Data (Use and Access) Bill [HL]
Debate between Baroness Jones of Whitchurch and Lord Stevenson of BalmacaraMonday 16th December 2024
(1 month, 1 week ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-III(a) Amendments for Grand Committee (Supplementary to the Third Marshalled List) - (13 Dec 2024)
Lord Stevenson of Balmacara (Lab)
I wanted to rise to my feet in time to stop the noble Viscount leaping forward as he gets more and more excited as we reach—I hope—possibly the last few minutes of this debate. I am freezing to death here.
I wish only to add my support to the points of the noble Baroness, Lady Kidron, on Amendment 145. It is much overused saw, but if it is not measured, it will not get reported.
Baroness Jones of Whitchurch (Lab)
My Lords, I thank noble Lords for their consideration of the issues before us in this group. I begin with Amendment 134 from the noble Lord, Lord Clement-Jones. I can confirm that the primary duty of the commissioner will be to uphold the principal objective: securing an appropriate level of data protection, carrying out the crucial balancing test between the interests of data subjects, controllers and wider public interests, and promoting public trust and confidence in the use of personal data.
The other duties sit below this objective and do not compete with it—they do not come at the expense of upholding data protection standards. The commissioner will have to consider these duties in his work but will have discretion as to their application. Moreover, the new objectives inserted by the amendment concerning monitoring, enforcement and complaints are already covered by legislation.
I thank the noble Lord, Lord Lucas for Amendment 135A. The amendment was a previous feature of the DPDI Bill but the Government decided that a statement of strategic priorities for the ICO in this Bill is not necessary. The Government will of course continue to set out their priorities in relation to data protection and other related areas and discuss them with the Information Commissioner as appropriate.
Amendment 142 from the noble Viscount, Lord Camrose, would remove the ICO’s ability to serve notices by email. We would argue that email is a fast, accessible and inexpensive method for issuing notices. I can reassure noble Lords that the ICO can serve a notice via email only if it is sent to an email address published by the recipient or where the ICO has reasonable grounds to believe that the notice will come to the attention of the person, significantly reducing the risk that emails may be missed or sent to the wrong address.
Regarding the noble Viscount’s Amendment 143, the assumption that an email notice will be received in 48 hours is reasonable and equivalent to the respective legislation of other regulators, such as the CMA and Ofcom.
I thank the noble Lord, Lord Clement-Jones, for Amendment 144 concerning the ICO’s use of reprimands. The regulator does not commonly issue multiple reprimands to the same organisation. But it is important that the ICO, as an independent regulator, has the discretion and flexibility in instances where there may be a legitimate need to issue multiple reprimands within a particular period without placing arbitrary limits on that.
Turning to Amendment 144A, the new requirements in Clause 101 will already lead to the publication of an annual report, which will include the regulator’s investigation and enforcement activity. Reporting will be categorised to ensure that where the detail of cases is not public, commercially sensitive investigations are not inadvertently shared. Splitting out reporting by country or locality would make it more difficult to protect sensitive data.
Turning to Amendment 145, with thanks to the noble Baroness, Lady Kidron, I agree with the importance of ensuring that the regulator can be held to account on this issue effectively. The new annual report in Clause 101 will cover all the ICO’s regulatory activity, including that taken to uphold the rights of children. Clause 90 also requires the ICO to publish a strategy and report on how it has complied with its new statutory duties. Both of these will cover the new duty relating to children’s awareness and rights, and this should include the ICO’s activity to support and uphold its important age-appropriate design code.
I thank the noble Lord, Lord Clement-Jones, for Amendments 163 to 192 to Schedule 14, which establishes the governance structure of the information commission. The approach, including the responsibilities conferred on the Secretary of State, at the core of the amendments follows standard corporate governance best practice and reflects the Government’s commitment to safeguarding the independence of the regulator. This includes requiring the Secretary of State to consult the chair of the information commission before making appointments of non-executive members.
Amendments 165 and 167A would require members of the commission to be appointed to oversee specific tasks and to be from prescribed fields of expertise. Due to the commission’s broad regulatory remit, the Government consider that it would not be appropriate or helpful for the legislation to set out specific areas that should receive prominence over others. The Government are confident that the Bill will ensure that the commission has the right expertise on its board. Our approach safeguards the integrity and independence of the regulator, draws clearly on established precedent and provides appropriate oversight of its activities.
Finally, Clauses 91 and 92 were designed to ensure that the ICO’s statutory codes are consistent in their development, informed by relevant expertise and take account of their impact on those likely to be affected by them. They also ensure that codes required by the Secretary of State have the same legal effect as pre-existing codes published under the Data Protection Act.
Considering the explanations I have offered, I hope that the noble Lords, Lord Clement-Jones and Lord Lucas, the noble Viscount, Lord Camrose, and the noble Baroness, Lady Kidron, will agree not to press their amendments.
Data (Use and Access) Bill [HL]
Debate between Baroness Jones of Whitchurch and Lord Stevenson of BalmacaraTuesday 10th December 2024
(1 month, 2 weeks ago)
Grand CommitteeRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-II(a) Amendment for Grand Committee (Supplementary to the Second Marshalled List) - (9 Dec 2024)
Baroness Jones of Whitchurch (Lab)
To be on the safe side, I will write to the noble Baroness. We feel that other bits in the provisions of the Bill cover the other aspects but, just to be clear on it, I will write to her. On Amendment 196 and the Online Safety Act—
Lord Stevenson of Balmacara (Lab)
I am sorry to interrupt but I am slightly puzzled by the way in which that exchange just happened. I take it from what the Minister is saying that there is no dissent, in her and the Bill team’s thinking, about children’s rights having to be given the correct priority, but she feels that the current drafting is better than what is now proposed because it does not deflect from the broader issues that she has adhered to. She has fallen into the trap, which I thought she never would do, of blaming unintended consequences; I am sure that she will want to rethink that before she comes back to the Dispatch Box.
Surely the point being made here is about the absolute need to make sure that children’s rights never get taken down because of the consideration of other requirements. They are on their own, separate and not to be mixed up with those considerations that are truly right for the commissioner—and the ICO, in its new form—to take but which should never deflect from the way children are protected. If the Minister agrees with that, could she not see some way of reaching out to be a bit closer to where the noble Baroness, Lady Kidron, is?
Baroness Jones of Whitchurch (Lab)
I absolutely recognise the importance of the issues being raised here, which is why I think I really should write: I want to make sure that whatever I say is properly recorded and that we can all go on to debate it further. I am not trying to duck the issue; this issue is just too important for me to give an off-the-cuff response on it. I am sure that we will have further discussions on this. As I say, let me put it in writing, and we can pick that up. Certainly, as I said at the beginning, our intention was to enhance children’s protection rather than deflect from it.
Moving on to Amendment 196, I thank the noble Lord, Lord Clement-Jones, and other noble Lords for raising this important issue and seeking clarity on how the provision relates to the categorisation of services in the Online Safety Act. These categories are, however, not directly related to Clause 122 of this Bill as a data preservation notice can be issued to any service provider regulated in the Online Safety Act, regardless of categorisation. A list of the relevant persons is provided in paragraphs (a) to (e) of Section 100(5) of the Act; it includes any user-to-user service, search service and ancillary service.
I absolutely understand noble Lords saying that these things should cross-reference in some way but, as far we are concerned, they complement each other, and that protection is currently in the Online Safety Act. As I said, I will write to noble Lords and am happy to meet if that would be helpful. In the meantime, I hope that the explanations I have given are sufficient grounds for noble Lords not to press their amendments at this stage.
Data (Use and Access) Bill [HL]
Debate between Baroness Jones of Whitchurch and Lord Stevenson of BalmacaraTuesday 19th November 2024
(2 months, 1 week ago)
Lords ChamberRead Full debate Data (Use and Access) Bill [HL] 2024-26 View all Data (Use and Access) Bill [HL] 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts
Baroness Jones of Whitchurch (Lab)
My Lords, I thank all noble Lords for what has genuinely been a fascinating, very insightful debate. Even though I was part, I think, of my noble friend Lord Stevenson’s gang that has been working on this for some time, one learns new things, and I have learned new things again today about some of the issues that are challenging us. So I thank noble Lords for their contributions this evening, and I am very pleased to hear that a number of noble Lords have welcomed the Government’s main approach to the Bill, though of course beyond that there are areas where our concerns will diverge and, I am sure, be subject to further debate. I will try to clarify the Government’s thinking. I am sure noble Lords will understand, because we have had a very wide-ranging discussion, that if I am not able to cover all points, I will follow those up in writing.
I shall start with smart data. As was raised by my noble friend Lord Knight of Weymouth, and other noble Lords, the Government are keen to establish a smart data economy that brings benefits to consumers across all sectors.
Through the Smart Data Council, the Government are working closely to identify areas where smart data schemes might be able to bring more benefits. I think the point was made that we are perhaps not using it sufficiently at the moment. The Government intend to communicate where and in what ways smart data schemes can support innovation and growth and empower customers across a spectrum of markets—so there is more work to be done on that, for sure. These areas include providing the legislative basis for the fuel finder service announced by the Department for Energy Security and Net Zero, and supporting an upcoming call for evidence on the smart data scheme for the energy sector. Last week, the Government set out their priorities for the future of open banking in the national payments vision, which will pave the way for the UK to lead in open finance.
I turn now to digital identity, as raised by the noble Earl, Lord Erroll, and a number of other noble Lords. The measures in the Bill aim to help people and businesses across Britain to use innovative digital identity technologies and to realise their benefits with confidence. As the noble Lord, Lord Arbuthnot, said, the Bill does not make digital identities mandatory. The Bill will create a legislative structure of standards, governance and oversight for digital verification services that wish to appear on a government register, so that people will know what a good digital identity looks like. It is worth saying that a lot of these digital verification schemes already exist; we are trying to make sure that they are properly registered and have oversight. People need to know what a good digital identity looks like.
The noble Lord, Lord Arbuthnot, raised points about Sex Matters. Digital verification services can be used to prove sex or gender in the same way that individuals can already prove their sex using their passport, for example. Regarding the concerns of the noble Lord, Lord Vaux, about the inclusion of non-digital identity, the Government are clear that people who do not want to use digital identity or the digital verification services can continue to access services and live their daily lives referring to paper documents when they need to. Where people want to use more technology and feel left behind, DSIT is working hard to co-ordinate government work on digital inclusion. This is a high priority for the Government, and we hope to come back with further information on that very soon.
The Office for Digital Identities and Attributes has today published its first digital identity inclusion monitoring report. The results show a broadly positive picture of inclusion at this early stage of the markets, and its findings will inform future policy interventions.
I would like to reassure the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, that NUAR takes advantage of the latest technologies to ensure that data is accessed only for approved purposes, with all access audited. It also includes controls, developed in collaboration with the National Protective Security Authority, the National Cyber Security Centre and the security teams of asset owners themselves.
We had a very wide-ranging debate on data protection issues, and I thank noble Lords for their support for our changes to this legislation. The noble Viscount, Lord Camrose, and others mentioned delegated powers. The Government have carefully considered each delegated power and the associated parliamentary procedure and believe that each is proportionate. The detail of our rationale is set out in our delegated powers memorandum.
Regarding the concerns of the noble Lord, Lord Markham, and the noble Viscount, Lord Camrose, about the effect of the legislation on SMEs, we believe that small businesses would have struggled with the lack of clarity in the term “high-risk processing activities” in the previous Bill, which could have created more burdens for SMEs. We would prefer to focus on how small businesses can be supported to comply with the current legislation, including through user-friendly guidance on the ICO’s small business portal.
Many noble Lords, including the noble Viscount, Lord Camrose, the noble and learned Lord, Lord Thomas, and the noble Lord, Lord Vaux, raised EU adequacy. The UK Government recognise the importance of retaining our personal data adequacy decisions from the EU. I reassure the noble Lord, Lord Vaux, and my noble friend Lord Bassam that Ministers are already engaging with the European Commission, and officials will actively support the EU’s review process in advance of the renewal deadline next year. The free flow of personal data between the UK and the EU is one of the underpinning actions that enables research and innovation, supports the improvement of public services and keeps people safe. I join the noble Lord, Lord Vaux, in thanking the European Affairs Committee for its work on the matter. I can reassure him and the committee that the Secretary of State will respond within the required timeframe.
The noble Lord, Lord Bethell, and others raised international data transfers. Controllers and processors must take reasonable and proportionate steps to satisfy themselves that, after the international transfer, the level of protection for the data subject will be “not materially lower” than under UK data protection law. The Government take their responsibility seriously to ensure that data and its supporting infrastructure are secure and resilient.
On the question from the noble Viscount, Lord Colville, about the new recognised legitimate interest lawful ground, the entire point of the new lawful ground is to provide more legal certainty for data controllers that they are permitted to process personal data for the activities mentioned in new Annexe 1 to the UK GDPR. However, the processing must still be necessary and proportionate and meet all other UK GDPR requirements. That includes the general data protection principles in Article 5 of the UK GDPR, and the safeguards in relation to the processing of special category data in Article 9.
The Bill has significantly tightened up on the regulation-making power associated with this clause. The only processing activities that can be added to the list of recognised legitimate interests are those that serve the objectives of public interest, as described in Article 23(1) of the UK GDPR. The Secretary of State would also have to have regard to people’s rights and the fact that children may be less aware of the risks and consequences of the processing of their data before adding new activities to the list.
My noble friends Lord Davies of Brixton and Lord Stevenson of Balama—do you know, I have never had to pronounce his full name—Balmacara, raised NHS data. These clauses are intended to ensure that IT providers comply with relevant information standards in relation to IT use for health and adult social care, so that, where data is shared, it can be done in an easier, faster and cheaper way. Information standards create binding rules to standardise the processing of data where it is otherwise lawful to process that data. They do not alter the legal obligations that apply in relation to decisions about whether to share data. Neither the Department of Health and Social Care nor the NHS sells data or provides it for purely commercial purposes such as insurance or marketing purposes.
With regard to data assets, as raised by the noble Baroness, Lady Kidron, and my noble friend Lord Knight of Weymouth, the Government recognise that data is indeed one of the most valuable assets. It has the potential to transform public services and drive cutting-edge innovation. The national data library will unlock the value of public data assets. It will provide simple, secure and ethical access to our key public data assets for researchers, policymakers and businesses, including those at the frontier of AI development, and make it easier to find, discover and make connections across those different databases. It will sit at the heart of an ambitious programme of reform that delivers the incentives, investment and leadership needed to secure the full benefits for people and the economy.
The Government are currently undertaking work to design the national data library. In its design, we want to explore the best models of access so that public sector data benefits our society, much in the way that the noble Baroness, Lady Kidron, outlined. So, decisions on its design and implementation will be taken in due course.
Regarding the concerns of the noble Lord, Lord Markham, about cybersecurity, as announced in the King’s Speech, the Government will bring forward a cybersecurity and resilience Bill this Session. The Bill will strengthen our defences and ensure that more essential digital services than ever before are protected.
The noble Baroness, Lady Kidron, the noble Viscount, Lord Colville, and my noble friend Lord Stevenson of Balmacara, asked about the Government’s plans to regulate AI and the timing of this legislation. As set out in the King’s Speech, the Government are committed to establishing appropriate legislation for companies developing the most powerful AI systems. The Government will work with industry, civil society and experts across the UK before legislation is drawn up. I look forward to updating the House on these proposals in due course. In addition, the AI opportunities action plan will set out a road map for government to capture the opportunities of AI to enhance growth and productivity and create tangible benefits for UK citizens.
Regarding data scraping, as raised by the noble Baroness, Lady Kidron, the noble Viscount, Lord Colville of Culross, and others, although it is not explicitly addressed in the data protection legislation, any such activity involving personal data would require compliance with the data protection framework, especially that the use of data must be fair, lawful and transparent.
A number of noble Lords talked about AI in the creative industries, particularly the noble Lords, Lord Holmes and Lord Freyberg—
Lord Stevenson of Balmacara (Lab)
I am sorry to interrupt what is a very fluent and comprehensive response. I do not want to break the thread, but can I press the Minister a little bit on those companies whose information which is their intellectual property is scraped? How will that be resolved? I did not pick up from what the Minister said that there was going to be any action by the Government. Are we left where we are? Is it up to those who feel that their rights are being taken away or that their data has been stolen to raise appropriate action in the courts?
Baroness Jones of Whitchurch (Lab)
I was going to come on to some of those issues. Noble Lords talked about AI in the creative industries, which I think my noble friend is particularly concerned about. The Government are working hard on this and are developing an effective approach that meets the needs of the UK. We will announce more details in due course. We are working closely with relevant stakeholders and international partners to understand views across the creative sector and AI sectors. Does that answer my noble friend’s point?
Lord Stevenson of Balmacara (Lab)
With respect, it is the narrow question that a number of us have raised. Training the new AI systems is entirely dependent on them being fed vast amounts of material which they can absorb, process and reshape in order to answer questions that are asked of them. That information is to all intents and purposes somebody else’s property. What will happen to resolve the barrier? At the moment, they are not paying for it but just taking it—scraping it.
Baroness Kidron (CB)
Perhaps I may come in too. Specifically, how does the data protection framework change it? We have had the ICO suggesting that the current framework works perfectly well and that it is the responsibility of the scrapers to let the IP holders know, while the IP holders have not a clue that it is being scraped. It is already scraped and there is no mechanism. I think we are a little confused about what the plan is.
Social Media: Catfishing
Debate between Baroness Jones of Whitchurch and Lord Stevenson of Balmacara(2 months, 4 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Jones of Whitchurch (Lab)
Ofcom published its latest vision of the media literacy strategy just a couple of months ago, so its implementation is very much in its infancy. The Government very much support it and we will work with Ofcom very closely to roll it out. So Ofcom has a comprehensive media literacy strategy on these issues, but as we all know, schools have to play their part as well: it has to be part of the curriculum. We need to make sure that children are kept safe in that way.
The noble Viscount referred to AI. The rules we have—the Online Safety Act and so on—are tech-neutral in the sense that, even if an image is AI generated, it would still fall foul of that Act; it does not matter whether it is real or someone has created it. Also, action should be taken by the social media companies to take down those images.
Lord Stevenson of Balmacara (Lab)
My Lords, as a survivor of the seven-year long period during which the Online Safety Act was developed, I have to confess that I do not think we ever came across the word “catfishing”. In a quick moment, I looked it up on Google—and, of course, it has not even reached Google yet. It talks about those who wish to catch fish, rather than catfishing. I make a joke, but this is a serious issue and the Minister is trying to address it very fairly. The problem is that the technology is so efficient and quick that the offences are moving ahead of our ability as legislators to make the necessary laws. The key element of the Online Safety Act is that that which is illegal offline is also illegal online. When will we see the necessary offence on the statute book?
Baroness Jones of Whitchurch (Lab)
My noble friend is quite right about the expression “catfishing”. I had to check the definition before I came here today, and for anyone who wants that clarification, it is when someone sets up a fake online identity and uses it to trick and control others. It covers a whole range of offences, including scamming people out of money, blackmailing them or trying to harm them in another way.
On my noble friend’s general point, yes, we are of course looking at how we can match online safety with offline safety; that is part of ongoing work. But for the time being, as I have said several times from the Dispatch Box, rolling out the Online Safety Act is the crucial thing. We are within touching distance, and it will make a huge difference when it is fully implemented. That is our priority at this time.