(7 years, 9 months ago)
Lords Chamber
I expected more people to be inspired by the contribution of the noble Lord, Lord Arbuthnot, and to join in the debate. I am rising to give my support to Amendments 105 and 106 and to thank the noble Lords, Lord Arbuthnot and Lord Carlile, for highlighting this simple failure in company policy, which can lead to much bigger dangers and threats. As the noble Lord said, it can have commercial implications, personal privacy implications and, ultimately, national security implications. While we all have a part to play setting the highest standards of data protection, it is true that all too often we put the focus on national Governments without recognising the equal responsibilities of the private sector and private companies to play their part. This is particularly vital, given the number of private sector organisations which access data for government contract work. However, it also extends into other realms of commercial activity, such as commercial personal profiling, in which companies build vast data banks of our shopping habits, our friends, our movements—literally, where we are moving around in cities and towns—and our vulnerabilities, all of which have huge value both in their own hands and in the hands of cyber-thieves. These are issues which we have also flagged up in other amendments tabled today, and we have tried to build in more safeguards. My noble friend Lord Collins has said that we believe that individuals should have the right to know what information is being held about them, for example. They should have the right to be able to withdraw permission for the data to be held, and they should have the right to know immediately if a data breach has taken place.
We welcome the amendments, which would begin to address some of our concerns, by putting a straightforward obligation on companies to prepare a cybersecurity report each year, detailing the measures being taken to ensure that data are being kept safely. It is a simple ask, and it should not really be necessary, but the all too frequent security breaches taking place underline why a legal requirement has to be imposed. An Institute of Directors report last year showed that companies tend to keep quiet when there has been a security breach. As a result, there are no accurate figures on the extent of this crime, or the extent to which companies are being held to ransom. A survey of business leaders found that only half had a formal strategy in place to protect themselves and just 20% held insurance against an attack. Yet we also know that companies are also losing confidence in their encryption systems, their staff capabilities and awareness and the ability of their software to withstand a deliberate assault.
This is a huge issue. Of course, we have a vested interest in sorting this out, as often it is our personal data which are being stolen. But on a wider sphere it impacts on everything from company finances to sensitive market data and research and development. So we very much welcome the initiative set out in these amendments, and agree with the noble Lord, Lord Arbuthnot, that they are helpful. In itself, they will not completely solve the problem, but they represent another small step in getting companies to act responsibly in managing the data that they hold.
My Lords, Part 5 of the Bill requires public authorities and specified persons to specify and meet specific legislative conditions and controls on the handling of personal information. As I have said on a number of occasions this evening, these provisions will be underpinned by codes of practice setting out data security requirements, including cybersecurity. A body that fails to meet these could be prevented from using the data-sharing powers. That is the context in which I turn to Amendments 105 and 106.
Amendment 105 would require all but the smallest of companies to conduct audits on their cybersecurity and to report annually on it and their data protection measures. Clearly, the Government recognise that effective cybersecurity risk management is important to the success of the economy and, indeed, to ensuring the safety and integrity of private citizens’ data. The Government conducted the Cyber Security Regulation and Incentives Review in 2016 to consider whether we need additional regulation or incentives to boost cyber risk management in the wider economy and it showed strong justification for regulation to secure personal data.
The Government will seek to improve cyber risk management through our implementation of the EU general data protection regulation in May 2018. Its requirement to report breaches to the Information Commissioner and individuals affected, and the fines that can be issued under it, will represent a significant improvement. These will be supplemented by a number of measures to more clearly link data protection with cybersecurity, including through closer working of the Information Commissioner and the National Cyber Security Centre. However, we will not seek to pursue further general cybersecurity legislation for the wider economy as would be required by Amendment 105.
We believe that mandating the inclusion of cyber risk information in annual reports, or the introduction of legal provisions for cyber audit, is unlikely to be an effective way of encouraging large-scale change in cyber risk management. Instead, the National Cyber Security Centre plans to work with stakeholders to develop guidance for investors. The long-term aim of the organisation is to include cybersecurity in the guidance it provides to businesses on the kind of information it wants to see in an annual report, and in the reports it provides to investors each year on every listed company.
Amendment 106 is very broad in its aims and, as such, could have unintended consequences for the diverse range of grants that the Government fund each year. The supporting audit and insurance regime would be costly and challenging to enforce given the diversity of grant recipients, including those from voluntary and research communities. Furthermore, this amendment is unnecessary as many of these checks are in place as a matter of routine. The level of cybersecurity risk in grants will continue to be monitored and consideration given to how recently launched grant standards could be used to strengthen guidance in this area. This provides a far more flexible and proportionate solution than legislation.
With respect to subsection (2) of the proposed new clause in Amendment 106, the Government are already taking tangible steps to reduce the level of cybersecurity risk in their supply chain. As of October 2014, suppliers of central government contracts that involve the handling of personal data or the supply of IT products and services must demonstrate they have met the technical requirements set out as part of either the government-owned Cyber Essentials scheme or a suitable equivalent. The scheme was developed jointly with GCHQ and industry to support organisations of all sizes and across all sectors in getting a good, basic level of online security in place. In response to my noble friend Lord Arbuthnot I would observe that, as of the end of December 2016, nearly 5,500 certificates had been issued under the scheme, and we have a strategy in place to significantly increase the adoption of the scheme over the coming year. With that explanation, I hope my noble friend will withdraw his amendment.
My Lords, I am grateful to my noble and learned friend for his comments. From what he says I suspect that the Government are not quite there yet. However, I hope that my amendments will help to encourage them along a path of some form of regulation in this area. I suspect that the arguments my noble and learned friend used were similar to those that were first used when financial audit was suggested. However, I am grateful for what he has said. I am also particularly grateful to the noble Baroness, Lady Jones, for what she said and for the gracious way in which she said it. However, my amendments were aimed not so much at government as at business. I suspect that this will be part of a long-term campaign, so, with those words, I beg leave to withdraw the amendment.
My Lords, perhaps I may ask a couple of questions which arise from the fact sheet on this issue. On civil registration, it says:
“The Bill establishes a framework, with appropriate safeguards, to share bulk registration information where there is a clear and compelling need”.
I wonder whether the Minister can help the Committee in understanding where that is translated into the Bill. The fact sheet also says:
“There are no intentions to share data with the private sector or for data to be used for any commercial purposes”.
It then goes on to say that,
“the powers would not permit this”.
However, I am sure that the Minister will understand my querying the words “no intentions”, because they suggest that there could be a change, and possibly one with which Parliament is not hugely involved. I am going to assume that the points made by the Delegated Powers and Regulatory Reform Committee are in the rather large pile of items that it raised and which the Government will reply to before Report, so I am referring to that only in passing, but it would be very helpful to understand how the points in the fact sheet, which is where many people would start, move over into the legislation.
My Lords, the proposals in Chapter 2 of Part 5, which are being addressed here, will ensure that citizens are able to access future—can I have a moment to sort out my own speaking notes?
While the Minister is doing that, can I ask whether this amendment covers Scotland? He is replying as the noble and learned Lord, Lord Keen of Elie. Registration of births, deaths and marriages was not introduced in Scotland until 1855 rather than 1837—I think—so does this amendment cover Scotland?
It does not extend to Scotland. It is a provision pertaining to England and Wales. I am obliged to the noble Lord for giving me time to find my place in my notes. It is greatly appreciated.
As I said, the proposals in Chapter 2 of Part 5 will ensure that citizens are able to access future government digital services efficiently and securely, while removing the current reliance on paper certificates. I will address the two amendments first before addressing the clause stand part aspect of this debate.
Amendment 113 would add a requirement for a civil registration official to be satisfied that the information is required by a recipient to fulfil one or more of their functions before disclosing data and also seeks to add a requirement that an individual must have given valid consent under data protection legislation prior to any disclosure of their personal data. With respect, this amendment is unnecessary because disclosure of personal data under these clauses will already be subject to the provisions of the Data Protection Act. To require explicit consent in all cases would exceed the requirements of the Data Protection Act and the purpose of this clause. Disclosure will take place without consent only if to do so would be consistent with the Data Protection Act, which governs fair disclosure. Examples of how the powers would be exercised in practice include allowing registration officials to disclose information within and across local authority boundaries in order to safeguard children. Being able to share information will ensure that children are known to the local authorities in which they reside and action can be taken to address any needs of the child or the parent. That is what lies behind this matter.
Amendment 116 seeks to amend the Births and Deaths Registration Act 1953 to introduce an electronic register for the registration of births and deaths. However, the proposed amendment to Section 25 of the 1953 Act as currently drafted does not go far enough. The legislation which provides for the registration of births and deaths is based on legislation in place in 1836—or 1837—and very little has changed to the process of registering births and deaths since then. The Act would need more amendment in order to introduce an electronic register. Moving to an electronic register would remove the requirement for hard-copy registers and the electronic register of births and deaths would be the legal record instead of the paper registers. It is certainly an area of reform that the Government are keen to take forward. However, we need more time. I reassure noble Lords that the Government will look in more detail at what changes need to be made to the Act in order to bring in this change and we will consider legislating in due course. We recognise the benefits that the noble Lord, Lord Clement-Jones, suggested could be achieved once that entire process is completed. In light of those points, I hope that the noble Lord will agree not to press that amendment.
I turn to my noble friend Lady Byford and her opposition to the clause standing part of the Bill. Unless there is a specific statutory gateway, information from the records of births, marriages, civil partnerships and deaths may not be disclosed by registration officials other than in the form of a certified copy of an entry, such as a birth or death certificate, on payment of the statutory fee. As I have indicated, the system is outdated and based on paper processes from the 19th century. This clause introduces new data-sharing powers that allow registration officials to share data from birth, death, marriage and civil partnership records with public authorities for the purposes of fulfilling their functions. However, only the minimum amount of data will be provided to enable the public authority to fulfil the function.
My noble friend asked for examples of the benefits of sharing such registration data. Being able to share data about deaths with local authorities would assist in combating housing tenancy fraud. The National Fraud Authority estimates that housing tenancy fraud costs local authorities £845 million each year. An example of this is when someone continues to live in a property following the death of the tenant even when they have no right to do so. The sharing of birth data within the local authority would assist social services, for example, if they wanted to engage with one of the parents in the interests of a child. Sharing marriage data would help to target those living together if there were a fraudulent claim to be single for the purposes of claiming benefits. Sharing death data within local authorities would help them to recover medical equipment following the death of an individual.
There are many examples where such data sharing would be of assistance. It paves the way for citizens to access government services more conveniently, efficiently and securely, for example, by removing the current reliance on paper certificates to access services. This will provide more flexibility and will modernise how government services are delivered. An example is where registration officials will be able to share data on births that have occurred in one district, but where those concerned live in a neighbouring district with no hospital. This would allow local authorities more accurately to plan the provision of health care, school planning and other local services. Being able to share death data across boundaries will also help to prevent unwanted mail being sent to the family of a deceased person.
Registration officials will be able to share registration data only with the public authorities defined in new Section 19AB of the Registration Service Act 1953. Any data sharing will of course be carried out strictly in accordance with the requirements of the Data Protection Act. The sharing of registration data will be underpinned by a statutory code of practice as required by Section 19C. One of the requirements in the code will be that the Registrar-General must personally approve any request for the sharing of large amounts of data.
Before data are shared, the code of practice requires privacy impact assessments and data-sharing agreements to be drawn up and agreed with public authorities to include such things as how data are to be used, stored and retained. Data will be able to be used only for the purpose they have been provided and retained only for as long as necessary. Data-sharing agreements will forbid the creation of a database or the linking of registration data in any way. Any breach would be reported to the Information Commissioner, who has the power to impose penalties where it is appropriate to do so. I hope that that deals with the fears expressed about the bulk use of such registration data.
My Lords, I am not sure whether the Minister has dealt with the questions raised by my noble friend.
I apologise for omitting to respond to the questions asked by the noble Baroness, Lady Hamwee, by reference to the fact sheet. Rather than poring over the provisions of the Bill, I will undertake to write to her pointing out the cross-reference between the terms of the fact sheet and the relevant provisions in the Bill. I will place a copy of that letter in the Library.
My Lords, in an idle moment, a moment of complete frivolity, I looked up GOV.UK to check facts—I thought that would be a useful contribution to the debate. The date we have all been searching for is 1837: the General Register Office is part of Her Majesty’s Passport Office and contains records dating back to 1837. I thought that would be useful.
I beg to move Amendment 117A in my name. This stems from my period of service as chairman of a wonderful charity called StepChange, which deals with individual debt owed by ordinary people. In the time I was there—I resigned about two years ago—we had about 600,000 people a year contacting the telephone helpline or going online to try to seek solutions to their debt problems, so it is a very significant problem in British society and something we must take a great deal of care about. Most people who came to us were struggling with multiple debts; in other words, they owed money to a variety of different sources, ranging from local authorities, mobile phone companies, debt collection agencies, Revenue & Customs, payday lenders, utility companies and catalogue lenders—there is a very large number of them.
A median client would be aged about 45, female and owing about £20,000 to eight different creditors, so it is a significant problem that people get into. Within that, with a tremendous requirement now for debt advice, with lots of people struggling with debt, one worrying trend has been how bad central and local government have been in dealing with people, particularly those with multiple debts. A recent survey of about 1,000 StepChange clients found widespread aggressive enforcement from local authorities even when people were asking their authority for help. Clients were more than twice as likely to be threatened with court action or bailiffs than to be offered an affordable payment option. This is despite guidance being issued by central government about how debts should be treated.
Of course, what happens when people face strong demands, very often from central or local government, is that they tend to go to people who can lend them money quickly, probably from an existing credit line, almost certainly, until recently—but even today it is still happening—taking out a payday loan. They try to borrow more to try to pay back original debts and get themselves into a worse situation than they were before. The same survey asked clients to rate what their creditors had done to them and whether they treated them fairly or unfairly. I am afraid to say that public sector creditors came out very badly, occupying three of the top six places in the unfair treatment table. It is interesting to note that HMRC, for instance, scored no better than payday lenders, which the Government, through the FCA, have spent a lot of time trying to sort out over recent years.
That is the background of our concern. We welcome the provisions in the Bill to think again about how debts owed to the public sector are collected. In that light, these amendments are put forward for suggestion, they are probing amendments at this stage, and I hope that they will elicit a response, because it is not just StepChange, the debt charity, that has been concerned about this. Citizens Advice has also raised concern about public sector debt collection practices, finding that public sector creditors are,
“mostly out of step with financial services and utilities companies when it comes to setting affordable repayment rates, and that our clients can suffer detriment when public bodies have uncoordinated and inconsistent approaches to debt collections ... central government debt collection lags behind the higher standards expected of other creditors”.
This is focused on individuals who have problems with their debts, but of course there is a wider cost to society as a whole which, through relationship breakdown, homelessness and difficulties with maintaining concentration at work, et cetera, has been estimated at about £8 billion a year. The Bill contains clauses that relate to this and they seem to suggest that central government as a whole—but in this case HMRC—are thinking about how the data-sharing powers that are coming should be used to allow them to collect several debts at once, but also to do it in a slightly different way. I hope that is the case. We are back with our old friend, the code of practice, because what is said in the code of practice will determine whether this will work.
I have, then, four things I invite Ministers to respond to. First, Clause 45 is limited to departments that seek data-sharing powers and says only that they should “have regard to” the code of practice. This has, I think, been picked up in other amendments that we have considered today. It would be good if the code of practice were also embedded in a much stronger statutory provision, to give it real bite. We have seen examples of guidance—I mentioned one involving central government issuing guidance on council tax collection methods—but such guidance does not work, because it is non-binding and only advisory. If there is a code, it should be embedded in the statute and people affected by it should be able to refer back to it to make sure that it works properly.
Secondly, the public body itself must believe that this is the way in which it needs to operate. Within the amendments are a range of issues that central government bodies might pick up that would match the best practice in utilities, banks, credit cards and store cards—all of which have been through the cycle of trying to get money out of individuals who owe them and other people money, and have recognised that you have to deal with people with multiple debts in a completely different way from those who just owe money directly. That is gradually changing the way people operate. There is further to go, but it is a lesson that should be learned. I hope that the codes can be adapted to reflect that.
Thirdly—this may be too much of an ask, but it should be recognised—this Bill applies only to public bodies, and their creditors, when they are seeking to use the data-sharing powers. The problem is, of course, wider than the data-sharing powers. Problems with central and local government debt collections are widespread: practices need to be reformed and this is not likely to relate only to places where data sharing is used. The Government should think ahead about this and try to set out an understanding for all their agencies that poor debt-collection practices can harm the rate at which they get their money back and the time it takes, and it will also harm the financially vulnerable people. Taking account of that across all their practices would be a very good thing.
These amendments, therefore, try to raise those points, but there is one other thing that the Government should try to do, which is in the first amendment. It is to take a lesson from Scotland—I am sure that the noble and learned Lord from Scotland will wish to pick this up and think harder about it—where, when you have a private or a public debt and seek guidance from the state agency that operates that scheme, you are given statutory protection from excess charges and your interest rates are frozen, providing you stick to your debt repayment plan. That means that people get a breathing space, time to organise their finances, think about their budgets and work out what they are going to do, without the terrible pressure from those who are owed money to start repaying it. It is only when all those issues have been brought together, and an agreement reached between the creditors and the agency, that repayment begins. That has a very much higher rate of success than any other scheme. England lags way behind on this, and it would be no skin off the Treasury’s nose if it took a leaf out of the Scottish Government’s book and brought in their procedures—with a statutory breathing space that gave some hope to people who want to repay their debts but cannot do so because the practices are not as good.
My Lords, I acknowledge the point made by the noble Lord, Lord Stevenson, that this is a significant issue, and I understand that this is a probing amendment to allow us to consider some of the wider issues that he has touched on in the debate.
Amendment 117A seeks to include in the Bill an additional purpose: to enable debt information to be shared under the powers provided by Clause 41. It seeks to state explicitly that debt data can be disclosed,
“for the purpose of helping individuals to manage their debts”.
There is also a reference to the breathing space, and I will come back to that point in a moment in response to the questions posed by the noble Lord.
In the first instance, we would venture that the amendment is not necessary. The provisions as drafted enable information to be shared,
“for the purposes of the taking of action in connection with debt owed to”,
a public authority or the Crown. This includes but is not limited to, for example, identifying or collecting debt. The provision is sufficiently broad to enable sharing for the purpose set out in this amendment. That is the position of the Government. The Government are considering the recommendations that have been made following work to look into the merits of introducing a breathing space for customers, which we are aware is available in other jurisdictions. While the Government are considering these recommendations, it would be premature to incorporate a reference to this initiative in the Bill at this time. I hope the noble Lord will accept that the matter is being looked at.
My Lords, I rise briefly to support this amendment. There seems to be something quite perverse in obstructing the access of the Statistics Board to datasets that are in the hands of other public bodies. That is a very simplified account, but it is a curious place in which to have an obstacle. I hope that the Minister can consider this clause very seriously.
I am obliged to the noble Baronesses for their interest in this part of the Bill. As your Lordships will be aware, Clause 68 gives the UK Statistics Authority the powers to access important data needed to produce official statistics to support decision-making.
On Amendment 199, new Section 45B gives UKSA a right of access to information held by Crown bodies. A Crown body must respond in writing to a formal notice issued by the UK Statistics Authority and explain any refusal to give the authority information. If the Crown body’s explanation is inadequate or it fails to respond or comply, the UK Statistics Authority may lay the request and any response before the relevant legislature. A Crown body must therefore either comply with the notice or explain its refusal in writing. Where the Statistics Authority puts that correspondence before Parliament, then Parliament can judge the body’s actions openly and transparently. We consider that this is the right approach, creating effective, proportionate accountability and transparency.
Of course, my noble friend Lady Byford would argue that the amendment is a more effective means of requiring a Crown body to give the Statistics Authority the information. We cannot accept that it is either necessary or desirable. The Statistics Authority is part of the Crown, as are government departments. As my noble friend anticipated, it would be extremely novel, and possibly unprecedented, to legislate to compel one part of the Crown to obey another. Even the Health and Safety at Work etc. Act 1974 excludes the Crown from being subject to enforcement measures such as prosecution, instead providing long-standing structures to help departments to work with each other administratively. In this context, new Section 45B strikes the right balance. I hope that explanation reassures my noble friend.
My Lords, I declare my interest as chair of the National Mental Capacity Forum, and in that role I have been working closely with the Office of the Public Guardian.
For some time the Public Guardian has wanted to move away from the wet signature requirement for the creation of lasting power of attorney for both health and welfare, and property and financial affairs decisions, as laid out in the Mental Capacity Act 2005. This amendment would allow that process to be purely electronic and carried out online, with the safeguards it outlines. A digital process should now be secure given the advances in technology since the original provision was made, and the amendment would simply allow the Secretary of State to make appropriate regulations rather than creating the process.
As the hour is late I am inclined to ask the Minister, if he has any reservations about this amendment and the powers it would give to the Secretary of State, to curtail the debate by meeting with me and the Public Guardian before Report. However, I am rather pre-empting the Minister’s decision. If he decides to accept my amendment, that would be just wonderful. I beg to move.
My Lords, in view of the hour, it occurs to me that it would be appropriate to give a lengthy and detailed analysis of powers of attorney, and, indeed, to take us back to the Powers of Attorney Act 1971 and the subsequent developments of the law. Nevertheless, and despite the enthusiasm from the Opposition Benches, I am perfectly happy to accept the kind invitation advanced by the noble Baroness, Lady Finlay, and to meet with her to explain the Government’s position on this matter. I would be obliged if she could at this stage withdraw the amendment.
My Lords, in light of the forthcoming meeting—which I am sure the Public Guardian will wish to join—I beg leave to withdraw the amendment.