automatically put on the list of those who receive it. If we achieve that via the Bill, it will be a very important improvement and a step towards eliminating fuel poverty in our society.
My Lords, I want to ask a question about government Amendments 83A and 83B, which are about water and sewerage. Will these provisions apply only where there is a water meter? I am struggling to understand how they can work if the customer does not have metered water, and whether the information would be relevant—and how it could be used—if that is not the case. I am quite prepared to be told that I have not understood this properly but if I am right, should the provision not spell out that it is confined to that situation? That would make it clearer.
My Lords, I declare my interest as a partner in the global insurance law firm DAC Beachcroft and as chair of the British Insurance Brokers’ Association, along with other interests set out in the register.
In speaking to Amendment 196A, I seek to address a small but important point on the operation of the Employers’ Liability Tracing Office, or ELTO. Colleagues may recall that I also raised this when we debated the Enterprise Bill in 2015. Although it has been grouped with amendments to Clause 30—I am happy to accept the grouping—it seeks to insert a new clause after Clause 65 in Chapter 6 of the Bill, which deals with Her Majesty’s Revenue and Customs.
In 2010, the Department for Work and Pensions identified the need for a tracing office, and ELTO was established in the same year. Sadly, former employees continue to contract industrial diseases, including cancer, due to workplace exposure many years earlier. All too often, the employer is no longer in existence by the time the disease is diagnosed. This was considered by our colleagues at the Department for Work and Pensions as a major obstacle to the former employees’ obtaining compensation.
ELTO was established, and the insurers are now required to provide to ELTO details of all employers’ liability policies that have been issued since April 2011. According to the information I have received, ELTO is working well. In the 11 months to the end of November last year, there were more than 178,000 successful searches of the Employers’ Liability Database, but it could be working better.
The piece of the jigsaw that is often missing is the employer’s PAYE reference number. This number is now used to identify an individual employer in the Pay as You Earn system. Each employer is given a unique reference number. If this unique reference number could be applied to the Employers’ Liability Database, it would make searches more accurate, as it would avoid problems of company names’ changing over time. Generally speaking, it would enable the correct employer to be traced.
One major obstacle is that by law ELTO is unable to gain this information under the Commissioners for Revenue and Customs Act 2005, which prevents HMRC from sharing information except in specified circumstances. Alternatives to primary legislation have already been explored with HMRC. Although we often think of employers as large companies, many are sole traders or family partnerships. For them, the reference number could well amount to personal data, which are rightly protected from general disclosure.
The measure, which I now understand is supported by ELTO and HMRC, is proportionate. HMRC has a ready-made database of these unique reference numbers to which ELTO could be given limited access. All ELTO needs is the reference number itself and the name and address of the employer as a cross check. The amendment would permit ELTO and HMRC to set up, at no cost to HMRC, a facility to share this limited information. It will help make the ELTO database fit for the future.
Many noble Lords will know that I have the honour to be an officer of a number of all-party groups, including not only the Occupational Safety and Health All-Party Group but also the All-Party Group on Insurance and Financial Services, so I should also declare those interests because this amendment is strongly supported by my colleagues on those groups.
This amendment would provide great benefit to employees, employers and insurers alike. I hope my noble friend the Minister will feel able to accept it.
My Lords, I am grateful to all noble Lords who have spoken. It is refreshing that, after the debate that we have had on all the concerns and worries that noble Lords have on data sharing, we now hear proposals on how data sharing can benefit various groups. This is our ambition. This is why we set the Bill up as we did and also why the devolved Administrations are so supportive. The noble Lords, Lord Collins, Lord Kirkwood, Lord Storey, Lord Whitty and my noble friend Lord Hunt all made valuable suggestions. I will come to some of the reasons that we agree or disagree with them, but fundamentally the principle is exactly why we set the system up.
Amendment 81ZA, in the name of the noble Lord, Lord Collins, seeks to require the effective maintenance of the electoral register to be specified as an objective in regulations under the public service delivery power. Electoral registration officers already have extensive powers to seek access to information in public records, providing it is for the purpose of ensuring that electoral registers are as complete and accurate as possible. Under current provisions, they would not be able to seek access to other public records for the purposes of identity verification if an applicant’s details cannot be matched against DWP records or local data sources.
I thank the Minister for his response. The problem is that these issues are not simply about entitlement but about a system in which people have to choose. The point is how you make that easier. With individual voter registration, which is a new system, there is a possibility that people will be removed from the electoral roll and therefore denied the opportunity to vote. We talk about a positive outcome. It might be one for one particular party. The boundary reviews will be based on registers that will be removing people and therefore on numbers of electors that are not necessarily the real numbers. I find it a bit disappointing that the Minister sees it as simply an administrative step.
This comes back to the fundamental point that everyone who has spoken, whether about school meals or the warm home discount, sees that this is an opportunity to improve governance and outcomes for people, obviously with the required safeguards. I think all of us in this Chamber will want to return to these issues because they are vital for the well-being of our people. In the light of the Minister’s comments, I beg leave to withdraw the amendment.
The Minister gave me some preliminary notice of the Government’s attitude to this amendment and alluded to the potential confusion of different roles and different names. No doubt I might even make the mistake of using the term “Information Commissioner” rather than “Investigatory Powers Commissioner”.
However, there is an important point here on which we want to probe the Government, and that is about the changing world and how we respond to it to make sure that the interests of the individual are properly thought of and protected. The point is about restoring public confidence. We have a legal framework that is structured around the Data Protection Act and a regulatory framework that allows breaches to be investigated and matters to be determined where there has been a breach. It is a system that protects the individual after the event. What we are trying to do here is what the Investigatory Powers Act, which became law at the end of last year, sought to do—that is, it does everything possible to ensure that intelligence agencies and law enforcement use only such powers as Parliament approved after a careful and well-informed debate. We cannot revert to a world in which the Government understand and apply the law in ways that were not foreseeable to the rest of us, still less to a world in which our freedoms depend on the potentially harmful activities of whistleblowers.
This amendment seeks to ensure that, in this fast-changing world, in the plans for the future use of powers identified in the Bill, the rights of the individual are not only safeguarded but are put at the head of the agenda rather than considered as an afterthought. That is why we have used the framework of the Investigatory Powers Act to raise this issue. With regard to future changes or extension of powers, who is thinking of the rights of the individual? It is important that the Government, if they are unable to deal with this consideration in today’s group, return to this subject in future provisions.
My Lords, our amendments in this group add safeguards. The noble Lord, Lord Collins, referred to some of these: that sharing of information be minimal; that the authorised conduct be proportionate to the object of the exercise; that a privacy impact assessment be conducted; and that proposed measures be subject to public consultation.
In addition, we support the amendments advocated by the BMA. Amendment 89 would remove the subsection through which sharers of information are not bound by the principle of confidentiality. Amendment 93 is a further safeguard preventing an authorised sharer of information from disclosing identifiable health information. I look forward to the Minister’s response.
My Lords, in this group I tabled Amendments 100 and 196. Within this group we are debating data sharing and the putting in place of safeguards that make us confident in the next move to make life better for the majority of people. I have one or two direct questions, particularly on the level of data that will be supplied from one authority to another. For example, does the Bill intend that information be supplied on the number of households in a given postal area where child benefit is being claimed and/or where all adults are unemployed? Would it be up to the users of the data to extract a summary picture from details of, for example, names, addresses, whether benefits are received, whether householders are unemployed or any other data?
At any level of inquiry, I presume data will be transferred such as dates of birth and marital status that, were they to fall into the wrong hands, could be used to perpetrate private fraud. No one today has mentioned private fraud, but it can come about as a result of lack of security and safeguarding. Again, perhaps the Minister will indicate what relevant provisions there are. I am unsure whether I have missed some. At earlier stages of the Bill I mentioned the amount of fraud going on and it is horrifying. If the Bill can in any way tighten up on that, it would be an advantage.
For example, will personal information cover things such as whether an individual has a diagnosis of dementia or whether a family has been a cause of concern to the social work department in their own area? Who makes these judgments? At what stage are these activated? I may not have read the Bill carefully enough to find the missing answers. I pose these fairly simple questions to make sure that our safeguarding of this information is secure.
Amendment 100 is a probing amendment that seeks to complete the explanation of what information HMRC would disclose, providing examples of the circumstances under which it would be disclosed and a complete list of the groups or persons whose information would be handed over. This relates to Clause 30, of which we spoke earlier. Subsections (9) and (10) specify the well-being of persons or households and define well-being in terms of physical or mental health, contributions to society—which we have covered slightly earlier on and which is difficult; I should be glad of clarification on that—and emotional, social and economic well-being. The latter are easier to understand.
Clause 31 refers to people living in fuel poverty. Again, we debated this previously. Fuel poverty has been defined as,
“living on a lower income in a home which cannot be kept warm at a reasonable cost”.
Clause 32 also refers to people living in fuel poverty. I do not understand what is intended, nor what will be involved for those deemed to be affected. Defining well-being in terms of well-being suggests that definitions of those covered by this legislation could depend on the personal and political stance of those making those decisions. What is “lower income”? Within what limits do homes qualify under these clauses and who will rule that they cannot be kept warm at reasonable cost? What will be the limits of powers of such a decision-maker over, for example, someone who prefers to wrap up for three months of the year so they may enjoy their garden for nine; in other words, somebody who is living in a bigger house that costs more to heat? Will an individual be able to opt not to have personal information shared within local authorities and/or with gas and electricity suppliers?
Turning now to my Amendment 196 in this group, I do not pretend to know anything about the structure, organisation or responsibilities of HMRC. Hence, I do not understand whether an “official” is someone equivalent, say, to a board member in a quoted company. I fear, however, that that is unlikely to be the case. In this era of Facebook, Snapchat and the substitution of public opinion for demonstrable fact, I am unhappy—I do not know whether other noble Lords are—that perhaps a more junior member of HMRC could decide that disclosure would be in the public interest. In other words, where does the buck stop?
Disclosure of personal information, even supposedly non-identifying, should be done only on the authority of the head of the organisation. He or she presumably will have the knowledge, experience and breadth of understanding to be sure that it cannot be combined with other data to name individuals. He or she will also, presumably, be less likely to make errors of judgment, and of course a claim of ignorance of any such disclosure would not stand up to scrutiny, as they would obviously be at the most senior level.
My Lords, I will just pick up the noble Baroness’s last point about who is an official. There are examples, in other legislation, of references to “senior officials” and “designated officials”, which might be somewhere between the junior official she has in mind and the Permanent Secretary, but she is right to draw the issue to the Committee’s attention.
On an earlier group, the noble and learned Lord indicated that he was going to speak at greater length—I assume that may be on this group—on the reason for using the term “personal information” rather than “data”. Perhaps I may use my noble friend’s Amendment 213 to ensure that we get to share more of Government’s thinking. I understand the point about corporations, since in the one case, they come within the group covered, and in the other they do not. But I am still puzzled as to why such efforts have had to be made to deal with personal information and then to add in references to the Data Protection Act, rather than starting from the DPA—with any necessary exclusions—which would have taken us straight to the involvement of the Information Commissioner, the data protection principles and so on.
I wondered during the Statement whether to have a go at some alternative drafting for Report, but thought I had better wait for this discussion. But perhaps part of it boils down to a question on Clause 33(8), which says, in wording replicated elsewhere, that,
“nothing in section 30, 31 or 32 authorises … a disclosure which … contravenes the Data Protection Act”.
To look at it from the other end of that telescope, is there any personal information which is the subject of the Bill that would not fall within the DPA and therefore not be protected by that clause?
My Lords, I thought I would intervene to see if it might help the Minister. The code of practice does not make things any clearer. With reference to my noble friend’s very apt point about information versus data, paragraph 4 of the code says:
“The definitions of ‘personal information’ contained in the Bill are intended to ensure that the information shared through these powers is handled carefully”.
That does not sound like a particularly good legal answer to the question. It goes on:
“Though the definition of ‘personal information’ for the purposes of the Bill may differ from the definition of ‘personal data’ in the DPA, all information shared and used under the public service delivery, debt and fraud provisions must be handled in accordance with the framework of rules set out in the DPA”.
Where is that explicitly set out? It would be very helpful if the Minister, in answering, could advert to that as well.
My Lords, Amendment 81B seeks to place a duty on the Investigatory Powers Commissioner to ensure that the data-protection rights of citizens are considered and protected under the public service delivery power. The effect of this amendment would be to impose similar duties on the Investigatory Powers Commissioner as are already carried out by the Information Commissioner. It is for that reason that we do not consider that this amendment is necessary. I understand the points that the noble Lord, Lord Collins, has made in this context. We are all concerned to ensure that these powers are ring-fenced as far as is reasonably practicable and that any breach should be policed to the extent required. However, in our view, the Investigatory Powers Commissioner is not the appropriate party to deal with this matter. The Bill is not about investigatory powers, and accepting this amendment would result in a substantial and, as I sought to indicate earlier, confusing addition to the portfolio of the Investigatory Powers Commissioner.
We are of course concerned that there should be public confidence in the provisions of the Bill and in the whole body of data-sharing powers. I understand the observation of the noble Lord, Lord Collins, that the Investigatory Powers Act does everything possible to ensure security is there, so that only the given powers are exercised and that the rights of the individual are put at the head of any agenda, but that is clearly the intention of this Bill as well. That can be achieved by having regard to the position of the Information Commissioner in the context of the present provisions.
I understand and indeed admire the noble Lord’s suggestion that we should in some sense be seeking to future-proof the Bill. There are limits to our ability to do that, but I will return to that point in the context of the regulations that come into force in May 2018. We have already had regard to that in order to try to ensure that the provisions of the Bill will comply with imminent regulations, such as those I have just referred to.
The noble Lord also raised the question of confidentiality and the concerns that have been expressed by the medical profession in that context. Let us be clear that, as noble Lords will recollect, common-law obligations of confidentiality are rarely if ever absolute. We know that various common-law issues of confidentiality tend to be subject to one qualification or another. Concerns have been expressed over the interaction between the provisions of the Bill and medical confidentiality, primarily in respect of the statutory override within the Bill. The provisions of the Bill are clear that sharing data under the powers in the Bill does not breach any existing duty of confidentiality. That includes the common-law duty of confidentiality to the extent that it applies to patient information.
The use and processing of medical information is governed by common law, but also by the Data Protection Act 1998, by the provisions of the Human Rights Act 1998 and indeed by specific legislation which allows, requires or prohibits certain uses of such data. There is no blanket ban on the use of medical information outside the patient-doctor context, and it is not the case that every instance of sharing such information will constitute a breach of confidentiality. Indeed, the General Medical Council’s 2017 guidance expressly states personal information can be disclosed,
“without breaching duties of confidentiality”,
in particular circumstances, one of which is where the disclosure is,
“approved through a statutory process that sets aside the common law duty of confidentiality”.
So it is acknowledged by the General Medical Council itself that this may occur from time to time, and the provisions of the Bill are structured to reflect this. They override duties of confidentiality only in order to ensure that public authorities have clarity in terms of what they can and cannot share under the powers of the Bill. I hope that goes some way to meeting his concerns about confidentiality in that context.
Amendments 84, 87, 119, 138 and 213, which are also in this group and were referred to by the noble Baroness, Lady Janke, cover a broad range of suggested additional safeguards and restrictions on the use of the powers. They seek to introduce, among other things, an express data minimisation rule, a requirement to conduct and publish a privacy impact assessment and provisions extending the Information Commissioner’s powers in respect of enforcement notices. They also introduce a provision enabling data subjects to request that inaccurate personal data disclosed under the powers be amended. We are firmly of the view that while all of these requirements represent important safeguards on the use of our powers, they are already provided for in different ways under the Bill, the codes of practice or existing legislation, including in particular the Data Protection Act 1998. Indeed, under the DPA only the minimum personal data necessary may be shared to achieve the particular objective, and all personal data that is held must be accurate. I hope that that goes some way to meeting one of the points made by my noble friend Lady Byford about excess data being given to public authorities. That is simply not permitted in the existing legislation, particularly the requirements of the Data Protection Act 1998. Over and above that, the Information Commissioner already has a range of mechanisms to enforce compliance with the DPA. Amendment 213, which would insert a new clause on enforcement notices, would not add to those powers in any material way.
Further, Amendment 213 requires certain information to be gathered in respect of the benefits of data-sharing arrangements. Again, that is not necessary: bodies wishing to exercise the powers in these provisions must consider benefits as part of their privacy impact assessment. We acknowledge the importance of privacy impact assessments and, following discussions with the Information Commissioner’s Office, will look to return to this matter on Report to address concerns about public authorities’ adherence to the Information Commissioner’s specific guidance on privacy impact assessments, as well as privacy notices. I hope noble Lords will accept our willingness to return to that matter in due course.
Amendment 213 would bar the processing of personal information under the powers for particular purposes. With respect and understanding of what lies behind the amendment, our approach is simpler and more complete. There are specific limited purposes for which personal information can be disclosed under Part 5 of the Bill. Other than a few limited exemptions, the disclosure or use of personal information for other purposes is not permitted. Tough new criminal sanctions will apply to all unlawful disclosures.
Amendment 87 seeks to introduce a duty to review in the public service delivery power, akin to the existing duty in the debt and fraud powers. All data-sharing arrangements under the debt and fraud powers have to be piloted and reviewed after three years to ensure that the powers deliver demonstrable benefits. The public service delivery powers are different in kind, being more conventional data-sharing powers, constructed specifically to improve the delivery of services to citizens in cases of acknowledged need, such as assisting those suffering from fuel poverty.
On that point, my noble friend Lady Byford essentially raised the question of definitions—what do we mean by “fuel poverty”, “well-being” and “warm home discount”, as mentioned in Clause 31? All this is dealt with in Part 2 of the Energy Act 2010, which contains the schemes referred to in Clause 31(3)(a). I hope further consideration of those provisions of the Bill may go some way to meeting her concerns about those definitions.
On the question of private fraud, of course we are alert to the idea that where there is data sharing there may be data intrusion, and we are determined to guard against that. That is why we seek to ring-fence these powers in the way that we do in the Bill. We have not claimed that any system we introduce will inevitably be infallible; history tells us that where we ring-fence, people will seek to go under, over or through such a fence. However, we shall try to ensure that all data that are shared in this context are kept as secure as we reasonably and practicably can keep them.
Amendment 88 would change the definition of “personal information”, a point raised by the noble Baroness, Lady Hamwee. The point here is that in the current draft “personal information” includes “a body corporate”. The existing definition is intended to capture all persons, including all corporate bodies, to ensure that taxpayer information, including that of bodies corporate, is protected irrespective of the size of the organisation. Narrowing the definition would limit the protections for HMRC data under these powers, which would be likely to affect significantly HMRC’s willingness to make use of the powers. I am sure the noble Baroness is aware that the disclosure of data by HMRC is subject to additional statutory controls quite distinct from the provisions of the Bill, and these have to be factored in. This is where the term “official” comes into use because the existing statutory legislation uses that term in the context of data and disclosure. Therefore, for the purposes of consistency, that term is used in this context. It is not an attempt to suggest that the janitor, or anyone else, should be responsible for disclosing relevant information—certainly not the commissioners of revenue in isolation.
Amendments 87 and 93 are also in this group. Clause 33(7) provides that a disclosure under the public service delivery power does not breach any obligation of confidence or any other restriction on the disclosure of the information. This provision ensures that public authorities can be confident that their disclosure is lawful, provided that they comply with the strict requirements of this legislation. To remove that subsection would undermine a primary objective of providing authorities with the legal certainty required to ensure efficient and effective data sharing under these powers. In other words, where they satisfy the requirements of this legislation, they do not have to go back and worry about any aspect of the common law of confidentiality on individual occasions, which would effectively make the provision unworkable.
Amendment 93 seeks to expressly exclude health data from the public service delivery clauses. I have already touched upon this. The Government believe that this amendment, while well intentioned, is unnecessary and would lead to the kind of legislative barriers that the Bill is designed to overcome. As I have indicated before, the Government recognise the particular sensitivities around identifiable health information, and indeed this was highlighted in the National Data Guardian’s recent review of data security, consent and opt-outs. For this reason, health bodies in England are not included in the draft list of bodies that will be permitted to use the powers in the Bill. Health and adult social care information, however, could potentially be of considerable assistance in bringing benefit to individuals, as this power aims to do. I acknowledge that we may wish to bring such bodies within the scope of these powers in future, but we will form a view on this after the implementation of the National Data Guardian’s recommendations and public consultation on the issue. We believe it would be wrong to rule out that possibility until that debate has been concluded. However, I underline the point that at present health bodies in England are not included in the draft list of bodies that will be permitted to use these powers.
I turn to Amendment 100. Clause 34(8) provides that the prohibition on onward disclosure, and its associated provisions, do not apply to personal information disclosed by HMRC. The amendment seeks to remove that provision. There was a suggestion that someone was seeking consistency here. Throughout Part 5 of the Bill, in order to take account of HMRC’s statutory duty of confidentiality and maintain consistency with the existing statutory framework in respect of HMRC information, the Bill contains separate provisions for the disclosure of information by HMRC. Criminal sanctions apply to the disclosure of HMRC information, but it is all framed slightly differently in order to be consistent with earlier statutory provision. I refer in particular to the Commissioners for Revenue and Customs Act 2005, which already covers these areas. The effect of the noble Baroness’s amendment would be to create two regimes for disclosing HMRC information under this power. We suggest that that would undermine consistency between Part 5 of the Bill and the provisions that already exist under the Commissioners for Revenue and Customs Act 2005. I hope that that goes some way to explaining why HMRC, though not a special case, is dealt with slightly differently within Part 5.
The noble Baroness, Lady Byford, then referred to Amendment 196. Again, in the context of accountability for public interest disclosures of non-identifying HMRC information, the aim of Clause 65 is to enable Her Majesty’s Revenue and Customs to meet requests from external organisations to provide aggregate statistics or general information, which is what other government departments do. Safeguards for disclosure of personal information will continue to apply for the reasons I have already alluded to. This amendment, again, would be inconsistent with HMRC’s existing statutory framework which authorises officials to act on behalf of the commissioners of revenue. It would not be practicable for the commissioners of revenue to have to deal with each of these requests. Indeed, it would be an unnecessary use of public resources if that was the case.
The noble Lord, Lord Clement-Jones, raised a point that appears to have prompted a note from the Box which I have not yet read. I shall scan it now. And I will undertake to write to the noble Lord. On that occasion, I will use typescript.
In those circumstances, I invite noble Lords not to press these amendments.
My Lords, the noble and learned Lord may have already answered this, as his response was inevitably very full and quite dense, but on my question about Clause 33(8)—and the words are repeated in other clauses—although nothing in the sections authorises a contravention of the DPA, is there personal information within the Bill that would not be within the DPA and therefore not protected by that subsection?
I am obliged to the noble Baroness, Lady Hamwee. Although the definition of personal information differs from the definition of personal data in the DPA, all personal data shared and used under the public service delivery provisions must be handled in accordance with the framework of rules set out in the DPA, and in particular with the data protection principles, because the DPA is not overridden by this chapter. To the extent that the class of personal information is wider than personal data, although the DPA does not directly govern such information, we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice under Part 5. I hope that answers the noble Baroness’s question.
My Lords, I thank the noble and learned Lord for his comprehensive response. Clearly, there is a lot in the codes of practice, so we await the response. I welcome, too, his commitment to come back to report on the issues that the Information Commissioner and we have raised.
Both the GMC and the BMA raised the issue of confidentiality and the common law. They obviously have legitimate concerns about the future impact. Confidentiality is not simply an issue of administration and protection administratively; it is a fundamental issue about the nature of the relationship between doctor and patient, where trust is absolutely vital for medical treatment, ongoing treatment and so on. We may have to come back to this issue at Report. In the meantime, I beg leave to withdraw the amendment.
My Lords, as one of my colleagues in the trade union movement used to say, there may be a sense of déjà vu: we are going to be repeating issues in these amendments. As we have said, transparency is a vital ingredient in building public confidence. If we do not have public confidence we will not have effective data sharing and therefore the aims and objectives of the Bill will not be met. That is why we are very keen to focus on the elements of how we build that confidence, with transparency as the vital ingredient. That is why we are proposing to have an independent review of the collection and use of data by government and commercial bodies. A report of that review would be put before Parliament.
Having spent a considerable part of the weekend reminding myself about the Data Protection Act—I was responsible in the trade union movement for elements of implementation of data protection—I was struck by how complex the law can be and how different elements impact on each other. That is where we need to do more to build public confidence. People are concerned, asking: “Why do they want it? How are they going to use it? Have they used it? Have they done it without my knowledge? Have I given consent? Shouldn’t I be allowed to give consent?” All those issues need explanation. That is why transparency provisions in the amendments are really important. Where there has been a breach it needs to be effectively reported and dealt with. Some of the episodes we have seen in the private sector are scandalous—breaches of data have occurred and nothing has been said for years, let alone weeks and months. Whether we like it or not, those breaches in the commercial and private sector will impact on people’s confidence about the Government’s ability to share data fairly. That is why we need to be open about how we are dealing with problems. I come back to the Minister’s point on infallibility. Of course we are not infallible; but whenever mistakes happen, we want to make sure we learn from them and minimise the risk of them happening again. That is what we seek to do in these amendments.
The more we move towards digital government, the more we need to ensure that all these issues are properly recorded. Again, that is why we are proposing mandatory transparency in the public register of data-sharing agreements. It is about building trust in the process, with people knowing they will have to be accountable for their decisions in this area.
Transparency must be central to the process, alongside privacy and security. It is one of the arguments that we would make strongly in this group of amendments. No doubt we will hear from the Minister about it being mentioned in the code of practice and how that will be vital. I agree that we have seen a lot of movement; what we want to do as we move forward is to receive reassurance that the principle of building confidence will be openness and transparency. I beg to move.
I am drawn to recall the words of the noble Baroness, Lady Buscombe, when she spoke on some of these issues. She said that the technology was moving so quickly that we need to be aware that things are changing—and that it would be important for the public to trust these procedures. A review of these processes is a good thing. Equally, government sometimes changes very slowly, so it may be a better opportunity to revisit some of the issues during a review. We would certainly support that. Again, it has been drawn to our attention by a number of data breaches that have not been notified, ever—so we certainly support the processes that have been outlined in the amendments about putting these on record to have the trust and confidence of the public. Our Amendment 111 in this group is to do with individuals being notified that personal data have been disclosed about them. Again, we feel that this is very important to engender public trust in the processes that we are introducing.
My Lords, I would like to speak to Amendments 213A to 213C, which explore the Government’s commitment to transparency and how people can know about information-sharing agreements that are in place and, looking to the future, how the equivalent of a subject access request could work, explicitly to assist with fraud detection.
I draw the Committee’s attention to the comment from the Delegated Powers and Regulatory Reform Committee at paragraph 52, which noted that, without even allowing for parliamentary scrutiny, the powers in Clause 39 as drafted are as “inappropriately wide” as those in Clause 30, and seem to be deliberately so. Those very wide powers are of great concern. As an increase in digital technology emerges, the public need to be informed to understand how to use the resources available to them—and they need to know how data on them, as citizens, are being used. They must have confidence in the safeguards in place, otherwise we will have a population that increasingly refuses to engage with any kind of data registration.
It is unclear where health issues sit in this Bill. I declare all my interests in relation to health, as in the register. The powers can include, in Clause 30(10)(a), individuals’,
“physical and mental health and emotional well-being”.
That suggests that health data must fall within the remit of this clause, whether held originally by the NHS or whether they are then held by other bodies. It was in an interview that the Government Digital Service director-general gave as an example the large databases between the NHS and the DWP, commenting that these are large databases of citizens’ records and that we really need to be able to match them, which would suggest a read-across between the two. So while there is a prohibition in the Bill on the use of health and social care data for research, the approach may not have a prohibition in relation to data otherwise disclosed. The NHS bodies, for example, hold the data and, although the Secretary of State is not currently listed in the regulations as published, it is difficult to see how the Secretary of State could not be added to regulations at a later point.
My Lords, the noble Lord, Lord Collins, should make no apology for revisiting the issues of transparency and public confidence because they lie at the heart of what this Bill is attempting to achieve and are contained in Part 5. It may be déjà vu again but that is perfectly justified by the circumstances. We are all concerned to ensure that there is such transparency within these provisions as to maintain, and perhaps even restore, public confidence in the use and sharing of data.
Amendment 82ZA proposes that, within six months of the Act coming into force, an independent review of the collection and use of data by the Government and commercial organisations is conducted. With respect, the scope of the review appears extremely broad and goes much further than the provisions of Part 5. The Royal Society and the British Academy are undertaking a review to consider the ethical and legal frameworks needed in the United Kingdom as data technologies advance. We intend to consider the findings of that review when it is published. In addition, I mentioned that the general data protection regulation will come into effect in the United Kingdom in May 2018. The implementation of that regulation will represent a significant change to the data protection legal framework for both the public and private sectors, including strengthening rights for individuals so that they have more control over their personal data. We intend to work with the Information Commissioner to explore how we can best meet these requirements, as well as to improve transparency in this space. As such, we do not see the value in commissioning a further major review of data ahead of preparing to implement the new data protection framework when the regulation comes into force in May 2018.
Amendment 103 also seeks to improve the transparency of data sharing under the powers in Part 5. As I have indicated, we support this intention as transparency, along with the protection of personal data, is clearly at the heart of all these proposals. There are, however, a number of real problems with the proposed new clause. Setting the requirement and contents in primary legislation would significantly restrict our ability to explore and consider the benefits and consequences of publishing a register. For example, there may be a need to exempt the inclusion of certain types of data sharing for reasons such as national security or commercial confidentiality.
Ahead of the 2018 regulation coming into force, we will work with the Information Commissioner’s Office and other interested parties to explore how we can best meet its requirements and improve transparency. In our view, the statutory codes of practice in the Bill are a more appropriate vehicle for setting out requirements to support greater transparency. We will run a public consultation on the codes of practice as well as the required statutory consultations and we propose, as part of that, to gather views on the type of information about data sharing that should be captured and made public, as well as the risks and benefits. In addition, the draft codes already contain requirements for privacy impact assessments to be prepared and published. Further, we are continuing to explore with the Information Commissioner whether more can be done in this Bill to ensure that his codes of practice on privacy impact assessments and privacy are fully considered when data are shared under Part 5. I hope to return to this point later in the proceedings.
Amendment 104 proposes an obligation for organisations to report data breaches and submit associated audit returns to the Information Commissioner’s Office. As I have indicated, the EU general data protection regulation will apply in the United Kingdom from May 2018. The new regime will introduce tough measures on breach notification, making it a requirement for all data controllers and data processors to report breaches to the Information Commissioner’s Office if they are likely to result in a risk to the rights and freedoms of individuals, and the individuals affected must also be notified where there is a high risk. The new regime will also allow tougher penalties to be imposed on organisations in breach of the rules. I believe these will be penalties of up to 4% of the organisations’ total global annual turnover, or €20 million.
Under current arrangements, the Information Commissioner’s civil monetary penalties guidance says that he can take into account what steps, if any, the person or organisation had taken once they became aware of the contravention, when determining the amount of the monetary penalty to be issued, so there is provision for those who delay or defer the reporting of data breaches. At this stage, we are confident that the Information Commissioner has the necessary powers to take action against those organisations that are in breach of the rules so, while I accept the spirit of the amendment and understand the need for transparency, I do not believe it is necessary as the new tougher rules under the EU regulations will apply from May 2018. As I stated, under the current regime, the commissioner can and does take into account what steps, if any, an organisation has taken in addressing breaches and in deciding penalties under the Data Protection Act.
Amendment 111 would require a secure audit record to be compiled specifying the personal information shared under the public service delivery power. This well-intentioned amendment is also considered unnecessary. The code of practice that has been drafted in support of the public service delivery provisions already requires an audit to be kept by data controllers of information shared under this power, and the Information Commissioner’s data-sharing code of practice similarly requires organisations to keep records of information shared. In addition, the EU general data protection regulation will apply to Part 5 and place further specific legal obligations on organisations to maintain records of personal data shared and of processing activities. Organisations will now make the necessary preparations to comply with that regulation.
For the benefit of the noble Baroness, Lady Finlay, I emphasise that the processing of personal data under the public service delivery power must already be in accordance with the Data Protection Act. The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act. The commissioner undertakes a programme of consensual audits across the public and private sector to assess their processing of personal information. The commissioner also has the power to conduct compulsory audits of public sector entities to evaluate compliance with the data protection principles. The commissioner has powers to obtain access to the information she may need to conduct those assessments.
I thank the Minister for his response. We await the revised and improved codes of practice, which will be a fundamental ingredient in building confidence in data sharing. If there are existing powers with regard to the requirement to report breaches, I think most people in this country will wonder why Yahoo was not picked up for failing for 10 years to report a breach which could have impacted on its confidential financial information. I welcome the fact that we will come back to these issues at later stages following consultation with the Information Commissioner. We know what is in the GDPR and what we are required to do. It will come into force in May 2018 and it is very important that the Government commit to the principles in it. We may have to come back to that issue at later stages of the Bill. In the meantime, I beg leave to withdraw the amendment.