(6 years, 5 months ago)
Lords ChamberThat the draft Regulations and Codes of Practice laid before the House on 17 and 21 May be approved.
Relevant documents: 32nd Report from the Secondary Legislation Scrutiny Committee
My Lords, the purpose of these draft regulations is to allow information sharing between specified bodies for specific purposes. They also seek to make an amendment to the Digital Economy Act 2017. In addition, six codes of practice and one statement of principles associated with Chapters 1 to 5 and 7 of Part 5 of the Digital Economy Act 2017 have been consolidated into four instruments, to be approved by a resolution of each House.
Turning first to the draft regulations, the public service delivery power supports the improvement or targeting of public services. The powers are designed to give public services the information needed to provide early intervention or, where possible, prevent the problems that reduce people’s life chances. In order to exercise the public service delivery power, government must set specific purposes for data sharing via regulations. Those purposes must meet specific criteria defined in the primary legislation. These draft regulations seek to establish four specific objectives for data sharing under the public service delivery power to address “multiple disadvantages”, including fuel poverty and water poverty, and to provide targeted assistance in retuning televisions following spectrum changes.
We have worked closely with colleagues across the UK Government and the devolved Administrations to ensure that these powers have a UK-wide reach. However, due to the absence of a functioning Assembly in Northern Ireland, the data-sharing powers in relation to fraud, debt and public service delivery have not been commenced to cover Northern Ireland at this time.
I am sure that noble Lords will agree that the Government have a clear duty to support the citizens we serve and to ensure that the most vulnerable in society get the help they need. The formulation of each of the public service delivery objectives has been guided by this principle. Data sharing is a vital and effective way of identifying individuals and households experiencing problems which reduce their life chances.
I shall set out some details of the objectives in the regulations. The first concerns multiple disadvantages. The regulations would allow for data sharing between specified public authorities to help identify individuals or households which face two or more disadvantages. By disadvantages, I mean factors which, in combination with each other, limit the life chances of individuals or households—for example, by affecting people’s health or emotional well-being, or their social and economic chances. The objective was initially developed to support the troubled families programme, which supports the identification of families across England, but it is also intended to be available for similar programmes across the UK.
The second objective relates to television retuning. In order to meet the increasing demand for mobile data, the Government have agreed to fund up to £600 million so that the 700 megahertz band, which is currently used for digital terrestrial television, can be allocated for mobile broadband. As a result of the clearing of the band, approximately 150,000 households may need either to replace or realign their aerial to continue receiving all available channels. These powers will help identify those who are on certain benefits and require further support to ensure that they continue to receive digital terrestrial television services.
Thirdly, the fuel poverty objective will provide a gateway for specified public bodies to share information between themselves to help them identify households living in fuel poverty and ensure that those households get the support they need. It will also enable specified public bodies to flag those who are eligible to energy suppliers. The aim is to enable more vulnerable households and families to receive automatic rebates in the same way as over 1 million pensioners do through the warm home discount scheme. However, these rebates can take place only if the state can inform energy suppliers which of their customers should receive them.
The fourth objective concerns water poverty. Similarly, this would allow the sharing of information between public authorities to help identify those who might be living in water poverty and help ensure that they receive the support they need. The information could be shared by public authorities with water and sewerage companies to help them better target their support schemes, such as social tariffs, as allowed by powers in the Digital Economy Act.
My Lords, I start with an apology. Because of the way in which these items of business have been scheduled—or perhaps I should say not scheduled—I might have to leave before I hear the Minister’s response. He is aware of that and I am very grateful for his indulgence in that respect, which will make me feel even guiltier when he hears what I have to say.
I am indebted to medConfidential for many of the points I shall make and to the noble Lord, Lord Freyberg, who takes a keen interest in these matters but cannot be present today.
The essence of what I have to say is that these regulations and codes should be withdrawn. In summary, earlier this month the Secondary Legislation Scrutiny Committee published a report on these draft regulations made under Part 5 of Chapter 1 of the Digital Economy Act, as the Minister explained. The DCMS offered assurances that the codes of practice were consistent with each other and drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice. However, subsequently it replaced the standards with a new set under a different name—the data ethics framework—so the codes as laid do not reflect current DCMS guidance. In our view, this invalidates the whole of our debate.
I will go through the details. The Secondary Legislation Scrutiny Committee drew the digital government regulations to the special attention of the House. The DCMS told the committee that the codes were to
“the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
That is at paragraph 9 of the committee’s report. As the SLSC says:
“In their response, DCMS have also offered assurances that these codes of practice are consistent with each other and have been drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
The committee’s report was finalised on a Tuesday and printed the following Thursday. On the Wednesday, the DCMS replaced the “latest” standards with a new set under a different name, the data ethics framework. Quite apart from the concerns raised by the committee, when the DCMS gave its response to the committee it surely must have known that a new framework was due the following day to replace the one to which it referred, and that its assurances would therefore be untrue even before they were printed.
The current codes reference the Data Science Ethical Framework, which predates the Data Protection Act and the GDPR. By that fact alone, these DCMS codes cannot be approved. They are, by definition, out of date following legislation on which the DCMS and the Minister himself led.
As the Minister described, a number of groups were consulted on the draft codes in the middle of last year, and while there is consensus from all sides that the codes are improved as a result of that constructive engagement, those consultations were before the Government surprised everyone with the proposal for a “framework for data processing by government” in the Data Protection Act—before the guidance changes due to the GDPR had fully begun, before the Government announced that the Data Science Ethical Framework was in need of replacement, and certainly before the DCMS launched the replacement with a new name last week. The department assured Parliament that,
“these codes of practice are consistent with each other”,
but it cannot assert they will be compliant with other codes, as yet unlaid and unwritten by the Information Commissioner. What the Information Commissioner does should be up to the Information Commissioner. She should not have her hands tied by her sponsor department.
It is particularly important that these codes and the regulations are withdrawn given that the first issuance of the codes is under the affirmative procedure for approval of the House and future updates will be under the negative procedure.
I have a few other questions. Where is the framework for data processing by government included at the last minute by Ministers in Committee on the Data Protection Bill? There is still no clarity as to what the Government plan to do with it, only that it is not the Data Science Ethical Framework nor the data ethics framework. It is, however, yet another government data framework that must be taken into account. The passage of the Data Protection Act 2018 necessitates updates to many ICO codes. Late in the day, the DCMS chose to introduce its new framework for data processing by government, which surely must be the governing instrument for these codes, but, as I said earlier, it has provided no clarity on how this will operate.
The department seems to be offering nothing other than assurances of compliance when one looks through the codes. It talks of consultation with the ICO. Has the ICO confirmed publicly that these codes are compliant with the GDPR, the new Data Protection Act and the ICO guidance?
According to recent announcements from University College London Hospitals NHS Foundation Trust, it is conducting artificial intelligence trials internally for issues of direct benefit to it. This shows not only that the NHS is beginning to understand the power of data and digital tools, but that this can be done in-house for public benefit and that there are viable alternatives to handing data to and sharing data with multinational companies. What are the Government doing more broadly across the NHS to ensure that there is full recognition across the NHS?
The Digital Economy Act affords the Secretary of State considerable powers to make use of publicly controlled data, which is of considerable concern in some quarters. The key concern is the scope for different departments to share and then link datasets, such as sharing health data from the Department of Health and Social Care with the Home Office to identify illegal immigrants, as stated in recent headlines. What is the scope and/or limitation for the Secretary of State to share publicly controlled data with private entities? Is this likely to inform the introduction of so-called “data trusts”?
Then, of course, there is the question of whether any of the codes is fit for the future in terms of technology. In particular, what are the duties of transparency and explainability where datasets are used to construct artificial intelligence solutions, algorithms and the like for government purposes? What consultation was engaged in this respect? There appears to be no reference in any of the codes to this. Should we not wait for the data ethics and innovation centre to give its guidance on these matters involving the Government and their deployment of artificial intelligence?
In the light of the above, it is clear that neither these regulations nor the codes are fit for purpose. Will the Government withdraw them before placing replacement codes before the House? Will the Minister confirm that the codes will be compliant with any yet-to-be-written Information Commissioner codes? Will they be confirmed as such by the Information Commissioner? Sadly, I will not hear the Minister’s reply but I very much hope that it is a full one.
My Lords, far be it from me to get the Minister off that hook. It is always humbling to be in the presence of those who have seen the heat of the day and borne the burdens of bringing some complicated pieces of legislation on to our statute book. Perhaps we can all breathe a sigh of relief as we notice the noble Lord, Lord Clement-Jones, depart from his place.
I will restrict my remarks, since I was not in possession of the briefing that the noble Lord had, to the observations I made on the simple basis of reading these papers. It was a jolly weekend and some good bedtime reading—150 pages on a very complicated matter—but as far as the regulations themselves are concerned, it seemed mildly reassuring that multiple disadvantages, such as television retuning, fuel poverty and water poverty, were all to be held in view with a view to ensuring that people who might suffer in these areas had their suffering minimised as far as possible. One million vulnerable energy consumers might qualify for help. From this side of the House, we cannot particularly grumble at that.
The thing that worried me was that, since these are the first tinkerings with or things that ensue from last year’s Digital Economy Act, it is incumbent on us to ensure we monitor very carefully the direction of travel as the Act lives its life and is implemented. For that reason, I find myself again and again wondering whether—while, yes, three years down the line it all has to be embedded and to work itself out—we should not promise ourselves a bit more micromanagement than that as things go along.
I liked the way that liaison with devolved bodies—to ensure that a UK-wide measure is implemented in Wales and Scotland in a way consistent with legal provision—was set out because, with another hat on, when we were arguing the devolution clauses in the EU withdrawal Bill we talked all the time about frameworks within which UK-wide pieces of action would have to be worked out in consultation with, and with consent from, the various interested parties. Here is a lived example, I thought, of how that might work.
I worried about how on earth we would keep together pieces of action that would see nine departments of state share information across their boundaries, as well as the Revenue and 32 local and regional bodies, as we considered how best legitimately to allow these bodies to share information. What kind of computer system do we have in place? We have had such a string of unfortunate experiences of supportive technology for mountainous pieces of government activity going wrong that I just look at this and am glad that it is not me operating it.
My Lords, I am grateful to one of the two speakers for remaining and for the points that both have made. If the noble Lord, Lord Griffiths, thinks that was a rant, compared to the noble Lord, Lord Clement-Jones, he is an amateur; I thought he was very reasonable and measured in what he said. I shall go through his points as quickly as I can.
The noble Lord, Lord Griffiths, was correct to point out that we need to help where we can. The measure is to enable public authorities to share information. A key criterion for the Digital Economy Act was that it had to be for the benefit of individuals and households. The noble Lord, Lord Clement-Jones, suggested that, because things were in the wrong order—I will address some of his points shortly—we should withdraw the codes, wait for the Information Commissioner to issue her code and lay the codes again in six to nine months. That will mean that all the good work that is done, which the noble Lord, Lord Griffiths, identified, in using public information to help individual households that are vulnerable or suffering will effectively be put off. For example, on the fuel poverty measure, that would be another winter when we could not use the information to help the public.
On some of the issues raised by the noble Lord about the information shared, I remind him that the information is permissive: it does not have to be shared; it just allows public authorities to do that. They have very clear outlines of what they are able to do; they must have information sharing agreements. The measure merely allows public authorities to do it; there is no compulsion on any of them. It must also be in accordance with the Digital Economy Act and the Data Protection Act. That will give individuals the right—and mean that they can trust—that their information will not be misused, because it is subject also to the GDPR.
In talking about the difference between the Digital Economy Act and the Data Protection Act the noble Lord was a bit confused about paragraph 9. I was surprised—I thought it seemed pretty clear, but I accept that it could be made simpler. What it is really getting at is that the Digital Economy Act referred not just to living people, as the Data Protection Act does, but also includes bodies corporate and distinguishes between the information in those. So we are saying that there is a distinction, and they therefore need to apply both, but when it comes to the information referred to, and referring to individual living people, the Data Protection Act will apply and so will the General Data Protection Regulation. I will send a letter to the noble Lord outlining that paragraph to see if we can explain it. I doubt we will be able to do it in words of one syllable but we will try to make it a bit clearer for him and I will put a copy in the Library. I accept that it is not immediately obvious to a normal person.
I am glad that the noble Lord, in contrast, said that the codes were “clear, succinct and admirable”. I point out, however, that these are not for small businesses but for public authorities. The only time that they would involve a private business is when the private business has been contracted by a public authority to deliver something.
I am grateful to the noble Lord for that clarification—of course, I should have been clear about that myself—but in my small business I did have registration responsibilities, so under one of the codes I would have had to bear some of these things in mind; so there was just a hint of relevance about what I said.
I am grateful for that reminder.
There has been an awful lot of consultation around this. In many ways, this is a model: it has taken about two years of open, public policy-making. The codes were in place in draft while the Act went through Parliament, so parliamentarians of both Houses were able to discuss the codes. They have been amended as a result of that and made clearer, and we have also put in some increased transparency and some review mechanisms. They were consulted on again after the Act was passed: we had a formal consultation again on the codes that are with us today. That included organisations that might have thought to have worried about it, such as privacy groups, so a lot of stakeholders were involved in that.
Coming eventually to the noble Lord, Lord Clement-Jones, his speech was based on a briefing by the only organisation, I think, which had any worries about this. The overwhelming majority of stakeholders that were involved in the consultation were very supportive of these codes.
The noble Lord asked about the statistical methodology. I cannot remember exactly what it was, but I will write to the noble Lord.
The noble Lord, Lord Griffiths, also asked how we will keep track of all this. Of course, there will be a register in place, open and fully searchable by the public. The Information Commissioner has a power of audit, which will be used to keep track of all the data that is shared, and the audit logs will be kept for all data shared under the powers.
The noble Lord talked about transparency: how are we going to monitor and track the impact of this data sharing? Review boards will be established to oversee any non-devolved and England-only information sharing pilots that are set up, and there will also be a review board to advise Ministers and make recommendations on the establishment of new objectives, if there are any. The membership of those review boards will come from across the various data holding departments, as well as the ICO and representatives of civil society. Lastly, the ICO has said that she will carry out an independent review of all the Part 5 powers in two to three years.