The Advocate-General for Scotland (Lord Keen of Elie) (Con)

- Hansard -

Copy Link

- - Excerpts

My Lords, Amendment 81 and the other amendments in this group are intended, of course—and I understand this—to strengthen enforcement of the codes of practice in relation to the public service delivery, debt and fraud, and research powers by requiring authorities who use the powers to “comply with” rather than “have regard to” these codes. The noble Lord, Lord Collins, has sight of a loophole, and the noble Baroness, Lady Hamwee, has encountered wriggle room, but I would take issue with those descriptions.

There is common ground here. We, too, believe that the codes are an important part of the data-sharing powers. However, the Government believe that “have regard to” is the right level of obligation for a code of practice. This is a legal obligation. Such persons when disclosing or using information will be expected as a matter of law to take the codes seriously and follow their requirements in all cases unless there are cogent reasons why they should not do so. It is, of course, common practice for legislation to set out the critical limitations on a power while codes of practice—which are more adaptable, as the noble Baroness, Lady Hamwee, acknowledged—are advisory tools that supplement with regard to best practice, principles and guidance.

The noble Lord, Lord Collins, alluded to a situation in which an authority exceeds its powers for the public good. In such a situation—without going into the detail of it—the authority would be exceeding its powers and it would have to answer for that, whatever the public good might justify in other circumstances.

Key conditions for the disclosure and use of information are set out in the Bill, including what can be shared, by whom and for what purpose. We have followed a common approach taken by government and others, including the Information Commissioner, to provide more detail on how data are to be shared in a code of practice. That does not mean that the code is to be treated lightly. Legal consequences may follow if the code is disregarded, as the Delegated Powers and Regulatory Reform Committee pointed out in its report on the Bill. The relevant Minister can make regulations to remove a body’s ability to share information under the power if it fails to adhere to the code. The noble Lord, Lord Collins, raised the question as to whether that is considered sufficient in the circumstances. We do consider that that is a sufficient safeguard in the circumstances. I also remind noble Lords—in particular, the noble Baroness, Lady Janke—that the first requirement of the Data Protection Act is that processing of data should be fair and reasonable. That underpins in existing legislation the whole approach that should be taken to this Bill.

The noble Baroness, Lady Hamwee, sought to draw a distinction between the provisions here and those in the Investigatory Powers Act about knowledge of data transfers. Of course, although we are not necessarily dealing here with national security, we are dealing with issues such as fraud, where it would be wholly inappropriate to give people advance notice of data sharing, particularly if one were going to address issues of criminal conduct.

Amendment 107B would require breaches of the code of practice on the public service delivery power to be reported to the Investigatory Powers Commissioner. It also places a duty on the Investigatory Powers Commissioner to investigate serious breaches and, where necessary, to inform the relevant individual of the breach. In doing so, the commissioner would have to ask the person in breach to make submissions before making a decision. With respect, the amendment would impose a considerable additional function on the Investigatory Powers Commissioner, where he or she would be bound to deal with breaches of a code of practice on information sharing which in no way relates to the commissioner’s remit of investigatory powers.

Indeed, placing such duties on the Information Commissioner would effectively be broadening the Information Commissioner’s remit without appropriate consultation. It would, as with Amendment 81B, cut right across the functions of the Information Commissioner, as distinct from the Investigatory Powers Commissioner; the Information Commissioner being responsible for upholding the Data Protection Act 1998, and also the safeguards and procedures for dealing with breaches of the code, which are already set out in various provisions. Such an amendment would blur the lines between the responsibilities of the Information Commissioner and the Investigatory Powers Commissioner and potentially lead to confusion and unnecessary duplication. If, in making those observations, I referred to the Investigatory Powers Commissioner when I meant the Information Commissioner and referred to the Information Commissioner when I meant the Investigatory Powers Commissioner, that simply underlines how easy it is to cause confusion in this area.

Amendments 108, 115, 134 and 151 call for the codes to be subject to approval by Parliament. A similar requirement was also raised by the Delegated Powers Committee in its recent report. We are carefully considering that proposal and I assure noble Lords that we will be responding to it shortly. Amendments 109 and 135 would introduce a requirement for the Minister to consult publicly on the code for a minimum of 12 weeks before issuing or reissuing it. Amendments 110, 152 and 190 would require that the Minister demonstrate that responses to the public consultation,

“have been given conscientious consideration”.

The policy in respect of these powers, and much of the content of the codes of practice, have been developed over two years of open policy development with a range of public authority and civil society organisations. The code sets out procedures and best practice drawn from guidance produced by the ICO and Her Majesty’s Government. We amended Clauses 36, 45, 53 and 61 in the other place to ensure our code will be consistent with the Information Commissioner’s data-sharing code of practice. The clauses contain a requirement that the Minister consults the devolved Administrations, the Information Commissioner and any other person the Minister considers appropriate prior to the issue or reissue of the code. I assure noble Lords that these other persons will include civil society groups and experts from the data and technology areas. It is, indeed, our intention to run a public consultation before laying the code before Parliament. I need hardly add that all consultations are taken seriously by the Government and all responses considered with appropriate conscientiousness.

I understand the interest in the codes and the desire to make sure they are effective. The codes will provide a strong safeguard for the use of the power, backed up by real consequences if they are not adhered to. With that, and while we consider the recommendations of the Delegated Powers Committee further—as I have indicated, we intend to do that in the very near future—I invite the noble Lord to withdraw his amendment.

Lord Keen of Elie

- Hansard -

Copy Link

- - Excerpts

I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.

Lord Keen of Elie

- Hansard -

Copy Link

- - Excerpts

My Lords, Amendment 81B seeks to place a duty on the Investigatory Powers Commissioner to ensure that the data-protection rights of citizens are considered and protected under the public service delivery power. The effect of this amendment would be to impose similar duties on the Investigatory Powers Commissioner as are already carried out by the Information Commissioner. It is for that reason that we do not consider that this amendment is necessary. I understand the points that the noble Lord, Lord Collins, has made in this context. We are all concerned to ensure that these powers are ring-fenced as far as is reasonably practicable and that any breach should be policed to the extent required. However, in our view, the Investigatory Powers Commissioner is not the appropriate party to deal with this matter. The Bill is not about investigatory powers, and accepting this amendment would result in a substantial and, as I sought to indicate earlier, confusing addition to the portfolio of the Investigatory Powers Commissioner.

We are of course concerned that there should be public confidence in the provisions of the Bill and in the whole body of data-sharing powers. I understand the observation of the noble Lord, Lord Collins, that the Investigatory Powers Act does everything possible to ensure security is there, so that only the given powers are exercised and that the rights of the individual are put at the head of any agenda, but that is clearly the intention of this Bill as well. That can be achieved by having regard to the position of the Information Commissioner in the context of the present provisions.

I understand and indeed admire the noble Lord’s suggestion that we should in some sense be seeking to future-proof the Bill. There are limits to our ability to do that, but I will return to that point in the context of the regulations that come into force in May 2018. We have already had regard to that in order to try to ensure that the provisions of the Bill will comply with imminent regulations, such as those I have just referred to.

The noble Lord also raised the question of confidentiality and the concerns that have been expressed by the medical profession in that context. Let us be clear that, as noble Lords will recollect, common-law obligations of confidentiality are rarely if ever absolute. We know that various common-law issues of confidentiality tend to be subject to one qualification or another. Concerns have been expressed over the interaction between the provisions of the Bill and medical confidentiality, primarily in respect of the statutory override within the Bill. The provisions of the Bill are clear that sharing data under the powers in the Bill does not breach any existing duty of confidentiality. That includes the common-law duty of confidentiality to the extent that it applies to patient information.

The use and processing of medical information is governed by common law, but also by the Data Protection Act 1998, by the provisions of the Human Rights Act 1998 and indeed by specific legislation which allows, requires or prohibits certain uses of such data. There is no blanket ban on the use of medical information outside the patient-doctor context, and it is not the case that every instance of sharing such information will constitute a breach of confidentiality. Indeed, the General Medical Council’s 2017 guidance expressly states personal information can be disclosed,

“without breaching duties of confidentiality”,

in particular circumstances, one of which is where the disclosure is,

“approved through a statutory process that sets aside the common law duty of confidentiality”.

So it is acknowledged by the General Medical Council itself that this may occur from time to time, and the provisions of the Bill are structured to reflect this. They override duties of confidentiality only in order to ensure that public authorities have clarity in terms of what they can and cannot share under the powers of the Bill. I hope that goes some way to meeting his concerns about confidentiality in that context.

Amendments 84, 87, 119, 138 and 213, which are also in this group and were referred to by the noble Baroness, Lady Janke, cover a broad range of suggested additional safeguards and restrictions on the use of the powers. They seek to introduce, among other things, an express data minimisation rule, a requirement to conduct and publish a privacy impact assessment and provisions extending the Information Commissioner’s powers in respect of enforcement notices. They also introduce a provision enabling data subjects to request that inaccurate personal data disclosed under the powers be amended. We are firmly of the view that while all of these requirements represent important safeguards on the use of our powers, they are already provided for in different ways under the Bill, the codes of practice or existing legislation, including in particular the Data Protection Act 1998. Indeed, under the DPA only the minimum personal data necessary may be shared to achieve the particular objective, and all personal data that is held must be accurate. I hope that that goes some way to meeting one of the points made by my noble friend Lady Byford about excess data being given to public authorities. That is simply not permitted in the existing legislation, particularly the requirements of the Data Protection Act 1998. Over and above that, the Information Commissioner already has a range of mechanisms to enforce compliance with the DPA. Amendment 213, which would insert a new clause on enforcement notices, would not add to those powers in any material way.

Further, Amendment 213 requires certain information to be gathered in respect of the benefits of data-sharing arrangements. Again, that is not necessary: bodies wishing to exercise the powers in these provisions must consider benefits as part of their privacy impact assessment. We acknowledge the importance of privacy impact assessments and, following discussions with the Information Commissioner’s Office, will look to return to this matter on Report to address concerns about public authorities’ adherence to the Information Commissioner’s specific guidance on privacy impact assessments, as well as privacy notices. I hope noble Lords will accept our willingness to return to that matter in due course.

Amendment 213 would bar the processing of personal information under the powers for particular purposes. With respect and understanding of what lies behind the amendment, our approach is simpler and more complete. There are specific limited purposes for which personal information can be disclosed under Part 5 of the Bill. Other than a few limited exemptions, the disclosure or use of personal information for other purposes is not permitted. Tough new criminal sanctions will apply to all unlawful disclosures.

Amendment 87 seeks to introduce a duty to review in the public service delivery power, akin to the existing duty in the debt and fraud powers. All data-sharing arrangements under the debt and fraud powers have to be piloted and reviewed after three years to ensure that the powers deliver demonstrable benefits. The public service delivery powers are different in kind, being more conventional data-sharing powers, constructed specifically to improve the delivery of services to citizens in cases of acknowledged need, such as assisting those suffering from fuel poverty.

On that point, my noble friend Lady Byford essentially raised the question of definitions—what do we mean by “fuel poverty”, “well-being” and “warm home discount”, as mentioned in Clause 31? All this is dealt with in Part 2 of the Energy Act 2010, which contains the schemes referred to in Clause 31(3)(a). I hope further consideration of those provisions of the Bill may go some way to meeting her concerns about those definitions.

On the question of private fraud, of course we are alert to the idea that where there is data sharing there may be data intrusion, and we are determined to guard against that. That is why we seek to ring-fence these powers in the way that we do in the Bill. We have not claimed that any system we introduce will inevitably be infallible; history tells us that where we ring-fence, people will seek to go under, over or through such a fence. However, we shall try to ensure that all data that are shared in this context are kept as secure as we reasonably and practicably can keep them.

Amendment 88 would change the definition of “personal information”, a point raised by the noble Baroness, Lady Hamwee. The point here is that in the current draft “personal information” includes “a body corporate”. The existing definition is intended to capture all persons, including all corporate bodies, to ensure that taxpayer information, including that of bodies corporate, is protected irrespective of the size of the organisation. Narrowing the definition would limit the protections for HMRC data under these powers, which would be likely to affect significantly HMRC’s willingness to make use of the powers. I am sure the noble Baroness is aware that the disclosure of data by HMRC is subject to additional statutory controls quite distinct from the provisions of the Bill, and these have to be factored in. This is where the term “official” comes into use because the existing statutory legislation uses that term in the context of data and disclosure. Therefore, for the purposes of consistency, that term is used in this context. It is not an attempt to suggest that the janitor, or anyone else, should be responsible for disclosing relevant information—certainly not the commissioners of revenue in isolation.

Amendments 87 and 93 are also in this group. Clause 33(7) provides that a disclosure under the public service delivery power does not breach any obligation of confidence or any other restriction on the disclosure of the information. This provision ensures that public authorities can be confident that their disclosure is lawful, provided that they comply with the strict requirements of this legislation. To remove that subsection would undermine a primary objective of providing authorities with the legal certainty required to ensure efficient and effective data sharing under these powers. In other words, where they satisfy the requirements of this legislation, they do not have to go back and worry about any aspect of the common law of confidentiality on individual occasions, which would effectively make the provision unworkable.

Amendment 93 seeks to expressly exclude health data from the public service delivery clauses. I have already touched upon this. The Government believe that this amendment, while well intentioned, is unnecessary and would lead to the kind of legislative barriers that the Bill is designed to overcome. As I have indicated before, the Government recognise the particular sensitivities around identifiable health information, and indeed this was highlighted in the National Data Guardian’s recent review of data security, consent and opt-outs. For this reason, health bodies in England are not included in the draft list of bodies that will be permitted to use the powers in the Bill. Health and adult social care information, however, could potentially be of considerable assistance in bringing benefit to individuals, as this power aims to do. I acknowledge that we may wish to bring such bodies within the scope of these powers in future, but we will form a view on this after the implementation of the National Data Guardian’s recommendations and public consultation on the issue. We believe it would be wrong to rule out that possibility until that debate has been concluded. However, I underline the point that at present health bodies in England are not included in the draft list of bodies that will be permitted to use these powers.

I turn to Amendment 100. Clause 34(8) provides that the prohibition on onward disclosure, and its associated provisions, do not apply to personal information disclosed by HMRC. The amendment seeks to remove that provision. There was a suggestion that someone was seeking consistency here. Throughout Part 5 of the Bill, in order to take account of HMRC’s statutory duty of confidentiality and maintain consistency with the existing statutory framework in respect of HMRC information, the Bill contains separate provisions for the disclosure of information by HMRC. Criminal sanctions apply to the disclosure of HMRC information, but it is all framed slightly differently in order to be consistent with earlier statutory provision. I refer in particular to the Commissioners for Revenue and Customs Act 2005, which already covers these areas. The effect of the noble Baroness’s amendment would be to create two regimes for disclosing HMRC information under this power. We suggest that that would undermine consistency between Part 5 of the Bill and the provisions that already exist under the Commissioners for Revenue and Customs Act 2005. I hope that that goes some way to explaining why HMRC, though not a special case, is dealt with slightly differently within Part 5.

The noble Baroness, Lady Byford, then referred to Amendment 196. Again, in the context of accountability for public interest disclosures of non-identifying HMRC information, the aim of Clause 65 is to enable Her Majesty’s Revenue and Customs to meet requests from external organisations to provide aggregate statistics or general information, which is what other government departments do. Safeguards for disclosure of personal information will continue to apply for the reasons I have already alluded to. This amendment, again, would be inconsistent with HMRC’s existing statutory framework which authorises officials to act on behalf of the commissioners of revenue. It would not be practicable for the commissioners of revenue to have to deal with each of these requests. Indeed, it would be an unnecessary use of public resources if that was the case.

The noble Lord, Lord Clement-Jones, raised a point that appears to have prompted a note from the Box which I have not yet read. I shall scan it now. And I will undertake to write to the noble Lord. On that occasion, I will use typescript.

In those circumstances, I invite noble Lords not to press these amendments.

Lord Keen of Elie

- Hansard -

Copy Link

- - Excerpts

I am obliged to the noble Baroness, Lady Hamwee. Although the definition of personal information differs from the definition of personal data in the DPA, all personal data shared and used under the public service delivery provisions must be handled in accordance with the framework of rules set out in the DPA, and in particular with the data protection principles, because the DPA is not overridden by this chapter. To the extent that the class of personal information is wider than personal data, although the DPA does not directly govern such information, we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice under Part 5. I hope that answers the noble Baroness’s question.

Lord Keen of Elie

- Hansard -

Copy Link

- - Excerpts

My Lords, the noble Lord, Lord Collins, should make no apology for revisiting the issues of transparency and public confidence because they lie at the heart of what this Bill is attempting to achieve and are contained in Part 5. It may be déjà vu again but that is perfectly justified by the circumstances. We are all concerned to ensure that there is such transparency within these provisions as to maintain, and perhaps even restore, public confidence in the use and sharing of data.

Amendment 82ZA proposes that, within six months of the Act coming into force, an independent review of the collection and use of data by the Government and commercial organisations is conducted. With respect, the scope of the review appears extremely broad and goes much further than the provisions of Part 5. The Royal Society and the British Academy are undertaking a review to consider the ethical and legal frameworks needed in the United Kingdom as data technologies advance. We intend to consider the findings of that review when it is published. In addition, I mentioned that the general data protection regulation will come into effect in the United Kingdom in May 2018. The implementation of that regulation will represent a significant change to the data protection legal framework for both the public and private sectors, including strengthening rights for individuals so that they have more control over their personal data. We intend to work with the Information Commissioner to explore how we can best meet these requirements, as well as to improve transparency in this space. As such, we do not see the value in commissioning a further major review of data ahead of preparing to implement the new data protection framework when the regulation comes into force in May 2018.

Amendment 103 also seeks to improve the transparency of data sharing under the powers in Part 5. As I have indicated, we support this intention as transparency, along with the protection of personal data, is clearly at the heart of all these proposals. There are, however, a number of real problems with the proposed new clause. Setting the requirement and contents in primary legislation would significantly restrict our ability to explore and consider the benefits and consequences of publishing a register. For example, there may be a need to exempt the inclusion of certain types of data sharing for reasons such as national security or commercial confidentiality.

Ahead of the 2018 regulation coming into force, we will work with the Information Commissioner’s Office and other interested parties to explore how we can best meet its requirements and improve transparency. In our view, the statutory codes of practice in the Bill are a more appropriate vehicle for setting out requirements to support greater transparency. We will run a public consultation on the codes of practice as well as the required statutory consultations and we propose, as part of that, to gather views on the type of information about data sharing that should be captured and made public, as well as the risks and benefits. In addition, the draft codes already contain requirements for privacy impact assessments to be prepared and published. Further, we are continuing to explore with the Information Commissioner whether more can be done in this Bill to ensure that his codes of practices on privacy impact assessments and privacy are fully considered when data are shared under Part 5. I hope to return to this point later in the proceedings.

Amendment 104 proposes an obligation for organisations to report data breaches and submit associated audit returns to the Information Commissioner’s Office. As I have indicated, the EU general data protection regulation will apply in the United Kingdom from May 2018. The new regime will introduce tough measures on breach notification, making it a requirement for all data controllers and data processors to report breaches to the Information Commissioner’s Office if they are likely to result in a risk to the rights and freedoms of individuals, and the individuals affected must also be notified where there is a high risk. The new regime will also allow tougher penalties to be imposed on organisations in breach of the rules. I believe these will be penalties of up to 4% of the organisations’ total global annual turnover, or €20 million.

Under current arrangements, the Information Commissioner’s civil monetary penalties guidance says that he can take into account what steps, if any, the person or organisation had taken once they became aware of the contravention, when determining the amount of the monetary penalty to be issued, so there is provision for those who delay or defer the reporting of data breaches. At this stage, we are confident that the Information Commissioner has the necessary powers to take action against those organisations that are in breach of the rules so, while I accept the spirit of the amendment and understand the need for transparency, I do not believe it is necessary as the new tougher rules under the EU regulations will apply from May 2018. As I stated, under the current regime, the commissioner can and does take into account what steps, if any, an organisation has taken in addressing breaches and in deciding penalties under the Data Protection Act.

Amendment 111 would require a secure audit record to be compiled specifying the personal information shared under the public service delivery power. This well-intentioned amendment is also considered unnecessary. The code of practice that has been drafted in support of the public service delivery provisions already requires an audit to be kept by data controllers of information shared under this power, and the Information Commissioner’s data-sharing code of practice similarly requires organisations to keep records of information shared. In addition, the EU general data protection regulation will apply to Part 5 and place further specific legal obligations on organisations to maintain records of personal data shared and of processing activities. Organisations will now make the necessary preparations to comply with that regulation.

For the benefit of the noble Baroness, Lady Finlay, I emphasise that the processing of personal data under the public service delivery power must already be in accordance with the Data Protection Act. The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act. The commissioner undertakes a programme of consensual audits across the public and private sector to assess their processing of personal information. The commissioner also has the power to conduct compulsory audits of public sector entities to evaluate compliance with the data protection principles. The commissioner has powers to obtain access to the information she may need to conduct those assessments.