(4 days, 7 hours ago)
Grand CommitteeMy Lords, Amendment 138 tabled by the noble Lord, Lord Clement-Jones, and Amendment 141, tabled by the noble Baroness, Lady Kidron, and the noble Lord, Lord Knight, would both require the ICO to publish a code of practice for controllers and processors on the processing of personal data by educational technologies in schools.
I say at the outset that I welcome this debate and the contributions of noble Lords on this important issue. As various noble Lords have indicated, civil society organisations have also been contacting the Department for Science, Innovation and Technology and the Department for Education directly to highlight their concerns about this issue. It is a live issue.
I am grateful to my noble friend Lord Knight, who talked about some of the important and valuable contributions that technology can play in supporting children’s development and guiding teaching interventions. We have to get the balance right, but we understand and appreciate that schoolchildren, parents and schoolteachers must have the confidence to trust the way that services use children’s personal data. That is at the heart of this debate.
There is a lot of work going on, on this issue, some of which noble Lords have referred to. The Department for Education is already exploring ways to engage with the edtech market to reinforce the importance of evidence-based quality products and services in education. On my noble friend Lord Knight’s comments on AI, the Department for Education is developing a framework outlining safety expectations for AI products in education and creating resources for teachers and leaders on safe AI use.
I recognise why noble Lords consider that a dedicated ICO code of practice could help ensure that schools and edtech services are complying with data protection legislation. The Government are open-minded about exploring the merits of this further with the ICO, but it would be premature to include these requirements in the Bill. As I said, there is a great deal of work going on and the findings of the recent ICO audits of edtech service providers will help to inform whether a code of practice is necessary and what services should be in scope.
I hope that we will bear that in mind and engage on it. I would be happy to continue discussions with noble Lords, the ICO and colleagues at the Department for Education, outside of the Bill’s processes, about the possibility of future work on this, particularly as the Secretary of State has powers under the Data Protection Act 2018 to require the ICO to produce new statutory codes, as noble Lords know. Considering the explanation that I have given, I hope that the noble Lord, Lord Clement-Jones, will consider withdrawing his amendment at this stage.
My Lords, I thank the Minister for her response and all speakers in this debate. On the speech from the noble Lord, Lord Knight, I entirely agree with the Minister and the noble Viscount, Lord Camrose, that it is important to remind ourselves about the benefits that can be achieved by AI in schools. The noble Lord set out a number of those. The noble Lord, Lord Russell, also reminded us that this is not a purely domestic issue; it is international across the board.
However, all noble Lords reminded us of the disbenefits and risks. In fact, the noble Lord, Lord Knight, used the word “dystopian”, which was quite interesting, although he gets very close to science fiction sometimes. He said that
“we have good reason to be concerned”,
particularly because of issues such as the national pupil database, where the original purpose may not have been fulfilled and was, in many ways, changed. He gave an example of procurement during Covid, where the choice was either Google or Microsoft—Coke or Pepsi. That is an issue across the board in competition law, as well.
There are real issues here. The noble Lord, Lord Russell, put it very well when he said that there is any number of pieces of guidance for schools but it is important to have a code of conduct. We are all, I think, on the same page in trying to find—in the words of the noble Baroness, Lady Kidron—a fairer and more equitable set of arrangements for children in schools. We need to navigate our way through this issue; of course, organisations such as Defend Digital Me and 5rights are seriously working on it.
My Lords, I, too, shall speak very briefly, which will save valuable minutes in which I can order my CyberUp Christmas mug.
Amendments 156A and 156B add to the definition of unauthorised access, so that it includes instances where a person who accesses data in the reasonable knowledge that the controller would not consent if they knew about the access or the reason for the access, and this person is not empowered to access by an enactment. Amendment 156B introduces defences to this new charge. Given the amount of valuable personal data held by controllers, as our lives have moved increasingly online—as many speakers in this debate have vividly brought out—there is absolutely clear merit not just in this idea but in the pace implied, which many noble Lords have called for. There is a need for real urgency here, and I look forward to hearing more detail from the Minister.
My Lords, I turn to Amendments 156A and 156B, tabled by the noble Lord, Lord Holmes. I understand the strength of feeling and the need to provide legal protections for legitimate cybersecurity activities. I agree with the noble Lord that the UK should have the right legislative framework to allow us to tackle the harms posed by cybercriminals. We have heard examples of some of those threats this afternoon.
I reassure the noble Lord that this Government are committed to ensuring that the Computer Misuse Act remains up to date and effective in tackling criminality. We will continue to work with the cybersecurity industry, the National Cyber Security Centre and law enforcement agencies to consider whether there are workable proposals on this. The noble Lord will know that this is a complex and ongoing issue being considered as part of the review of the Computer Misuse Act being carried out by the Home Office. We are considering improved defences by engaging extensively with the cybersecurity industry, law enforcement agencies, prosecutors and system owners. However, engagement to date has not produced a consensus on the issue, even within the industry, and that is holding us back at this moment—but we are absolutely determined to move forward with this and to reach a consensus on the way forward.
I think the noble Lord, Lord Clement-Jones, said in the previous debate that the amendments were premature, and here that is certainly the case. The specific amendments that the noble Lord has tabled are premature, because we need a stronger consensus on the way forward, notwithstanding all the good reasons that noble Lords have given for why it is important that we have updated legislation. With these concerns and reasons in mind, I hope that the noble Lord will feel able to withdraw his amendment.
Could the Minister say a few words on some of those points of discourse and non-consensus, to give the Committee some flavour of the type of issues where there is no consensus as well as the extent of the gap between some of those perspectives?
I can tell the noble Lord, Lord Holmes, that we published our analysis of the consultation responses to the previous Home Office investigation in November 2023, so all those mixed responses are on the record. It was therefore concluded by the Government that further work needed to be done on this. On my noble friend’s report, was there a government response?
Yes, the Government accepted the recommendations in full.
My Lords, although I have no amendments in this group, I will comment on some of them. I might jump around the order, so please forgive me for that.
Amendment 197 would change Clause 123 so that the Secretary of State must, as soon as reasonably practicable and no later than 12 months after the Act is passed, make regulations requiring regulated services to provide information for the purposes of research into online safety. This is clearly sensible. It would ensure that valuable research into online safety may commence as soon as possible, which would benefit us all, as speakers have made abundantly clear. To that end, Amendment 198D, which would ensure that researcher access is enforceable in the same way as other requirements under the Online Safety Act, would ensure that researchers can access valuable information and carry out their beneficial research.
I am still left with some curiosity on some of these amendments, so I will indicate where I have specific questions to those who have tabled them and hope they will forgive me if I ask to have a word with them between now and Report, which would be very helpful. In that spirit, I turn to Amendment 198B, which would allow the Secretary of State to define the term “independent researcher”. I ask the noble Lord, Lord Clement-Jones, who tabled the amendment, whether he envisages the Secretary of State taking advice before making such regulations and, if so, from whom and in what mechanism. I recognise that it is a probing amendment, but I would be keen to understand more.
I am also keen to understand further from my noble friend Lord Bethell and the noble Baroness, Lady Kidron, why, under Amendment 198A, the Secretary of State would not be able to make regulations providing for independent research into the “enforcement of requirements” under these regulations. Again, I look forward to discussing that with them.
I have some concerns about Amendment 198, which would require service providers to give information pertaining to age, stage of development, gender, race, ethnicity, disability and sexuality to researchers. I understand the importance of this but my concern is that it would require the disclosure of special category data to those researchers. I express reservations, especially if the data pertains to children. Do we have the right safeguards in place to address the obviously heightened risks here?
Additionally, I have some concerns about the provisions suggested in Amendment 198E. Should we allow researchers from outside the United Kingdom to require access to information from regulated service providers? Could this result in data being transferred into jurisdictions where there are less stringent data protection laws?
My Lords, I thank noble Lords who have welcomed the provisions in the Bill. I very much appreciate that we have taken on board the concerns that were raised in the debates on the previous legislation. I thank the noble Baroness, Lady Kidron, and the noble Lords, Lord Bethell and Lord Clement-Jones, for their amendments.
I will speak first to Amendment 197, tabled by the noble Baroness, Lady Kidron, which would compel the Secretary of State to create a framework and to do so within 12 months of passage. I understand and share her desire to ensure that a framework allowing researchers access is installed and done promptly. This is precisely why we brought forward this provision. I reassure her that the department will consult on the framework as soon as possible after the publication of Ofcom’s report.
Turning to Amendments 198 and 198B, tabled by the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, respectively, Clause 123 provides the Secretary of State with the power to make regulations relating to researchers’ access to data. I can reassure noble Lords that it does not limit the regulations to the non-exhaustive list of examples provided. I agree that fair and proportionate criteria for who is considered a researcher are critical to the success of the future framework. I reassure noble Lords that in the provision as currently written the Secretary of State can include in the design of the framework the specific requirements that a person must meet to be considered a researcher.
Turning to Amendments 198A and 198D, tabled by the noble Lord, Lord Bethell, while I am sympathetic to his desire to provide a future framework with the robust enforcement powers of the OSA, I assure him that as the provision is written, the Secretary of State can already use the existing enforcement powers of the OSA to support a future framework. Furthermore, should the evidence suggest that additional or different measures would be more effective and appropriate, this provision allows the Secretary of State the flexibility to introduce them.
Turning next to Amendments 198C and 198E, tabled by the noble Lord, Lord Bethell, I understand the spirit of these amendments and note the importance of this issue, given the global nature of the online world. It is entirely reasonable to allow researchers who are not based in the UK to utilise our researcher access framework, as long as the subject of their research is the experience of UK users online. I reassure him that the provisions as drafted already allow the Secretary of State to make regulations permitting non-UK-based researchers to use the framework where appropriate. We plan to use the evidence gathered through our own means and through Ofcom’s report to set out who will be eligible to use the framework in the secondary legislation.
Finally, turning to Amendment 198F, I am aware of the concern that researchers have encountered blockages to conducting research and I am sympathetic to the intentions behind the amendment. We must ensure that researchers can use the future framework without fear of legal action or other consequences. I am conscious that the noble Baroness, Lady Kidron, asked me a specific question about legal exemptions and I will write to her to make that answer much clearer. I reassure noble Lords that the Government are considering the specific issues that the noble Lord raises. For these reasons, I ask that the amendments not be pressed while the Government consider these issues further and I am of course happy to engage with noble Lords in the meantime.
My Lords, I thank the Minister and everyone who spoke. I do not think I heard an answer to the may/must issue and I think I need to say that just relying on Ofcom’s report to set the framework for the regime is not adequate, for two reasons. First, it is no news to the Committee that there is a considerable amount of disquiet about how the Online Safety Act has been reinterpreted without Parliament’s intention. During the passage of this Bill, we are trying to be really clear—we will win some and we will lose some—on the face of the Bill what Parliament’s intention is, so that the regulator really does what we agree, because that subject is currently quite contentious.
This is a new area and a lot of the issues that the Minister and, indeed, the noble Viscount, Lord Camrose, raised are here to be sorted out to make sure that we understand collectively what it will look like. Having said that, I would like the Government to have heard that we do not wish to rest on the actions of whistleblowers but we will be increasingly forced to do so if we do not have a good regime. We must understand the capacity of this sector to go to court. We are in court everywhere, all over the world; the sector has deep pockets.
Finally, I welcome the nitpicking of the noble Lord, Lord Arbuthnot. Long may he nitpick. We will make sure that he is content before Report. With that, I beg leave to withdraw the amendment.
My Lords, I was involved in an ethics committee that looked at genomics and cancer research some years ago, and this is very important. If research could be done on different genomic and racial types, it could be used against us adversely at some point. So there is a lot of sense in this.
My Lords, I thank the noble Viscount, Lord Camrose, for moving this amendment, which raises this important question about our genomics databases, and for the disturbing examples that he has drawn to our attention. He is right that the opportunities from harnessing genomic data come with very real risks. This is why the Government have continued the important work of the UK Biological Security Strategy of 2023, including by conducting a full risk assessment and providing updated guidance to reduce the risks from the misuse of sensitive data. We plan to brief the Joint Committee on the National Security Strategy on the findings of the risk assessment in the new year. Following that, I look forward to engaging with the noble Viscount on its outcome and on how we intend to take these issues forward. As he says, this is a vital issue, but in the meantime I hope he is prepared to withdraw his amendment.
I thank the Minister for her answer, and I very much accept her offer of engagement. I will make a few further brief comments about the importance of this amendment, as we go forward. I hope that other noble Lords will consider it carefully before Report.
I will set out a few reasons why I believe this amendment can benefit both the Bill and this country. The first is its scope. The amendment will allow the Secretary of State and the Information Commissioner to assess data security risks across the entirety of the genomic sector, covering consumers, businesses, citizens and researchers who may be partnering with state-linked genomics companies.
The second reason is urgency. DNA is regularly described as the “new gold” and it represents our most permanent identifier, revealing physical and mental characteristics, family medical history and susceptibility to diseases. Once it has been accessed, the damage from potential misuse cannot be researched, and this places a premium on proactively scrutinising the potential risks to this data.
Thirdly, there are opportunities for global leadership. This amendment offers the UK an opportunity to take a world-leading role and become the first European country to take authoritative action to scrutinise data vulnerabilities in this area of critical technology. Scrutinising risks to UK genomic data security also provides a foundation to foster domestic genomics companies and solutions.
Fourthly, this amendment would align the UK with key security partners, particularly, as my noble friend Lord Bethell mentioned, the United States, which has already blacklisted certain genomics companies linked to China and taken steps to protect American citizens’ DNA from potential misuse.
The fifth and final reason is protection of citizens and consumers. This amendment would provide greater guidance and transparency to citizens and consumers whose DNA data is exposed to entities linked to systemic competitors. With all of that said, I thank noble Lords for their consideration and beg leave to withdraw my amendment.
My Lords, the current law does not sufficiently protect children from AI-driven CSAM because it is simply such a fast-moving issue. It is a sobering thought that, of all the many wonderful developments of AI that many of us have been predicting and speculating on for so long, CSAM is really driving the technology forward. What a depressing reflection that is.
Overall, AI is developing at an extraordinarily rapid pace and has come with a number of concerning consequences that are not all yet fully understood. However, it is understood that child sexual abuse is completely unacceptable in any and all contexts, and it is right that our law should be updated to reflect the dangers that have increased alongside AI development.
Amendment 203 seeks to create a specific offence for using personal data or digital information to create or facilitate the creation of computer-generated child sexual abuse material. Although legislation is in place to address possessing or distributing such horrendous material, we must prioritise the safety of children in this country and take the law a step further to prevent its creation. Our children must be kept safe and, subject to one reservation, which I will come to in a second, I support the amendment from the noble Baroness, Lady Kidron, to further protect them.
That reservation comes in proposed new subsection 1(c), which includes in the offence the act of collating files that, when combined, enable the creation of sexual abuse material. This is too broad. A great deal of the collation of such material can be conducted by innocent people using innocent materials that are then corrupted or given more poisonous aspects by further training, fine-tuning or combination with other materials by more malign actors. I hope there is a way we can refine this proposed new paragraph on that basis.
Unfortunately, adults can also be the targets of individuals who use AI to digitally generate non-consensual explicit images or audio files of an individual, using their likeness and personal data. I am really pleased that my noble friend Lady Owen tabled Amendments 211G and 211H to create offences for these unacceptable, cruel acts. I support these amendments unambiguously.
My Lords, I thank the noble Baroness, Lady Kidron, for her Amendment 203. It goes without saying that the Government treat all child sexual abuse material with the utmost seriousness. I can therefore confirm to her and the Committee that the Government will bring forward legislative measures to address the issue in this Session and that the Home Office will make an announcement on this early in the new year.
On Amendments 211G and 211H, tabled by the noble Baroness, Lady Owen, the Government share concerns that more needs to be done to protect women from deepfake image abuse. This is why the Government committed in their manifesto to criminalise the creation of sexually explicit deepfake images of adults. I reassure the noble Baroness and the whole Committee that we will deliver on our manifesto commitment in this Session. The Government are fully committed to protecting the victims of tech-enabled sexual abuse. Tackling intimate audio would be a new area of law, but we continue to keep that legislation under review.
I also say to the noble Baroness that there is already a process under Section 153 of the Sentencing Act 2020 for the court to deprive a convicted offender of property, including images that have been used for the purpose of committing or facilitating any criminal offence. As well as images, that includes computers and mobile phones that the offender either used to commit intimate image offences or intended to use for that purpose in future. For those reasons and the reassurances I have given today, I hope that noble Lords will feel able to withdraw or not press their amendments.
My Lords, I thank the noble Baroness, Lady Kidron, for tabling her amendment. We understand its great intentions, which we believe are to prevent another scandal similar to that of Horizon and to protect innocent people from having to endure what thousands of postmasters have undergone and suffered.
However, while this amendment would make it easier to challenge evidence derived from, or produced by, a computer or computer system, we are concerned that, should it become law, this amendment could be misused by defendants to challenge good evidence. Our fear is that, in determining the reliability of such evidence, we may create a battle of the expert witnesses. This will not only substantially slow down trials but result in higher costs. Litigation is already expensive, and we would aim not to introduce additional costs to an already costly process unless absolutely necessary.
From our perspective, the underlying problem in the Horizon scandal was not that computer systems were critically wrong or that people were wrong, but that the two in combination drove the terrible outcomes that we have unfortunately seen. For many industries, regulations require firms to conduct formal systems validation, with serious repercussions and penalties should companies fail to do so. It seems to us that the disciplines of systems validation, if required for other industries, would be both a powerful protection and considerably less disruptive than potentially far-reaching changes to the law.
My Lords, I thank the noble Baroness and the noble Lord, Lord Arbuthnot, for Amendment 207 and for raising this important topic. The noble Baroness and other noble Lords are right that this issue goes far wider than Horizon. We could debate what went wrong with Horizon, but the issues before us today are much wider than that.
The Government are agreed that we must prevent future miscarriages of justice. We fully understand the intention behind the amendment and the significance of the issue. We are actively considering this matter and will announce next steps in the new year. I reassure noble Lords that we are on the case with this issue.
In the meantime, as this amendment brings into scope evidence presented in every type of court proceeding and would have a detrimental effect on the courts and prosecution—potentially leading to unnecessary delays and, more importantly, further distress to victims—I must ask the noble Baroness whether she is content to withdraw it at this stage. I ask that on the basis that this is an ongoing discussion that we are happy to have with her.
I thank the Minister, in particular for understanding that this goes way beyond Horizon. I would be very interested to be involved in those conversations, not because I have the great truth but because I have access to people with the great truth on this issue. In the conversations I have had, there has been so much pushing back. A bit like with our previous group, it would have been better to have been in the conversation before the consultation was announced than after. On that basis, I beg leave to withdraw the amendment.
My Lords, I thank the noble Baroness, Lady Kidron, for moving this amendment. As she rightly identified, the UK has a number of publicly held data assets, many of which contain extremely valuable information. This data—I flag, by way of an example, NHS data specifically—could be extremely valuable to certain organisations, such as pharmaceutical companies.
We are drawn to the idea of licensing such data—indeed, we believe that we could charge an extremely good price—but we have a number of concerns. Most notably, what additional safeguards would be required, given its sensitivity? What would be the limits and extent of the licensing agreement? Would this status close off other routes to monetising the data? Would other public sector bodies be able to use the data for free? Can this not already be done without the amendment?
Although His Majesty’s Official Opposition of course recognise the wish to ensure that the UK taxpayer gets a fair return on our information assets held by public bodies and arm’s-length organisations, and we certainly agree that we need to look at licensing, we are not yet sure that this amendment is either necessary or sufficient. We once again thank the noble Baroness, Lady Kidron, for moving it. We look forward to hearing both her and the Minister’s thoughts on the matter.
My Lords, I am grateful to the noble Baroness, Lady Kidron, for her amendment. I agree with her that the public sector has a wealth of data assets that could be used to help our society achieve our missions and contribute to economic growth.
As well as my previous comments on the national data library, the Government’s recent Green Paper, Invest 2035: The UK’s Modern Industrial Strategy, makes it clear that we consider data access part of the modern business environment, so improving data access is integral to the UK’s approach to growth. However, we also recognise the value of our data assets as part of this approach. At the same time, it is critical that we use our data assets in a trustworthy and ethical way, as the noble Baroness, Lady Kidron, and the noble Lord, Lord Tarassenko, said, so we must tackle these issues carefully.
This is an active area of policy development for the Government, and we need to get it right. I must therefore ask the noble Baroness to withdraw her amendment. However, she started and provoked a debate that will, I hope, carry on; we would be happy to engage in that debate going forward.
I thank all speakers, in particular my noble friend Lord Tarassenko for his perspective. I am very happy to discuss this matter and let the Official Opposition know that this is a route to something more substantive to which they can agree. I beg leave to withdraw my amendment.
My Lords, I am grateful to the noble Lord, Lord Holmes, for tabling Amendment 221B and his other amendments in this group, which are on a range of varied and important issues. Given the hour, I hope he will be content if I promise to write to him on each of these issues and in the meantime, I ask him to withdraw the amendment.
I thank all noble Lords who participated: I will not go through them by name. I thank the Minister for her response and would very much welcome a letter. I am happy to meet her on all these subjects but, for now, I beg leave to withdraw the amendment.
My Lords, I thank my noble friend Lord Lucas for tabling Amendment 211F and all noble Lords for their brief contributions to this group.
Amendment 211F ensures that all the biodiversity data collected by or in connection with government is collected in local environment records centres to ensure that records are as good as possible. That data is then used by or in connection with government, so it is put to the best possible use.
The importance of sufficient and high-quality record collection cannot and must not be understated. With this in mind, His Majesty’s Official Opposition support the sentiment of the amendment in my noble friend’s name. These Benches will always champion matters related to biodiversity and nature recovery. In fact, many of my noble friends have raised concerns about biodiversity in Committee debates in your Lordships’ House on the Crown Estate Bill, the Water (Special Measures) Bill and the Great British Energy Bill. Indeed, they have tabled amendments that ensure that matters related to biodiversity appear at the forefront of draft legislation.
With that in mind, I am grateful to my noble friend Lord Lucas for introducing provisions, via Amendment 211F, which would require any planning application involving biodiversity net gain to include a data search report from the relevant local environmental records centre. I trust that the Minister has listened to the concerns raised collaboratively in the debate on this brief group. We must recognise the importance of good data collection and ensure that such data is used in the best possible way.
My Lords, I thank the noble Lord, Lord Lucas, for his Amendment 211F. I absolutely agree that local environmental records centres provide an important service. I reassure noble Lords that the Government’s digital planning programme is developing data standards and tools to increase the availability, accessibility and usability of planning data. This will transform people’s experience of planning and housing, including through local environmental records centres. On that basis, I must ask the noble Lord whether he is prepared to withdraw his amendment.
My Lords, I am grateful for that extensive answer from the Minister. If I have anything that I hope that she might add, I will write to her afterwards.
My heart is always in the cause of making sure that the Government get their business done on time every time, and that we finish Committee stages when they ask, as doubtless they will discover with some of the other Bills they have in this Session. For now, I beg leave to withdraw my amendment.
(6 days, 7 hours ago)
Grand CommitteeMy Lords, in carrying on on this group, I will speak to the question that Clause 78 stands part, and to Amendments 107, 109, 125, 154, 155 and 156, but to start I support Amendment 87 in the name of the noble and learned Lord, Lord Thomas of Cwmgiedd. We had a masterclass from him last Tuesday and he made an extremely good case for that amendment, which is very elegant.
The previous Government deleted the EU Charter of Fundamental Rights from the statute book through the Retained EU Law (Revocation and Reform) Act 2023, and this Bill does nothing to restore it. Although references in the UK GDPR to fundamental rights and freedoms are now to be read as references to the ECHR as implemented through the Human Rights Act 1998, the Government’s ECHR memorandum states:
“Where processing is conducted by a private body, that processing will not usually engage convention rights”.
As the noble and learned Lord mentioned, this could leave a significant gap in protection for individuals whose data is processed by private organisations and will mean lower data protection rights in the UK compared with the EU, so these Benches strongly support his Amendment 87, which would apply the convention to private bodies where personal data is concerned. I am afraid we do not support Amendments 91 and 97 from the noble Viscount, Lord Camrose, which seem to hanker after the mercifully defunct DPDI.
We strongly support Amendments 139 and 140 from the noble Baroness, Lady Kidron. Data communities are one of the important omissions from the Bill. Where are the provisions that should be there to support data-sharing communities and initiatives such as Solid? We have been talking about data trusts and data communities since as long ago as the Hall-Pesenti review. Indeed, it is interesting that the Minister herself only this April said in Grand Committee:
“This seems to be an area in which the ICO could take a lead in clarifying rights and set standards”.
Indeed, she put forward an amendment:
“Our Amendment 154 would therefore set a deadline for the ICO to do that work and for those rights to be enacted. The noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, made a good case for broadening these rights in the Bill and, on that basis, I hope the Minister will agree to follow this up, and follow up his letter so that we can make further progress on this issue”.—[Official Report, 17/4/24; col. GC 322.]
I very much hope that, now the tables are turned, so to speak, the Minister will take that forward herself in government.
Amendments 154, 155 and 156 deal with the removal of the principle of the supremacy of EU law. They are designed to undo the lowering of the standard of data protection rights in the UK brought about by the REUL Act 2023. The amendments would apply the protections required in Article 23.2 of the UK GDPR to all the relevant exceptions in Schedules 2 to 4 to the Data Protection Act 2018. This is important because data adequacy will be lost if the standard of protection of personal data in the UK is no longer essentially equivalent to that in the EU.
The EU’s adequacy decision stated that it did not apply in the area of immigration and referred to the case of Open Rights Group v the Secretary of State for the Home Department in the Court of Appeal. This case was brought after the UK left the EU, but before the REULA came into effect. The case is an example of how the preservation of the principle of the supremacy of EU law continued to guarantee high data protection standards in the UK, before this principle was deleted from the statute book by the REULA. In broad terms, the Court of Appeal found that the immigration exception in Schedule 2 to the Data Protection Act 2018 conflicted with the safeguards in Article 23 of the UK GDPR. This was because the immigration exemption was drafted too broadly and failed to incorporate the safeguards prescribed for exemptions under Article 23.2 of the UK GDPR. It was therefore held to be unlawful and was disapplied.
The Home Office redrafted the exemption to make it more protective, but it took several attempts to bring forward legislation which provided sufficient safeguards for data subjects. The extent of the safeguards now set out in the immigration exemption underscores both what is needed for compatibility with Article 23.2 of the UK GDPR and the deficiencies in the rest of the Schedule 2 exemptions. It is clear when reading the judgment in the Open Rights case that the majority of the exemptions from data subject rights under Schedule 2 to the Data Protection Act fail to meet the standards set out in Article 23.2 to the UK GDPR. The deletion of the principle of the supremacy of EU law has removed the possibility of another Open Rights-style challenge to the other exemptions in Schedule 2 to the Data Protection Act 2018. I hope that, ahead of the data adequacy discussions with the Commission, the Government’s lawyers have had a good look at the amendments that I have tabled, drafted by a former MoJ lawyer.
The new clause after Clause 107 in Amendment 154 applies new protections to the immigration exemption to the whole of Schedule 2 to the DPA 2018, with the exception of the exemptions that apply in the context of journalism or research, statistics and archiving. Unlike the other exemptions, they already contain detailed safeguards.
Amendment 155 is a new clause extending new protections which apply to the immigration exemption to Schedule 3 to the DPA 2018, and Amendment 156 is another new clause applying new protections which apply to the immigration exemption to Schedule 2 to the DPA 2018.
As regards Amendment 107, the Government need to clarify how data processing under recognised legitimate interests are compatible with conditions for data processing under existing lawful bases, including the special categories of personal data under Articles 5 and 9 of the UK GDPR. The Bill lowers the standard of the protection of personal data where data controllers only have to provide personal data based on
“a reasonable and proportionate search”.
The lack of clarity on what reasonable and proportionate mean in the context of data subject requests creates legal uncertainty for data controllers and organisations, specifically regarding whether the data subject’s consideration on the matter needs to be accounted for when responding to requests. This is a probing amendment which requires the Secretary of State to explain why the existing lawful bases for data processing are inadequate for the processing of personal data when additional recognised legitimate interests are introduced. It requires the Secretary of State to publish guidance within six months of the Act’s passing to clarify what constitutes reasonable and proportionate protections of personal data.
Amendment 109 would insert a new clause, to ensure that data controllers assess the risk of collective and societal harms,
“including to equality and the environment”,
when carrying out data protection impact assessments. It requires them to consult affected people and communities while carrying out these assessments to improve their quality, and requires data controllers to publish their assessments to facilitate informed decision-making by data subjects and to enable data controllers to be held accountable.
Turning to whether Clause 78 should stand part, on top of Clause 77, Clause 78 would reduce the scope of transparency obligations and rights. Many AI systems are designed in a way that makes it difficult to retrieve personal data once ingested, or understand how this data is being used. This is not principally due to technical limitations but the decision of AI developers who do not prioritise transparency and explainability.
As regards Amendment 125, it is clear that there are still further major changes proposed to the GDPR on police duties, automated decision-making and recognised legitimate interests which continue to make retention of data adequacy for the purposes of digital trade with the EU of the utmost priority in considering those changes. During the passage of the Data Protection and Digital Information Bill, I tabled an amendment to require the Government to publish an assessment of the impact of the Bill on EU/UK data adequacy within six months of the Act passing; I have tabled a similar amendment, with one change, to this Bill. As the next reassessment of data adequacy is set for June 2025, a six-month timescale may prove inconsequential to the overall adequacy decision. We must therefore recommend stipulating that this assessment takes place before this reassessment.
My Lords, I thank all noble Lords for their consideration of these clauses. First, I will address Amendment 87 tabled by the noble and learned Lord, Lord Thomas, and the noble and learned Lord—sorry, the noble Lord—Lord Clement-Jones.
We should take them while we can. Like the noble Lord, Lord Clement-Jones, I agree that the noble and learned Lord, Lord Thomas, made an excellent contribution. I appreciate this is a particularly technical area of legislation, but I hope I can reassure both noble Lords that the UK’s data protection law gives effect to convention rights and is designed to protect them. The Human Rights Act requires legislation to be interpreted compatibly with convention rights, whether processing is carried out by public or private bodies. ECHR rights are therefore a pervasive aspect of the rules that apply to public and private controllers alike. The noble and learned Lord is right that individuals generally cannot bring claims against private bodies for breaches of convention rights, but I reassure him that they can bring a claim for breaching the data protection laws giving effect to those rights.
I turn to Amendment 91, tabled by the noble Viscount, Lord Camrose, Amendment 107, tabled by the noble Lord, Lord Clement-Jones, and the question of whether Clause 78 should stand part, which all relate to data subject requests. The Government believe that transparency and the right of access is crucial. That is why they will not support a change to the language around the threshold for data subject requests, as this will undermine data subjects’ rights. Neither will the Bill change the current expectations placed on controllers. The Bill reflects the EU principle of proportionality, which has always underpinned this legislation, as well as existing domestic case law and current ICO guidance. I hope that reassures noble Lords.
Amendments 97 and 99, tabled by the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, relate to the notification exemption in Article 14 of the UK GDPR. I reassure noble Lords that the proportionality test provides an important safeguard for the existing exemption when data is collected from sources other than the data subject. The controller must always consider the impact on data subjects’ rights of not notifying. They cannot rely on the disproportionate effort exemption just because of how much data they are processing—even when there are many data subjects involved, such as there would be with web scraping. Moreover, a lawful basis is required to reuse personal data: a web scraper would still need to pass the balancing test to use the legitimate interest ground, as is usually the case.
The ICO’s recent outcomes report, published on 12 December, specifically referenced the process of web scraping. The report outlined:
“Web scraping for generative AI training is a high-risk, invisible processing activity. Where insufficient transparency measures contribute to people being unable to exercise their rights, generative AI developers are likely to struggle to pass the balancing test”.
The Minister said there is a power to amend, but she has not said whether she thinks that would be desirable. Is the power to be used only if we are found not to be data-adequate because the immigration exemption does not apply across the board? That is, will the power be used only if we are forced to use it?
I reassure the noble Lord that, as he knows, we are very hopeful that we will have data adequacy so that issue will not arise. I will write to him to set out in more detail when those powers would be used.
I thank the Minister for her offer of a meeting. I could tell from the nods of my co-signatories that that would indeed be very welcome and we would all like to come. I was interested in the quote from the ICO about scraping. I doubt the Minister has it to hand, but perhaps she could write to say what volume of enforcement action has been taken by the ICO on behalf of data rights holders against scraping on that basis.
Yes, it would be helpful if we could write and set that out in more detail. Obviously the ICO’s report is fairly recent, but I am sure he has considered how the enforcement would follow on from that. I am sure we can write and give more details.
My Lords, I thank the Minister for her response. I wish to make three points. First, the critical question is: are our laws adequate to pass the adequacy test? Normally, when you go in for a legal test, you check that your own house is in order. I am therefore slightly disappointed by the response to Amendment 125. Normally one has the full-scale medical first, rather than waiting until you are found to be ill afterwards.
Secondly, I listened to what the Minister said about my Amendment 87 and the difference between what rights are protected by the charter and the much greater limitation of the ECHR, normally simply to do with the extent to which they apply horizontally to private individuals. I will look at her answer, but at first sight it does not seem right to me that, where you have fundamental rights, you move to a second stage of rights—namely, the rights under the Data Protection Act.
Thirdly, I want to comment on the whole concept of data communities and data trusts. This is an important area, and it takes me back to what I said last time: this legislation really needs trying to reduce to principles. I am going to throw out a challenge to the very learned people behind the Minister, particularly the lawyers: can they come up with something intelligible to the people who are going to do this?
This legislation is ghastly; I am sorry to say that, but it is. It imposes huge costs on SMEs—not to say on others, but they can probably afford it—and if you are going to get trust from people, you have to explain things in simple principles. My challenge to those behind the Minister is: can they draft a Clause 1 of the Bill to say, “The principles that underpin the Bill are as follows, and the courts are to interpret it in accordance with those principles”? That is my challenge—a challenge, as the noble Baroness, Lady Kidron, points out, to be ambitious and not to sit in a tepid bath. I beg leave to withdraw the amendment.
My Lords, I thank the noble Viscount, Lord Colville, and the noble Baroness, Lady Kidron, for their amendments and consideration of this policy area. I hope noble Lords will bear with me if I save some of the points I shall make on web crawling and intellectual property for the later group, which is specifically on that topic.
Amendments 92 and 93 from the noble Viscount are about the new disproportionate effort exemption in Article 13. I can reassure noble Lords that this exemption applies only when data is collected directly from the data subject, so it cannot be used for web crawling, which is, if you like, a secondary activity. I think that answers that concern.
Amendments 101 and 105, also from the noble Viscount, are about the changes to the existing exemption in Article 14, where data is collected from other sources. Noble Lords debated this issue in the previous group, where Amendments 97 and 99 sought to remove this exemption. The reassurances I provided to noble Lords in that debate about the proportionality test being a case-by-case exercise also apply here. Disproportionate effort cannot be used as an excuse; developers must consider the rights of the data subject on each occasion.
I also draw noble Lords’ attention to another quote from the ICO itself, made when publishing its recent outcome reports. I know I have already said that I will share more information on this. It says:
“Generative AI developers, it’s time to tell people how you’re using their information”.
The ICO is on the case on this issue, and is pursuing it.
On Amendment 137 from the noble Baronesses, Lady Kidron and Lady Harding, and other noble Lords, I fully recognise the importance of organisations receiving clear guidance from regulators, especially on complex and technical issues. AI is one such issue. I know that noble Lords are particularly conscious of how it might affect children, and I am hearing the messages about that today.
As the noble Baroness will know, the Secretary of State already has the power to request statutory codes such as this from the regulator. The existing power will allow us to ensure the correct scope of any future codes, working closely with the ICO and stakeholders and including noble Lords here today, and I am happy to meet them to discuss this further. The Government are, naturally, open to evidence about whether new statutory codes should be provided for by regulations in future. Although I appreciate the signal this can send, at the moment I do not believe that a requirement for codes on this issue is needed in this legislation. I hope noble Lords are reassured that the Government are taking this issue seriously.
Amendment 211A from the noble Lord, Lord Holmes, is about prohibiting the processing of people’s names, facial images, voices or any physical characteristics for AI training without their consent. Facial images and other physical characteristics that can be used to identify a person are already protected by the data protection legislation. An AI developer processing such data would have to identify a lawful ground for this. Consent is not the only option available, but I can reassure the noble Lord that there are firm safeguards in place for all the lawful grounds. These include, among many other things, making sure that the processing is fair and transparent. Noble Lords will know that even more stringent conditions, such as safeguards applying in relation to race, sexual orientation and any biometric data that can be used to identify someone as types of a special category of data are also covered.
Noble Lords tried to tempt me once again on the timetable for the AI legislation. I said as much as I could on that when we debated this in the last session, so I cannot add any more at this stage.
I hope that reassures noble Lords that the Bill has strong protections in place to ensure responsible data use and reuse, and, as such, that they feel content not to press their amendments.
I understand the point that the Secretary of State has the power, but does he have the intention? We are seeking an instruction to the ICO to do exactly this thing. The Secretary of State’s intention would be an excellent compromise all round to activate such a thing, and to see that in the Bill is the point here.
Discussions with the ICO are taking place at the moment about the scope and intention of a number of issues around AI, and this issue would be included in that. However, I cannot say at the moment that that intention is specifically spelled out in the way that the noble Baroness is asking.
This has been a wide-ranging debate, with important contributions from across the Committee. I take some comfort from the Minister’s declaration that the exemptions will not be used for web crawling, but I want to make sure that they are not used at the expense of the privacy and control of personal data belonging to the people of Britain.
That seems particularly so for Amendment 137 in the name of the noble Baroness, Lady Kidron. I was particularly taken by her pointing out that children’s data privacy had not been taken into account when it came to AI, reinforced by the noble Baroness, Lady Harding, telling us about the importance of the Bill. She said it was paramount to protect children in the digital age and reminded us that this is the biggest breakthrough of our lifetime and that children need protecting from it. I hope very much that there will be some successful meetings, and maybe a government amendment on Report, responding to these passionate and heartfelt demands. On that basis, I sincerely hope the Minister will meet us all and other noble Lords to discuss these matters of data privacy further. On that basis, I beg leave to withdraw my amendment.
I thank noble Lords for their comments and contributions. I shall jump to Amendments 159 and 159A, one of which is in my name and both of which are concerned with cookie paywalls. I am not sure I can have properly understood the objection to cookie paywalls. Do they not simply offer users three choices: pay money and stay private; share personal data and read for free; or walk away? So many times, we have all complained about the fact that these websites harvest our data and now, for the first time, this approach sets a clear cash value on the data that they are harvesting and offers us the choice. The other day somebody sent me a link from the Sun. I had those choices. I did not want to pay the money or share my data, so I did not read the article. I feel this is a personal decision, supported by clear data, which it is up to the individual to take, not the Government. I do not think we should take away this choice.
Let me turn to some of the other amendments in this group. Amendment 161 in the name of my noble friend Lord Lucas is, if I may say so, a thoughtful amendment. It would allow pension providers to communicate information on their product. This may mean that the person who will benefit from that pension does not miss out on useful information that would benefit their saving for retirement. Given that pension providers already hold the saver’s personal data, it seems to be merely a question of whether this information is wanted; of course, if it is not, the saver can simply opt out.
Amendment 162 makes an important point: many charities rely on donations from the public. Perhaps we should consider bringing down the barriers to contacting people regarding fundraising activities. At the very least, I am personally not convinced that members of the public have different expectations around what kinds of organisation can and cannot contact them and in what circumstances, so I support any step that simplifies the—to my mind—rather arbitrary differences in the treatment of business and charity communications.
Amendment 104 certainly seems a reasonable addition to the list of what might constitute “unreasonable effort” if the information is already public. However, I have some concerns about Amendments 98 and 100 to 103. For Amendment 98, who would judge the impact on the individual? I suspect that the individual and the data controllers may have different opinions on this. In Amendment 100, the effort and cost of compliance are thorny issues that would surely be dictated by the nature of the data itself and the reason for providing it to data subjects. In short, I am concerned that the controllers’ view may be more subjective than we would want.
On Amendment 102, again, when it comes to providing information to them,
“the damage and distress to the data subjects”
is a phrase on which the subject and the controller will almost inevitably have differing opinions. How will these be balanced? Additionally, one might presume that information that is either damaging or distressing to the data subjects should not necessarily be withheld from them as it is likely to be extremely important.
My Lords, we have covered a range of issues in our debate on this grouping; nevertheless, I will try to address each of them in turn. I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Harding, for their Amendments 95, 96, 98, 100, 102 to 104 and 106 regarding notification requirements.
First, with regard to the amendments in the name of the noble Baroness, Lady Harding, I say that although the Government support the use of public data sources, transparency is a key data protection principle. We do not agree that such use of personal data should remove or undermine the transparency requirements. The ICO considers that the use and sale of open electoral register data alone is likely not to require notification. However, when the data is combined with data from other sources, in order to build an extensive profile to be sold on for direct marketing, notification may be proportionate since the processing may go beyond the individual’s reasonable expectations. When individuals are not notified about processing, it makes it harder for them to exercise their data subject rights, such as the right to object.
Adding other factors to the list of what constitutes a “disproportionate effort” for notification is unnecessary given that the list is already non-exhaustive. The “disproportionate effort” exemption must be applied according to the safeguards of the wider data protection framework. According to the fairness principle, controllers should already account for whether the processing meets the reasonable expectations of a data subject. The data minimisation and purpose limitation principles also act as an important consideration for data controllers. Controllers should continue to assess on a case-by-case basis whether they meet the threshold for the existing exemptions to notify; if not, they should notify. I hope that this helps clarify our position on that.
When does the Minister anticipate that the ICO will produce that report?
I do not have the detail of all that. Obviously, the call for views has only recently gone out and he will need time for consideration of the responses. I hope the noble Lord will accept that the ICO is on the case on this matter. If we can provide more information, we will.
May I ask the Minister a hypothetical question? If the ICO believes that these are not desirable, what instruments are there for changing the law? Can the ICO, under its own steam, so to speak, ban them; do we need to do it in primary legislation; or can it be done in secondary legislation? If the Minister cannot answer now, perhaps she can write to me.
Of course I will write to the noble Lord. It will be within the ICO’s normal powers to make changes where he finds that they are necessary.
I move to Amendment 160, tabled by noble Lord, Lord Lucas, which seeks to create a new exemption for advertising performance cookies. There is a balance to strike between driving growth in the advertising, news and publishing sectors while ensuring that people retain choice and control over how their data is used. To exempt advertising measurement cookies, we would need to assess how intrusive these cookies are, including what they track and where data is sent. We have taken a delegated power so that exemptions to the prohibition can be added in future once evidence supports it, and we can devise appropriate safeguards to minimise privacy risks. In the meantime, we have been actively engaging with the advertising and publishing sectors on this issue and will continue to work with them to consider the potential use of the regulation-making power. I hope that the noble Lord will accept that this is work in progress.
Amendment 161, also from the noble Lord, Lord Lucas, aims to extend the soft opt-in rule under the privacy and electronic communications regulations to providers of auto-enrolment pension schemes. The soft opt-in rule removes the need for some commercial organisations to seek consent for direct marketing messages where there is an existing relationship between the organisation and the customer, provided the recipient did not object to receiving direct marketing messages when their contact details were collected.
The Government recognise that people auto-enrolled by their employers in workplace pension schemes may not have an existing relationship with their pension provider, so I understand the noble Lord’s motivations for this amendment. However, pension providers have opportunities to ask people to express their direct mail preferences, such as when the customer logs on to their account online. We are taking steps to improve the support available for pension holders through the joint Government and FCA advice guidance boundary review. The FCA will be seeking feedback on any interactions of proposals with direct marketing rules through that consultation process. Again, I hope the noble Lord will accept that this issue is under active consideration.
Amendment 162, tabled by the noble Lord, Lord Clement-Jones, would create an equivalent provision to the soft opt-in but for charities. It would enable a person to send electronic marketing without permission to people who have previously expressed an interest in their charitable objectives. The noble Lord will recall, and has done so, that the DPDI Bill included a provision similar to his amendment. The Government removed it from that Bill due to the concerns that it would increase direct marketing from political parties. I think we all accepted at the time that we did not want that to happen.
As the noble Lord said, his amendment is narrower because it focuses on communications for charitable purposes, but it could still increase the number of messages received by people who have previously expressed an interest in the work of charities. We are listening carefully to arguments for change in this area and will consider the points he raises, but I ask that he withdraws his amendment while we consider its potential impact further. We are happy to have further discussions on that.
I apologise to the Minister for intervening on her when I have not spoken earlier in this debate, but I was reassured by what she just said on Amendment 162. Remarks made by other noble Lords in this debate suggest both that members of the public might not object to charities having the same access rights as businesses and that the public do not necessarily draw a distinction between businesses and charities. As a former chairman of the Charity Commission, I can say that that is not what is generally found. People have an expectation of charities that differs from what they would expect by way of marketing from businesses. In considering this amendment, therefore, I urge the Minister to think carefully before deciding what action the Government should take.
I thank the noble Baroness very much for that very helpful intervention. If she has any more information about the view of the Charity Commission, we would obviously like to engage with that because we need to get this right. We want to make sure that individuals welcome and appreciate the information given to them, rather than it being something that could have a negative impact.
I think I have covered all the issues. I hope those explanations have been of some reassurance to noble Lords and that, as such, they are content not to press their amendments.
May I just follow up by asking one quick question? I may be clutching at straws here but, in responding to the amendments in my name, she stated what the ICO believes rather than what the Government believe. She also said that the ICO may think that further permission is required to ensure transparency. I understand from the Data & Marketing Association that users of this data have four different ways of ensuring transparency. Would the Minister agree to a follow-up meeting to see whether there is a meeting of minds with what the Government think, rather than the ICO?
I am very happy to talk to the noble Baroness about this issue. She asked what the Government’s view is; we are listening very carefully to the Information Commissioner and the advice that he is putting together on this issue.
My Lords, I am very grateful for the answers the noble Baroness gave to my amendments. I will study carefully what she said in Hansard, and if I have anything further to ask, I will write to her.
My Lords, we have had a really profound and significant debate on these issues; it has been really helpful that they have been aired by a number of noble Lords in a compelling and articulate way. I thank everybody for their contributions.
I have to say at the outset that the Government want data protection rules fit for the age of emerging technologies. The noble Lord, Lord Holmes, asked whether we are addressing issues of the past or issues of the future. We believe that the balance we have in this Bill is exactly about addressing the issues of the future. Our reforms will reduce barriers to the responsible use of automation while clarifying that organisations must provide stringent safeguards for individuals.
I stress again how seriously we take these issues. A number of examples have been quoted as the debate has gone on. I say to those noble Lords that examples were given where there was no human involved. That is precisely what the new provisions in this Bill attempt to address, in order to make sure that there is meaningful human involvement and people’s futures are not being decided by an automated machine.
Amendment 110 tabled by the noble Lords, Lord Clement-Jones and Lord Knight, seeks to clarify that, for human involvement to be meaningful, it must be carried out by a competent person. Our reforms make clear that solely automated decisions lack meaningful human involvement. That goes beyond a tick-box exercise. The ICO guidance also clarifies that
“the human involvement has to be active and not just a token gesture”;
that right is absolutely underpinned by the wording of the regulations here.
I turn next to Amendment 111. I can assure—
My Lords, I was listening very carefully. Does “underpinned by the regulations” mean that it will be underpinned?
Yes. The provisions in this Bill cover exactly that concern.
The issue of meaningful human involvement is absolutely crucial. Is the Minister saying that regulations issued by the Secretary of State will define “meaningful human involvement”, or is she saying that it is already in the primary legislation, which is not my impression?
Sorry—it is probably my choice of language. I am saying that it is already in the Bill; it is not intended to be separate. I was talking about whether solely automated decisions lack meaningful human involvement. This provision is already set out in the Bill; that is the whole purpose of it.
On Amendment 111, I assure the noble Viscount, Lord Camrose, that controllers using solely automated processing are required to comply with the data protection principles. I know that he was anticipating this answer, but we believe that it captures the principles he proposes and achieves the same intended effect as his amendment. I agree with the noble Viscount that data protection is not the only lens through which AI should be regulated, and that we cannot address all AI risks through the data protection legislation, but the data protection principles are the right ones for solely automated decision-making, given its place in the data protection framework. I hope that that answers his concerns.
On Amendment 112, which seeks to prohibit solely automated decisions that contravene the Equality Act 2010, I assure the noble Lords, Lord Clement-Jones and Lord Knight, that the data protection framework is clear that controllers must adhere to the Equality Act.
Amendments 113 and 114 would extend solely automated decision-making safeguards to predominantly automated decision-making. I assure the noble and learned Lord Thomas, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, that the safeguards in Clause 80 are designed to protect individuals where meaningful human involvement is lacking. Predominantly automated decision-making will already include meaningful human involvement and therefore does not require these additional safeguards.
On Amendments 114A and 115A, tabled by the noble Viscount, Lord Camrose, many noble Lords have spoken in our debates about the importance of future-proofing the legislation. These powers are an example of that: without them, the Government will not have the ability to act quickly to update protections for individuals in the light of rapid technology developments.
I assure noble Lords that the regulation powers are subject to a number of safeguards. The Secretary of State must consult the Information Commissioner and have regard to other relevant factors, which can include the impact on individuals’ rights and freedoms as well as the specific needs and rights of children. As with all regulations, the exercise of these powers must be rational; they cannot be used irrationally or arbitrarily. Furthermore, the regulations will be subject to the affirmative procedure and so must be approved by both Houses of Parliament.
I assure the noble Lord, Lord Clement-Jones, that one of the powers means that his Amendment 123 is not necessary, as it can be used to describe specifically what is or is not meaningful human involvement.
Amendment 115A, tabled by the noble Viscount, Lord Camrose, would remove the reforms to Parts 3 and 4 of the Data Protection Act, thereby putting them out of alignment with the UK GDPR. That would cause confusion and ambiguity for data subjects.
I am sorry to interrupt again as we go along but, a sentence or so ago, the Minister said that the definition in Amendment 123 of meaningful human involvement in automated decision-making was unnecessary. The amendment is designed to change matters. It would not be the Secretary of State who determined the meaning of meaningful human involvement; in essence, it would be initiated by the Information Commissioner, in consultation with the Secretary of State. So I do not quite understand why the Minister used “unnecessary”. It may be an alternative that is undesirable, but I do not understand why she has come to the conclusion that it is unnecessary. I thought it was easier to challenge the points as we go along rather than at the very end.
My Lords, we would say that a definition in the Bill is not necessary because it is dealt with case by case and is supplemented by these powers. The Secretary of State does not define meaningful human involvement; it is best done case by case, supported by the ICO guidance. I hope that that addresses the noble Lord’s point.
That is slightly splitting hairs. The noble Viscount, Lord Camrose, might want to comment because he wanted to delete the wording that says:
“The Secretary of State may by regulations provide that … there is, or is not, to be taken to be meaningful human involvement”.
He certainly will determine—or is able to determine, at least—whether or not there is human involvement. Surely, as part of that, there will need to be consideration of what human involvement is.
The Secretary of State can help describe specific cases in the future but, on the point made by my noble friend Lord Knight, the ICO guidance will clarify some of that. There will be prior consultation with the ICO before that guidance is finalised, but if noble Lords are in any doubt about this, I am happy to write and confirm that in more detail.
Amendment 115 in the names of the noble Lords, Lord Clement-Jones, Lord Lucas and Lord Knight, and Amendment 123A in the name of the noble Lord, Lord Holmes, seek to ensure that individuals are provided with clear and accessible information about solely automated decision-making. The safeguards set out in Clause 80, alongside the wider data protection framework’s safeguards, such as the transparency principle, already achieve this purpose. The UK GDPR requires organisations to notify individuals about the existence of automated decision-making and provide meaningful information about the logic involved in a clear and accessible format. Individuals who have been subject to solely automated decisions must be provided with information about the decisions.
On Amendment 116 in the names of the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, I reassure noble Lords that Clause 69 already provides a definition of consent that applies to all processing under the law enforcement regime.
On Amendment 117 in the names of the noble Viscount, Lord Camrose, the noble Lords, Lord Markham, and my noble friend Lord Knight, I agree with them on the importance of protecting the sensitive personal data of children by law enforcement agencies, and there is extensive guidance on this issue. However, consent is rarely used as the basis for processing law enforcement data. Other law enforcement purposes, such as the prevention, detection and investigation of crime, are quite often used instead.
I will address Amendment 118 in the name of the noble Viscount, Lord Camrose, and Amendment 123B in the name of the noble Lord, Lord Holmes, together, as they focus on obtaining human intervention for a solely automated decision. I agree that human intervention should be carried out competently and by a person with the authority to correct a wrongful outcome. However, the Government believe that there is currently no need to specify the qualifications of human reviewers as the ICO’s existing guidance explains how requests for human review should be managed.
Does the Minister agree that the crux of this machinery is solely automated decision-making as a binary thing—it is or it is not—and, therefore, that the absolute key to it is making sure that the humans involved are suitably qualified and finding some way to do so, whether by writing a definition or publishing guidelines?
On the question of qualification, the Minister may wish to reflect on the broad discussions we have had in the past around certification and the role it may play. I gently her take her back to what she said on Amendment 123A about notification. Does she see notification as the same as a personalised response to an individual?
Noble Lords have asked several questions. First, in response to the noble Viscount, Lord Camrose, I think I am on the same page as him about binary rather than muddying the water by having degrees of meaningful intervention. The ICO already has guidance on how human review should be provided, and this will be updated after the Bill to ensure that it reflects what is meant by “meaningful human involvement”. Those issues will be addressed in the ICO guidance, but if it helps, I can write further on that.
I have forgotten the question that the noble Lord, Lord Holmes, asked me. I do not know whether I have addressed it.
In her response the Minister said “notification”. Does she see notification as the same as “personalised response”?
My understanding is that it would be. Every individual who was affected would receive their own notification rather than it just being on a website, for example.
Let me just make sure I have not missed anyone out. On Amendment 123B on addressing bias in automated decision-making, compliance with the data protection principles, including accuracy, transparency and fairness, will ensure that organisations take the necessary measures to address the risk of bias.
On Amendment 123C from the noble Lord, Lord Clement-Jones, I reassure him that the Government strongly agree that employment rights should be fit for a modern economy. The plan to make work pay will achieve this by addressing the challenges introduced by new trends and technologies. I agree very much with my noble friend Lord Knight that although we have to get this right, there are opportunities for a different form of work, and we should not just see this as being potentially a negative impact on people’s lives. However, we want to get the balance right with regard to the impact on individuals to make sure that we get the best rather than the possible negative effects out of it.
Employment rights law is more suitable for regulating the specific use of data and technology in the workplace rather than data protection law in isolation, as data protection law sets out general rules and principles for processing that apply in all contexts. Noble Lords can rest assured that we take the impact on employment and work very seriously, and as part of our plan to make work pay and the Employment Rights Bill, we will return to these issues.
On Amendments 119, 120, 121 and 122, tabled by the noble Lord, Lord Clement-Jones, the noble Viscount, Lord Colville, and my noble friend Lord Knight, the Government share the noble Lords’ belief in the importance of public sector algorithmic transparency, and, as the noble Lord, Lord Clement-Jones, reminded us, we had a very good debate on this last week. The algorithmic transparency recording standard is already mandatory for government departments and arm’s-length bodies. This is a cross-government policy mandate underpinned by digital spend controls, which means that when budget is requested for a relevant tool, the team in question must commit to publishing an ATRS record before receiving the funds.
As I said on Friday, we are implementing this policy accordingly, and I hope to publish further records imminently. I very much hope that when noble Lords see what I hope will be a significant number of new records on this, they will be reassured that the nature of the mandation and the obligation on public sector departments is working.
Policy routes also enable us to provide detailed guidance to the public sector on how to carry out its responsibilities and monitor compliance. Examples include the data ethics framework, the generative AI framework, and the guidelines for AI procurement. Additionally, the data protection framework already achieves some of the intended outcomes of these amendments. It requires organisations, including public authorities, to demonstrate how they have identified and mitigated risks when processing personal data. The ICO provides guidance on how organisations can audit their privacy management and ensure a high level of data protection compliance.
I know I have given a great deal of detail there. If I have not covered all the points that the noble Lords have raised, I will write. In the meantime, given the above assurances, I hope that the noble Lord will withdraw his amendment.
My Lords, I would be very grateful if the Minister wrote to me about Amendment 115. I have done my best before and after to study Clause 80 to understand how it provides the safeguards she describes, and have failed. If she or her officials could take the example of a job application and the responses expected from it, and take me through the clauses to understand what sort of response would be expected and how that is set out in the legislation, I would be most grateful.
My Lords, I thank the Minister for her very detailed and careful response to all the amendments. Clearly, from the number of speakers in this debate, this is one of the most important areas of the Bill and one that has given one of the greatest degrees of concern, both inside and outside the Committee. I think the general feeling is that there is still concern. The Minister is quite clear that the Government are taking these issues seriously, in terms of ADM itself and the impact in the workplace, but there are missing parts here. If you add all the amendments together—no doubt we will read Hansard and, in a sense, tick off the areas where we have been given an assurance about the interpretation of the Bill—there are still great gaps.
It was very interesting to hear what the noble Lord, Lord Kamall, had to say about how the computer said “no” as he reached the gate. A lot of this is about communications. I would be very interested if any letter to the noble Lord, Lord Lucas, was copied more broadly, because that is clearly one of the key issues. It was reassuring to hear that the ICO will be on top of this in terms of definitions, guidance, audit and so on, and that we are imminently to get the publication of the records of algorithmic systems in use under the terms of the algorithmic transparency recording standard.
We have had some extremely well-made points from the noble Viscounts, Lord Colville and Lord Camrose, the noble Lords, Lord Lucas, Lord Knight and Lord Holmes, and the noble Baroness, Lady Kidron. I am not going to unpack all of them, but we clearly need to take this further and chew it over before we get to Report. I very much hope that the Minister will regard a will write letter on stilts as required before we go very much further, because I do not think we will be purely satisfied by this debate.
The one area where I would disagree is on treating solely automated decision-making as the pure subject of the Clause 80 rights. Looking at it in the converse, it is perfectly proper to regard something that does not have meaningful human involvement as predominantly automated decision-making. I do not think, in the words of the noble Viscount, Lord Camrose, that this does muddy the waters. We need to be clearer about what we regard as being automated decision-making for the purpose of this clause.
There is still quite a lot of work to do in chewing over the Minister’s words. In the meantime, I beg leave to withdraw my amendment.
I thank the noble Lord, Lord Clement-Jones; let me consider it a marker for future discussion.
I thank the noble Lord, Lord Clement-Jones, for coming to my rescue there.
I turn to the Clause 81 stand part notice tabled by the noble Lord, Lord Clement-Jones, which would remove Clause 81 from the Bill. Section 62 of the Data Protection Act requires law enforcement agencies to record their processing activities, including their reasons for accessing and disclosing personal information. Entering a justification manually was intended to help detect unauthorised access. The noble Lord was right that the police do sometimes abuse their power; however, I agree with the noble Viscount, Lord Camrose, that the reality is that anyone accessing the system unlawfully is highly unlikely to record that, making this an ineffective safeguard.
Meanwhile, the position of the National Police Chiefs’ Council is that this change will not impede any investigation concerning the unlawful processing of personal data. Clause 81 does not remove the strong safeguards that ensure accountability for data use by law enforcement that include the requirement to record time, date, and where possible, who has accessed the data, which are far more effective in monitoring potential data misuse. We would argue that the requirement to manually record a justification every time case information is accessed places a considerable burden on policing. I think the noble Lord himself said that we estimate that this clause may save approximately 1.5 million policing hours, equivalent to a saving in the region of £42.8 million a year.
Yes, we could not see the noble Lord’s raised eyebrows.
Turning to Amendment 124, I thank the noble Baroness, Lady Morgan, for raising this important issue. While I obviously understand and welcome the intent, I do not think that the legislative change is what is required here. The Information Commissioner’s Office agrees that the Data Protection Act is not a barrier to the sharing of personal data between the police and the CPS. What is needed is a change in the operational processes in place between the police and the CPS that are causing this redaction burden that the noble Baroness spelled out so coherently.
We are very much aware that this is an issue and, as I think the noble Baroness knows, the Government are committed to reducing the burden on the police and the Home Office and to exploring with partners across the criminal justice system how this can best be achieved. We absolutely understand the point that the noble Baroness has raised, but I hope that she could agree to give space to the Home Office and the CPS to try to find a resolution so that we do not have the unnecessary burden of redaction when it is not necessary. It is an ongoing discussion—which I know the noble Baroness knows really—and I hope that she will not pursue it on that basis.
I will address Amendments 126 to 129 together. These amendments seek to remove parts of Schedule 8 to avoid divergence from EU legislation. The noble Lord, Lord Clement-Jones, proposes instead to remove existing parts of Section 73 of the Data Protection Act 2018. New Section 73(4)(aa), introduced by this Bill, with its bespoke path for personal data transfers from UK controllers to international processors, is crucial. In the modern age, where the use of such capabilities and the benefits they provide is increasing, we need to ensure that law enforcement can make effective use of them to tackle crime and keep citizens safe.
My Lords, I thank the Minister for her response on this group, which was, again, very detailed. There is a lot to consider in what she had to say, particularly about the clauses beyond Clause 81. I am rather surprised that the current Government are still going down the same track on Clause 81. It is as if, because the risk of abuse is so high, this Government, like the previous one, have decided that it is not necessary to have the safeguard of putting down the justification in the first place. Yet we have heard about the Sarah Everard police officers. It seems to me perverse not to require justification. I will read further what the Minister had to say but it seems quite extraordinary to be taking away a safeguard at this time, especially when the Minister says that, at the same time, they need to produce logs of the time of the data being shared and so on. I cannot see what is to be gained—I certainly cannot see £42 million being saved. It is a very precise figure: £42.8 million. I wonder where the £800,000 comes from. It seems almost too precise to be credible.
I emphasise that we believe the safeguards are there. This is not a watering down of provisions. We are just making sure that the safeguards are more appropriate for the sort of abuse that we think might happen in future from police misusing their records. I do not want it left on the record that we do not think that is important.
No. As I was saying, it seems that the Minister is saying that there will still be the necessity to log the fact that data has been shared. However, it seems extraordinary that, at the same time, it is not possible to say what the justification is. The justification could be all kinds of things, but it makes somebody think before they simply share the data. It seems to me that, given the clear evidence of abuse of data by police officers—data of the deceased, for heaven’s sake—we need to keep all the safeguards we currently have. That is a clear bone of contention.
I will read what else the Minister had to say about the other clauses in the group, which are rather more sensitive from the point of view of national security, data sharing abroad and so on.
I wanted to rise to my feet in time to stop the noble Viscount leaping forward as he gets more and more excited as we reach—I hope—possibly the last few minutes of this debate. I am freezing to death here.
I wish only to add my support to the points of the noble Baroness, Lady Kidron, on Amendment 145. It is much overused saw, but if it is not measured, it will not get reported.
My Lords, I thank noble Lords for their consideration of the issues before us in this group. I begin with Amendment 134 from the noble Lord, Lord Clement-Jones. I can confirm that the primary duty of the commissioner will be to uphold the principal objective: securing an appropriate level of data protection, carrying out the crucial balancing test between the interests of data subjects, controllers and wider public interests, and promoting public trust and confidence in the use of personal data.
The other duties sit below this objective and do not compete with it—they do not come at the expense of upholding data protection standards. The commissioner will have to consider these duties in his work but will have discretion as to their application. Moreover, the new objectives inserted by the amendment concerning monitoring, enforcement and complaints are already covered by legislation.
I thank the noble Lord, Lord Lucas for Amendment 135A. The amendment was a previous feature of the DPDI Bill but the Government decided that a statement of strategic priorities for the ICO in this Bill is not necessary. The Government will of course continue to set out their priorities in relation to data protection and other related areas and discuss them with the Information Commissioner as appropriate.
Amendment 142 from the noble Viscount, Lord Camrose, would remove the ICO’s ability to serve notices by email. We would argue that email is a fast, accessible and inexpensive method for issuing notices. I can reassure noble Lords that the ICO can serve a notice via email only if it is sent to an email address published by the recipient or where the ICO has reasonable grounds to believe that the notice will come to the attention of the person, significantly reducing the risk that emails may be missed or sent to the wrong address.
Regarding the noble Viscount’s Amendment 143, the assumption that an email notice will be received in 48 hours is reasonable and equivalent to the respective legislation of other regulators, such as the CMA and Ofcom.
I thank the noble Lord, Lord Clement-Jones, for Amendment 144 concerning the ICO’s use of reprimands. The regulator does not commonly issue multiple reprimands to the same organisation. But it is important that the ICO, as an independent regulator, has the discretion and flexibility in instances where there may be a legitimate need to issue multiple reprimands within a particular period without placing arbitrary limits on that.
Turning to Amendment 144A, the new requirements in Clause 101 will already lead to the publication of an annual report, which will include the regulator’s investigation and enforcement activity. Reporting will be categorised to ensure that where the detail of cases is not public, commercially sensitive investigations are not inadvertently shared. Splitting out reporting by country or locality would make it more difficult to protect sensitive data.
Turning to Amendment 145, with thanks to the noble Baroness, Lady Kidron, I agree with the importance of ensuring that the regulator can be held to account on this issue effectively. The new annual report in Clause 101 will cover all the ICO’s regulatory activity, including that taken to uphold the rights of children. Clause 90 also requires the ICO to publish a strategy and report on how it has complied with its new statutory duties. Both of these will cover the new duty relating to children’s awareness and rights, and this should include the ICO’s activity to support and uphold its important age-appropriate design code.
I thank the noble Lord, Lord Clement-Jones, for Amendments 163 to 192 to Schedule 14, which establishes the governance structure of the information commission. The approach, including the responsibilities conferred on the Secretary of State, at the core of the amendments follows standard corporate governance best practice and reflects the Government’s commitment to safeguarding the independence of the regulator. This includes requiring the Secretary of State to consult the chair of the information commission before making appointments of non-executive members.
Amendments 165 and 167A would require members of the commission to be appointed to oversee specific tasks and to be from prescribed fields of expertise. Due to the commission’s broad regulatory remit, the Government consider that it would not be appropriate or helpful for the legislation to set out specific areas that should receive prominence over others. The Government are confident that the Bill will ensure that the commission has the right expertise on its board. Our approach safeguards the integrity and independence of the regulator, draws clearly on established precedent and provides appropriate oversight of its activities.
Finally, Clauses 91 and 92 were designed to ensure that the ICO’s statutory codes are consistent in their development, informed by relevant expertise and take account of their impact on those likely to be affected by them. They also ensure that codes required by the Secretary of State have the same legal effect as pre-existing codes published under the Data Protection Act.
Considering the explanations I have offered, I hope that the noble Lords, Lord Clement-Jones and Lord Lucas, the noble Viscount, Lord Camrose, and the noble Baroness, Lady Kidron, will agree not to press their amendments.
My Lords, I thank the Minister for that response. If I speak for four minutes, that will just about fill the gap, but I hope to speak for less than that.
The Minister’s response was very helpful, particularly the way in which she put the clarification of objectives. Of course, this is shared with other regulators, where this new growth duty needs to be set in the context of the key priorities of the regulator. My earlier amendment reflected a nervousness about adding innovation and growth duties to a regulator, which may be seen to unbalance the key objectives of the regulator in the first place, but I will read carefully what the Minister said. I welcome the fact that, unlike in the DPDI Bill, there is no requirement for a statement of strategic priorities. That is why I did not support Amendment 135A.
It is somewhat ironic that, in discussing a digital Bill, the noble Viscount, Lord Camrose, decided to go completely analogue, but that is life. Maybe that is what happens to you after four and a half hours of the Committee.
I do not think the Minister covered the ground on the reprimands front. I will read carefully what she said about the annual report and the need for the ICO—or the commission, as it will be—to report on its actions. I hope, just by putting down these kinds of amendments on reprimands, that the ICO will take notice. I have been in correspondence with the ICO myself, as have a number of organisations. There is some dissatisfaction, particularly with companies such as Clearview, where it is felt that the ICO has not taken adequate action on scraping and building databases from the internet. We will see whether the ICO becomes more proactive in that respect. I was reassured, however, by what the Minister said about NED qualifications and the general objective on the independence of the regulator.
There is much to chew on in what the Minister said. In the meantime, I beg leave to withdraw my amendment.
(1 week, 2 days ago)
Lords ChamberMy Lords, I thank all noble Lords for contributing to a very insightful debate. I particularly welcome the noble Baroness, Lady Lane-Fox, to her new role chairing the board of the new digital centre of government. I am sure she will have a great contribution to make in debates of this kind. I also thank the noble Lord, Lord Clement-Jones, for bringing forward the Bill.
The Government understand the intent of the Bill, in particular on the safe, responsible and transparent use of algorithmic and automated decision-making systems in the public sector. However, for reasons I will now outline, the Government would like to express reservations about the noble Lord’s Bill.
The Government of course believe that such systems have a positive role to play in the public sector. As many noble Lords have said, they can improve services, unlock new insights, deliver efficiencies and give citizens back their time. However, they must be used in ways that maintain public trust. The noble Lord, Lord Clement-Jones, highlighted some shocking examples of where threats of bias and racism, for example, have undermined public trust, and these issues need to be addressed.
We know that transparency is a particularly important driver of rebuilding that trust and delivering fairness. That is what the Algorithmic Transparency Recording Standard, or ATRS, aims to address. The noble Lord asked about its status in government. The ATRS is now mandatory for all government departments. This mandate was agreed in cross-government policy. The ATRS is also recommended by the Data Standards Authority for use across the broader public sector, and the standards will become publicly available on GOV.UK.
The initial groundwork to comply with this mandate is complex, particularly for large organisations. They must identify and assess algorithmic tools from across multiple functions, engaging many individuals and multidisciplinary teams. However, I am pleased to reassure my noble friend Lord Knight and other noble Lords that a number of these records have now been completed under the mandatory rollout, and the Government will publish them in the coming weeks.
The ATRS complements the UK’s data protection framework, which provides protections for individuals when their personal data is processed. The technology-neutral approach of the data protection framework means that its principles, including accuracy, security, transparency and fairness, apply to the processing of personal data regardless of the technology used.
The framework provides additional protections for solely automated decision-making which has a legal or significant effect on individuals. It places a requirement on organisations to provide stringent safeguards for individuals where this type of processing takes place, so that they are available when they matter most. These rules apply to all organisations, including the public sector.
I agree, though, with the noble Baroness, Lady Hamwee, that there are specific responsibilities for clarifying and building our trust relationship with the state. I also agree with my noble friend Lord Knight that we have to be particularly sensitive about how we handle protections at work, given their significance to the individuals involved. To ensure that these rules are effective in the light of emerging technologies and changing societal expectations, the Government have introduced reforms to these rules in the Data (Use and Access) Bill, which is currently in Committee in the Lords. I have been engaging with noble Lords on this topic and look forward to further debates on these issues next week.
The Government are confident that these reforms strike the right balance between ensuring that organisations can make the best use of automated decision-making technology to support economic growth, productivity and service delivery, while maintaining high data protection standards and public trust. I am grateful to the noble Baroness, Lady Freeman, and the noble Lord, Lord Tarassenko, for their specific insights, which will help us finesse our policies on these issues as we go forward.
We recognise that our approach to technology can sometimes be too fragmented across the public sector. To help address this, the Government are establishing a revitalised digital centre of government, with further details to be announced shortly. This transformation is being overseen by a digital inter-ministerial group which will be a powerful advocate for digital change across government, setting a clear expectation on when standards such as the ATRS must be adopted. This combination of the ATRS policy mandate and the establishment of the digital centre are moving us towards a “business as usual” process for public sector bodies to share information about how and why they use algorithmic tools.
I turn to the key proposals in the noble Lord’s Bill. The Bill would require public authorities to complete a prescribed algorithmic impact assessment, and an algorithmic transparency record, prior to deployment of an algorithmic or automated decision-making system. Public authorities would be required to give notice on a public register when decisions are made wholly or partly by such systems, and to give affected individuals meaningful information about these decisions. Further provisions include monitoring and validating performance, outcomes and data; mandatory training; prohibition of the procurement of certain systems and redress. The technical scope of the Bill is broadly similar to that of the ATRS.
The ATRS was deliberately made mandatory via cross-government policy rather than legislation in the first instance. This was to enable better testing and iteration of the ATRS; that ethos still applies. Since the introduction of the policy mandate for the ATRS, we have seen significant progress towards adoption. We are confident that the foundations are in place for a smooth ongoing approach to government algorithmic transparency, delivered from the new digital centre.
Completing and publishing ATRS records also has benefits beyond transparency. A field on risks and mitigations enables references to other resources, such as data protection impact assessment. A field on alternative solutions asks how the tool owners know this tool was the right one to deploy, and indeed, whether an algorithmic tool was necessary. As such, the ATRS encourages a holistic view of how the impact of the tool has been considered, and potential negative outcomes avoided, overlapping considerably with the requirements of an algorithmic impact assessment, as the noble Lord has proposed. As such, we do not believe that legislation for either mandatory transparency records or AIAs for public authorities is necessary at this time.
As I set out earlier, under the data protection framework, individuals already have the right to specific safeguards where they have been subject to solely automated decisions with legal or significant effects on them. These safeguards include the right to be told about a decision, the right to obtain human intervention and the right to challenge the decision. Our reforms under the Data (Use and Access) Bill specifically provide that human involvement must be meaningful. This is to prevent cursory human involvement being used to rubber-stamp decisions as having had meaningful involvement.
Where an individual believes that there has been a failure in compliance with data protection legislation, they can bring a complaint to the independent data protection regulator, the Information Commissioner’s Office. The ICO has the authority to investigate and impose significant penalties for non-compliance, providing robust safeguards against misuse of personal data. Therefore, proposals by the noble Lord are also broadly covered under the data protection framework.
The data protection framework also requires organisations to carry out data protection impact assessments prior to any processing likely to result in a high risk to data protection and to the rights and freedoms of individuals to mitigate against such risks.
To summarise, the Government believe that transparency in public sector algorithmic and automated decision-making is crucial both to building public trust and to accelerating innovation. Meaningful transparency should not merely identify the existence of such systems but also discuss their purpose and effectiveness. The ATRS provides an established and effective mechanism to deliver this transparency.
The Government are also committed to maintaining the UK’s strong data protection framework while delivering on the DSIT Secretary of State’s priorities of accelerating innovation, technology for good, and modern digital government through the Data (Use and Access) Bill.
The noble Baroness, Lady Lane-Fox, is quite right to identify the need to upskill civil servants. That has certainly been identified within my department and it is part of the need to upskill everyone for the future. Everyone in the existing generation and the next will need those skills to fulfil the exciting technological opportunities that we will have in the future, so we all have a responsibility to upskill our skills.
We look forward to continuing to engage with noble Lords on these important issues as we develop our approach, and to the many other chances we will have, starting with our debates on Monday. I look forward to those debates. If I have missed anything out—I know the noble Viscount, Lord Camrose, asked some specific questions at the end—I will follow-up in writing.
(1 week, 3 days ago)
Lords ChamberTo ask His Majesty’s Government what plans they have to overturn the convictions of sub-postmasters or former Post Office employees convicted in relation to the Capture system.
My Lords, I pay tribute to the important work that the noble Lord has done in campaigning for justice for the postmasters—and indeed his ongoing work on that issue.
We were concerned to learn about the issues outlined in the Kroll report, which related to the Capture system. However, the report did not comment on whether the convictions were unsafe. As the noble Lord will know, the Government are committed to responding to the report, and that response will be published next week. In the meantime, convictions in relation to the Capture software are being reviewed by the Criminal Cases Review Commissions. The UK Government and the Post Office are assisting them with their requests for information, and I encourage all those who believe they have been wrongly convicted to contact the CCRC.
I am grateful to the Minister for that Answer. It is now clear from the Kroll report that the Minister referred to that the Post Office’s behaviour in relation to the Capture system was just as bad as its behaviour in relation to Horizon. The Horizon Compensation Advisory Board—I declare an interest as a member of it—wrote to the Lord Chancellor in November saying that there was no difference between the Horizon victims and the Capture victims on the question of whether they should have their convictions overturned.
Might the Government consider an alternative approach, which might not offend the understandable concerns of those who do not like the idea of Parliament overturning judicial decisions? Earlier this year the noble and learned Lord, Lord Burnett, who I see in his place, proposed such an alternative arrangement, which involved the judges in an appropriate way. Perhaps we can take the opportunity of reducing the evidential requirements to take a case to the Criminal Cases Review Commission.
I thank the noble Lord for that. The proposal for the Horizon cases from the noble and learned Lord, Lord Burnett, related to the Lord Chancellor taking a power to refer cases to the Court of Appeal, and putting in place a statutory presumption that any convictions are unsafe unless there is evidence to the contrary. As noble Lords will know, this would represent a significant departure from existing appeals processes, and any further exploration of such an approach would need careful consideration, not just for this case but potentially for others. That is not to say we are dismissing it; it would be under review. I emphasise that, unlike Horizon, we do not yet have evidence that the flaws in the Capture system resulted in wrongful convictions. In fact, the Kroll report is clear on this point, stating:
“Kroll does not provide comment on whether any convictions arising from sub-postmasters using Capture could be considered unsafe”.
Part of the problem with the Kroll report is that because it related to the 1990s it had some difficulty in getting the documentation to assess whether that was the case.
My Lords, can I ask Ministers to be absolutely sure that there is no cover-up, as happened so scandalously with Horizon? Surely the plight of the sub-postmasters under Capture, as the noble Lord, Lord Arbuthnot, said, is exactly the same as under Horizon, except that the convicted Capture sub-postmasters were badly treated more than 20 years ago and have suffered ever since without any redress. All that time, the accounting officer for the Post Office was a Civil Service Permanent Secretary and the Government had their own appointee on the Post Office board. Will Ministers ensure that these sub-postmasters get the justice denied to them for so long and are not forced to go to court to do so?
My Lords, I hope my noble friend will bear with us, because we are coming back with a response on the Capture system next week, so I am sorry I am not able to answer on the detail of that. On the current ownership and governance arrangements, we are committed to a Green Paper looking at those relationships between the Post Office and the Government. It will be published in the early part of next year and will address issues about the involvement and representation on the board that my noble friend has raised.
My Lords, as my name has been mentioned on two occasions already, it is perhaps apt that I should say something. I yield to no one in my admiration for the work that the noble Lord, Lord Arbuthnot, has done in this field. He was good enough to pay an undeserved tribute to some of the work I did in the background as well. I fear, on this occasion, that in praying in aid the scheme I proposed for the Horizon problem, to deal with a constitutional solipsism, we are not yet there with Capture.
Does the Minister agree that, in our constitutional arrangements, the separation of powers and rule of law suggest that courts should deal with wrongful convictions, and overturn them if they are established as such? Does she also agree that in this instance it is much better to wait for the Criminal Cases Review Commission to refer some cases to the Court of Appeal, which will then deal with them by looking at all the facts, evidence and arguments and, if there are problems, quash the convictions?
The noble and learned Lord raises important issues of law. He will know that the Law Commission is already looking at the law relating to criminal appeals and is due to report next year. That review includes consideration of the CCRC’s role and the statutory tests it applies. The Government will carefully consider any recommendations.
To return briefly to the Capture system, the Court of Appeal is yet to overturn any convictions relating to the use of Capture. The Criminal Cases Review Commission is already considering five potential cases and it is right and proper, in these circumstances, that we let the CCRC and the SCCRC finish conducting those reviews.
My Lords, it is appalling that the key information for the Kroll report forensic investigation into Capture, which pre-dates Horizon, was provided only the day before the report was submitted to government; it did not change the report. Kroll has found that there is a “reasonable likelihood” that Capture had caused these accounting shortfalls.
Back in May, when we were discussing the Post Office (Horizon System) Offences Bill, I asked questions about Capture on three separate occasions. I was told that it was completely different and there was absolutely no connection. It now appears there is a connection. Regardless of the route to justice, will the Government undertake to move as speedily as they can, not just to overturn these cases but to provide redress to these postmasters and staff?
I thank the noble Baroness for that. There is a difference between Horizon and the Capture system. The Capture system was not networked to a central system like Horizon was, which meant the data in Capture could not be accessed or manipulated from elsewhere. However, notwithstanding that, we are looking at whether there have been miscarriages of justice. I am sorry to say this, but perhaps the noble Baroness should wait for the report we will produce next week. I feel frustrated saying this today, but I know noble Lords will understand how the machinery of government works. I hope to come back with clearer news next week.
More broadly, can the Minister tell us what safeguards are being put in place to ensure that no authority, public or private, can act with unchecked power similar to that exercised by the Post Office during the Horizon case?
The noble Lord is absolutely right to raise this; it is an issue that relates not just to the Post Office and Horizon. We are very aware of that and are looking at whether other actions should be taken on a more general basis. It is at the top of our list of concerns, and I hope we will be able to come back with more information on that.
My Lords, does the Minister not accept that in the case of Capture, as Horizon, justice delayed is justice denied? Dewi Lewis, the sub-postmaster in Penrhyndeudraeth, is the son of my late agent, Maldwyn Lewis. He had to sell his house to bail out his son, hoping to avoid further prosecution. Is it not necessary to make maximum speed with these cases to avoid such circumstances?
The noble Lord is absolutely right: speed is of the essence. No postmaster who suffered from either of these schemes should have to wait longer than is absolutely necessary. We are doing everything we can to speed up the payments for the Horizon scheme, and we are working very quickly on the Capture scheme to see whether there are major issues we need to take on immediately. We moved quickly to conclude and publish the results of the independent investigation into Capture. As I say, we are committed to publishing a response this month, which will now be next week. We are moving quickly on this. The noble Lord is absolutely right, and none of us wants to see anyone waiting longer than they should to get justice in what are some terrible cases.
(1 week, 5 days ago)
Grand CommitteeI start by thanking all noble Lords who spoke for their comments and fascinating contributions. We on these Benches share the concern of many noble Lords about the Bill allowing the use of data for research purposes, especially scientific research purposes.
Amendment 59 has, to my mind, the entirely right and important intention of preventing misuse of the scientific research exemption for data reuse by ensuring that the only purpose for which the reuse is permissible is scientific research. Clearly, there is merit in this idea, and I look forward to hearing the Minister give it due consideration.
However, there are two problems with the concept and definition of scientific research in the Bill overall, and, again, I very much look forward to hearing the Government’s view. First, I echo the important points raised by my noble friend Lord Markham. Almost nothing in research or, frankly, life more broadly, is done with only one intention. Even the most high-minded, curiosity-driven researcher will have at the back of their mind the possibility of commercialisation. Alongside protecting ourselves from the cynical misuse of science as a cover story for commercial pursuit, we have to be equally wary of creating law that pushes for the complete absence of the profit motive in research, because to the extent that we succeed in doing that, we will see less research. Secondly—the noble Viscount, Lord Colville, and the noble Lord, Lord Clement-Jones, made this point very powerfully—I am concerned that the broad definition of scientific research in the Bill might muddy the waters further. I worry that, if the terminology itself is not tightened, restricting the exemption might serve little purpose.
On Amendment 62, to which I have put my name, the same arguments very much apply. I accept that it is very challenging to find a form of words that both encourages research and innovation and does not do so at the expense of data protection. Again, I look forward to hearing the Government’s view. I am also pleased to have signed Amendment 63, which seeks to ensure that personal data can be reused only if doing so is in the public interest. Having listened carefully to some of the arguments, I feel that the public interest test may be more fertile ground than a kind of research motivation purity test to achieve that very difficult balance.
On Amendment 64, I share the curiosity to hear how the Minister defines research and statistical processes —again, not easy but I look forward to her response.
Amendment 65 aims to ensure that research seeking to use the scientific research exemption to obtaining consent meets the minimum levels of scientific rigour. The aim of the amendment is, needless to say, excellent. We should seek to avoid creating opportunities which would allow companies—especially but not uniquely AI labs—to cloak their commercial research as scientific, thus reducing the hoops they must jump through to reuse data in their research without explicit consent. However, Amendment 66, tabled in my name, which inserts the words:
“Research considered scientific research that is carried out as a commercial activity must be subject to the approval of an independent ethics committee”,
may be a more adaptive solution.
Many of these amendments show that we are all quite aligned in what we want but that it is really challenging to codify that in writing. Therefore, the use of an ethics committee to conduct these judgments may be the more agile, adaptive solution.
I confess that I am not sure I have fully understood the mechanism behind Amendments 68 and 69, but I of course look forward to the Minister’s response. I understand that they would essentially mean consent by failing to opt out. If so, I am not sure I could get behind that.
Amendment 130 would prevent the processing of personal data for research, archiving and statistical purposes if it permits the identification of a living individual. This is a sensible precaution. It would prevent the sharing of unnecessary or irrelevant information and protect people’s privacy in the event of a data breach.
Amendment 132 appears to uphold existing patient consent for the use of their data for research, archiving and statistical purposes. I just wonder whether this is necessary. Is that not already the case?
Finally, I turn to the Clause 85 stand part notice. I listened carefully to the noble Lord, Lord Clement-Jones, but I am not, I am afraid, at a point where I can support this. There need to be safeguards on the use of data for this purpose; I feel that Clause 85 is our way of having them.
My Lords, it is a great pleasure to be here this afternoon. I look forward to what I am sure will be some excellent debates.
We have a number of debates on scientific research; it is just the way the groupings have fallen. This is just one of several groupings that will, in different ways and from different directions, probe some of these issues. I look forward to drilling down into all the implications of scientific research in the round. I should say at the beginning—the noble Lord, Lord Markham, is absolutely right about this—that we have a fantastic history of and reputation for doing R&D and scientific research in this country. We are hugely respected throughout the world. We must be careful that we do not somehow begin to demonise some of those people by casting aspersions on a lot of the very good research that is taking place.
A number of noble Lords said that they are struggling to know what the definition of “scientific research” is. A lot of scientific research is curiosity driven; it does not necessarily have an obvious outcome. People start a piece of research, either in a university or on a commercial basis, and they do not quite know where it will lead them. Then—it may be 10 or 20 years later—we begin to realise that the outcome of their research has more applications than we had ever considered in the past. That is the wonderful thing about human knowledge: as we build and we learn, we find new applications for it. So I hope that whatever we decide and agree on in this Bill does not put a dampener on that great aspect of human knowledge and the drive for further exploration, which we have seen in the UK in life sciences in particular but also in other areas such as space exploration and quantum. Noble Lords could probably identify many more areas where we are increasingly getting a reputation for being at the global forefront of this thinking. We have to take the public with us, of course, and get the balance right, but I hope we do not lose sight of the prize we could have if we get the regulations and legislation right.
Let me turn to the specifics that have been raised today. Amendments 59 and 62 to 65 relate to scientific provisions, and the noble Lord, Lord Clement-Jones, the noble Viscount, Lord Colville, and others have commented on them. I should make it clear that this Bill is not expanding the meaning of “scientific research”. If anything, it is restricting it, because the reasonableness test that has been added to the legislation—along with clarification of the requirement for research to have a lawful basis—will constrain the misuse of the existing definition. The definition is tighter, and we have attempted to do that in order to make sure that some of the new developments and technologies coming on stream will fall clearly within the constraints we are putting forward in the Bill today.
Amendments 59 and 62 seek to prevent misuse of the exceptions for data reuse. I assure the noble Viscount, Lord Colville, that the existing provisions for research purposes already prevent the controller taking advantage of them for any other purpose they may have in mind. That is controlled.
I thank the Minister very much, but is she not concerned by the preliminary opinion from the EDPS, particularly that traditional academic research is blurrier than ever and that it is even harder to distinguish research which generally benefits society from that which primarily serves private interest? People in the street would be worried about that and the Bill ought to be responding to that concern.
I have not seen that observation, but we will look at it. It goes back to my point that the provisions in this Bill are designed to be future facing as well as for the current day. The strength of those provisions will apply regardless of the technology, which may well include AI. Noble Lords may know that we will bring forward a separate piece of legislation on AI, when we will be able to debate this in more detail.
My Lords, this has been a very important debate about one of the most controversial areas of this Bill. My amendments are supported across the House and by respected civic institutions such as the Ada Lovelace Institute. I understand that the Minister thinks they will stifle scientific research, particularly by nascent AI companies, but the rights of the data subject must be borne in mind. As it stands, under Clause 67, millions of data subjects could find their information mined by AI companies, to be reused without consent.
The concerns about this definition being too broad were illustrated very well across the Committee. The noble Lord, Lord Clement-Jones, said that it was too broad and must recognise that AI development will be open to using data research for any AI purposes and talked about his amendment on protecting children’s data, which is very important and worthy of consideration. This was supported by my noble friend Lady Kidron, who pointed out that the definition of scientific research could cover everything and warned that Clause 67 is not just housekeeping. She quoted the EDPS and talked about its critical clarification not being included in the transfer of the scientific definition into the Bill. The noble Lord, Lord Holmes, asked what in the Bill has changed when you consider how much has changed in AI. I was very pleased to have the support of the noble Viscount, Lord Camrose, who warned against the abuse and misuse of data and the broad definition in this Bill, which could muddy the waters. He supported the public interest test, which would be fertile ground for helping define scientific data.
Surely this Bill should walk the line in encouraging the AI rollout to boost research and development in our science sector. I ask the Minister to meet me and other concerned noble Lords to tighten up Clauses 67 and 68. On that basis, I beg leave to withdraw my amendment.
My Lords, I share the confusion of the noble Baroness, Lady Kidron, about the groupings. If we are not careful, we are going to keep returning to this issue again and again over four or five groups.
With the possible exception of the noble Lord, Lord Lucas, I think that we are all very much on the same page here. On the suggestion from the noble Viscount, Lord Colville, that we meet to discuss the precise issue of the definition of “scientific research”, this would be extremely helpful; the noble Baroness and I do not need to repeat the concerns.
I should declare an interest in two respects: first, my interests as regards AI, which are set out on the register; and, secondly—I very much took account of what the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, had to say—I chair the council of a university that has a strong health faculty. It does a great deal of health research and a lot of that research relies on NHS datasets.
This is not some sort of Luddism we are displaying here. This is caution about the expansion of the definition of scientific research, so that it does not turn into something else: that it does not deprive copyright holders of compensation, and that it does not allow personal data to be scraped off the internet without consent. There are very legitimate issues being addressed here, despite the fact that many of us believe that this valuable data should of course be used for the public benefit.
One of the key themes—this is perhaps where we come back on to the same page as the noble Lord, Lord Lucas—may be public benefit, which we need to reintroduce so that we really understand that scientific research for public benefit is the purpose we want this data used for.
I do not think I need to say much more: this issue is already permeating our discussions. It is interesting that we did not get on to it in a major way during the DPDI Bill, yet this time we have focused much more heavily on it. Clearly, in opposition, the noble Viscount has seen the light. What is not to like about that? Further discussion, not least of the amendment of the noble Baroness, Lady Kidron, further down the track will be extremely useful.
My Lords, I feel we are getting slightly repetitive, but before I, too, repeat myself, I should like to say something that I did not get the chance to say the noble Viscount, Lord Colville, the noble Baroness, Lady Kidron, and others: I will write, we will meet—all the things that you have asked for, you can take it for granted that they will happen, because we want to get this right.
I say briefly to the noble Baroness: we are in danger of thinking that the only good research is health research. If you go to any university up and down the country, you find that the most fantastic research is taking place in the most obscure subjects, be it physics, mechanical engineering, fabrics or, as I mentioned earlier, quantum. A lot of great research is going on. We are in danger of thinking that life sciences are the only thing that we do well. We need to open our minds a bit to create the space for those original thinkers in other sectors.
Perhaps I did not make myself clear. I was saying that the defence always goes to space or to medicine, and we are trying to ascertain the product development that is not textiles, and so on. I have two positions in two different universities; they are marvellous places; research is very important.
I am glad we are on the same page on all that.
I now turn to the specifics of the amendments. I thank the noble Lords, Lord Freyberg and Lord Holmes, and the noble Viscount, Lord Camrose, for their amendments, and the noble Lord, Lord Lucas, for his contribution. As I said in the previous debate, I can reassure all noble Lords that if an area of research does not count as scientific research at the moment, it will not under the Bill. These provisions do not expand the meaning of scientific research. If noble Lords still feel unsure about that, I am happy to offer a technical briefing to those who are interested in this issue to clarify that as far as possible.
Moreover, the Bill’s requirement for a reasonableness test will help limit the misuse of this definition more than the current UK GDPR, which says that scientific research should be interpreted broadly. We are tightening up the regulations. This is best assessed on a case-by- case basis, along with the ICO guidance, rather than automatically disqualifying or passing into our activity sectors by approval.
Scientific research that is privately funded or conducted by commercial organisations can also have a life-changing impact. The noble Lord, Lord Markham, was talking earlier about health; issues such as the development of Covid vaccines are just one example of this. It was commercial research that was absolutely life-saving, at the end of the day.
Can the Minister say whether this will be a Bill, a draft Bill or a consultation?
We will announce this in the usual way—in due course. I refer the noble Lord to the King’s Speech on that issue. I feel that noble Lords want more information, but they will just have to go with what I am able to say at the moment.
Perhaps another aspect the Minister could speak to is whether this will be coming very shortly, shortly or imminently.
Let me put it this way: other things may be coming before it. I think I promised at the last debate that we would have something on copyright in the very, very, very near future. This may not be as very, very, very near future as that. We will tie ourselves in knots if we carry on pursuing this discussion.
On that basis, I hope that this provides noble Lords with sufficient reassurance not to press their amendments.
I thank your Lordships for this interesting debate. I apologise to the Committee for degrouping the amendment on copyright, but I thought it was important to establish from the Minister that there really was no effect on the copyright Act. I am very reassured that she has said that. It is also reassuring to hear that there will be more of an opportunity to look at this issue in greater detail. On that basis, I beg leave to withdraw the amendment.
My Lords, I welcome the noble Viscount to the sceptics’ club because he has clearly had a damascene conversion. It may be that this goes too far. I am slightly concerned, like him, about the bureaucracy involved in this, which slightly gives the game away. It could be seen as a way of legitimising commercial research, whereas we want to make it absolutely certain that that research is for the public benefit, rather than imposing an ethical board on every single aspect of research which has any commercial content.
We keep coming back to this, but we seem to be degrouping all over the place. Even the Government Whips Office seems to have given up trying to give titles for each of the groups; they are just called “degrouped” nowadays, which I think is a sign of deep depression in that office. It does not tell us anything about what the different groups contain, for some reason. Anyway, it is good to see the noble Viscount, Lord Camrose, kicking the tyres on the definition of the research aspect.
I am not quite sure about the groupings, either, but let us go with what we have. I thank noble Lords who have spoken, and the noble Viscount, Lord Camrose, for his amendments. I hope I am able to provide some reassurance for him on the points he raised.
As I said when considering the previous group, the Bill does not expand the definition of scientific research. The reasonableness test, along with clarifying the requirement for researchers to have a lawful basis, will significantly reduce the misuse of the existing definition. The amendment seeks to reduce the potential for misuse of the definition of scientific research by commercial companies using AI by requiring scientific researchers for a commercial company to submit their research to an ethics committee. As I said on the previous group, making it a mandatory requirement for all research may impede studies in areas that might have their own bespoke ethical procedures. This may well be the case in a whole range of different research areas, particularly in the university sector, and in sectors more widely. Some of this research may be very small to begin with but might grow in size. The idea that a small piece of start-up research has to be cleared for ethical research at an early stage is expecting too much and will put off a lot of the new innovations that might otherwise come forward.
Amendment 80 relates to Clause 71 and the reuse of personal data. This would put at risk valuable research that relies on data originally generated from diverse contexts, since the difference between the purposes may not always be compatible.
Turning to Amendment 67, I can reassure noble Lords that the concept of broad consent is not new. Clause 68 reproduces the text from the current UK GDPR recitals because the precise definition of scientific research may become clear only during later analysis of the data. Obtaining broad consent for an area of research from the outset allows scientists to focus on potentially life-saving research. Clause 68 has important limitations. It cannot be used if the researcher already knows the specific purpose—an important safeguard that should not be removed. It also includes a requirement to give the data subject the choice to consent to only part of the research processing, if possible. Most importantly, the data subject can revoke their consent at any point. I hope this reassures the noble Viscount, Lord Camrose, and he feels content to withdraw his amendment on this basis.
I thank the noble Viscount, Lord Colville, and the noble Lord, Lord Clement-Jones, for their remarks and support, and the Minister for her helpful response. Just over 70% of scientific research in the UK is privately funded, 28% is taxpayer funded and around 1% comes through the charity sector. Perhaps the two most consequential scientific breakthroughs of the last five years, Covid vaccines and large language models, have come principally from private funding.
My Lords, when the noble Lord, Lord Clement-Jones, opened his speech he said that he hoped that noble Lords would be made of strong stuff while he worked his way through it. I have a similar request regarding my response: please bear with me. I will address these amendments slightly out of order to ensure that related issues are grouped together.
The Schedule 4 stand part notice, and Amendments 73 and 75, tabled by the noble Lord, Lord Clement-Jones, and supported by the noble Baroness, Lady Kidron, would remove the new lawful ground of “recognised legitimate interests” created by Clause 70 and Schedule 4 to the Bill. The aim of these provisions is to give data controllers greater confidence about processing personal data for specified and limited public interest objectives. Processing that is necessary and proportionate to achieve one of these objectives can take place without a person’s consent and without undertaking the legitimate interests balancing test. However, they would still have to comply with the wider requirements of data protection legislation, where relevant, ensuring that the data is processed in compliance with the other data protection principles.
I say in response to the point raised by the noble Lord, Lord Cameron, that the new lawful ground of recognised legitimate interest will apply from the date of commencement and will not apply retrospectively.
The activities listed include processing of data where necessary to prevent crime, safeguarding national security, protecting children or responding to emergencies. They also include situations where a public body requests that a non-public body share personal data with it to help deliver a public task that is sanctioned by law. In these circumstances, it is very important that data is shared without delay, and removal of these provisions from the Bill, as proposed by the amendment, could make that harder.
Amendment 74, tabled by noble Lord, Lord Scriven, would prevent health data being processed as part of this new lawful ground, but this could have some unwelcome effects. For example, the new lawful ground is designed to give controllers greater confidence about reporting safeguarding concerns, but if these concerns relate to a vulnerable person’s health, they would not be able to rely on the new lawful ground to process the data and would have to identify an alternative lawful ground.
On the point made by the noble Lord, Lord Clement-Jones, about which data controllers can rely on the new lawful ground, it would not be available to public bodies such as the NHS; it is aimed at non-public bodies.
I reassure noble Lords that there are still sufficient safeguards in the wider framework. Any processing that involves special category data, such as health data, would also need to comply with the conditions and safeguards in Article 9 of the UK GDPR and Schedule 1 to the Data Protection Act 2018.
Amendment 78A, tabled by the noble Lord, Lord Clement-Jones, would remove the new lawful ground for non-public bodies or individuals to disclose personal data at the request of public bodies, where necessary, to help those bodies deliver their public interest tasks without carrying out a legitimate interest balance test. We would argue that, without it, controllers may lack certainty about the correct lawful ground to rely on when responding to such requests.
Amendment 76, also tabled by the noble Lord, Lord Clement-Jones, would remove the powers of regulations in Clause 70 that would allow the Secretary of State to keep the list of recognised legitimate interests up to date. Alternatively, the noble Lord’s Amendment 78 would require the Secretary of State to publish a statement every time he added a new processing activity to the list, setting out its purpose, which controllers it was aimed at and for how long they can use it. I reassure the noble Lord that the Government have already taken steps to tighten up these powers since the previous Bill was considered by this House.
Any new processing activities added would now also have to serve
“important objectives of … public interest”
as described in Article 23.1 of the UK GDPR and, as before, new activities could be added to the list only following consultation with the ICO and other interested parties. The Secretary of State would also have to consider the impact of any changes on people’s rights and have regard to the specific needs of children. Although these powers are likely to be used sparingly, the Government think it important that they be retained. I reassure the Committee that we will be responding to the report from the Delegated Powers Committee within the usual timeframes and we welcome its scrutiny of the Bill.
The noble Lord’s Amendment 77 seeks to make it clear that organisations should also be able to rely on Article 6.1(f) to make transfers between separate businesses affiliated by contract. The list of activities mentioned in Clause 70 is intended to be illustrative only and is drawn from the recitals to the UK GDPR. This avoids providing a very lengthy list that might be viewed as prescriptive. Article 6.1(f) of the UK GDPR is flexible. The transmission of personal data between businesses affiliated by contract may constitute a legitimate interest, like many other commercial interests. It is for the controller to determine this on a case-by-case basis.
I will now address the group of amendments tabled by the noble Lord, Lord Clement-Jones, concerning the purpose limitation principle, specifically Amendments 83 to 86. This principle limits the ways that personal data collected for one purpose can be used for another, but Clause 71 aims to provide more clarity and certainty around how it operates, including how certain exemptions apply.
Amendment 84 seeks to clarify whether the first exemption in proposed new Annexe 2 to the UK GDPR would allow personal data to be reused for commercial purposes. The conditions for using this exemption are that the requesting controller has a public task or official authority laid down in law that meets a public interest objective in Article 23.1 of the UK GDPR. As a result, I and the Government are satisfied that these situations would be for limited public interest objectives only, as set out in law.
Amendments 85 and 86 seek to introduce greater transparency around the use of safeguarding exemptions in paragraph 8 of new Annexe 2. These conditions are drawn from the Care Act 2014 and replicated in the existing condition for sensitive data processing for safeguarding purposes in the Data Protection Act 2018. I can reassure the Committee that processing cannot occur if it does not meet these conditions, including if the vulnerability of the individual no longer exists. In addition, requiring that an assessment be made and given to the data subject before the processing begins could result in safeguarding delays and would defeat the purpose of this exemption.
Amendment 83 would remove the regulation-making powers associated with this clause so that new exceptions could not be added in future. I remind noble Lords that there is already a power to create exemptions from the purpose limitation principle in the DPA 2018. This Bill simply moves the existing exemptions to a new annexe to the UK GDPR. The power is strictly limited to the public objectives listed in Article 23.1 of the UK GDPR.
I now turn to the noble Lord’s Amendment 89, which seeks to set conditions under which pseudonymised data should be treated as personal data. This is not necessary as pseudonymised data already falls within the definition of personal data under Article 4.1 of the UK GDPR. This amendment also seeks to ensure that a determination by the ICO that data is personal data applies
“at all points in that processing”.
However, the moment at which data is or becomes personal should be a determination of fact based on its identifiability to a living individual.
I turn now to Clause 74 stand part, together with Amendment 90. Noble Lords are aware that special categories of data require additional protection. Article 9 of the UK GDPR sets out an exhaustive list of what is sensitive data and outlines processing conditions. Currently, this list cannot be amended without primary legislation, which may not always be available. This leaves the Government unable to respond swiftly when new types of sensitive data are identified, including as a result of emerging technologies. The powers in Clause 74 enable the Government to respond more quickly and add new special categories of data, tailor the conditions applicable to their use and add new definitions if necessary.
Finally, I turn to the amendment tabled by the noble Lord, Lord Clement-Jones, that would remove Schedule 7 from the Bill. This schedule contains measures to create a clearer and more outcomes-focused UK international data transfers regime. As part of these reforms, this schedule includes a power for the Secretary of State to recognise new transfer mechanisms for protecting international personal data transfers. Without this, the UK would be unable to respond swiftly to emerging developments and global trends in personal data transfers. In addition, the ICO will be consulted on any new mechanisms, and they will be subject to debate in Parliament under the affirmative resolution procedure.
I hope this helps explain the Government’s intention with these clauses and that the noble Lord will feel able to withdraw his amendment.
My Lords, I thank the Minister. She covered quite a lot of ground and all of us will have to read Hansard quite carefully. However, it is somewhat horrifying that, for a Bill of this size, we had about 30 seconds from the Minister on Schedule 7, which could have such a huge influence on our data adequacy when that is assessed next year. I do not think anybody has talked about international transfers at this point, least of all me in introducing these amendments. Even though it may appear that we are taking our time over this Bill, we are not fundamentally covering all its points. The importance of this Bill, which obviously escapes most Members of this House—there are just a few aficionados—is considerable and could have a far-reaching impact.
I still get Viscount Camrose vibes coming from the Minister.
I thank all noble Lords who have raised this important topic. I say at the outset that I appreciate and pay tribute to those who have worked on this for many years—in particular the noble Baroness, Lady Kidron, who has been a fantastic champion of these issues.
I also reassure noble Lords that these provisions are intended to build upon, and certainly not to undermine, the rights of children as they have previously been defined. We share noble Lords’ commitment to ensuring high standards of protection for children. That is why I am glad that the Bill, together with existing data protection principles, already provides robust protections for children. I hope that my response to these amendments shows that we take these issues seriously. The ICO also recognises in its guidance, after the UN Committee on the Rights of the Child, that the duties and responsibilities to respect the rights of children extend in practice to private actors and business enterprises.
Amendment 82, moved by the noble Lord, Lord Clement-Jones, would exclude children’s personal data from the exemptions to the purpose limitation principles in Schedule 5 to the Bill. The new purposes are for important public interests only, such as safeguarding vulnerable individuals or children. Broader existing safeguards in the data protection framework, such as the fairness and lawfulness principles, also apply. Prohibiting a change of purpose in processing could impede important activities, such as the safeguarding issues to which I have referred.
Amendment 88, tabled by the noble Baroness, Lady Kidron, would introduce a new duty requiring all data controllers to consider that children are entitled to higher protection than adults. We understand the noble Baroness’s intentions and, in many ways, share her aims, but we would prefer to focus on improving compliance with the current legislation, including through the way the ICO discharges its regulatory functions.
In addition, the proposed duty could have some unwelcome and unintended effects. For example, it could lead to questions about why other vulnerable people are not entitled to enhanced protections. It would also apply to organisations of all sizes, including micro-businesses and voluntary sector organisations, even if they process children’s data on only a small scale. It could also cause confusion about what they would need to do to verify age to comply with the new duty.
Amendment 94, also tabled by the noble Baroness, would ensure that the new notification exemptions under Article 13 would not apply to children. However, removing children’s data from this exemption could mean that some important research—for example, on the causes of childhood diseases—could not be undertaken if the data controller were unable to contact the individuals about the intended processing activity.
Amendment 135 would place new duties on the ICO to uphold the rights of children. The ICO’s new strategic framework, introduced by the Bill, has been carefully structured to achieve a similar effect. Its principal objective requires the regulator to
“secure an appropriate level of protection for personal data”.
This gives flexibility and nuance in the appropriateness of the level of protections; they are not always the same for all data subjects, all the time.
Going beyond this, though, the strategic framework includes the new duty relating to children. This acknowledges that, as the noble Baroness, Lady Kidron, said, children may be less aware of the risks and consequences associated with the processing of their data, as well of as their rights. As she pointed out, this is drawn from recital 38 to the UK GDPR, but the Government’s view is that the Bill’s language gives sufficient effect to the recital. We recognise the importance of clarity on this issue and hope that we have achieved it but, obviously, we are happy to talk further to the noble Baroness on this matter.
This duty will also be a consideration for the ICO and one to which the commissioner must have regard across all data protection activities, where relevant. It will inform the regulator’s thinking on everything from enforcement to guidance, including how work might need to be tailored to suit children at all stages of childhood in order to ensure that the levels of protection are appropriate.
Finally, regarding Amendment 196—
I thank the Minister for giving way. I would like her to explain why only half of the recital is in the Bill and why the fact that children merit special attention is in the Bill. How can it possibly be that, in this Bill, we are giving children adequate protection? I can disagree with some of the other things that she said, but I would like her to answer that specific question.
To be on the safe side, I will write to the noble Baroness. We feel that other bits in the provisions of the Bill cover the other aspects but, just to be clear on it, I will write to her. On Amendment 196 and the Online Safety Act—
I am sorry to interrupt but I am slightly puzzled by the way in which that exchange just happened. I take it from what the Minister is saying that there is no dissent, in her and the Bill team’s thinking, about children’s rights having to be given the correct priority, but she feels that the current drafting is better than what is now proposed because it does not deflect from the broader issues that she has adhered to. She has fallen into the trap, which I thought she never would do, of blaming unintended consequences; I am sure that she will want to rethink that before she comes back to the Dispatch Box.
Surely the point being made here is about the absolute need to make sure that children’s rights never get taken down because of the consideration of other requirements. They are on their own, separate and not to be mixed up with those considerations that are truly right for the commissioner—and the ICO, in its new form—to take but which should never deflect from the way children are protected. If the Minister agrees with that, could she not see some way of reaching out to be a bit closer to where the noble Baroness, Lady Kidron, is?
I absolutely recognise the importance of the issues being raised here, which is why I think I really should write: I want to make sure that whatever I say is properly recorded and that we can all go on to debate it further. I am not trying to duck the issue; this issue is just too important for me to give an off-the-cuff response on it. I am sure that we will have further discussions on this. As I say, let me put it in writing, and we can pick that up. Certainly, as I said at the beginning, our intention was to enhance children’s protection rather than deflect from it.
Moving on to Amendment 196, I thank the noble Lord, Lord Clement-Jones, and other noble Lords for raising this important issue and seeking clarity on how the provision relates to the categorisation of services in the Online Safety Act. These categories are, however, not directly related to Clause 122 of this Bill as a data preservation notice can be issued to any service provider regulated in the Online Safety Act, regardless of categorisation. A list of the relevant persons is provided in paragraphs (a) to (e) of Section 100(5) of the Act; it includes any user-to-user service, search service and ancillary service.
I absolutely understand noble Lords saying that these things should cross-reference in some way but, as far we are concerned, they complement each other, and that protection is currently in the Online Safety Act. As I said, I will write to noble Lords and am happy to meet if that would be helpful. In the meantime, I hope that the explanations I have given are sufficient grounds for noble Lords not to press their amendments at this stage.
(2 weeks, 5 days ago)
Grand CommitteeMy Lords, I am not sure whether I should open by saying that it is a pleasure to take part in the passage of the third iteration of this Bill, but, as I said at Second Reading, this is an improvement. Nevertheless, there are aspects of the Bill that need close scrutiny.
The noble Viscount, Lord Camrose, explained his approach to this Bill. Our approach is that we very much support the use of data for public benefit but, at the same time, we want to make sure that this Bill does not water down individual data rights and that they are, where necessary, strengthened. In that spirit, I wish to ask the Minister about the general nature of Clause 1, rather than following up on the amendments tabled by the noble Viscount.
The definition of “business data” seems quite general. A report that came out yesterday, Data On Our Minds: Affective Computing At Work, highlighted the kinds of data that are now being collected in the workplace. It is a piece of work sponsored by the Joseph Rowntree Charitable Trust, the Trust for London and the Institute for the Future of Work. They are concerned about the definition of “business data”. The Minister probably will not have an answer on this matter at this stage but it would be useful if she could write in due course to say whether the definition of excludes emotional data and neurosurveillance data collected from employees.
This is very much a workplace question rather than a question about the customer; I could ask the same question about the customer, I suppose, except the report is about workplace data collection. I thought I would opportunistically take advantage of the rather heavy de-grouping that has taken place and ask the Minister a question.
First, let me say what a pleasure it is to be back on this old ground again, although with slightly different functions this time round. I very much support what the noble Viscount, Lord Camrose, said. We want to get the wording of this Bill right and to have a robust Bill; that is absolutely in our interests. We are on the same territory here. I thank the noble Viscount and other noble Lords for expressing their interest.
On Amendments 1 and 2, the Government consider the terms used in Part 1, as outlined in Clause 1, necessary to frame the persons and the data to which a scheme will apply. The noble Lord, Lord Clement-Jones, mentioned the powers. I assure him that the powers in Part 1 sit on top of the Data Protection Act. They are not there instead of it; they are another layer on top of it, and they provide additional rights over and above what already exists.
In relation to the specific questions from the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, smart data schemes require suppliers or providers of goods, services or digital content to provide data. They are referred to as “traders” in accordance with recent consumer legislation, including the Consumer Rights Act 2015. The term “data holder” ensures that the requirements may also be imposed on any third party that might hold the data on the trader’s behalf. That is why these additional terminologies have been included: it is based on existing good legislation. I hope noble Lords will recognise why this is necessary and that this explains the rationale for these terms. These terms are independent of terms in data protection legislation; they have a different scope and that is why separate terms are necessary. I hope that, on that basis, the noble Viscount will withdraw his amendment.
I thank the Minister for that explanation. I see the point she makes that, in existing legislation, these terms are used. I wonder whether there is anything we can do better to explain the terms. There seems to be significant overlap between processors, holders, owners and traders. The more we can do to clarify absolutely, with great rigour, what those terms mean, the more we will bring clarity and simplicity to this necessarily complex body of law.
I thank the Minister for explaining the rationale. I am satisfied that, although it may not be the most elegant outcome, for the time being, in the absence of a change to the 2015 Act that she references, we will probably have to grin and bear it. I beg leave to withdraw the amendment.
My Lords, Amendments 3, 4 and 20 seek to probe the Government’s position on the roles of the Secretary of State and the Treasury. Amendment 6 seeks to probe whether the Treasury or the Secretary of State shall have precedence when making regulations under this Bill.
Clarity over decision-making powers is critical to good governance, in particular over who has final decision rights and in what circumstances. Throughout Part 1 of the Bill, the Secretary of State and the Treasury are both given regulation-making powers, often on the same matter. Our concern is that having two separate Ministers and two departments responsible for making the same regulations is likely to cause problems. What happens if and when the departments have a difference of opinion on what these regulations should contain or achieve? Who is the senior partner in the relationship? When it comes to putting statute on paper, who has the final say, the Secretary of State or the Treasury?
All the amendments are probing and, at this point, simply seek greater clarification from the Government. If the Minister can explain why two departments are jointly responsible for the same regulations, why this is necessary and a good idea, and what provisions will be in place to avoid legislative confusion, I will be happy not to press the amendments.
The amendments in group 2 cover smart data and relate to the Secretary of State and the Treasury. Apart from the financial services sector clauses, most of the powers in Part 1, as well as the statutory spending authority in Clause 13, are imposed on the Secretary of State and the Treasury. That is the point that the noble Viscount made. These allow the relevant government departments to make smart data regulations. Powers are conferred on the Treasury as the department responsible for financial services, given the Government’s commitment to open banking and open financing. There is no precedence between the Secretary of State or the Treasury when using these powers, as regulations are likely to be made by the department responsible for the sector to which the smart data scheme applies, following, as with other regulations, the appropriate cross-government write-round and collective agreement procedures. I add that interdepartmental discussions are overseen by the Smart Data Council, which will give advice on this issue.
The noble Viscount raises concerns relating to Clause 13. Just as regulations may be made by the relevant government department, it is most appropriate for financial assistance to be provided by the government department responsible for the smart data scheme in question. Clause 13 is intended to provide statutory authority for that assistance, as a matter of regularity. It is for these reasons that I urge the noble Viscount not to press these amendments. These are standard procedures where the Treasury is involved and that is why more than one department is referenced.
I thank the Minister for that explanation. I am pleased to hear that these are standard procedures. Will she put that in writing, in a letter to me, explaining and setting it out so that we have it on the record? It is really important to understand where the decisions break down and to have a single point of accountability for all such decisions and, if it cannot be in the Bill, it could at least be explained elsewhere. Otherwise, I am happy to proceed with the explanation that she has kindly given.
I thank my noble friends Lord Lucas and Lord Arbuthnot for their Amendments 5, 34, 48, 200 and 202. They and other noble Lords who have spoken have powerfully raised some crucial issues in these amendments.
Amendment 5 addresses a key gap, and I take on board what my noble friend Lord Markham said, in how we manage and use customer data in specific contexts. At its heart, it seeks to enable effective communication between organisations holding customer data and customers themselves. The ability to communicate directly with individuals in a specified manner is vital for various practical reasons, from regulatory compliance to research purposes.
One clear example of where this amendment would be crucial is in the context of the Student Loans Company. Through this amendment, the Secretary of State could require the SLC to communicate with students for important purposes, such as conducting research into the outcomes of courses funded by loans. For instance, by reaching out to students who have completed their courses, the SLC could gather valuable insights into how those qualifications have impacted on their employment prospects, income levels or career trajectories. This is the kind of research that could help shape future educational policies, ensuring that loan schemes are working as intended and that the investments made in students’ education are yielding tangible benefits. This, in turn, would allow for better decision-making on future student loans funding and educational opportunities.
Amendment 34 from my noble friend Lord Arbuthnot proposes a welcome addition to the existing clause, specifically aiming to ensure that public authorities responsible for ascertaining key personal information about individuals are reliable in their verification processes and provide clear, accurate metadata on that information. This amendment addresses the essential issue of trust and reliability in the digital verification process. We increasingly rely on digital systems to confirm identity, and for these systems to be effective, we have to make sure that the core information they are verifying is accurate and consistent. If individuals’ key identifying details—date of birth, place of birth and, as we heard very powerfully, sex at birth—are not consistently or accurately recorded across various official databases, it undermines the integrity of the digital verification process. It is important that we have consistency across the public authorities listed in this amendment. By assessing whether these bodies are accurately verifying and maintaining this data, we can ensure uniformity in the information they provide. This consistency is essential for establishing a reliable foundation for digital verification.
When we consider the range of public services that rely on personal identification information, from the NHS and His Majesty’s Revenue and Customs to the Home Office, they are all responsible for verifying identity in some capacity. The amendment would ensure that the data they are using is robust, accurate and standardised, creating smoother interactions for individuals seeking public services. It reduces the likelihood of discrepancies that delay or prevent access to public services.
Amendment 48 would introduce important protections for the privacy and integrity of personal information disclosed by public authorities. In our increasingly digital world, data privacy has become one of the most pressing concerns for individuals and for society. By requiring public authorities to attest to the accuracy, integrity and clarity of the data they disclose, the amendment would help to protect the privacy of individuals and ensure that their personal information was handled with the proper care and respect.
My noble friend Lord Lucas’s Amendment 200 would introduce a data dictionary. It would allow the Secretary of State to establish regulations defining key terms used in digital verification services, birth and death registers, and public data more generally. I heard clearly the powerful arguments about sex and gender, but I come at the issue of data dictionaries from the angle of the efficiency, effectiveness and reusability of the data that these systems generate. The more that we have a data dictionary defining the metadata, the more we will benefit from the data used, whichever of these bodies generates the data itself. I am supportive of the requirement to use a data dictionary to provide standardised definitions in order to avoid confusion and ensure that data used in government services is accurate, reliable and consistent. The use of the negative resolution procedure would ensure that Parliament had oversight while allowing for the efficient implementation of these definitions.
Amendment 202 would create a national register for school admissions rules and outcomes in England. This would be a crucial step towards increasing transparency and ensuring fairness in the school admissions process, which affects the lives of millions of families every year. We want to ensure that navigating the school admissions system is not overly opaque and too complex a process for many parents. With different schools following different rules, criteria and procedures, it can, as my noble friend, Lord Lucas, pointed out, be difficult for families to know what to expect or how best to make informed decisions. The uncertainty can be especially challenging for those who are new to the system, those who face language barriers or those in areas where the school’s rules are not readily accessible or clear.
For many parents, particularly those in areas with complex school systems or scarce school places, access to clear, consistent information can make all the difference. This amendment would allow parents to see exactly how the school admissions process works and whether they were likely to secure a place at their preferred school. By laying out the rules in advance, the system would ensure that parents could make better informed decisions about which schools to apply to, based on criteria such as proximity, siblings or academic performance.
We want to ensure that parents understand how decisions are made and whether schools are adhering to the rules fairly. By requiring all schools to publish their admissions rules and the outcomes of their admissions process, the amendment would introduce a level of accountability. I join other noble Lords in strongly supporting this amendment, as it would create a more effective and efficient school admissions system that works for everyone.
My Lords, we have had a good and wide-ranging discussion on all this. I will try to deal with the issues as they were raised.
I thank the noble Lord, Lord Lucas, for the proposed Amendment 5 to Clause 2. I am pleased to confirm that the powers under Clauses 2 and 4 can already be used to provide customer data to customers or third parties authorised by them, and for the publication or disclosure of wider data about the goods or services that the supplier provides. The powers provide flexibility as to when and how the data may be provided or published, which was in part the point that the noble Viscount, Lord Camrose, was making. The powers may also be used to require the collection and retention of specific data, including to require new data to be gathered by data holders so that this data may be made available to customers and third parties specified by regulations.
I note in particular the noble Lord’s interest in the potential uses of these powers for the Student Loans Company. It would be for the Department for Education to consider whether the use of the smart data powers in Part 1 of the Bill may be beneficial in the context of providing information about student loans and to consult appropriately if so, rather than to specify it at this stage in the Bill. I hope the noble Lord will consider those points and how it can best be pursued with that department in mind.
On Amendments 34, 48 and 200, the Government believe that recording, storing and sharing accurate data is essential to deliver services that meet citizens’ needs. Public sector data about sex and gender is collected based on user needs for data and any applicable legislation. As noble Lords have said, definitions and concepts of sex and gender differ.
Amendment 48 would require that any information shared must be accurate, trusted and accompanied by meta data. Depending on the noble Lord’s intentions here, this could either duplicate existing protections under data protection legislation or, potentially, conflict with them and other legal obligations.
The measures in Part 2 of the Bill are intended to secure the reliability of the process by which citizens verify their data. It is not intended to create new ways to determine a person’s sex or gender but rather to allow people to digitally verify the facts about themselves based on documents that already exist. It worries me that, if noble Lords pursued their arguments, we could end up with a passport saying one thing and a digital record saying something different. We have to go back to the original source documents, such as passports and birth certificates, and rely on them for accuracy, which would then feed into the digital record—otherwise, as I say, we could end up pointing in two different directions.
I reassure the noble Lord, Lord Arbuthnot, that my colleague, Minister Clark, is due to meet Sex Matters this week to discuss digital verification services. Obviously, I am happy to encourage that discussion. However, to prescribe where public authorities can usefully verify “sex at birth”, as noble Lords now propose, extends well beyond the scope of the measures in the Bill, so I ask them to reflect on that and whether this is the right place to pursue those issues.
In addition, the Government recently received the final report of the Sullivan review of data, statistics and research on sex and gender, which explores some of these matters in detail. These matters are more appropriately considered holistically—for example, in the context of that report—rather than by a piecemeal approach, which is what is being proposed here. We are currently considering our response to that report. I hope noble Lords will consider that point as they consider their amendments; this is already being debated and considered elsewhere.
Amendment 202 seeks to create a national register of individual school admissions arrangements and outcomes, which can be used to provide information to parents to help them understand their chances of securing a place at their local school. I agree with the noble Lord that choosing a school for their child is one of the most important decisions that a parent can make. That is why admissions authorities are required to publish admission arrangements on their schools’ websites. They must also provide information to enable local authorities to publish an annual admissions prospectus for parents, including admissions arrangements and outcomes for all state schools in their area.
I refer the noble Lord, Lord Lucas, to the School Information (England) Regulations 2008, which require admission authorities and local authorities to publish prescribed information relating to admissions. Those protections are already built into the legislation, and if a local authority is not complying with that, there are ways of pursuing it. We believe that the existing approach is proportionate, reflects the diversity of admissions arrangements and local circumstances, and is not overly burdensome on schools or local authorities, while still enabling parents to have the information they need about their local schools.
I hope that, for all the reasons I have outlined, noble Lords will be prepared not to press their amendments.
My Lords, I am delighted that the Government have chosen to take forward the smart data schemes from the DPDI Bill. The ability seamlessly to harness and use data is worth billions to the UK economy. However, data sharing and the profit that it generates must be balanced against proper oversight.
Let me start by offering strong support to my noble friend Lord Arbuthnot’s Amendment 7. Personally, I would greatly welcome a more sophisticated and widespread insurance market for cyber protections. Such a market would be based on openly shared data; the widespread publication of that data, as set out in the amendment, could help to bring this about.
I also support in principle Amendments 8 and 10 in the name of the noble Lord, Lord Clement-Jones, because, as I set out on the previous group, there is real and inherent value in interoperability. However, I wonder whether the noble Lord might reconsider the term “machine readable” and change it to something— I do not think that I have solved it—a bit more like “digitally interoperable”. I just worry that, in practice, everything is machine-readable today and the term might become obsolete. I am keen to hear the Minister’s response to his very interesting Amendment 31 on the compulsion of any person to provide data.
I turn to the amendments in my name. Amendment 16 would insert an appeals mechanism by which a person is charged a fee under subsection (1). It is quite reasonable that persons listed under subsection (2)—that is, data holders, decision-makers, interface bodies, enforcers and others with duties or powers under these regulations —may charge a fee for the purposes of meeting the expenses they incur, performing duties or exercising powers imposed by regulations made under this part. However, there should be an appeals mechanism so that, in the event that a person is charged an unreasonable fee, they have a means of recourse.
Amendment 17 is a probing amendment intended to explore the rate at which interest accrues on money owed to specific public authorities for unpaid levies. Given that this interest will be mandated by law, do the Government intend to monitor the levels and, if so, how?
Amendment 18 is a probing amendment designed to explore how the Government intend to deal with a situation when a person listed under subsection (2) of this clause believes they have been charged a levy wrongly. Again, it is reasonable that an appeals mechanism be created, and this would ensure that those who considered themselves to have been wrongly charged have a means of recourse.
Amendment 19 is looking for clarification on how the Government envisage unpaid levies being recovered. I would be grateful if the Minister could set out some further detail on that matter.
Amendment 21 is a probing amendment. I am curious to know the maximum value of financial assistance that the Government would allow the Secretary of State or the Treasury to give to persons under Clause 13. I do not think it would be prudent for the Government to become a financial backstop for participants in smart data schemes, so on what basis is that maximum going to be calculated?
Amendment 22 follows on from those concerns and looks to ensure that there is parliamentary oversight of any assistance provided. I am most curious to hear the Minister’s comments on this matter.
Amendment 23 is a straightforward—I think—amendment to the wording. I feel that the phrase “reasonably possible” seems to open the door to almost limitless endeavours and therefore suggest replacing it with “reasonably practicable”.
On Amendment 25, easy access to the FCA’s policy regarding penalties and levies is important. That would allow oversight, not only parliamentary but by those who are directly or indirectly affected by decisions taken under this policy. I therefore believe the amendment is necessary, as a website is the most accessible location for that information. Furthermore, regular review is necessary to ensure that the policy is functioning and serving its purpose.
Amendments 26 and 27 return to the matter of an appeals process. I will not repeat myself too much, but it is important to be able to appeal penalties and to create a route by which individuals understand how they can go about doing so.
Amendment 28 would ensure that, when the Secretary of State and the Treasury review the regulations made under Part 1 of the Bill, they do so concurrently. This amendment would prevent separate reviews being conducted that may contradict each other or be published at different times; it would force the relevant departments to produce one review and to produce it together. This would be prudent. It would prevent the Government doing the same work twice, unnecessarily spending public money, and would prevent contradicting reviews, which may cause confusion and financial costs in the smart data scheme industry.
Lastly, Amendment 29, which would ensure that Section 10 of this part was subject to the affirmative procedure, would allow for parliamentary oversight of regulations made under this clause.
We are pleased that the Government have chosen to bring smart data schemes forward, but I hope the Minister can take my concerns on board and share with us some of the detail in her response.
My Lords, we have had a detailed discussion, and it may be that I will not be able to pick up all the points that noble Lords have raised. If I do not, I guarantee to write to people.
First, I want to pick up the issues raised by the noble Lord, Lord Arbuthnot, and the noble Baroness, Lady Neville-Jones, about cybersecurity and cyber resilience. This Government, like previous Governments, take this issue hugely seriously. It is built into all our thinking. The noble Lord, and the noble Baroness in particular, will know that the advice we get on all these issues is top class. The Government are already committed to producing a cybersecurity and resilience Bill within this Parliament. We have all these things in hand, and that will underpin a lot of the protections that we are going to have in this Bill and others. I agree with noble Lords that this is a hugely important issue.
I am pleased to confirm that Clause 3(7) allows the regulations to impose requirements on third-party recipients in relation to the processing of data, which will include security-related requirements. So it is already in the Bill, but I assure noble Lords that it will be underpinned, as I say, by other legislation that we are bringing forward.
In relation to Amendments 8 and 10, I am pleased to confirm that Clause 5(4) clarifies that regulations may make provision about the providing or publishing of business data and the format in which that must be provided. That may include relevant energy-related data. The noble Lord gave some very good examples about how useful those connections and that data could be; he was quite right to raise those issues.
Regarding Amendment 9, in the name of the noble Lord, Lord Clement-Jones, I am pleased to confirm that there is nothing to prevent regulations requiring the provision of business data to government departments, publicly owned bodies and local and regional authorities. This is possible through Clause 4(1)(b), which allows regulations to require provision of business data to a person of a specified description. I hope the noble Lord will look at those cross-references and be satisfied by them.
Noble Lords spoke about the importance of sensitive information in future smart data schemes. A smart data scheme about legal services is not currently under consideration. Having said that, the Government would have regard to the appropriateness of such a scheme and the nature of any data involved and would consult the sector and any other appropriate stakeholders if that was being considered. It is not at the top of our list of priorities, but the noble Lord might be able to persuade us that it would have some merit, and we could start a consultation based on that.
Amendments 16 to 22 consider fees and the safeguards applying to them, which were raised by the noble Viscount. Fees and levies, enabled by Clauses 11 and 12, are an essential mechanism to fund a smart data scheme. The Government consider that appropriate and proportionate statutory safeguards are already built in. For example, requirements in Clause 11(3) and Clause 12(2) circumscribe the expenses in relation to which fees or the levy may be charged, and the persons on whom they may be charged.
Capping the interest rate for unpaid money, which is one of the noble Viscount’s proposals, would leave a significant risk of circumstances in which it might be financially advantageous to pay the levy late. The Government anticipate that regulations would provide an appropriate mechanism to ensure payment of an amount that is reasonable in the context of a late payment that is proposed. Just as regulations may be made by the relevant government department, it is most appropriate for financial assistance to be provided by the government department responsible for the smart data scheme in question. Clause 13 is intended to provide statutory authority for that assistance as a matter of regularity.
Amendments 23 to 27 deal with the clauses relating to the FCA. Clause 15(3) is drafted to be consistent with the wording of established legislation which confers powers on the FCA, most notably the Financial Services and Markets Act 2000. Section 1B of that Act uses the same formulation, using the phrase
“so far as is reasonably possible”
in relation to the FCA’s general duties. This wording is established and well understood by both the FCA and the financial services sector as it applies to the FCA’s strategic and operational objectives. Any deviation from it could create uncertainty and inconsistency.
Amendment 24 would cause significant disruption to current data-sharing arrangements and fintech businesses. Reauthenticating this frequently with every data holder would add considerable friction to open banking services and greatly reduce the user experience—which was the point raised by the noble Lord, Lord Clement-Jones. For example, it is in the customer’s interest to give ongoing consent to a fintech app to provide them with real-time financial advice that might adapt to daily changes in their finances.
Many SMEs provide ongoing access to their bank accounts in order to receive efficient cloud accounting services. If they had to re-register frequently, that would undermine the basis and operability of some of those services. It could inhibit the adoption and viability of open banking, which would defeat one of the main purposes of the Bill.
Does the Minister have any thoughts about where smart data schemes might be introduced? I am sure that they are being introduced for a purpose. Is there a plan to issue a policy document or is it purely about consulting different sectors? Perhaps the Minister can give us a glimpse of the future.
The noble Lord is tempting me. What I would say is that, once this legislation is passed, it will encourage departments to look in detail at where they think smart data schemes can be applied and provide a useful service for customers and businesses alike. I know that one issue that has been talked about is providing citizens with greater information about their energy supplies—the way that is being used and whether they can use their energy differently or find a different supplier—but that is only one example, and I do not want people to get fixated on it.
The potential is enormous; I feel that we need to encourage people to think creatively about how some of these provisions can be used when the Bill is finally agreed. There is a lot of cross-government thinking at the moment and a lot of considering how we can empower citizens more. I could say a lot off the top of my head but putting it on the record in Hansard would probably be a mistake, so I will not be tempted any more by the noble Lord. I am sure that he can write to me with some suggestions, if he has any.
My Lords, one problem with cybersecurity is the fact that, if one company is spending money on it but is worrying that its competitor companies are not, they might feel that an element of compulsion would be helpful. I just raise that with the Minister, who suggests that some of these things might be better in the cybersecurity and resilience Bill. My noble friend Lady Neville-Jones and I think she is right, so I beg leave to withdraw my amendment.
I thank noble Lords for their comments and contributions in what has been an absolutely fascinating debate. I have a couple of points to make.
I agree with the noble Lord, Lord Clement-Jones, on his Amendment 33, on ongoing monitoring, and his Amendment 50. Where we part company, I think, is on his Amendment 36. I feel that we will never agree about the effectiveness or otherwise of five-year strategies, particularly in the digital space. I simply do not buy that his amendment will have the desirable effects that the noble Lord wants.
I do not necessarily agree with the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, that we should put extra burdens around the right to use non-digital methods. In my opinion, and I very much look forward to hearing from the Minister on this matter, the Act preserves that right quite well as it is. I look forward to the Government’s comments on that.
I strongly support the noble Viscount, Lord Colville, on his very important point about international standards. I had intended to sign his amendment but I am afraid that, for some administrative reason, that did not happen. I apologise for that, but I will sign it because I think that it is so important. In my opinion, not much of the Bill works in the absence of effective international collaboration around these matters. This is so important. We are particularly going to run up against this issue when we start talking about ADM, AI and copyright issues. It is international standards that will allow us to enforce any of the provisions that we put in here, so they are so important. I am more agnostic on whether this will happen via W3C, the ITU or other international standards bodies, but we really must go forward with the principle that international standards are what will get us over the line here. I look forward to hearing the Minister’s confirmation of the importance, in the Government’s view, of such standards.
Let me turn to the amendments listed in my name. Amendment 37 would ensure parliamentary oversight of the DVS trust framework. Given the volume of sensitive data that these services providers will be handling, it is so important that Parliament can keep an eye on how the framework operates. I thank noble Lords for supporting this amendment.
Amendment 40 is a probing amendment. To that end, I look forward to hearing the Minister’s response. Accredited conformity assessment bodies are charged with assessing whether a service complies with the DVS framework. As such, they are giving a stamp of approval from which customers will draw a sense of security. Therefore, the independence of these accreditation bodies must be guaranteed. Failing to do so would allow the industry to regulate itself. Can the Minister set out how the Government will guarantee the independence of these accreditation bodies?
Amendment 49 is also a probing amendment. It is designed to explore the cybersecurity measures that the Government expect of digital verification services. Given the large volume of data that these services will be handling, it is essential that the Government demand substantial cybersecurity measures. This is a theme that we are going to come back to again and again; we heard about it earlier, and I think that we will come on to more of this. As these services become more useful and more powerful, they present a bigger attack surface that we have to defend, and I look forward to hearing how we will do that.
I thank the noble Lords, Lord Clement-Jones and Lord Markham, the noble Viscount, Lord Colville, and the noble Baroness, Lady Kidron, for raising these topics around digital verification services. As I explained at Second Reading, these digital verification services already exist. They are already out there making all sorts of claims for themselves. With the new trust framework, we are trying to provide some more statutory regulation of the way that they operate. It is important that we have this debate and that we get it right, but some of the things we are doing are still work in progress, which is why we do not always have all the detailed answers that noble Lords are searching for here and why some powers have been left to the Secretary of State.
I shall go from the top through the points that have been raised. Amendments 33 and 43, tabled by the noble Lord, Lord Clement-Jones, and Amendment 40 tabled by the noble Viscount, Lord Colville, would require the trust framework to include rules on monitoring compliance and redress mechanisms and would require the Secretary of State to ensure the independence of accredited conformity assessment bodies. The noble Baroness, Lady Kidron, asked questions akin to those regarding redress for the vulnerable, and I will write to her setting out a response to that in more detail.
On the issue of redress mechanisms in the round, the scope of the trust framework document is solely focused on the rules that providers of digital verification services are required to follow. It does not include matters of governance. Compliance is ensured via a robust certification process where services are assessed against the trust framework rules. They are assessed by independent conformity assessment bodies accredited by the United Kingdom Accreditation Service, so some oversight is already being built into this model.
The Bill contains powers for the Secretary of State to refuse applications to the DVS register or to remove providers where he is satisfied that the provider has failed to comply with the trust framework or if he considers it necessary in the interests of national security. These powers are intended as a safety net, for example, to account for situations where the Secretary of State might have access to intelligence sources that independent conformity assessment bodies cannot assess and therefore will not be able to react to, or it could be that a particular failure of the security of one of these trust marks comes to light very quickly, and we want to act very quickly against it. That is why the Secretary of State has those powers to be able to react quickly in what might be a national security situation or some other potential leak of important data and so on.
In addition, conformity assessment bodies carry out annual surveillance audits and can choose to conduct spot audits on certified providers, and they have the power to withdraw certification where non-conformities are found. Adding rules on compliance would cut across that independent certification process and would be outside the scope of the trust framework. Those independent certification processes already exist.
Amendments 33, 41, 42, 44 and 45 tabled by the noble Lord, Lord Clement-Jones, would in effect require the creation of an independent appeals body to adjudicate on the refusal of an application to the DVS register and the implementation of an investigatory process applicable to refusal and removal from the DVS register. The powers of the Secretary of State in this regard are not without safeguards. They may be exercised only in limited circumstances after the completion of an investigatory process and are subject to public law principles, for example, reasonableness. They may also be challenged by judicial review.
To go back to the point I was making, it might be something where we would need to move quickly. Rather than having a convoluted appeals process in the way that the noble Lord was talking about, I hope he understands the need sometimes for that flexibility. The creation and funding of an independent body to adjudicate such a limited power would therefore be inappropriate.
It would be reassuring if the Minister could share with us some of the meetings that the Secretary of State or Ministers are having with those bodies on the subject of these internationally shared technical standards.
I might need to write to the noble Viscount, but I am pretty sure that that is happening at an official level on a fairly regular basis. The noble Viscount raises an important point. I reassure him that those discussions are ongoing, and we have huge respect for those international organisations. I will put the detail of that in writing to him.
I turn to Amendment 37, tabled by the noble Viscount, Lord Camrose, which would require the DVS trust framework to be laid before Parliament. The trust framework contains auditable rules to be followed by registered providers of digital verification services. The rules, published in their third non-statutory iteration last week on GOV.UK, draw on and often signpost existing technical requirements, standards, best practice, guidance and legislation. It is a hugely technical document, and I am not sure that Parliament would make a great deal of sense of it if it was put forward in its current format. However, the Bill places consultation on a statutory footing, ensuring that it must take place when the trust framework is being prepared and reviewed.
Amendments 36 and 38, tabled by the noble Lord, Lord Clement-Jones, would create an obligation for the Secretary of State to reconsult and publish a five-year strategy on digital verification services. It is important to ensure that the Government have a coherent strategy for enabling the digital verification services market. That is why we have already consulted publicly on these measures, and we continue to work with experts. However, given the nascency of the digital identity market and the pace of those technological developments, as the noble Viscount, Lord Camrose, said, forecasting five years into the future is not practical at this stage. We will welcome scrutiny through the publication of the annual report, which we are committed to publishing, as required by Clause 53. This report will support transparency through the provision of information, including performance data regarding the operation of Part 2.
Amendment 39, also tabled by the noble Lord, Lord Clement-Jones, proposes to exclude certified public bodies from registering to provide digital verification services. We believe that such an exclusion could lead to unnecessary restrictions on the UK’s young digital verification market. The noble Lord mentioned the GOV.UK One Login programme, which is aligned with the standards of the trust framework but is a separate government programme which gives people a single sign-on service to access public services. It uses different legal powers to operate its services from what is being proposed here. We do not accept that we need to exclude public bodies from the scrutiny that would otherwise take place.
Amendment 46 seeks to create a duty for organisations that require verification and use digital verification for that purpose to offer, where reasonably practicable, a non-digital route and ensure that individuals are made aware of both options for verification. I should stress here that the provision in the Bill relates to the provision of digital verification services, not requirements on businesses in general about how they conduct verification checks.
Ensuring digital inclusion is a priority for this Government, which is why we have set up the digital inclusion and skills unit within DSIT. Furthermore, there are already legislative protections in the Equality Act 2010 in respect of protected groups, and the Government will take action in the future if evidence emerges that people are being excluded from essential products and services by being unable to use digital routes for proving their identity or eligibility.
The Government will publish a code of practice for disclosure of information, subject to parliamentary review, highlighting best practice and relevant information to be considered when sharing information. As for Amendment 49, the Government intend to update this code only when required, so an annual review process would not be necessary. I stress to the Committee that digital verification services are not going to be mandatory. It is entirely voluntary for businesses to use them, so it is up to individuals whether they use that service or not. I think people are feeling that it is going to be imposed on people, and I would push against that proposal.
If the regulation-making power in Amendment 50 proposed by the noble Lord, Lord Clement-Jones, was used, it would place obligations on the Information Commissioner to monitor the volume of verification checks being made, using the permissive powers to disclose information created in the clause. The role of the commissioner is to regulate data protection in the UK, which already includes monitoring and promoting responsible data-sharing by public authorities. For the reasons set out above, I hope that noble Lords will feel comfortable in not pressing their amendments.
Can I double-check that nothing was said about the interaction between the Bill and the OSA in all of that? I understood the Minister to say that she would perhaps write to me about vulnerable people, but my question about how this interacts was not answered. Perhaps she will write to me on that issue as well.
Yes, the ICO is undertaking work on age assurance under the OSA at the moment. My point was about how the two regimes intersect and how children get treated under each. Do they fall between?
Was the Minister saying that in view of the current duties of the ICO, Amendment 50 is not needed because public authorities will have the duty to inform the ICO of the information that they have been passing across to these identity services?
Again, I will have to write to the noble Lord on that. I think we were saying that it is outside the current obligations of the ICO, but we will clarify the responsibility.
My Lords, I am not quite sure whether to be reassured or not because this is terra incognita. I am really struggling, given the Minister’s response. This is kind of saying, “Hands off, Parliament, we want the lightest touch on all of this, and the Secretary of State will decide”.
I should first thank the noble Baroness, Lady Kidron, for her support. I thought that the noble Viscount, Lord Colville, made an extremely good case for Amendment 35 because all of us want to make sure that we have that interoperability. One of the few areas where I was reassured by the Minister was on the consultations taking place.
I am sure that the noble Viscount, Lord Camrose, was right to ask what the consultations are. We need to be swimming in the right pool for our digital services to be interoperable. It is not as if we do not have contact with quite a number of these digital service providers. Some of them are extremely good and want a level of mandation for these international services. There is a worrying lack of detail here. We have devil and the deep blue sea. We have these rules on GOV.UK which are far too complicated for mere parliamentarians to comprehend. They are so detailed that we are going to get bogged down.
On the other hand, we do not know what the Secretary of State is doing. This is the detailed trust framework, but what is the governance around it? At the beginning of her speech, the Minister said that governance is different from certification and the conformity assessment service. I would have thought that governance was all part of the same warp and weft. I do not really understand. The Secretary of State has the power to refuse accreditation, so we do not need an independent appeals body. It would be much more straightforward if we knew that there was a regulator and that it was going to be transparent in terms of how the system worked. I just feel that this is all rather half baked at the moment. We need a lot more information than we are getting. To that extent, that is the case for all the amendments in this group.
The crucial amendment is Amendment 37 tabled by the noble Viscount, Lord Camrose, because we absolutely need to bring all this into the light of day by parliamentary approval, whether or not it is a complicated document. Perhaps we could put it through an AI model and simplify it somewhat before we debate it. We have to get to grips with this. I have a feeling that we are going to want to return to this aspect on Report because no good reason has been given, not to the DPRRC either, about why we are not debating this in Parliament in terms of the scheme itself. It is a bit sad to have to say this because we all support the digital verification progress, if you like. Yet, we are all in a bit of a fog about how it is all going to work.
I very much hope that the Minister can come back to us, perhaps with a must-write letter that sets it all out to a much more satisfactory extent. I hope she understands why we have had this fairly protracted debate on this group of amendments because this is an important aspect that the Bill is skeletal about. I beg leave to withdraw the amendment.
I support that. I completely agree with all the points that the noble Lord, Lord Clement-Jones, made on the previous groupings, but the one that we all agree is absolutely vital is the one just brought up by my noble friend. Coming from the private sector, I am all in favour of a market—I think that it is the right way to go—but standards within that are equally vital.
I come at this issue having had the misfortune of having to manage the cyberattack that we all recall happening against our diagnostic services in hospitals last summer. We found that the weakest link there was through the private sector supplier to that system, and it became clear that the health service—or cybersecurity, or whoever it was—had not done enough to make sure that those standards were set, published and adhered to effectively.
With that in mind, and trying to learn the lessons from it, I think that this clause is vital in terms of its intent, but it will be valuable only if it is updated on a frequent basis. In terms of everything that we have spoken about today, and on this issue in particular, I feel that that point is probably the most important. Although everything that we are trying to do is a massive advance in terms of trying to get the data economy to work even better, I cannot emphasise enough how worrying that attack on our hospitals last summer was at the time.
I thank both noble Lords for raising this; I absolutely concur with them on how important it is. In fact, I remember going to see the noble Viscount, Lord Camrose, when he was in his other role, to talk about exactly this issue: whether the digital verification services were going to be robust enough against cyberattacks.
I pray in aid the noble Lord, Lord Arbuthnot, and the noble Baroness, Lady Neville-Jones, who both felt that the new Cyber Security and Resilience Bill will provide some underpinning for all of this, because our Government take this issue very seriously. As the Committee can imagine, we get regular advice from the security services about what is going on and what we need to do to head it off. Yes, it is a difficult issue, but we are doing everything we can to make sure that our data is safe; that is fundamental.
Amendment 47 would require the Secretary of State to prepare and publish rules on cybersecurity for providers to follow. The existing trust framework includes rules on cybersecurity, against which organisations will be certified. Specifically, providers will be able to prove either that they meet the internationally recognised information security standards or that they have a security management system that matches the criteria set out in the trust framework.
I assure noble Lords that the Information Commissioner’s Office, the National Cyber Security Centre and other privacy stakeholders have contributed to the development of the trust framework. This includes meeting international best practice around encryption and cryptology techniques. I will happily write to noble Lords to reassure them further by detailing the range of protections already in place. Alternatively, if noble Lords here today would benefit from an official technical briefing on the trust framework, we would be delighted to set up such a meeting because it is important that we all feel content that this will be a robust system, for exactly the reasons that the noble Lord, Lord Markham, explained. We are absolutely on your Lordships’ side and on the case on all this; if it would be helpful to have a meeting, we will certainly do that.
I thank the Minister and my noble friend Lord Markham for those comprehensive and welcome comments. I would certainly like to take up the Minister’s offer of a technical briefing on the trust framework; that really is extremely important.
To go briefly off-piste, one sign that we are doing this properly will be the further development of an insurance marketplace for cybersecurity. It exists but is not very developed at the moment. As and when this information is regularly published and updated, we will see products becoming available that allow people to take insurance based on known risks around cybersecurity.
As I say, I take comfort from the Minister’s words and look forward to attending the tech briefing. When it comes, the cyber Bill will also play a serious role in this space and I look forward to seeing how, specifically, it will interact with DVS and the other services that we have been discussing and will continue to discuss. I beg leave to withdraw my amendment.
My Lords, I will address the amendments proposed by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron. I have nothing but the deepest respect for their diligence, and indeed wisdom, in scrutinising all three flavours of the Bill as it has come out, and for their commitment to strengthening the legislative framework against fraud and other misuse of digital systems. However, I have serious reservations about the necessity and proportionality of the amendments under consideration, although I look forward to further debates and I am certainly open to being convinced.
Amendments 51 and 52 would introduce criminal sanctions, including imprisonment, for the misuse of trust marks. While the protection of trust marks is vital for maintaining public confidence in digital systems, I am concerned that introducing custodial sentences for these offences risks overcriminalisation. The misuse of trust marks can and should be addressed through robust civil enforcement mechanisms. Turning every such transgression into a criminal matter would place unnecessary burdens on, frankly, an already strained justice system and risks disproportionately punishing individuals or small businesses for inadvertent breaches.
Furthermore, the amendment’s stipulation that proceedings could be brought only by or with the consent of the Director of Public Prosecutions or the Secretary of State is an important safeguard, yet it underscores the high level of discretion required to enforce these provisions effectively, highlighting the unsuitability of broad criminalisation in this context.
Amendment 53 seeks to expand the definition of identity documents under the Identity Documents Act 2010 to include digital identity documents. While the noble Lord, Lord Clement-Jones, makes a persuasive case, the proposal raises two concerns. First, it risks pre-emptively criminalising actions before a clear and universally understood framework for digital identity verification is in place. The technology and its standards are still evolving, and it might be premature to embed such a framework into criminal law. Secondly, there is a risk that this could have unintended consequences for innovation in the digital identity sector. Businesses and individuals navigating this nascent space could face disproportionate legal risks, which may hinder progress in a field critical to the UK’s digital economy.
Amendment 54 would introduce an offence of knowingly or recklessly providing false information in response to notices under Clause 51. I fully support holding individuals accountable for deliberate deception, but the proposed measure’s scope could lead to serious ambiguities. What constitutes recklessness in this context? Are we inadvertently creating a chilling effect where individuals or businesses may refrain from engaging with the system for fear of misinterpretation or error? These are questions that need to be addressed before such provisions are enshrined in law.
We must ensure that our legislative framework is fit for purpose, upholds the principles of justice and balances enforcement with fairness. The amendments proposed, while they clearly have exactly the right intentions, risk, I fear, undermining these principles. They introduce unnecessary criminal sanctions, create uncertainty in the digital identity space and could discourage good-faith engagement with the regulatory system. I therefore urge noble Lords to carefully consider the potential consequences of these amendments and, while expressing gratitude to the noble Lords for their work, I resist their inclusion in the Bill.
My Lords, of course we want to take trust seriously. I could not agree more that the whole set of proposals is predicated on that. Noble Lords have all made the point, in different ways, that if there is not that level of trust then people simply will not use the services and we will not be able to make progress. We absolutely understand the vital importance of all that. I thank all noble Lords for their contributions on this and I recognise their desire to ensure that fraudulent use of the trust mark is taken seriously, as set out in Amendments 51 and 52.
The trust mark is in the process of being registered as a trademark in the UK. As such, once that is done, the Secretary of State will be able to take appropriate legal action for misuse of it. Robust legal protections are also provided through Clause 50, through the trademark protections, and through other existing legislative provisions, such as the Consumer Protection from Unfair Trading Regulations 2008. There is already legislation that underpins the use of that trust mark. Additionally, each trust mark will have a unique number that allows users to check that it is genuine. These amendments would duplicate those existing protections.
In seeking to make the misuse of a digital identity a criminal offence, which Amendments 53 and 209 attempt to do, the noble Lord offered me several different ways of approaching this, so I will offer him some back. The behaviour he is targeting is already addressed in the Fraud Act 2006, the Computer Misuse Act 1990 and the Data Protection Act 2018. We would argue that it is already by existing legislation.
On the noble Lord’s point about the Identity Documents Act 2010, defining every instance of verification as an identity document within the scope of offences in that Act could create an unclear, complicated and duplicative process for the prosecution of digital identity theft. The provision of digital verification services does not always create one single comprehensive identity proof—I think this is the point that the noble Viscount, Lord Camrose, was making. People use it in different ways. It might be a yes/no check to ensure that a person is over 18, or it might be a digital verification services provider providing several derived credentials that can be used in different combinations for different use cases. We have to be flexible enough to be able to deal with that and not just make one fraudulent act. It would not be appropriate to add digital identity to the list of documents set out in the Identity Documents Act.
Amendment 54 would create an offence of supplying false information to the Secretary of State, but sanctions already exist in this situation, as the organisation can be removed from the DVS register via the power in Clause 41. Similarly, contractual arrangements between the Office for Digital Identities and Attributes and conformity assessment bodies require them to adhere to the principle of truthfulness and accuracy. To create a new offence would be disproportionate when safeguards already exist. I take on board the intent and aims of the noble Lord, Lord Clement-Jones, but argue that there are already sufficient protections in current law and in the way in which the Bill is drafted to provide the reassurance that he seeks. Therefore, I hope that he feels comfortable in not pressing his amendment.
My Lords, I am confident that, somewhere, there is a moral philosopher and legal scholar who can explain why this amendment is not part of the next group on NUAR but, in the meantime, my amendment addresses a fundamental issue. It would ensure that strict security measures are in place before any individual or organisation is allowed access to the sensitive information held on the National Underground Asset Register. The NUAR is a crucial tool for managing the UK’s underground infrastructure. It holds critical data about pipelines, cables and other assets that underpin vital services such as water, energy, telecommunications and transport.
This information, while essential for managing and maintaining infrastructure, is also a potential target for misuse. As such, ensuring the security of this data is not just important but vital for the safety and security of our nation. The information contained in the NUAR is sensitive. Its misuse could have disastrous consequences. If this data were to fall into the wrong hands, whether through criminal activities, cyberattacks or terrorism, it could be exploited to disrupt or damage critical infrastructure. I know that the Government take these risks seriously but this amendment seeks to address them further by ensuring that only those with a legitimate need, who have been properly vetted and who have met specific security requirements can access this data. We must ensure that the people accessing this register are trusted individuals or organisations that understand the gravity of handling this sensitive information and are fully aware of the risks involved.
The amendment would ensure that we have a framework for security—one that demands that the Secretary of State introduces clear, enforceable regulations specifying the security measures that must be in place before anyone can access the NUAR. These measures may include: background checks to ensure that those seeking access are trustworthy and legitimate; cybersecurity safeguards to prevent unauthorised digital access or breaches; physical security measures to protect the infrastructure where this information is stored; and clear guidelines on who should be allowed access and the conditions under which they can view this sensitive data.
The potential threats posed by unsecured access to the NUAR cannot be overstated. Criminals could exploit this information to target and disrupt key infrastructure systems. Terrorist organisations could use it to plan attacks on essential services, endangering lives and causing mass disruption. The stakes are incredibly high; I am sure that I do not need to convince noble Lords of that. In an era where digital and physical infrastructure are increasingly interconnected, the risks associated with unsecured access to information of the kind held in the NUAR are growing every day. This amendment would address this concern head on by requiring that we implement safeguards that are both thorough and resilient to these evolving threats. Of course, the cyber Bill is coming, but I wonder whether we need something NUAR-specific and, if so, whether we need it in this Bill. I beg to move.
I thank the noble Viscount for raising the issue of the National Underground Asset Register’s cybersecurity. As he said, Amendment 55 seeks to require more detail on the security measures in the regulations that will be applied to the accessing of NUAR data.
The noble Viscount is right: it is absolutely fundamental that NUAR data is protected, for all the reasons he outlined. It hosts extremely sensitive data. It is, of course, supported by a suite of sophisticated security measures, which ensure that the very prescribed users’ access to data is proportionate. I hope that the noble Viscount understands that we do not necessarily want to spell out what all those security measures are at this point; he will know well enough the sorts of discussions and provisions that go on behind the scenes.
Security stakeholders, including the National Cyber Security Centre and the National Protective Security Authority, have been involved in NUAR’s development and are members of its security governance board, which is a specific governance board overseeing its protection. As I say, access to it occurs on a very tight basis. No one can just ask for access to the whole of the UK’s data on NUAR; it simply is not geared up to be operated in that way.
We are concerned that the blanket provision proposed in the amendment would lead to the publication of detailed security postures, exposing arrangements that are not public knowledge. It could also curtail the Government’s ability to adapt security measures when needed and, with support from security stakeholders, to accommodate changing circumstances—or, indeed, changing threats—that we become aware of. We absolutely understand why the noble Viscount wants that reassurance. I can assure him that it is absolutely the best security system we could possibly provide, and that it will be regularly scrutinised and updated; I really hope that the noble Viscount can take that assurance and withdraw his amendment.
I thank the Minister for that answer. Of course, I take the point that to publish the security arrangements is somehow to advertise them, but I am somehow not yet altogether reassured. I wonder whether there is something that we can push further as part of a belt-and-braces approach to the NUAR security arrangements. We have talked about cybersecurity a lot this afternoon. All of these things tend to create additional incentives towards cyberattacks —if anything, NUAR does so the most.
If it helps a little, I would be very happy to write to the noble Viscount on this matter.
Yes, that would be great. I thank the Minister. I beg leave to withdraw my amendment.
I am not going to say much except to try to persuade my noble friend. I am absolutely with the intent of what the noble Lord, Lord Clement-Jones, is trying to do here and I understand the massive benefits that can be gained from it.
I am grateful to the noble Viscount for joining me in my enthusiasm for NUAR. He is right: having seen it in practice, I am a great enthusiast for it. If it is possible to demonstrate it to other people, I would be very happy to do so, because it is quite a compelling story when you see it in practice.
Amendment 56, in the name of the noble Lord, Lord Clement-Jones, would place a duty on the Secretary of State to consult relevant private sector organisations before implementing the NUAR provisions under the Bill. I want to make clear then that the Geospatial Commission, which oversees NUAR, has been engaging with stakeholders on NUAR since 2018. Since then, there have been extensive reviews of existing processes and data exchange services. That includes a call for evidence, a pilot project, public consultation and numerous workshops. A series of in-person focus groups were completed last week and officials have visited commercial companies with specific concerns, including LinesearchbeforeUdig, so there has been extensive consultation with them.
I suppose one can understand why they feel slightly put out about NUAR appearing on the scene, but NUAR is a huge public asset that we should celebrate. We can potentially use it in other ways for other services in the future, once it is established, and we should celebrate the fact that we have managed to create it as a public asset. I say to the noble Lord, Lord Clement-Jones, that a further consultation on that basis would provide no additional benefit but would delay the realisation of the significant benefits that NUAR could deliver.
Moving on to the noble Lord’s other amendments, Amendments 193, 194, and 195, he is absolutely right about the need for data interoperability in the health service. We can all think of examples of where that would be of benefit to patients and citizens. It is also true that we absolutely need to ensure that our health and care system is supported by robust information standards. Again, we go back to the issue of trust: people need to know that those protections are there.
This is why we would ensure, through Clause 119 and Schedule 15, that suppliers of IT products and services used in the provision of health or adult social care in England are required to meet relevant information standards. In doing so, we can ensure that IT suppliers are held to account where information standards are not implemented. The application of information standards is independent of commercial organisations, and we would hold IT companies to them. Furthermore, the definition of healthcare as set out in the Health and Social Care Act 2012, as amended by the Health and Care Act 2022, already ensures that all forms of healthcare are within scope of information standards, which would include primary care. That was one of the other points that the noble Lord made.
As an add-on to this whole discussion, the noble Lord will know that the Government are preparing the idea of a national data library, which would encourage further interoperability between government departments to make sure that we use it to improve services. Health and social care is the obvious one, but the members of the Committee can all think of all sorts of other ways where government departments, if they collaborated on an interoperable basis, could drive up standards and make life easier for a whole lot of citizens in different ways. We are on the case and are absolutely determined to deliver it. I hope that, on that basis, the noble Lord will withdraw his amendment.
I am sorry to interrupt the Minister, but she has whetted our appetite about the national data library. It is not included in the Bill. We talked about it a little at Second Reading, but I wonder whether she can tell us a little more about what is planned. Is it to be set up on a statutory basis or is it a shadow thing? What substance will it actually have and how?
Well, details of it were in our manifesto, in as much as a manifesto is ever detailed. It is a commitment to deliver cross-departmental government services and create a means whereby some of the GDPR blockages that stop one department speaking to another can, where necessary, be freed up to make sure that people exchange data in a more positive way to improve services. There will be more details coming out. It is a work in progress at the moment and may well require some legislation to underpin it. There is an awful lot of work to be done in making sure that one dataset can talk to another before we can progress in any major way, but we are working at speed to try to get this new system up and running.
I thank the Minister for that, which was very interesting. We were talking about medical health IT and “GDPR blockages” almost has a medical quality to it. The embryonic national data library will obviously get some more mentions as we go through the Bill. It is a work in progress, so I hope that we will know more at the end of the Bill than we did at the beginning.
The Minister talked about datasets talking to each other. We will have to get the noble Viscount, Lord Camrose, to use other phrases, not just “Netflix in the age of Blockbuster” but something equally exciting about datasets talking to each other.
My Lords, there is a great deal to be gained from digitising the registers of births, stillbirths and deaths. Not only does it reduce the number of physical documents that need to be maintained and kept secure but it means that people do not have to physically sign the register of births or deaths in the presence of a registrar. This will make people’s lives a great deal easier during those stressful periods of their lives.
However, digitising all this data—I am rather repeating arguments I made about NUAR and other things earlier—creates a much larger attack surface for people looking to steal personal data. This amendment explores how the Government will protect this data from malign actors. If the Minister could provide further detail on this, I would be most grateful.
This is a probing amendment and has been tabled in a constructive spirit. I know that we all want to harness the power of data and tech in this space and use it to benefit people’s lives but, particularly with this most personal of data, we have to take appropriate steps to keep it secure. Should there be a data breach, hackers would have access to an enormous quantity of personal data. Therefore, I suggest that, regardless of how much thought the Government have given this point up to now, the digitisation of these registers should not occur until substantial cybersecurity measures are in place. I look forward to the Minister’s comments.
On Amendment 57, legislation is already in place to ensure the security of electronic registers. Articles 25 and 32 of the UK General Data Protection Regulation impose duties on controllers of personal data to implement appropriate technical and organisational measures, including security measures, so this already applies.
The electronic system has been in place for births and deaths since 2009, and all events have been registered electronically since that date, in parallel with the paper registers and with no loss of data. What is happening with this legislation is that people do not have to keep paper records anymore; it is about the existing electronic system. The noble Lord will remember that it is up to registrars even so, but I think that the idea is that they will no longer have to keep the paper registers as well, which everybody felt was an unnecessary administrative burden.
Nevertheless, the system is subject to Home Office security regulations, and robust measures are in place to protect the data. There has been no loss of data or hacking of that data up to now. Obviously, we need to make sure that the security is kept up to date, but we think that it is a pretty robust system. It is the paper documents that are losing out here.
I thank the Minister. I take the point that this has been ongoing for a while and that, in fact, the security is better because there is less reliance on the paper documents. That said, I am encouraged by her answer and encouraged that the Government continue to anticipate this growing risk and act accordingly. On that basis, I withdraw the amendment.
My Lords, the noble Lord, Lord Clement-Jones, explained very well how the Tell Us Once service works. It is a really important asset for bereaved citizens who would otherwise have to notify all sorts of different departments right across government of a death. It provides a lifesaver for those who are struggling with providing all that information; we should put on record our thanks to Marie Curie and others for helping to create it and promoting it so well.
I think I have go on the record in the past—I thought that the noble Lord, Lord Clement-Jones, was going to dig out another one of my previous speeches—on this issue. I seem to remember making a very positive speech on the importance of the Tell Us Once service when we debated the previous Bill.
We support this service, of course—we can see the potential for expanding it further if we get this measure right—but I have to tell noble Lords that the current service is not in great shape in terms of its technology. It has suffered from insufficient investment over time and it needs to be improved before we can take it to the next stage of its potential. We consider that the best way to address this issue is, first, to upgrade its legacy technology, which is what we are operating at the moment. I realised that this is a problem only as I took over this brief; I had assumed that it would be more straightforward, but the problem seems to be that we are operating on ancient technology here.
Work is already under way to try to bring it all up to date. We are looking to improve the current service and at the opportunities to extend it to more of government. Our initial task is to try to extend it to some of the government departments that do not recognise it at the moment. Doing that will inform us of the potential limitations and the opportunities should we wish to extend it to the private sector in future. I say to the noble Lord that this will have to be a stage process because of the technological challenges that we currently have.
We are reluctant to commit to a review and further expansion of the service at this time but, once the service is updated, we would absolutely be happy to talk to noble Lords and revisit this issue, because we see the potential of it. The update is expected to be completed in the next two years; I hope that we will be able to come back and give a progress report to noble Lords at that time. However, I have to say, this is what we have inherited—bear with us, because we have a job to do in bringing it up to date. I hope that, on that basis, the noble Lord will withdraw his amendment, albeit reluctantly.
(3 weeks, 3 days ago)
Lords ChamberMy Lords, I feel that the onus is on me to concentrate on the Statement at hand. This is undeniably a sad announcement for a business that stretches back to the start of the previous century. It is a sad day for Luton, which has a proud tradition in vehicle manufacturing. Most of all, it is a sad day for the 1,000-plus men and women who are potentially losing their jobs.
There are people in your Lordships’ House who know Vauxhall better than I do, but although I no longer have a pecuniary interest in the automotive industry, my past work in that sector led me to value the skills and ingenuity of the people around whom I worked. My first question is this. Many businesses in other sectors are crying out for the skills possessed by the people being laid off, but in many cases those jobs are not in Luton. How do the Government plan to help retain those skills and channel those people, who are skilled workers, into well-remunerated, vital jobs? My second question concerns the town of Luton itself. What is being done to support the local community that is being denied an important driver of its local prosperity and economy? The Government need to work with Vauxhall and others to mitigate this, as it will be a major shock for the area.
This sad announcement is at the leading edge of a wider set of issues that face UK vehicle manufacturers and the Government’s plans to electrify personal transport in the UK, their so-called ZEV mandate. There are important questions regarding this ZEV mandate. As we know, 22% of cars sold this year have to be electric vehicles, EVs, rising to 28% next year. If a business fails to meet that target, either it pays a £15,000 fine on each internal combustion car it sells or it buys credits. This is handing cash to usually foreign competitors, such as Mr Musk’s Tesla. This system was put in place by the previous Government. Is it a sensible industrial strategy?
Successive Governments have taken a largely supply-side approach to this, and initially it had some success. Does the Minister agree that unless the Government address the demand side, UK manufacturers will not achieve their mandate targets? Added to that, the previous Government sent out mixed messages that caused many people who might have bought their first EV to opt for one more internal combustion engine. Demand needs to be stimulated. Infrastructure remains patchy, pavement charging is expensive for users—inhibiting the spread of EVs to people who do not have a drive on which to charge their vehicle—and sensible subsidies are being phased out. Can the Minister confirm that her department is now discussing incentives—for example, cutting VAT on EVs—with the Treasury?
Lib Dems have repeatedly called for it to be made easier and cheaper to charge vehicles by rolling out far more residential on-street chargers, ultra-fast chargers at service stations and the electricity grid infrastructure needed to support them. Additionally, VAT on public charging should be cut to 5% and all charging points should be accessible by a bank card, rather than the collection of different smart cards required.
Meanwhile, as demand stalls, the market for UK firms is getting harder. UK car makers are already competing with Chinese EVs that benefit from inbuilt domestic subsidies. In the EU and the US, these Chinese businesses are likely to face high tariffs in future. If both these huge potential markets erect such barriers, the likelihood is that Chinese EVs will flood into their remaining markets. Can the Minister set out the Government’s position on possible UK tariffs on Chinese EVs?
Yesterday the Secretary of State referred to the £2 billion for research and capital funding that was announced in the Budget. Can the Minister tell us the split between R&D and capital for that money? What is the phasing of that money—for example, how much will the industry see this financial year?
In summary, for the UK car industry basic costs have risen, energy costs have rocketed and labour costs will rise following the Budget. In the meantime, UK manufacturers are trying to sell more EVs than UK consumers want to buy, with a backdrop of cheap, subsidised imports. Does the Minister recognise that these are existential issues? When will the industry get to know what the Government’s response to these issues will be?
My Lords, I thank noble Lords for their responses to the Secretary of State’s Statement in the other place. The news on Tuesday that Stellantis was commencing a consultation with staff on the future of the plant at Luton will have been very difficult to hear for the hard-working staff, their families and the wider Luton community. We have asked the company to share the details of its plans with us so that we can put in place the right support across government to help them through this process. Luton has a proud history. While this is disappointing news, we are confident that the town has a bright future ahead. We will work closely with Stellantis, trade unions, Luton Borough Council and other partners to look at the impact of this decision.
I heard the points made by the noble Lord, Lord Fox, about the zero-emission vehicle mandate and how it links to this decision. Ministers met Stellantis within days of coming into office to discuss the pressures it was facing in its business, including concerns on the zero EV mandate, but that was not the only concern it raised. Noble Lords will know that this is a complicated area. The automotive industry is operating under a lot of different pressures, and this is just one of them that we are seeking to address.
The noble Earl, Lord Effingham, asked about consultation. The Statement made clear that the Secretary of State has been in constant discussion with Stellantis and others in the automotive industry to address their concerns. The Secretary of State for Business and Trade and the Secretary of State for Transport are listening closely to the concerns of the industry and the wider sector about the transition to electric vehicles. This included the round table earlier this month to hear directly from major automotive companies, the Society of Motor Manufacturers and Traders and the charging sector. In response, we will shortly be fast-tracking a consultation on our manifesto commitment to end the sale of new pure petrol and diesel cars by 2030, but the question here is the transition rather than the endpoint. I think we are clear about what we want to achieve by 2030. We will use this consultation to engage with industry on the previous Government’s zero EV transition mandate and the flexibilities within it, and we will welcome the industry’s feedback as we move forward.
We want to do everything we can, together with industry, to secure further investment in the British automotive sector now and over the longer term. That is why in the Budget the Chancellor committed £2 billion to research and development and capital funding to support the zero-emission vehicle manufacturing sector and the supply chain. The noble Lord, Lord Fox, asked about this support. The Government are already backing the wider industry with more than £300 million to drive uptake of zero-emission vehicles, and we have also committed long-term funding of more than £2 billion of capital and R&D funding to 2030 for zero-emission vehicle manufacturing and its supply chain as part of a comprehensive offer to attract strategic investment and deliver real growth. There is a real opportunity for the UK from the transition to zero-emission vehicles, and we welcome the commitment Stellantis made to expand its production of electric vehicles at its other plant in Ellesmere Port by adding a second van model.
This is a complicated issue. An expansion of electric vehicle production is going ahead. I make clear that, at Luton, only diesel vans are being produced, so, if anything, production is switching to electric vehicles and not the other way around. Our automotive sector is at the heart of UK manufacturing and the global and British brands that make vehicles here are central to unlocking further growth and investment. Our industrial strategy will address these issues and ensure that further growth and investment is absolutely at the heart of what we intend to do. As the Secretary of State said yesterday, the Government are clear that decarbonisation must not mean deindustrialisation, and that winning the race to net zero and having a world-leading automotive sector must go hand in hand.
The noble Earl, Lord Effingham, asked about the Budget. I do not need to take any lessons from the previous Government, since they left a £22 billion black hole that we inherited. I am sorry to remind them—I know they would rather we forgot that—but let us be honest: that is what we have inherited and have been struggling with ever since. The Budget dealt with that black hole in the Government’s finances, and—as the noble Earl mentioned—over this Parliament the Government will transform business rates into a fairer system that protects the high street, supports investment and is fit for the 21st century. The Government are permanently lowering business rates for retail, hospitality and leisure properties from 2026-27—so we are addressing business rates.
The noble Earl mentioned the employment Bill. I am proud that we are bringing modern employment practices to this country—the previous Government promised this, but it was never delivered. The noble Lord, Lord Fox, asked about imports, and several noble Lords mentioned Chinese EVs. Again, this is a complicated area, but we are closely analysing how imports of Chinese EVs will impact the UK’s economy and industry. It is worth stressing that the UK’s economy and industry differ from other countries in both ownership and markets. We export 80% of what we make, compared to, for example, the US and EU, where a greater proportion of production is sold domestically. So we need to adapt our approach to what is appropriate for our situation here in the UK. When we need to act, we will do so, but any action taken on Chinese EVs has to be the right one for the UK industry.
We are also looking at unfair trading practices on an international basis by supporting global initiatives at the WTO and G7, and domestically through our industry-led trade remedy systems. Here, we already apply 44 trade remedy measures, 28% of which are on China. I hope I have addressed the main points that noble Lords have raised today, and I look forward to further questions.
My Lords, I declare an interest: three generations of my family have worked at Vauxhall. My sympathies go out to the Luton plant. I thank the Minister for meeting me and the former chief executive of Vauxhall last week to discuss the difficulties surrounding Stellantis.
The noble Lord, Lord Fox, covered most of my points admirably, and I thank him for that. There is no doubt that the ZEV mandate has been and still is a problem, and it needs changing now or this will not be the last problem we have. The plant at Luton is profitable, and it is not 1,100 workers losing their jobs but 4,000-plus when we add the component supporters.
Maybe there are cynics among us who would say that the Government have not tried and that this situation does not have a great deal to do with the ZEV mandate but rather relates to the value of the land that sits alongside the airport at Luton. I would not like to be a cynic, but I sincerely hope—in line with the demands of my union, Unite, for this company to be pushed to rethink its closure strategy—that it is made sure that, if the land is sold, it is sold for industrial purposes and not for housing. I would like to hear the Minister’s comments about that. However, this is not over; we have a lot of work to do and my people at Luton are determined to fight this. I wish them the very best of good fortune.
I thank my noble friend for those points. As I said at the outset, we very much feel for the people of Luton—this is a terrible time for them. My noble friend is quite right that this is not just about the people who are directly employed in the sector; it has much wider ramifications. At the end of the day, these are commercial decisions, but we are working very closely with Stellantis on how the consultation is dealt with and what support can be given to those affected. There will be the opportunity for some people to transfer to Ellesmere Port, but we understand the impact that this closure will have on the remaining population.
The Government recognise that Luton is a vibrant and very diverse community that has ambitions for the future. We are already investing £20 million in the Stage mixed-use development to help unlock Luton’s town centre regeneration plans, so we are looking at what wider support we can give. In the meantime, it is absolutely right that we focus on those who are affected now, and that we give them support through both the Department for Work and Pensions and further negotiations that we will have with Stellantis, to make sure that we provide the maximum protection for those affected by this decision. However, I will not underestimate the challenge of this, and my noble friend is quite right to raise it. I am sure there will be further discussions about what else we can do.
My Lords, this is the tip of the iceberg of the obsession this Government have with their punitive net-zero targets. I agree with the noble Lord opposite. I visited Vauxhall Ellesmere Port as a former Member of the European Parliament. I was closely involved with the car industry. As the noble Lord rightly said, this is not just about the 1,100 workers at the Luton plant. They will all have families and people to support, so there will be at least 4,000 people affected just from that plant alone, and that is without the thousands of others who work at the small and medium-sized manufacturers that supply that plant—and that is aside from the vast local economy. That figure of 1,100 at Vauxhall that the Government, and even the newscasts, keep emphasising is very much understated.
Therefore, I ask the Minister: what exactly have the Government put in place to deal with this? Clearly, the trade unions are vehemently opposed and the TUC is opposed—I had a look at the Morning Star, by the way—and I think we would all be extremely interested to know. I ask the Government to start to rethink clearly the consequences of this obsession with these targets that, in my view, are totally unrealistic and will damage the future of this country.
As I said, we will provide whatever support we can to the people affected. We are talking to Stellantis about how we can identify these individuals and what support they need, and we stand ready with the Department for Work and Pensions to provide accelerated support and help to them. I challenge the noble Baroness’s concern that we should step back from our progress on rolling out electric vehicles, which is part of our net-zero ambitions. I think everybody understands the need for us to meet our net-zero ambitions, which are very important for this country and our climate but also for delivering green jobs for the future.
As we set out in the manifesto, we will support the transition to electric vehicles by accelerating the rollout of, for example, charge points. That ambition was supported in the Budget and was confirmed with £200 million for an accelerated charge point rollout next year. We are working closely with industry stakeholders to promote positive messages around electric vehicles and improve consumer confidence in the public charging network, so there is a lot that we can do to carry on promoting the use of electric vehicles.
Those who have electric vehicles respond with a very positive view of their ownership, so they are popular when people purchase them; we just have to persuade people to make that transition when they purchase new vehicles. As I say, that is important for our climate change ambitions and for jobs in the future. We believe there will be more jobs in future based on the rollout of electric vehicles.
I thank my noble friend the Minister for the Statement. This must go down as one of the more difficult jobs that any Minister has to do in any circumstances, so I thank her for the clarity of her replies so far.
My sympathies go to the families of the direct and indirect workers, the shopkeepers and all those members of the community who are always affected by these closures or proposed closures. As I come from a family where most of them worked in manufacturing, we have had that experience. That was in the Midlands, not Luton.
This all brought to mind my noble friend the late Lord McKenzie of Luton, the amount of work that he did to improve the prosperity of Luton and how he would be feeling today and fighting for that community. Can my noble friend the Minister say a little more about the efforts to find jobs and improve the prospects of transfer for those workers who are directly affected?
We know this is a global issue; there is no point in pretending otherwise. When some of us who were members of the EU Internal Market Sub-Committee and then the EU Services Sub-Committee visited various research plants, they showed us the exciting developments that were taking place in car manufacturing. If only we were a bit quicker at developing research into practical production. That is a failure that this country has experienced for a long time. The work and the knowledge are there, and the Minister has indicated that we are further supporting that research. Will she confirm that? There was an implication by the Opposition Front Bench spokesperson that Stellantis was abandoning production. Can she confirm that Stellantis is developing production at Ellesmere Port and that it has not abandoned manufacturing in this country?
One issue where politics and government come in is in the provision of consistency. One of the difficulties that manufacturing has had over the years is that Governments do not provide consistency and long-term objectives. Can my noble friend the Minister assure the House that there will be consistent government policies rather than chopping and changing, so that industry and manufacturers know where they stand for years to come?
My noble friend rightly reminds us of the fantastic contribution that Lord McKenzie made to this House. I am sorry that he might be looking down and hearing these messages from us, because I know how passionate he was about his town.
My noble friend makes a point about consistent policies. We have learned over many years that industry responds to consistent policies and consistent targets, and it is important that we maintain that. That is why I made it clear that we are still pursuing, and are determined to deliver, our targets for net zero and the contribution that the rollout of electric vehicles will ultimately make to that. That is an important message. We are hearing from the automotive industry, among others, that it wants those consistent policies; as my noble friend says, it does not want us to chop and change, which is not helpful to anyone. The industry makes long-term investment decisions, and we have to support it in that.
On the jobs, the announcement from Stellantis has been relatively recent and we had hoped we would not have to hear that message from it, so we are still in active talks with it and are continuing to talk about the full implications of who will be affected. We will continue to work closely with it and the trade unions and the council on the next steps of its proposals. It is early days, but we are actively pursuing this issue and we take to heart the fact that we need to protect those workers and their future in whatever way we can.
My noble friend mentioned funding. I think I mentioned that we already committed in the Budget to a multiyear funding commitment to the automotive sector, with long-term funding of over £2 billion of capital and R&D funding to 2030 for zero-emission vehicle manufacturers and their supply chains, so we are putting in the money to support that investment. We have a proud history in all this of being at the forefront of R&D, and it is important that we capitalise on that R&D investment.
In the intermediate term, the Department for Work and Pensions is ready to support anyone affected by the decision. It has a rapid response service that is designed to support and advise both employers and their employees when faced with redundancies. Affected employees will be able to access our broad range of support, including universal credit and the new-style jobseekers’ allowance, as well as, perhaps more importantly, access to tools and support to find new jobs in the area. Our priority is to find those people new jobs in the sector.
My Lords, the SMMT says that EV sales overall fell by 30% last month compared with October 2023. This is clearly a critical time in the industry. My noble friend has explained many of the problems facing the UK auto industry, most of them a direct result of the previous Government’s dysfunctional policies, but the Statement emphasises the amount of work that has been going on, which makes the point that the Government were fully aware of the critical condition of the automotive industry. I am therefore concerned that the Government are announcing yet another consultation. They have emphasised how closely they are working with the industry, so they know the problems. They have identified the problems with current policy, and it is essential that action takes place now. Why are we having another time-wasting consultation when the Government tell us they know all the problems?
As the noble Baroness has said, the problems at Stellantis are due to a variety of factors that have impacted its business across the whole of Europe, not just to do with electric vehicles.
On consultation, the Government’s intention is not to have what we would see as a normal, traditional consultation; this is going to be a quickfire consultation to get everyone around the table quickly to understand what needs to be done. I reassure the noble Baroness that we are not pushing this into a long-term period of time. I anticipate that it will be in the form of round tables and quickly getting all the issues on to the table so that we can begin to address them.
We will look at some of the wider problems that are affecting the industry but also at the impact that the zero-emission vehicle mandate is having. If there are adjustments that we need to make, we can look at them in the rollout of that mandate, but we need to be clear, as I said earlier, that the endpoint is that we need to have clean transport in the future.
(1 month ago)
Lords ChamberThat the draft order and regulations laid before the House on 15, 17 and 24 October be approved. Considered in Grand Committee on 18 November.
(1 month ago)
Lords ChamberThat the Bill be now read a second time.
Relevant document: 3rd Report from the Constitution Committee. Scottish, Welsh and Northern Ireland Legislative Consent sought.
My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day.
We can do much more to drive productivity through data. That is why the Government are presenting the Data (Use and Access) Bill today, to harness the power of data to drive economic growth, support modern digital government and improve people’s lives. The Bill is forecast to generate £10 billion over 10 years, to underpin the Prime Minister’s missions and to fulfil several manifesto commitments; most importantly, it will help everyday processes for people, business and our public services.
The Bill has eight parts, which I will speak to in order. Before I start, I recognise that noble Lords have debated data legislation over a number of years, and many measures in the Bill will be familiar to them, as they are to me. I pay particular tribute to the noble Viscount, Lord Camrose, for his work on these measures in the past. That said, the Government and I have carefully considered the measures to be taken forward in this Bill, and noble Lords will notice several important changes that make the Bill more focused, more balanced and better able to achieve its objectives.
The first three parts are focused on growing the economy. First, we will create the right conditions to set up future smart data schemes. These models allow consumers and businesses to safely share information about themselves with authorised third parties, which can then in turn offer innovative uses, such as personalised market comparisons and financial advice. This measure, which is also a manifesto commitment, will cut costs, give people greater consumer choice and deliver economic benefit. In September this year, more than 11 million people—one in six of the UK population—were already making use of open banking services.
In Part 2, the Bill will legislate on digital verification services, meaning that organisations will be able to receive a trust mark if they are approved as meeting the stringent requirements in the trust framework and appear on the government register. As well as increasing trust in the market, these efficiency gains are expected to boost the UK economy by £4.3 billion over the next decade by doing things such as reducing the time spent completing checks to hire new workers from days to minutes.
Part 3, on the national underground asset register, or NUAR, will place this comprehensive digital map of the underground pipes and cables on a statutory footing. The measures mandate that owners of underground infrastructure, such as water companies or telecoms operators, register their assets on NUAR. This will deliver more than £400 million per year through more efficient data sharing, reduced accidents and delays, and improved worker safety. The proposed measures will also allow this data to be used for additional prescribed use cases, such as improved street work co-ordination, where commercial and national security considerations allow.
Part 4 relates to the format of the registers of births and deaths, allowing for the first time the possibility of digital registration.
Part 5 is specifically about data protection and privacy, although I stress that this Government are committed to the strongest data privacy protections throughout the Bill. This part of the Bill is the one that the Government and I have most thoroughly revisited. Our objective has been to address the current lack of clarity that impedes the safe development and responsible deployment of new technologies.
We have removed previous measures watering down the accountability framework, along with other measures that risked protections. Since the Bill’s introduction I have spoken to members of industry, civil society and the research community about this, as well as some noble Lords here today, and I am glad to note that these changes have been broadly welcomed. In this context, I would like to say something about AI, which will undoubtedly have a vital role to play in growing the UK’s economy and transforming its public services. This will include the responsible and safe use of solely automated decision-making. However, the rules in Article 22 of the UK GDPR are unclear, which holds us back. Organisations are not confident about when they can make solely automated decisions, nor about what safeguards apply and when. We suffer when this leads to hollow attempts at token human involvement to try to move the goalposts.
The Bill will fix these issues. It writes the safeguards much more clearly. You will have the right to be told about a decision, the right to human intervention, and the right to make representations about it. It specifically provides that human involvement must be meaningful or else it does not count. This—alongside clearer safeguards, the restored accountability framework, and a modernised information commission—will help us strike the right balance between the benefits of this technology being available in more circumstances, and public trust and protection.
Part 6 is on the regulator: the new information commission. This is a new-look regulator—modernised, with clear strategic direction and stronger powers, and still independent. We will bring the information commission in line with regulatory best practice, increase accountability, and enable greater transparency for organisations and the public. It will be empowered to engage effectively with the increasingly complex opportunities and challenges we see in the use of personal data, as well as to ensure high data protection standards and increased public trust.
The Government have worked closely with the ICO on these reforms, and the commissioner noted in his response to the Bill that these changes
“will significantly improve the ICO’s ability to function effectively”
and the
“refreshed governance arrangements will maintain our independence and enhance our accountability”.
Part 7 includes other provisions about the use of or access to data. Clauses on NHS information standards will create consistency across IT systems to enable data sharing. This is a positive step in driving up efficiency in our NHS and will save 140,000 hours of staff time a year. These measures will also improve patient safety; for example, by allowing authorised medical staff to access patient data to provide care in emergencies.
There is a new, fairly technical measure on smart meters, which will provide the Gas and Electricity Markets Authority with flexibility to determine the best process to follow in appointing the successor smart meter communication licensee. These clauses will ensure that the authority is able to appoint a successor in a timely and efficient way that is in the best interests of energy consumers.
Part 7 also includes measures on online safety research, laying the groundwork for crucial research into online harms to help us learn and adapt, to keep the internet safe. This is in addition to measures on data preservation notices to help coroners, or procurators fiscal in Scotland, investigate how online platform use may have had a contributing effect in the tragic death of a child. I thank the noble Lord, Lord Bethell, and the noble Baroness, Lady Kidron, for their campaigning on these important issues, which we supported in opposition. I am pleased to be able to deliver these measures early in the new Parliament.
Finally, Part 8 includes standard final provisions.
As noble Lords can probably tell from the length of that list, this is quite a wide-ranging Bill. However, I hope they will agree that the focus—on growing the economy, supporting modern, digital government, and improving lives—is a lot clearer. In summary, I have three main points to encourage the swift passage of the Bill through the House.
First, I have worked very closely with noble Lords across the House on a number of these measures over the years. I am glad to have been able to make the necessary changes to the legislation in response to our shared concerns. Secondly, we are very keen to implement these changes as soon as possible for our stakeholders—the ICO, business, and the research community, to name but a few—which have all been waiting patiently to see the benefits these reforms will bring. Thirdly and most importantly, the measures in the Bill will make a material, positive difference to people’s lives.
I hope noble Lords will work with me to pass the Bill and ensure that these reforms can bring real benefits to our economy and public services and the UK public. I beg to move.
My Lords, I thank all noble Lords for what has genuinely been a fascinating, very insightful debate. Even though I was part, I think, of my noble friend Lord Stevenson’s gang that has been working on this for some time, one learns new things, and I have learned new things again today about some of the issues that are challenging us. So I thank noble Lords for their contributions this evening, and I am very pleased to hear that a number of noble Lords have welcomed the Government’s main approach to the Bill, though of course beyond that there are areas where our concerns will diverge and, I am sure, be subject to further debate. I will try to clarify the Government’s thinking. I am sure noble Lords will understand, because we have had a very wide-ranging discussion, that if I am not able to cover all points, I will follow those up in writing.
I shall start with smart data. As was raised by my noble friend Lord Knight of Weymouth, and other noble Lords, the Government are keen to establish a smart data economy that brings benefits to consumers across all sectors.
Through the Smart Data Council, the Government are working closely to identify areas where smart data schemes might be able to bring more benefits. I think the point was made that we are perhaps not using it sufficiently at the moment. The Government intend to communicate where and in what ways smart data schemes can support innovation and growth and empower customers across a spectrum of markets—so there is more work to be done on that, for sure. These areas include providing the legislative basis for the fuel finder service announced by the Department for Energy Security and Net Zero, and supporting an upcoming call for evidence on the smart data scheme for the energy sector. Last week, the Government set out their priorities for the future of open banking in the national payments vision, which will pave the way for the UK to lead in open finance.
I turn now to digital identity, as raised by the noble Earl, Lord Erroll, and a number of other noble Lords. The measures in the Bill aim to help people and businesses across Britain to use innovative digital identity technologies and to realise their benefits with confidence. As the noble Lord, Lord Arbuthnot, said, the Bill does not make digital identities mandatory. The Bill will create a legislative structure of standards, governance and oversight for digital verification services that wish to appear on a government register, so that people will know what a good digital identity looks like. It is worth saying that a lot of these digital verification schemes already exist; we are trying to make sure that they are properly registered and have oversight. People need to know what a good digital identity looks like.
The noble Lord, Lord Arbuthnot, raised points about Sex Matters. Digital verification services can be used to prove sex or gender in the same way that individuals can already prove their sex using their passport, for example. Regarding the concerns of the noble Lord, Lord Vaux, about the inclusion of non-digital identity, the Government are clear that people who do not want to use digital identity or the digital verification services can continue to access services and live their daily lives referring to paper documents when they need to. Where people want to use more technology and feel left behind, DSIT is working hard to co-ordinate government work on digital inclusion. This is a high priority for the Government, and we hope to come back with further information on that very soon.
The Office for Digital Identities and Attributes has today published its first digital identity inclusion monitoring report. The results show a broadly positive picture of inclusion at this early stage of the markets, and its findings will inform future policy interventions.
I would like to reassure the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, that NUAR takes advantage of the latest technologies to ensure that data is accessed only for approved purposes, with all access audited. It also includes controls, developed in collaboration with the National Protective Security Authority, the National Cyber Security Centre and the security teams of asset owners themselves.
We had a very wide-ranging debate on data protection issues, and I thank noble Lords for their support for our changes to this legislation. The noble Viscount, Lord Camrose, and others mentioned delegated powers. The Government have carefully considered each delegated power and the associated parliamentary procedure and believe that each is proportionate. The detail of our rationale is set out in our delegated powers memorandum.
Regarding the concerns of the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, about the effect of the legislation on SMEs, we believe that small businesses would have struggled with the lack of clarity in the term “high-risk processing activities” in the previous Bill, which could have created more burdens for SMEs. We would prefer to focus on how small businesses can be supported to comply with the current legislation, including through user-friendly guidance on the ICO’s small business portal.
Many noble Lords, including the noble Viscount, Lord Camrose, the noble and learned Lord, Lord Thomas, and the noble Lord, Lord Vaux, raised EU adequacy. The UK Government recognise the importance of retaining our personal data adequacy decisions from the EU. I reassure the noble Lord, Lord Vaux, and my noble friend Lord Bassam that Ministers are already engaging with the European Commission, and officials will actively support the EU’s review process in advance of the renewal deadline next year. The free flow of personal data between the UK and the EU is one of the underpinning actions that enables research and innovation, supports the improvement of public services and keeps people safe. I join the noble Lord, Lord Vaux, in thanking the European Affairs Committee for its work on the matter. I can reassure him and the committee that the Secretary of State will respond within the required timeframe.
The noble Lord, Lord Bethell, and others raised international data transfers. Controllers and processors must take reasonable and proportionate steps to satisfy themselves that, after the international transfer, the level of protection for the data subject will be “not materially lower” than under UK data protection law. The Government take their responsibility seriously to ensure that data and its supporting infrastructure are secure and resilient.
On the question from the noble Viscount, Lord Colville, about the new recognised legitimate interest lawful ground, the entire point of the new lawful ground is to provide more legal certainty for data controllers that they are permitted to process personal data for the activities mentioned in new Annexe 1 to the UK GDPR. However, the processing must still be necessary and proportionate and meet all other UK GDPR requirements. That includes the general data protection principles in Article 5 of the UK GDPR, and the safeguards in relation to the processing of special category data in Article 9.
The Bill has significantly tightened up on the regulation-making power associated with this clause. The only processing activities that can be added to the list of recognised legitimate interests are those that serve the objectives of public interest, as described in Article 23(1) of the UK GDPR. The Secretary of State would also have to have regard to people’s rights and the fact that children may be less aware of the risks and consequences of the processing of their data before adding new activities to the list.
My noble friends Lord Davies of Brixton and Lord Stevenson of Balama—do you know, I have never had to pronounce his full name—Balmacara, raised NHS data. These clauses are intended to ensure that IT providers comply with relevant information standards in relation to IT use for health and adult social care, so that, where data is shared, it can be done in an easier, faster and cheaper way. Information standards create binding rules to standardise the processing of data where it is otherwise lawful to process that data. They do not alter the legal obligations that apply in relation to decisions about whether to share data. Neither the Department of Health and Social Care nor the NHS sells data or provides it for purely commercial purposes such as insurance or marketing purposes.
With regard to data assets, as raised by the noble Baroness, Lady Kidron, and my noble friend Lord Knight of Weymouth, the Government recognise that data is indeed one of the most valuable assets. It has the potential to transform public services and drive cutting-edge innovation. The national data library will unlock the value of public data assets. It will provide simple, secure and ethical access to our key public data assets for researchers, policymakers and businesses, including those at the frontier of AI development, and make it easier to find, discover and make connections across those different databases. It will sit at the heart of an ambitious programme of reform that delivers the incentives, investment and leadership needed to secure the full benefits for people and the economy.
The Government are currently undertaking work to design the national data library. In its design, we want to explore the best models of access so that public sector data benefits our society, much in the way that the noble Baroness, Lady Kidron, outlined. So, decisions on its design and implementation will be taken in due course.
Regarding the concerns of the noble Lord, Lord Markham, about cybersecurity, as announced in the King’s Speech, the Government will bring forward a cybersecurity and resilience Bill this Session. The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected.
The noble Baroness, Lady Kidron, the noble Viscount, Lord Colville, and my noble friend Lord Stevenson of Balmacara, asked about the Government’s plans to regulate AI and the timing of this legislation. As set out in the King’s Speech, the Government are committed to establishing appropriate legislation for companies developing the most powerful AI systems. The Government will work with industry, civil society and experts across the UK before legislation is drawn up. I look forward to updating the House on these proposals in due course. In addition, the AI opportunities action plan will set out a road map for government to capture the opportunities of AI to enhance growth and productivity and create tangible benefits for UK citizens.
Regarding data scraping, as raised by the noble Baroness, Lady Kidron, the noble Viscount, Lord Colville of Culross, and others, although it is not explicitly addressed in the data protection legislation, any such activity involving personal data would require compliance with the data protection framework, especially that the use of data must be fair, lawful and transparent.
A number of noble Lords talked about AI in the creative industries, particularly the noble Lords, Lord Holmes and Lord Freyberg—
I am sorry to interrupt what is a very fluent and comprehensive response. I do not want to break the thread, but can I press the Minister a little bit on those companies whose information which is their intellectual property is scraped? How will that be resolved? I did not pick up from what the Minister said that there was going to be any action by the Government. Are we left where we are? Is it up to those who feel that their rights are being taken away or that their data has been stolen to raise appropriate action in the courts?
I was going to come on to some of those issues. Noble Lords talked about AI in the creative industries, which I think my noble friend is particularly concerned about. The Government are working hard on this and are developing an effective approach that meets the needs of the UK. We will announce more details in due course. We are working closely with relevant stakeholders and international partners to understand views across the creative sector and AI sectors. Does that answer my noble friend’s point?
With respect, it is the narrow question that a number of us have raised. Training the new AI systems is entirely dependent on them being fed vast amounts of material which they can absorb, process and reshape in order to answer questions that are asked of them. That information is to all intents and purposes somebody else’s property. What will happen to resolve the barrier? At the moment, they are not paying for it but just taking it—scraping it.
Perhaps I may come in too. Specifically, how does the data protection framework change it? We have had the ICO suggesting that the current framework works perfectly well and that it is the responsibility of the scrapers to let the IP holders know, while the IP holders have not a clue that it is being scraped. It is already scraped and there is no mechanism. I think we are a little confused about what the plan is.
I can certainly write to noble Lords setting out more details on this. I said in response to an Oral Question a few days ago that my honourable friend Minister Clark in DSIT and Chris Bryant, whom the noble Lord, Lord Russell, mentioned, are working jointly on this. They are looking at a proposal that can come forward on intellectual property in more detail. I hope that I can write to noble Lords and set out more detail on that.
On the question of the Horizon scandal and the validity of computers, raised, quite rightly, by the noble Lords, Lord Arbuthnot and Lord Holmes, and the noble Baroness, Lady Kidron, I think we all understand that the Horizon scandal was a terrible miscarriage of justice, and the convictions of postmasters who were wrongly convicted have been rightly overturned. Those Post Office prosecutions relied on assertions that the Horizon system was accurate and reliable, which the Post Office knew to be wrong. This was supported by expert evidence, which it knew to be misleading. The issue was not, therefore, purely about the reliability of the computer-generated evidence. Almost all criminal cases rely to some extent on computer evidence, so the implications of amending the law in this area are far- reaching, a point made by several noble Lords. The Government are aware that this is an issue, are considering this matter very carefully and will announce next steps in due course.
Many noble Lords, including the noble Lords, Lord Clement-Jones, Lord Vaux and Lord Holmes of Richmond, and the noble and learned Lord, Lord Thomas, raised automated decision-making. I noted in my opening speech how the restored accountability framework gives us greater confidence in ADM, so I will not go over that again in detail. But to explain the Bill’s drafting, I want to reassure and clarify for noble Lords that the Bill means that the organisation must first inform individuals if a legal or significant decision has been taken in relation to them based solely on automated processing, and then they must give individuals the opportunity to challenge such decisions, obtain human intervention for them and make representations about them to the controller.
The regulation-making powers will future-proof the ADM reforms in the Bill, ensuring that the Government will have the powers to bring greater legal certainty, where necessary and proportionate, in the light of constantly evolving technology. I reiterate that there will be the right to human intervention, and it will be on a personal basis.
The noble Baroness, Lady Kidron, and the noble Lords, Lord Russell of Liverpool and Lord Clement-Jones, raised concerns about edtech. The Government recognise that concerns have been raised about the amount of personal data collected by education technology used in schools, and whether this is fully transparent to children and parents. The Department for Education is committed to improving guidance and support for schools to help them better navigate this market. For example, its Get Help with Data Protection in Schools project has been established to help schools develop guidance and tools to help them both understand and comply with data protection legislation. Separately, the ICO has carried out a series of audits on edtech service providers, assessing privacy risks and potential non-compliance with data protection regulations in the development, deployment and use of edtech solutions in schools.
The creation of child sexual abuse material, CSAM, through all mediums including AI—offline or online—is and continues to be illegal. This is a forefront priority for this Government and we are considering all levers that can be utilised to fight child sexual abuse. Responsibility for the law in this area rests with the Home Office; I know it is actively and sympathetically looking at this matter and I understand that my colleague the Safeguarding Minister will be in touch with the noble Baroness, Lady Kidron, and the noble Lord, Lord Bethell, ahead of Committee.
I can see that I am running out of time so, rather than testing noble Lords’ patience, will draw my comments to a close. I have not picked up all the comments that colleagues made, but I thank everybody for their excellent contributions. This is the beginning of a much longer conversation, which I am very much looking forward to, as I am to hearing all those who promised to participate in Committee. I am sure we will have a rich and interesting discussion then.
I hope I have persuaded some noble Lords that the Bill is not only wide ranging but has a clear and simple focus, which is about growing the economy, creating a modern, digital government and, most importantly, improving people’s lives, which will be underpinned by robust personal data protection. I will not say any more at this stage. We will follow up but, in the meantime, I beg to move.
That the Bill be committed to a Grand Committee, and that it be an instruction to the Grand Committee that they consider the Bill in the following order: Clauses 1 to 56, Schedule 1, Clauses 57 and 58, Schedule 2, Clauses 59 to 65, Schedule 3, Clauses 66 to 70, Schedule 4, Clause 71, Schedule 5, Clauses 72 to 80, Schedule 6, Clauses 81 to 84, Schedules 7 to 9, Clauses 85 to 102, Schedule 10, Clauses 103 to 107, Schedule 11, Clauses 108 to 111, Schedule 12, Clauses 112 and 113, Schedule 13, Clauses 114 and 115, Schedule 14, Clauses 116 to 119, Schedule 15, Clause 120, Schedule 16, Clauses 121 to 138, Title.
(1 month ago)
Lords ChamberThat the draft Regulations laid before the House on 9 October be approved.
Relevant document: 4th Report from the Secondary Legislation Scrutiny Committee. Considered in Grand Committee on 11 November.