(7 years, 9 months ago)
Lords Chamber

My Lords, I come rather late to the table with the Bill, but fresh, if that is the term, from the Investigatory Powers Act, as does the noble and learned Lord. Like me, he may have reflected on the fact that one of our basic documents in debating the Investigatory Powers Act was called by David Anderson A Question of Trust; the issue of trust is equally relevant to the provisions in the Bill. Like other noble Lords, I see the value of sharing information but—and for me it is a big “but”—with constraints, limits, conditions, checks. I would say balances but I do not think they always do the job. It would be too easy in this area to let convenience obscure other considerations. I have concerns about fundamental issues and I have difficulty, as I suspect do other noble Lords, knowing quite what to raise where, but my most fundamental concern is about respect for privacy. The use of bulk data, which we will come to, is bound to raise this.
I share concerns which have been raised about providers—not the public authorities and public services themselves, but the providers. Maybe we have to be realistic, as our public services are now provided so much through commissioning and procurement but, as I read the Bill, the regulations will not be required to list specific providers. I may be wrong about that. If providers have to be included, it would be appropriate for the public to be reassured, for instance, that the public authority in question maintains a register of its providers and publishes it. Maybe, also, all records of information held under these provisions should be destroyed at the termination of the provider’s contract.
The purposes set out here include well-being, which includes the contribution to society. I am not going to let this pass without saying that that risks being read, and I read it, as very paternalistic. I cannot see how it properly covers anything that is not covered by the other well-being provisions. Others have suggested that Clause 30 might lead to profiling. There is certainly a concern over health information, which we will come to separately. I also find it quite hard to think: if you are not contributing to society, are you not deserving of or entitled to public services? I think it is a very unfortunate term to use in legislation.
I share the concerns about Clause 33. At the very least, to share personal information to prevent anti-social behaviour which is not a crime—we know it is not a crime; you do not even need to go to the legislation about anti-social behaviour to know that, because it is referred to separately from crime—is going several steps too far. I start—I am not suggesting that others do not—from the premise that personal information should be kept confidential unless there is good reason not to do so, and if it is not confidential it needs to be treated with the greatest care and sensitivity. Respect for private life is one of our basic values. The Minister would be able to quote Article 8 of the European Convention on Human Rights—as I will do—without reading it. It says that there are “necessary”—I stress that word—exceptions in the interests of national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals or the protection of the rights and freedoms of others. I support the amendments—I think they are in this group—that would import the term “necessary”.
Article 8 refers to disorder and crime, but—I will not be surprised if the Minister quotes some case law at me on the definition of “disorder”—I would have thought that in this context it must refer to something a good deal more serious than what may fall within “anti-social behaviour”.
The Investigatory Powers Act includes the much-welcomed and much-discussed “privacy” clause; during the debate on that we considered the requirements of both necessity and proportionality. The Act also refers specifically to the Human Rights Act and to crime as a consideration when it is a serious crime, and it refers to using “less intrusive means”. These points are all relevant to this debate.
For my part, this amounts to support for all the amendments in the group and a concern to persuade the Government to look at the issues through the lens of rights to privacy as well as efficiency. Most citizens accept—indeed, expect—that in a digital age government departments will share information, but with narrower purposes and stricter checks than the Bill offers.
My Lords, I am obliged to noble Lords for their observations on this group.
The powers in Chapter 1 of Part 5 will support the delivery of better services to achieve specified objectives, such as providing assistance to those suffering, for example, from fuel poverty. Your Lordships would all appear to be agreed on the need for effective data-sharing, but when we talk about that we must mean data-sharing that is secure and commands the trust of the general public—that is sufficiently ring-fenced to give confidence in the whole process. No one would take issue with that.
In that context I make this observation at the outset. It applies not only to this group of amendments but to further groups that we will come to this afternoon and perhaps much later this evening. We have to look at the provisions in this Bill in the context, first, of the Data Protection Act 1998, because the provisions of that Act apply in the context of this Bill. Therefore, as we look at the Bill, we must remember the protections that already exist in law with regard to data in this context. First, processing of personal data must always be fair and lawful. Secondly, data cannot be processed in a way that is incompatible with the purpose for which they were gathered. Thirdly, personal data must be,
“adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
The personal data should be “accurate”, so a subject may be in a position to demand that they should be corrected.
Furthermore, on the point made by the noble Baroness, Lady Hamwee, personal data can be kept no longer than is necessary for a particular objective. Where, therefore, they have been employed for a particular objective—or a party has received them for a particular purpose—and a need to keep the data for that purpose can no longer be displayed, they cannot be retained.
My Lords, will the noble and learned Lord address—in a later group, if not this one—why the terminology in the Bill is “personal information” rather than “personal data”, which might have made the marrying-up of the legislation a bit easier?
Indeed I can. The reason is that in the present context, personal information extends to bodies corporate and other personalities that are not otherwise covered by the first definition. I will elaborate upon that later but that is why there is a distinction between the two terms. We can see that the two terms substantially overlap but it is only because of that technical distinction that they are employed in this way. I hope that that satisfies the inquiry from the noble Baroness, Lady Hamwee.
The Data Protection Act not only circumscribes the use of data in very particular ways—for example, personal data must be processed in accordance with the data subject’s rights under the Act and be held securely to guard against unlawful or unauthorised processing, which addresses a point that many of your Lordships referred to—but provides remedies in the event that those obligations are not adhered to. Generally speaking, that involves a complaint to the Information Commissioner.
Of course there have been lapses in data control. We are well aware of many of them. The noble Lord, Lord Collins, alluded to Concentrix, where there clearly appeared to have been lapses such that the Revenue terminated its contract without further notice in November of last year. We recognise that there are risks associated with data and data-sharing. That is why we emphasise the need to look at the provisions in the Bill not only alone but in the context of the Data Protection Act.
There were obviously risks associated with the contract for Concentrix and the fall-out from that contract is certainly ongoing, because of the people who have suffered hardship. The Government will undoubtedly have to investigate even more because at the moment, we are dealing only with the people who have appealed. Can the Minister tell us exactly why the existing provisions for a risk assessment did not stop this contract from going sour?
As the noble Lord is aware, Concentrix was not the only incident in which there were data breaches. They have happened not only in the context of parties operating with government but also entirely in the private sector. So far as I am aware, no one has made a claim for infallibility where data protection is concerned. Albeit that we aspire to the highest standards in data protection, we are not making claims of infallibility.
The noble Lord, Lord Collins, also referred in the present context to the GDPR, which will come into effect as a European regulation in May 2018. I reiterate that the provisions in Part 5 of the Bill are compatible with the GDPR. The noble Lord appeared to take some issue with that term, but let me be clear: the provisions of Part 5 are drafted in such a way as to be compatible with the regulation. When the regulation comes into direct force, we will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it. That is the way in which these things are done. The regulation is not yet in force and will be applied to the existing statutory structure from May 2018. I reassure him that it has always been intended that Part 5 of the Bill should be compatible with the regulation, for very obvious reasons.
Then there is the matter of the draft codes of practice. At this stage they are, of course, a draft. Those drafts have incorporated comments and advice from practitioners right across the public sector, from the Information Commissioner and from the devolved Administrations, so they have brought in that body of knowledge at this stage.
I specifically asked why the responsibility has been placed on gas and electricity suppliers to have regard to some of the things stated in the Bill, and I would be grateful for an answer. I do not mind if the answer is not given now, but if that could be clarified I would be grateful.
I am perfectly prepared to write to my noble friend to clarify that point, and I will place a copy of any letter in the Library.
I thank the Minister for his response. One of the things that we will encounter as we go through this section is the fact that the 1998 Act has some fundamental principles but that we have the Bill before us because there is a need for greater clarity. The world has changed in the past 20 years, certainly in the way that we handle and interrogate data. We no longer simply say that this set of data will go to that person and so on. We do not necessarily even have to share the whole dataset. The point is about how one might interrogate data. It is a very different world. I am not suggesting for one moment that errors do not occur, accidents do not happen and mistakes cannot happen, but in the modern world we conduct risk assessments to understand how we can minimise those things. That is what I want properly addressed when we come back to some of these issues.
The Minister says that the Government will consider the report of your Lordships’ committee. If there are to be further amendments, I hope that we will have time to consider them and even to put down our own amendments to ensure that the principles about which we are concerned will be able to be addressed. With those comments and, if you like, fair warnings, I beg leave to withdraw the amendment.