(7 years, 9 months ago)
Lords ChamberMy Lords, this group consists of mainly technical amendments to make sure the Bill works in the way it is meant to. Although they are technical, they are important. They fall into four broad subject areas: whistleblowing and journalistic freedoms; the meaning of “anti-social behaviour”; references to the Investigatory Powers Act; and the description and powers of devolved authorities.
In relation to whistleblowing and journalistic freedom, the first series of amendments relates to the new criminal sanctions for unlawful disclosure of personal information disclosed under the powers. Concerns were raised that the clauses as drafted could criminalise disclosures made by whistleblowers and journalists making disclosures in the public interest. This was never the Government’s intention. These amendments make sure that disclosures made by whistleblowers and journalists will not be subject to criminal sanctions.
There is a distinction here in terms of how the amendments address HMRC information and non-HMRC information. In respect of non-HMRC information, the amendments introduce additional exemptions to the general prohibition on further disclosure to cover “protected disclosures” under the Employment Rights Act 1996, which will protect whistleblowers pursuing the proper channels for disclosure. Disclosures made for the purposes of journalism are also removed from the criminal sanctions, provided that the disclosure is in the public interest.
There are already separate provisions in each of these chapters for personal information disclosed by HMRC. These amendments make clear that the criminal sanction for unlawful disclosure applies only to an official who wrongfully discloses HMRC information outside the permitted scope of the information gateways in Part 5 of the Bill at Chapters 1, 3, 4 and 5. This brings the provision into line with HMRC’s statutory regime in the Commissioners for Revenue and Customs Act 2005 and its other statutory information gateways.
I am conscious that the noble Lords, Lord Stevenson of Balmacara and Lord Collins of Highbury, have two amendments that relate to this section, Amendments 138A and 146A. I suggest that I reply to those amendments separately after hearing from noble Lords.
The second series of amendments concerns the definition of anti-social behaviour. Chapters 1, 3, 4 and 5 of Part 5 all contain a general rule restricting the use of information disclosed under these powers to the particular purpose for which it was shared and a general prohibition on further disclosure. There are a number of exceptions to these rules. A previous amendment added an exception enabling disclosures made for the prevention of anti-social behaviour. The definition as currently drafted needs to be adjusted to work in Scotland and Northern Ireland. These amendments provide a revised definition that works across the UK.
In relation to reflecting the enactment of the Regulation of Investigatory Powers Act, the third series of amendments is also minor and technical in nature. The public service delivery, debt, fraud, research and statistics clauses provide that information cannot be disclosed under these powers if that would contravene the Data Protection Act 1998 or if it is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000—commonly known in your Lordships’ House as RIPA. The Investigatory Powers Act 2016 received Royal Assent last December and will replace RIPA. These amendments replace the references to RIPA with references to the equivalent provisions in the IPA, with a provision for RIPA until that Act is fully in force.
Regarding devolved public authorities, the final series of amendments facilitates information sharing across the United Kingdom, including by and with public authorities in devolved Administrations. The amendments broadly fall into two categories, which I will take in turn. The first category provides personal information disclosed by Revenue Scotland and the Welsh Revenue Authority with equivalent protection to that given by Clause 60 to personal information disclosed by HMRC. In order to protect information relating to taxpayers, these two new clauses provide, as is the case for personal information disclosed by HMRC, that persons who are processing Revenue Scotland or Welsh Revenue Authority information cannot further disclose that information without the consent of Revenue Scotland or the Welsh Revenue Authority, as applicable. Secondly, reflecting the Government’s amendments to Clause 60, the amendments provide that persons who receive Revenue Scotland or Welsh Revenue Authority information under Clause 57(1) also cannot further disclose that information with the consent of Revenue Scotland or the Welsh Revenue Authority, as applicable.
Amendments 171 and 172 are consequential amendments to those tabled separately in respect of preventing unlawful disclosures under the research power. The first of these amendments is necessary to ensure that the separate safeguards regime for HMRC that has been maintained throughout Part 5 also applies to the criminal offence as amended. The second ensures that the separate arrangements for HMRC will be mirrored in respect of Revenue Scotland and the Welsh Revenue Authority.
The second category ensures that the definition of “Welsh body” in Part 5 is consistent with the definition of “devolved Welsh authority”, as will be enacted by the Wales Bill. The amendments will ensure that no devolved Welsh authority will be inadvertently excluded from the relevant Part 5 powers. The amendments also provide for Welsh Ministers to commence the provisions which relate to the disclosure of information by the Welsh Revenue Authority. This reflects the fact that the Welsh Revenue Authority is not yet operational. I beg to move.
My Lords, I thank the Minister for a very well-read response to the questions we all had about these technical amendments, although some of them were not quite technical of course. In terms of the four categories, I listened to three very carefully, and I will read what she said in Hansard, but we have no further comments to make on them at this stage.
She touched on the issue in relation to which we have two amendments down. I am grateful to the Government for responding so quickly to the discussion in another place on this issue, because as originally drafted, the Bill would have criminalised disclosures by whistleblowers and investigative journalists revealing matters of legitimate public interest. The point was picked up and discussed at some length, and had attracted interest from a wide range of people such as Sir Peter Bottomley and Helen Goodman, who raised it. The Minister in another place undertook to take it back, and we have now had the amendments put forward.
Those of your Lordships who have bothered to read the amendments in Clauses 50 and 51 will recognise that the wording is very similar in both cases. The difference, narrowly put, is that the amendment that we were advised would take the trick in this area included not just print journalism but also broadcast journalism. I am not certain whether that is necessary or not, but the Government have come forward with a slightly narrower point of view. I think we agree the aim, and it may just be a question of the correct wording, so unless there is any particular issue, we can do this either by correspondence or perhaps in a quick meeting, and I do not think there is anything on this point that need detain the Committee further. We are agreed and are delighted that the Government are making the move. It is just a question of trying to use what time we have to make sure that we have absolutely nailed it down completely.
Having said that, what has proved difficult in other pieces of legislation is how one defines whistleblowers. There is no attempt to do that here; the test is simply whether or not what has been disclosed was in the public interest. Again, there might just be something around that where we might look at other discussions and come back on it. But for the moment, I will leave it.
I thank the noble Lord for that. The opposition amendment makes specific reference to broadcast transmission when the government amendment on this topic does not. However, the word “publication” in our view can be construed sufficiently broadly to cover broadcast media. Section 32(6) of the Data Protection Act 1998 provides that:
“For the purposes of this Act ‘publish’, in relation to journalistic … material, means make available to the public or any section of the public”.
The ICO guidance on this indicates that publication for these purposes would therefore cover broadcast. As a result these additional changes are not necessary.
It is quite an interesting point. The world has moved on since those original drafts, and we have to think a bit more carefully about what happens on YouTube and whether disclosure on social media will be covered by this. I do not dissent from what is being said but would just like to be certain that we have used this opportunity, which may not come again, to make sure we have this nailed.
I thank the noble Lord for what he has said and absolutely understand where he is coming from.
My Lords, I draw noble Lords’ attention to my interests in the register, particularly to the fact that I am chairman of the Information Assurance Advisory Council, chair of the advisory board of Thales UK and a member of the advisory board of IRM, among other cyber-interested companies.
This Bill is about the digital economy, but it contains very little mention of security. Yet cybersecurity is essential, both to the proper functioning of the internet, on which we so rely, and to the trust we place in the digital economy. Global research has been done by the Information Systems Audit and Control Association of the United States of America, and I am indebted to it for its help on these amendments. That research has shown that two-thirds of chief executives of major corporations do not have confidence in their workforces to deal with anything beyond the simplest of data breaches. We all know that there has been no shortage of high-profile data breaches on both sides of the Atlantic over the last 12 months. That has damaged the economic performance of companies and their stock price, and has significantly reduced consumer and business confidence.
I congratulate the Government on making real progress in this area. They have introduced Cyber Essentials, which has been helpful in boosting implementation of cyber controls. I suggest, though, that the uptake of Cyber Essentials has been disappointing. It is not always a requirement that companies observe even the relatively low level of assurance that Cyber Essentials suggests. I use the word “suggests” because of course it is not compulsory. Equally, the new cybersecurity strategy has brought £1.9 billion into developing a capability across the whole of society to address everything from the biggest companies to individual citizens. The Minister of State for Digital and Culture recently indicated in another place that the Government intend to implement the General Data Protection Regulation in full. That is a good thing, but I very much doubt that businesses—and probably even government departments—are anywhere near ready for the GDPR, nor as far along as they really should be by this stage.
In view of the existential nature of our reliance on cyber nowadays, I therefore suggest that we need to go further. Consumers, investors, executives and government alike all need confidence that businesses are taking appropriate steps to safeguard their data and their IT systems—and those of their supply chains as well—from malicious activity. So, I have decided to be helpful. I propose these amendments, which introduce the notion of a cyber audit. They are probing amendments: their wording creates obligations that are perhaps more imperative than I would like to see, because I believe we should start with encouragement rather than requirement.
Everyone is now accepting of, and accustomed to, the notion of external independent financial audits, which have become the norm throughout the world. I believe that a similar approach now needs to be followed in relation to cybersecurity. My suggestion is that we should undertake cyber audits—perhaps as part of financial audits, or perhaps separately; it does not really matter. Those audits could be based on standards that could be evolved by industry, rather than by government, because government legislation never manages to keep up with the astonishing pace of technological change. These cyber audits should include external stress tests of a company’s cybersecurity in areas such as email, and possibly even in relation to a company’s products.
I think the entire House knows that, in 2013, the Target chain of 1,800 stores in the United States of America was hacked by people who broke into its air conditioning system, which was supplied by a third party. Everybody knows about last autumn’s botnet attack by rogue webcams. So if we did this and went for cyber audits, we could gradually begin to address the issue of cybersecurity, so that over time no longer would it create quite the existential threat that it does now. It would need to start on a voluntary basis and be driven by business, not by government, but, in time, I believe it would spread internationally, so that the United Kingdom would not be disadvantaged in competitive terms. It would also ensure that the United Kingdom was in the vanguard of global best practice. I beg to move.
I expected more people to be inspired by the contribution of the noble Lord, Lord Arbuthnot, and to join in the debate. I am rising to give my support to Amendments 105 and 106 and to thank the noble Lords, Lord Arbuthnot and Lord Carlile, for highlighting this simple failure in company policy, which can lead to much bigger dangers and threats. As the noble Lord said, it can have commercial implications, personal privacy implications and, ultimately, national security implications. While we all have a part to play setting the highest standards of data protection, it is true that all too often we put the focus on national Governments without recognising the equal responsibilities of the private sector and private companies to play their part. This is particularly vital, given the number of private sector organisations which access data for government contract work. However, it also extends into other realms of commercial activity, such as commercial personal profiling, in which companies build vast data banks of our shopping habits, our friends, our movements—literally, where we are moving around in cities and towns—and our vulnerabilities, all of which have huge value both in their own hands and in the hands of cyber-thieves. These are issues which we have also flagged up in other amendments tabled today, and we have tried to build in more safeguards. My noble friend Lord Collins has said that we believe that individuals should have the right to know what information is being held about them, for example. They should have the right to be able to withdraw permission for the data to be held, and they should have the right to know immediately if a data breach has taken place.
We welcome the amendments, which would begin to address some of our concerns, by putting a straightforward obligation on companies to prepare a cybersecurity report each year, detailing the measures being taken to ensure that data are being kept safely. It is a simple ask, and it should not really be necessary, but the all too frequent security breaches taking place underline why a legal requirement has to be imposed. An Institute of Directors report last year showed that companies tend to keep quiet when there has been a security breach. As a result, there are no accurate figures on the extent of this crime, or the extent to which companies are being held to ransom. A survey of business leaders found that only half had a formal strategy in place to protect themselves and just 20% held insurance against an attack. Yet we also know that companies are also losing confidence in their encryption systems, their staff capabilities and awareness and the ability of their software to withstand a deliberate assault.
This is a huge issue. Of course, we have a vested interest in sorting this out, as often it is our personal data which are being stolen. But on a wider sphere it impacts on everything from company finances to sensitive market data and research and development. So we very much welcome the initiative set out in these amendments, and agree with the noble Lord, Lord Arbuthnot, that they are helpful. In itself, they will not completely solve the problem, but they represent another small step in getting companies to act responsibly in managing the data that they hold.
My Lords, Part 5 of the Bill requires public authorities and specified persons to specify and meet specific legislative conditions and controls on the handling of personal information. As I have said on a number of occasions this evening, these provisions will be underpinned by codes of practice setting out data security requirements, including cybersecurity. A body that fails to meet these could be prevented from using the data-sharing powers. That is the context in which I turn to Amendments 105 and 106.
Amendment 105 would require all but the smallest of companies to conduct audits on their cybersecurity and to report annually on it and their data protection measures. Clearly, the Government recognise that effective cybersecurity risk management is important to the success of the economy and, indeed, to ensuring the safety and integrity of private citizens’ data. The Government conducted the Cyber Security Regulation and Incentives Review in 2016 to consider whether we need additional regulation or incentives to boost cyber risk management in the wider economy and it showed strong justification for regulation to secure personal data.
The Government will seek to improve cyber risk management through our implementation of the EU general data protection regulation in May 2018. Its requirement to report breaches to the Information Commissioner and individuals affected, and the fines that can be issued under it, will represent a significant improvement. These will be supplemented by a number of measures to more clearly link data protection with cybersecurity, including through closer working of the Information Commissioner and the National Cyber Security Centre. However, we will not seek to pursue further general cybersecurity legislation for the wider economy as would be required by Amendment 105.
We believe that mandating the inclusion of cyber risk information in annual reports, or the introduction of legal provisions for cyber audit, is unlikely to be an effective way of encouraging large-scale change in cyber risk management. Instead, the National Cyber Security Centre plans to work with stakeholders to develop guidance for investors. The long-term aim of the organisation is to include cybersecurity in the guidance it provides to businesses on the kind of information it wants to see in an annual report, and in the reports it provides to investors each year on every listed company.
Amendment 106 is very broad in its aims and, as such, could have unintended consequences for the diverse range of grants that the Government fund each year. The supporting audit and insurance regime would be costly and challenging to enforce given the diversity of grant recipients, including those from voluntary and research communities. Furthermore, this amendment is unnecessary as many of these checks are in place as a matter of routine. The level of cybersecurity risk in grants will continue to be monitored and consideration given to how recently launched grant standards could be used to strengthen guidance in this area. This provides a far more flexible and proportionate solution than legislation.
With respect to subsection (2) of the proposed new clause in Amendment 106, the Government are already taking tangible steps to reduce the level of cybersecurity risk in their supply chain. As of October 2014, suppliers of central government contracts that involve the handling of personal data or the supply of IT products and services must demonstrate they have met the technical requirements set out as part of either the government-owned Cyber Essentials scheme or a suitable equivalent. The scheme was developed jointly with GCHQ and industry to support organisations of all sizes and across all sectors in getting a good, basic level of online security in place. In response to my noble friend Lord Arbuthnot I would observe that, as of the end of December 2016, nearly 5,500 certificates had been issued under the scheme, and we have a strategy in place to significantly increase the adoption of the scheme over the coming year. With that explanation, I hope my noble friend will withdraw his amendment.
My Lords, I am grateful to my noble and learned friend for his comments. From what he says I suspect that the Government are not quite there yet. However, I hope that my amendments will help to encourage them along a path of some form of regulation in this area. I suspect that the arguments my noble and learned friend used were similar to those that were first used when financial audit was suggested. However, I am grateful for what he has said. I am also particularly grateful to the noble Baroness, Lady Jones, for what she said and for the gracious way in which she said it. However, my amendments were aimed not so much at government as at business. I suspect that this will be part of a long-term campaign, so, with those words, I beg leave to withdraw the amendment.
My Lords, I wish to speak also to Amendment 116.
This issue is extremely straightforward. My remarks may anticipate some of the points that the noble Baroness, Lady Byford, will make in due course on the clause stand part question, for which we have considerable sympathy. However, we on these Benches and many others outside the House are deeply concerned that Chapter 2 of Part 5 contains no safeguards against bulk copying of civil registration data. We accept the case for a power to disclose civil registration information where an individual has consented. A citizen should, of course, be able to choose to let the registrar inform other bodies of changes. However, new Section 19AA in Clause 39(2) appears to remove any limit to copying registration data in bulk. As regards the draft civil registration code of practice, there appears to be no explicit limit on that sharing of data in bulk, and certainly no requirement for individual consent. Therefore, the essence of this amendment is quite simply to require that there should be express consent of the data subject.
As regards Amendment 116, approximately 1.3 million births and deaths are registered each year under legislation dating back to 1953, which consolidated provisions going back to the start of civil registration in 1837. In 2009, a system was introduced to allow registrars to register births and deaths electronically but it is the hard copy which this generates which is the legal copy that will be used to issue the certificates. Registrars also have to use the electronic system to submit an electronic copy of each event to the superintendent registrar. Primary legislation is required to make the electronic copy the legal copy and to remove the need for paper altogether, although individuals could still order hard-copy certificates should they so choose.
It has been estimated that such a move would save the local registration service and the Home Office around £2.5 million a year, primarily through removing the routine creation of registers containing loose-leaf, watermarked registration documents. Local authorities currently have to pay to store hard copies of all documents, so the change would reduce future storage costs. Provided that sufficient checks are in place, electronic documents are more secure than paper ones, which is particularly important when loose-leaf documents are being moved.
I hope that I have made the case for this amendment, which is very much supported by many in this field, and I hope that the Minister will look favourably on it. I beg to move.
My Lords, my opposition to Clause 39 standing part of the Bill forms part of this group. I have listened carefully to what the noble Lord, Lord Clement-Jones, has just said. I come to this from a slightly different angle but the conversation goes round and round in a circle, and here we are trying to introduce protections again.
I tabled my opposition to the clause for probing reasons. I wonder whether it is possible to have examples of when and why a civil registration authority would disclose information. The definition in new Section 19AA(6)(e), introduced in Clause 39, lists as civil registration officials those local authority classifications which also appear as specified public authorities. Do the disclosure powers mean therefore that a civil registration official in, for example, my home county of Leicestershire may disclose information to other personnel employed within the county council, or do they empower him to disclose information to any or all of the other specified public authorities? From my reading of the subsection, that is not quite clear.
Would the regulations be used to divulge information specific to a person or perhaps a family, or could they ever cover everything registered at a particular time or relating to a particular location? For example, why would the NHS have an interest in receiving such information?
Could this chapter result in a large-scale information exchange between civil registration officials and public authorities using the internet? If so, how will such data be protected both in transit and at the receiving end? Do all public authorities use the same methods to guard against data theft and hacking? I shall be interested to hear the Minister’s response.
My Lords, perhaps I may ask a couple of questions which arise from the fact sheet on this issue. On civil registration, it says:
“The Bill establishes a framework, with appropriate safeguards, to share bulk registration information where there is a clear and compelling need”.
I wonder whether the Minister can help the Committee in understanding where that is translated into the Bill. The fact sheet also says:
“There are no intentions to share data with the private sector or for data to be used for any commercial purposes”.
It then goes on to say that,
“the powers would not permit this”.
However, I am sure that the Minister will understand my querying the words “no intentions”, because they suggest that there could be a change, and possibly one with which Parliament is not hugely involved. I am going to assume that the points made by the Delegated Powers and Regulatory Reform Committee are in the rather large pile of items that it raised and which the Government will reply to before Report, so I am referring to that only in passing, but it would be very helpful to understand how the points in the fact sheet, which is where many people would start, move over into the legislation.
My Lords, the proposals in Chapter 2 of Part 5, which are being addressed here, will ensure that citizens are able to access future—can I have a moment to sort out my own speaking notes?
While the Minister is doing that, can I ask whether this amendment covers Scotland? He is replying as the noble and learned Lord, Lord Keen of Elie. Registration of births, deaths and marriages was not introduced in Scotland until 1855 rather than 1837—I think—so does this amendment cover Scotland?
It does not extend to Scotland. It is a provision pertaining to England and Wales. I am obliged to the noble Lord for giving me time to find my place in my notes. It is greatly appreciated.
As I said, the proposals in Chapter 2 of Part 5 will ensure that citizens are able to access future government digital services efficiently and securely, while removing the current reliance on paper certificates. I will address the two amendments first before addressing the clause stand part aspect of this debate.
Amendment 113 would add a requirement for a civil registration official to be satisfied that the information is required by a recipient to fulfil one or more of their functions before disclosing data and also seeks to add a requirement that an individual must have given valid consent under data protection legislation prior to any disclosure of their personal data. With respect, this amendment is unnecessary because disclosure of personal data under these clauses will already be subject to the provisions of the Data Protection Act. To require explicit consent in all cases would exceed the requirements of the Data Protection Act and the purpose of this clause. Disclosure will take place without consent only if to do so would be consistent with the Data Protection Act, which governs fair disclosure. Examples of how the powers would be exercised in practice include allowing registration officials to disclose information within and across local authority boundaries in order to safeguard children. Being able to share information will ensure that children are known to the local authorities in which they reside and action can be taken to address any needs of the child or the parent. That is what lies behind this matter.
Amendment 116 seeks to amend the Births and Deaths Registration Act 1953 to introduce an electronic register for the registration of births and deaths. However, the proposed amendment to Section 25 of the 1953 Act as currently drafted does not go far enough. The legislation which provides for the registration of births and deaths is based on legislation in place in 1836—or 1837—and very little has changed to the process of registering births and deaths since then. The Act would need more amendment in order to introduce an electronic register. Moving to an electronic register would remove the requirement for hard-copy registers and the electronic register of births and deaths would be the legal record instead of the paper registers. It is certainly an area of reform that the Government are keen to take forward. However, we need more time. I reassure noble Lords that the Government will look in more detail at what changes need to be made to the Act in order to bring in this change and we will consider legislating in due course. We recognise the benefits that the noble Lord, Lord Clement-Jones, suggested could be achieved once that entire process is completed. In light of those points, I hope that the noble Lord will agree not to press that amendment.
I turn to my noble friend Lady Byford and her opposition to the clause standing part of the Bill. Unless there is a specific statutory gateway, information from the records of births, marriages, civil partnerships and deaths may not be disclosed by registration officials other than in the form of a certified copy of an entry, such as a birth or death certificate, on payment of the statutory fee. As I have indicated, the system is outdated and based on paper processes from the 19th century. This clause introduces new data-sharing powers that allow registration officials to share data from birth, death, marriage and civil partnership records with public authorities for the purposes of fulfilling their functions. However, only the minimum amount of data will be provided to enable the public authority to fulfil the function.
My noble friend asked for examples of the benefits of sharing such registration data. Being able to share data about deaths with local authorities would assist in combating housing tenancy fraud. The National Fraud Authority estimates that housing tenancy fraud costs local authorities £845 million each year. An example of this is when someone continues to live in a property following the death of the tenant even when they have no right to do so. The sharing of birth data within the local authority would assist social services, for example, if they wanted to engage with one of the parents in the interests of a child. Sharing marriage data would help to target those living together if there were a fraudulent claim to be single for the purposes of claiming benefits. Sharing death data within local authorities would help them to recover medical equipment following the death of an individual.
There are many examples where such data sharing would be of assistance. It paves the way for citizens to access government services more conveniently, efficiently and securely, for example, by removing the current reliance on paper certificates to access services. This will provide more flexibility and will modernise how government services are delivered. An example is where registration officials will be able to share data on births that have occurred in one district, but where those concerned live in a neighbouring district with no hospital. This would allow local authorities more accurately to plan the provision of health care, school planning and other local services. Being able to share death data across boundaries will also help to prevent unwanted mail being sent to the family of a deceased person.
Registration officials will be able to share registration data only with the public authorities defined in new Section 19AB of the Registration Service Act 1953. Any data sharing will of course be carried out strictly in accordance with the requirements of the Data Protection Act. The sharing of registration data will be underpinned by a statutory code of practice as required by Section 19C. One of the requirements in the code will be that the Registrar-General must personally approve any request for the sharing of large amounts of data.
Before data are shared, the code of practice requires privacy impact assessments and data-sharing agreements to be drawn up and agreed with public authorities to include such things as how data are to be used, stored and retained. Data will be able to be used only for the purpose they have been provided and retained only for as long as necessary. Data-sharing agreements will forbid the creation of a database or the linking of registration data in any way. Any breach would be reported to the Information Commissioner, who has the power to impose penalties where it is appropriate to do so. I hope that that deals with the fears expressed about the bulk use of such registration data.
My Lords, I am not sure whether the Minister has dealt with the questions raised by my noble friend.
I apologise for omitting to respond to the questions asked by the noble Baroness, Lady Hamwee, by reference to the fact sheet. Rather than poring over the provisions of the Bill, I will undertake to write to her pointing out the cross-reference between the terms of the fact sheet and the relevant provisions in the Bill. I will place a copy of that letter in the Library.
My Lords, I thank the Minister for his response, but I am a little bit baffled. Here we are—and I am talking here particularly with reference to Amendment 116—discussing the Digital Economy Bill. It should be doing what it says on the tin. I put forward, in my name and in the name of my noble friend Lady Scott, who is the inspiration behind the amendment, something that would make sure that it was the electronic copy that was the legal copy. Here is the Minister saying—and I do not think I have ever had a Minister say this to me—that the amendment does not go far enough. That is a very joyous response, but on the other hand he wants more time and “it will all happen in due course”. This is the Digital Economy Bill: what other opportunity are we going to have to ensure that our Registrar-General and so on—the General Register Office and local authorities—are under a legal obligation to hold electronic copies rather than the old, steam-driven paper copies? We have been doing this since 1837 or 1836, as we heard earlier. Is it not about time that we changed our practices, and is it not possible that we have been cooking up an amendment over the last 50 years that might suit the book and be able to appear on Report? That is my response on Amendment 116.
My response on Amendment 113 is a little bit dustier. I have read the code of practice, and I accept the Minister’s assurances; throughout this process he has given a lot of assurances about the impact of the Data Protection Act. There is no doubt about that: either explicit consent or, where no explicit consent is given, it is in accordance with the Data Protection Act and so on. There are some very worthy purposes in terms of data sharing: safeguarding children was an absolutely splendid example for the Minister to produce, and he produced some very good examples to the noble Baroness, Lady Byford, as well. Of course, there are some very good examples, but the code of practice is very opaque in that respect. It really does not get into any of that kind of worthy purpose: it simply talks about disclosing in accordance with the Data Protection Act. I looked through when the Minister was talking to see whether it was the Registrar-General who was the one person who was going to authorise disclosure, and it seemed to me that there were an awful lot more people who were authorised to disclose than simply one person.
There is something defective about these codes of practice. They seem to be far too bland and they do not give the public the reassurance that they should. We have talked about public trust right across the Committee, and the fact is that the reason why so many amendments have come forward from a variety of different sources to this part of the Bill is precisely that lack of trust. I suggest that the Minister and his colleagues look again at whether these codes of practice are doing their job.
That is another reason why, at the end of the day, these codes of practice should be approved by Parliament. That has also been a running theme of the Delegated Powers and Regulatory Reform Committee, which had it absolutely right in every single chapter that it dealt with. These codes of practice should be approved by Parliament. Otherwise, I do not believe that the Government are going to build that public trust in this data sharing, which is absolutely essential. The Minister should look again at that aspect, but in the meantime, having given the Minister a hard time at this time of night, I beg leave to withdraw the amendment.
My Lords, in an idle moment, a moment of complete frivolity, I looked up GOV.UK to check facts—I thought that would be a useful contribution to the debate. The date we have all been searching for is 1837: the General Register Office is part of Her Majesty’s Passport Office and contains records dating back to 1837. I thought that would be useful.
I beg to move Amendment 117A in my name. This stems from my period of service as chairman of a wonderful charity called StepChange, which deals with individual debt owed by ordinary people. In the time I was there—I resigned about two years ago—we had about 600,000 people a year contacting the telephone helpline or going online to try to seek solutions to their debt problems, so it is a very significant problem in British society and something we must take a great deal of care about. Most people who came to us were struggling with multiple debts; in other words, they owed money to a variety of different sources, ranging from local authorities, mobile phone companies, debt collection agencies, Revenue & Customs, payday lenders, utility companies and catalogue lenders—there is a very large number of them.
A median client would be aged about 45, female and owing about £20,000 to eight different creditors, so it is a significant problem that people get into. Within that, with a tremendous requirement now for debt advice, with lots of people struggling with debt, one worrying trend has been how bad central and local government have been in dealing with people, particularly those with multiple debts. A recent survey of about 1,000 StepChange clients found widespread aggressive enforcement from local authorities even when people were asking their authority for help. Clients were more than twice as likely to be threatened with court action or bailiffs than to be offered an affordable payment option. This is despite guidance being issued by central government about how debts should be treated.
Of course, what happens when people face strong demands, very often from central or local government, is that they tend to go to people who can lend them money quickly, probably from an existing credit line, almost certainly, until recently—but even today it is still happening—taking out a payday loan. They try to borrow more to try to pay back original debts and get themselves into a worse situation than they were before. The same survey asked clients to rate what their creditors had done to them and whether they treated them fairly or unfairly. I am afraid to say that public sector creditors came out very badly, occupying three of the top six places in the unfair treatment table. It is interesting to note that HMRC, for instance, scored no better than payday lenders, which the Government, through the FCA, have spent a lot of time trying to sort out over recent years.
That is the background of our concern. We welcome the provisions in the Bill to think again about how debts owed to the public sector are collected. In that light, these amendments are put forward for suggestion, they are probing amendments at this stage, and I hope that they will elicit a response, because it is not just StepChange, the debt charity, that has been concerned about this. Citizens Advice has also raised concern about public sector debt collection practices, finding that public sector creditors are,
“mostly out of step with financial services and utilities companies when it comes to setting affordable repayment rates, and that our clients can suffer detriment when public bodies have uncoordinated and inconsistent approaches to debt collections ... central government debt collection lags behind the higher standards expected of other creditors”.
This is focused on individuals who have problems with their debts, but of course there is a wider cost to society as a whole which, through relationship breakdown, homelessness and difficulties with maintaining concentration at work, et cetera, has been estimated at about £8 billion a year. The Bill contains clauses that relate to this and they seem to suggest that central government as a whole—but in this case HMRC—are thinking about how the data-sharing powers that are coming should be used to allow them to collect several debts at once, but also to do it in a slightly different way. I hope that is the case. We are back with our old friend, the code of practice, because what is said in the code of practice will determine whether this will work.
I have, then, four things I invite Ministers to respond to. First, Clause 45 is limited to departments that seek data-sharing powers and says only that they should “have regard to” the code of practice. This has, I think, been picked up in other amendments that we have considered today. It would be good if the code of practice were also embedded in a much stronger statutory provision, to give it real bite. We have seen examples of guidance—I mentioned one involving central government issuing guidance on council tax collection methods—but such guidance does not work, because it is non-binding and only advisory. If there is a code, it should be embedded in the statute and people affected by it should be able to refer back to it to make sure that it works properly.
Secondly, the public body itself must believe that this is the way in which it needs to operate. Within the amendments are a range of issues that central government bodies might pick up that would match the best practice in utilities, banks, credit cards and store cards—all of which have been through the cycle of trying to get money out of individuals who owe them and other people money, and have recognised that you have to deal with people with multiple debts in a completely different way from those who just owe money directly. That is gradually changing the way people operate. There is further to go, but it is a lesson that should be learned. I hope that the codes can be adapted to reflect that.
Thirdly—this may be too much of an ask, but it should be recognised—this Bill applies only to public bodies, and their creditors, when they are seeking to use the data-sharing powers. The problem is, of course, wider than the data-sharing powers. Problems with central and local government debt collections are widespread: practices need to be reformed and this is not likely to relate only to places where data sharing is used. The Government should think ahead about this and try to set out an understanding for all their agencies that poor debt-collection practices can harm the rate at which they get their money back and the time it takes, and it will also harm the financially vulnerable people. Taking account of that across all their practices would be a very good thing.
These amendments, therefore, try to raise those points, but there is one other thing that the Government should try to do, which is in the first amendment. It is to take a lesson from Scotland—I am sure that the noble and learned Lord from Scotland will wish to pick this up and think harder about it—where, when you have a private or a public debt and seek guidance from the state agency that operates that scheme, you are given statutory protection from excess charges and your interest rates are frozen, providing you stick to your debt repayment plan. That means that people get a breathing space, time to organise their finances, think about their budgets and work out what they are going to do, without the terrible pressure from those who are owed money to start repaying it. It is only when all those issues have been brought together, and an agreement reached between the creditors and the agency, that repayment begins. That has a very much higher rate of success than any other scheme. England lags way behind on this, and it would be no skin off the Treasury’s nose if it took a leaf out of the Scottish Government’s book and brought in their procedures—with a statutory breathing space that gave some hope to people who want to repay their debts but cannot do so because the practices are not as good.
My Lords, I acknowledge the point made by the noble Lord, Lord Stevenson, that this is a significant issue, and I understand that this is a probing amendment to allow us to consider some of the wider issues that he has touched on in the debate.
Amendment 117A seeks to include in the Bill an additional purpose: to enable debt information to be shared under the powers provided by Clause 41. It seeks to state explicitly that debt data can be disclosed,
“for the purpose of helping individuals to manage their debts”.
There is also a reference to the breathing space, and I will come back to that point in a moment in response to the questions posed by the noble Lord.
In the first instance, we would venture that the amendment is not necessary. The provisions as drafted enable information to be shared,
“for the purposes of the taking of action in connection with debt owed to”,
a public authority or the Crown. This includes but is not limited to, for example, identifying or collecting debt. The provision is sufficiently broad to enable sharing for the purpose set out in this amendment. That is the position of the Government. The Government are considering the recommendations that have been made following work to look into the merits of introducing a breathing space for customers, which we are aware is available in other jurisdictions. While the Government are considering these recommendations, it would be premature to incorporate a reference to this initiative in the Bill at this time. I hope the noble Lord will accept that the matter is being looked at.
I thank the Minister very much for his considered response. I am grateful to him for that. The breathing space proposal has been around for some time, so I was hoping to get a bit of an edge on it but we will clearly have to wait and see. It would provide a very big step forward for how public debts are organised. As I said, how the code of practice is framed is the main issue and I am grateful for the Minister’s thoughts that there might still be opportunities to influence it. What was said today might do that trick but we will certainly look at it carefully. With that, I would like to withdraw the amendment.
My Lords, these amendments apply to the research power, and there is an additional amendment which applies to the statistics power. Together, they add clarity and strength to the set of robust safeguards that have been developed to facilitate the processing and safe disclosure of personal information provided by public authorities for research purposes. To encourage greater use of publicly held data for research in the public interest, it is important that everyone concerned can have confidence that personal information is appropriately protected, while at the same time researchers are able to interrogate the information to produce research findings that further the public interest. These amendments further help strike that balance.
The amendments fall into four categories. First, Amendment 155, to Clause 57(9), makes clear, for the avoidance of doubt, that a public authority that processes another public authority’s personal information must be accredited to do so, as well as to process its own information.
Secondly, Amendments 159 to 180 and Amendment 191 correct defects in the drafting of Clauses 59 and 60. The defect in each clause prevents persons who receive processed information from processors under Clause 57(1) disclosing that information at all if that information meets the wide definition in Clause 57(12), whereas it was always intended that researchers would be able to disclose the information that they receive under the power to other researchers for the purposes of peer review. The amendments also strengthen the unlawful disclosure provisions by adding a new offence which applies to disclosure of a defined category of personal information by a person who has received processed information under Clause 57(1). The information that is protected is consistent with Section 39 of the Statistics and Registration Service Act 2007. The amendments have been drafted in a way that will enable researchers to submit their findings for peer review and for publication in a similar way to current practice under that Act. These amendments have been developed with the assistance of the UK Statistics Authority, which has considerable expertise in this area.
Thirdly, Amendments 183 to 189 and Amendments 192 to 195 tidy up a drafting error by which the code of practice currently applies to the disclosure, holding or use of both personal information and information that is not, or never has been, personal. To apply the code or any other safeguards in this power to information that does not identify or risk identifying individuals would be unnecessarily bureaucratic.
Finally, Amendment 210 to new Section 53A supports devolved statistics by giving the UK Statistics Authority a mechanism to share information with its statistical counterparts in the devolved Administrations. In Northern Ireland, the principal statistical department is the Northern Ireland Statistics and Research Agency, or NISRA. Some of NISRA’s functions are held specifically by its parent department, the Department of Finance. Other statistical functions are held only by the Registrar-General for Northern Ireland. New Section 53A(2) does not currently list the Registrar-General for Northern Ireland as a devolved authority, meaning that UKSA cannot share information with NISRA relating to the Registrar-General’s statistical functions. This amendment resolves this difficulty by adding the Registrar-General for Northern Ireland to the definition of devolved authority in new Section 53A(2). I beg to move.
My Lords, I rise to move the amendment tabled by my noble friend Lord Willetts, who apologises that he could not be here tonight. I have the two other amendments in the same group. Clause 68 makes mandatory the provision of data by Crown bodies to the ONS for defined statistical research purposes. An alternative approach might be for an organisation such as the Information Commissioner’s Office to provide arbitration on contentious requests.
Clear insight into whether the Bill directs Crown bodies to share data from statistics is needed in Clause 68. At the Bill’s Committee stage in the House of Commons, where there was a long discussion on this, Chris Skidmore, Minister for the Constitution in the Cabinet Office, said it would be possible for a Crown body to refuse an ONS request for data and,
“where necessary, have their refusal put before Parliament”.—[Official Report, Commons, Digital Economy Public Bill Committee, 27/10/16; col. 379.]
The Royal Statistical Society’s primary objection to this is that it provides no subsequent mechanism for the ONS to secure access to the data. It is also unclear to it what the process means in practice, which part of the legislature will deal with that correspondence, what it is expected to do with it and what sanctions it can apply for non-disclosure. The RSS has been asking why this is in place and whether it is justified, especially as other countries, such as Canada, operate with less burdensome arrangements. I should say that I am very grateful to the Royal Statistical Society for its briefing, otherwise I would be really lost. The RSS says:
“Including the Minister’s contribution, we have heard two arguments thus far … The Minister explained the different treatments for Crown bodies and other public authorities as being due to conventions: ‘That way of working, set out in sections 45B and 45C, ensures consistency between how a Crown body interacts with another on the one hand, and how a Crown body interacts with a non-Crown body on the other’ … We have also been privy to a different, earlier argument that due to the indivisibility of the Crown, one Crown body cannot give directions to another”.
If we thought earlier discussions were difficult, I think it is getting even more so.
The briefing continues by saying that,
“we have sought and obtained legal advice, which suggests that Parliament could technically direct departments to do what it deems fit. The government’s position, although it is not unprecedented, appears politically or culturally based. It may be that the government has heard objections from some departments to a mandatory approach. We are aware that there could be reluctance on the part of some departments to share data generally, and with ONS and researchers in particular. However, problems of risk aversion to data sharing ought to be addressed without obstructing the proposed right for ONS to access data for statistical purposes, which has been more widely supported and called for, for example, by the Public Administration Select Committee (2013) and the Science and Technology Select Committee (2016), and in other reports described in the House of Commons Library’s analysis”.
There is much more material here but I shall not push the matter further. I hope I have given my noble friend enough to respond to.
My Amendments 208 and 209, which are linked to this, are much simpler and more direct as far as I am concerned, because I am not technically astute on the other topic. Large, well-known charities employ many people using many skills and who are occupied full-time in their jobs. Little charities rely on unpaid volunteers who may not have a wide range of skills and who use their free time to work purely for the charity. I have two examples in mind. The first is Freddie’s Wish, which commemorates a little boy who died in a car crash. His mother set up the charity to help local bereaved families and to raise money for the children’s hospital and the air ambulance. In two years it has raised over £50,000 and trained more than 100 volunteers in paediatric first aid.
The second example is Evelyn’s Gift, which has been a registered charity for less than a year although its founder and volunteers have been working for nearly four years. It is in memory of a seven year-old girl who died of respiratory illness. Its aims are to arrange CPR training and to continue her practice of doing little acts of kindness. The list of acts done in her name and in the name of people and the organisations that support them is inspiring. The charity employs no one and all the work is carried out by unpaid volunteers.
Organisations such as these have no resources to supply the Statistics Board with information. An unpaid voluntary worker would have to give time to filling in forms instead of doing the work he or she has signed up for and dearly wishes to do. It could be difficult to persuade anyone to donate even more time in this pursuit. A small charity with irregular income but making an important local contribution could well be destroyed by a fine levied under new Section 45F(3).
Most people nowadays have heard of charitable shoe boxes. These are sent, filled with practical gifts—hand-knitted hats, scarves and gloves, pens and paper, recycled soft toys, tennis balls and so on—to underprivileged children in Africa and eastern Europe, and, indeed, in our own country. Those who fill them spend their own money and devote much time to making up these boxes. The work is carried out throughout the year and each box going abroad to Africa costs at least £2.50 to transport in November and December. Villages, primary schools, care homes and religious groups donate goods, money, time and effort to reclaiming, recycling and packing huge quantities of otherwise unwanted items. They also raise funds for basic toiletries, small packs of sweets and things such as pens and paper, without which some children cannot go to school. I know of one village that last year sent 1,326 boxes to the central depot.
Who is to fill in the forms for the Statistics Board, and is that really necessary for these very small charities? The boxes come from all over the country. They must not contain liquids, chocolate or sweets dated for expiry before the end of March of the following year. Beyond this, there is no record of contents, value or hours worked. With such charities, my concern is that the figures available to the Statistics Board will be solely to do with the transport of the finished items. That would surely distort the results of any study by the board. I suggest that we should therefore exempt such charities from the Bill. I beg to move.
I must advise your Lordships that, if this amendment is agreed to, I will not be able to call Amendments 200 to 202 because of pre-emption.
My Lords, I rise briefly to support this amendment. There seems to be something quite perverse in obstructing the access of the Statistics Board to datasets that are in the hands of other public bodies. That is a very simplified account, but it is a curious place in which to have an obstacle. I hope that the Minister can consider this clause very seriously.
I am obliged to the noble Baronesses for their interest in this part of the Bill. As your Lordships will be aware, Clause 68 gives the UK Statistics Authority the powers to access important data needed to produce official statistics to support decision-making.
On Amendment 199, new Section 45B gives UKSA a right of access to information held by Crown bodies. A Crown body must respond in writing to a formal notice issued by the UK Statistics Authority and explain any refusal to give the authority information. If the Crown body’s explanation is inadequate or it fails to respond or comply, the UK Statistics Authority may lay the request and any response before the relevant legislature. A Crown body must therefore either comply with the notice or explain its refusal in writing. Where the Statistics Authority puts that correspondence before Parliament, then Parliament can judge the body’s actions openly and transparently. We consider that this is the right approach, creating effective, proportionate accountability and transparency.
Of course, my noble friend Lady Byford would argue that the amendment is a more effective means of requiring a Crown body to give the Statistics Authority the information. We cannot accept that it is either necessary or desirable. The Statistics Authority is part of the Crown, as are government departments. As my noble friend anticipated, it would be extremely novel, and possibly unprecedented, to legislate to compel one part of the Crown to obey another. Even the Health and Safety at Work etc. Act 1974 excludes the Crown from being subject to enforcement measures such as prosecution, instead providing long-standing structures to help departments to work with each other administratively. In this context, new Section 45B strikes the right balance. I hope that explanation reassures my noble friend.
I am very grateful to my noble and learned friend for his response. I am unable to really comment properly on Amendment 199, because I would like my noble friend Lord Willetts to have a chance to read and reflect on the Minister’s response to that issue.
On my own two amendments, I thank him for his comments. One thing that has always troubled me with charities is that sometimes you have a small charity that has a large income, but at the other end you have a large charity with a very small income. I am not totally clear, but I shall read very carefully on whether the lay-down that we have at the moment on micro and small is correct for what I am trying to suggest the Government should think about. However, I thank the Minister for his full response, which I shall read carefully in Hansard. In the meantime, I beg leave to withdraw the amendment.
My Lords I declare my interest as chair of the National Mental Capacity Forum, and in that role I have been working closely with the Office of the Public Guardian.
For some time the Public Guardian has wanted to move away from the wet signature requirement for the creation of lasting power of attorney for both health and welfare, and property and financial affairs decisions, as laid out in the Mental Capacity Act 2005. This amendment would allow that process to be purely electronic and carried out online, with the safeguards it outlines. A digital process should now be secure given the advances in technology since the original provision was made, and the amendment would simply allow the Secretary of State to make appropriate regulations rather than creating the process.
As the hour is late I am inclined to ask the Minister, if he has any reservations about this amendment and the powers it would give to the Secretary of State, to curtail the debate by meeting with me and the Public Guardian before Report. However, I am rather pre-empting the Minister’s decision. If he decides to accept my amendment, that would be just wonderful. I beg to move.
My Lords, in view of the hour, it occurs to me that it would be appropriate to give a lengthy and detailed analysis of powers of attorney, and, indeed, to take us back to the Powers of Attorney Act 1971 and the subsequent developments of the law. Nevertheless, and despite the enthusiasm from the Opposition Benches, I am perfectly happy to accept the kind invitation advanced by the noble Baroness, Lady Finlay, and to meet with her to explain the Government’s position on this matter. I would be obliged if she could at this stage withdraw the amendment.
My Lords, in light of the forthcoming meeting—which I am sure the Public Guardian will wish to join—I beg leave to withdraw the amendment.