(3 weeks ago)
Grand Committee
My Lords, I rise briefly but strongly to support my noble friend Lord Holmes. The CyberUp campaign has been banging this drum for a long time now. I remember taking part in the debates in another place on the Computer Misuse Act 34 years ago. It was the time of dial-up modems, fax machines and bulletin boards. This is the time to act, and it is the opportunity to do so.
My Lords, we ought to be mindful and congratulate the noble Lord on having been parliamentarian of the year as a result of his campaigning activities.
(1 month ago)
Grand Committee
My Lords, Amendment 7, the first in this group, is a probing amendment and I am extremely grateful to ISACA, an international professional association focused on IT governance, for drafting it. This amendment
“would give the Secretary of State or the Treasury scope to introduce requirements on third party recipients of customer data to publish regular statements on their cyber resilience against specified standards and outcomes”.
Third parties play a vital role in the modern digital ecosystem, providing businesses with advanced technology, specialised expertise and a wide range of services, but integrating third parties into business operations comes with cyber risks. Their access to critical networks and all the rest of it can create vulnerabilities that cyber-criminals exploit. Third parties are often seen as easier targets, with weaker security measures or indirect connections serving as gateways to larger organisations.
Further consideration is to be given to the most effective means of driving the required improvements in cyber risk management, including, in my suggestion, making certain guidance statutory. This is not about regulating and imposing additional cost burdens, but rather creating the environment for digital trust and growth in the UK economy, as well as creating the right conditions for the sustainable use of emerging technologies that will benefit us all. This is something that leading associations and groups such as ISACA have been arguing for.
The Cyber Governance Code of Practice, which the previous Administration introduced, marks an important step towards improving how organisations approach cybersecurity. Its primary goal is to ensure that boards of directors should take their proper responsibility in mitigating cyber risks.
While that code is a positive development, compliance is not legally required, which leaves organisations to decide whether to put their priorities elsewhere. As a result, the code’s effectiveness in driving widespread improvements in cyber resilience will largely depend on their organisation’s willingness to recognise its importance. The amendment would require businesses regularly to review and update their cybersecurity strategies and controls, and to stay responsive to evolving threats and technologies, thereby fostering a culture of continuous improvement. In addition, by mandating ongoing assessments of internal controls and risk-management processes, organisations will be better able to anticipate emerging threats and enhance their ability to detect, prevent and respond to cyber incidents. I beg to move.
My Lords, this is a fairly disparate group of amendments. I am speaking to Amendments 8, 9, 10, 24, 30, 31 and 32. In the first instance, Amendments 8, 9, 10 and 30 relate to the question that I asked at Second Reading: where is the ambition to use the Bill to encourage data sharing to support net zero?
The clean heat market mechanism, designed to create a market incentive to grow the number of heat pumps installed in existing premises each year, is set to be introduced after being delayed a year due to backlash from the boiler industry. If government departments and partners had access to sales data of heating appliances, there would be a more transparent and open process for setting effective and realistic targets.
I have been briefed by Ambient, a not-for-profit organisation in this field. It says that low visibility of high power-consuming assets makes it challenging to maintain grid stability in a clean-power world. Low visibility and influence over future installations of high power-consuming assets make it difficult to plan for grid updates. Inability to shift peak electricity demand leads to higher capacity requirements with associated time and cost implications. Giving the Government and associated bodies access to utility-flexible tariff data would enable the Government and utilities to work together to increase availability and uptake of tariffs, leading to lower peak electricity demand requirements.
Knowing which homes have the oldest and least efficient boilers, and giving public sector and partners access to the Gas Safe Register and CORGI data on boiler age at household level, would mean that they could identify and target households and regions, ensuring that available funds go to those most in need. Lack of clarity on future clean heating demand makes it challenging for the industry to scale and create jobs, and to assess workforce needs for growing electricity demand. Better demand forecasting through access to sales data on low-carbon heating appliances would signal when and where electrification was creating need for workforce expansion in grid management and upgrade, as well as identify regional demand for installers and technicians.
The provisions of Part 1 of the Bill contain powers for the Secretary of State to require the sharing of business data to customers and other people of specified description. It does not indicate, however, that persons of specified description could include actors such as government departments, public bodies such as NISO and GB Energy, and Ministers. An expanded list of suggested recipients could overcome this issue, as stated in Amendment 9 in my name. It makes no provision for the format of information sharing—hence, my Amendments 8 and 10.
In summary, my questions to the Minister are therefore on: whether it has been considered how the primary legislation outlined in the Bill could be exercised to accelerate progress towards clean power by 2030; whether climate missions such as clean power by 2030 or achieving net zero are purposes “of a public nature” in relation to the outline provisions for public bodies; and whether specifying the format of shared business data would enable more efficient and collaborative use of data for research and planning purposes.
Coming on to Amendments 24, 31 and 32, the Bill expands the potential use of smart data to additional public and private sector entities, but it lacks safeguards for sensitive information regularly used in court. It makes specific provision for legal privilege earlier in the Bill, but this is not extended in provisions relating to smart data. I very much hope that the Government will commit to consult with legal professions before extending smart data to courts.
Many of us support open banking, but open banking is being used, as designed, by landlords to keep watching tenant bank accounts for months after approving their tenancy. Open banking was set up to enhance interoperability between finance providers, with the most obvious example being the recent new ability of the iPhone wallet app to display balances and recent transactions from various bank accounts.
Open banking approval normally lasts six months. While individual landlords may not choose this access, if given a free choice, the service industry providing the tenant-checking service to landlords is strongly incentivised to maximise such access, otherwise their competitors have a selling point. If open banking is to be added to the statute book, the Bill should mandate that the default time be reduced to no more than 24 hours in the first instance, and reconfirmed much more often. For most one-off approval processes, these access times may be as short as minutes and the regulations should account for that.
Coming on to Amendment 31, consumers have mixed feelings about the potential benefits to them of smart data schemes, as shown in polling such as that carried out a couple of years ago by Deltapoll with the CDEI, now the Responsible Technology Adoption Unit, as regards the perceived potential risks versus the benefits. Approximately one-quarter of respondents in each case were unsure about this trade-off. Perhaps unsurprisingly, individuals who said that they trusted banks and financial institutions or telecommunications providers were more likely to support open finance and open communications, and customers who had previous experience of switching services more frequently reported believing that the benefits of smart data outweighed the risks.
Is it therefore the Government’s expectation that people should be compelled to use these services? Open banking and imitators can do a great deal of good but can also give easy access to highly sensitive data for long periods. The new clause introduced by Amendment 31 would make it the same criminal offence to compel unnecessary access under these new provisions as it already is to compel data provision via subject access requests under the existing Data Protection Act.
Amendment 32 is a probing amendment as to the Government’s intentions regarding these new smart data provisions. In the Minister’s letter of 27 November, she said:
“The Government is working closely to identify areas where smart data schemes might be able to bring benefits. We want to build on the lessons learned from open banking and establish smart data schemes in other markets for goods and services.”
I very much hope that the Minister will be able to give us a little taste of what she thinks these powers are going to be used for, and in what sectors the Government believe that business can take advantage of these provisions.
(8 months, 2 weeks ago)
Grand Committee
My Lords, I congratulate the noble Baroness, Lady Kidron, on her amendment and thank her for allowing me to add my name to it. I agree with what she said. I, too, had the benefit of a meeting with the Lord Chancellor, which was most helpful. I am grateful to Mr Paul Marshall—whom the noble Baroness mentioned and who has represented several sub-postmasters in the Horizon scandal—for his help and advice in this matter.
My first short point is that evidence derived from a computer is hearsay. There is good reason for treating hearsay evidence with caution. Computer scientists know—although the general public do not—that only the smallest and least complex computer programs can be tested exhaustively. I am told that the limit for that testing is probably around 100 lines of a well-designed and carefully written program. Horizon, which Mr Justice Fraser said was not in the least robust, consisted of a suite of programs involving millions of lines of code. It will inevitably have contained thousands of errors because all computer programs do. Most computer errors do not routinely cause malfunctions. If they did, they would be spotted at an early stage and the program would be changed—but potentially with consequential changes to the program that might not be intended or spotted.
We are all aware of how frequently we are invited to accept software updates from our mobile telephone’s software manufacturers. Those updates are not limited to security chinks but are also required because bugs—or, as we learned yesterday from Paula Vennells’s husband, anomalies and exceptions—are inevitable in computer programs. That is why Fujitsu had an office dedicated not just to altering the sub-postmasters’ balances, shocking as that is, but to altering and amending a program that was never going to be perfect because no computer program is.
The only conclusion that one can draw from all this is that computer programs are, as the noble Baroness said, inherently unreliable, such that having a presumption in law that they are reliable is unsustainable. In the case of the DPP v McKeown and Jones—in 1997, I think—Lord Hoffmann said:
“It is notorious that one needs no expertise in electronics to be able to know whether a computer is working properly”.
One must always hesitate before questioning the wisdom of a man as clever as Lord Hoffmann, but he was wrong. The notoriety now attaches to his comment.
The consequences of the repeal of Section 69 of the Police and Criminal Evidence Act 1984 have been that it reduces the burden of proof, so that Seema Misra was sent to prison in the circumstances set out by the noble Baroness. Further, this matter is urgent for two reasons; they slightly conflict with each other, but I will nevertheless set them out. The first is that for the presumption to remain in place for one minute longer means that there is a genuine risk that miscarriages of justice will continue to occur in other non-Post Office cases, from as early as tomorrow. The second is that any defence lawyer will, in any event, be treating the presumption as having been fatally undermined by the Horizon issues. The presumption will therefore be questioned in every court where it might otherwise apply. It needs consideration by Parliament.
My noble friend the Minister will say, and he will be right, that the Horizon case was a disgraceful failure of disclosure by the Post Office. But it was permitted by the presumption of the correctness of computer evidence, which I hope we have shown is unsustainable. Part of the solution to the problem may lie in changes to disclosure and discovery, but we cannot permit a presumption that we know to be unfounded to continue in law.
My noble friend may also go on to say that our amendment is flawed in that it will place impossible burdens on prosecutors, requiring them to get constant certificates of proper working from Microsoft, Google, WhatsApp, and whatever Twitter is called nowadays. Again, he may be right. We do not seek to bring prosecutions grinding to a halt, nor do we seek to question the underlying integrity of our email or communications systems, so we may need another way through this problem. Luckily, my noble friend is a very clever man, and I look forward to hearing what he proposes.
My Lords, we have heard two extremely powerful speeches; I will follow in their wake but be very brief. For many years now, I campaigned on amending the Computer Misuse Act; the noble Lord, Lord Arbuthnot, did similarly. My motivation did not start with the Horizon scandal, but was more at large because of the underlying concerns about the nature of computer evidence.
I came rather late to this understanding about the presumption of the accuracy of computer evidence. It is somewhat horrifying, the more you look into the history of this, which has been so well set out by the noble Baroness, Lady Kidron. I remember advising MPs at the time about the Police and Criminal Evidence Act. I was not really aware of what the Law Commission had recommended in terms of getting rid of Section 69, or indeed what the Youth Justice and Criminal Evidence Act did in 1999, a year after I came into this House.
The noble Baroness has set out the history of it, and how badly wrong the Law Commission got this. She set out extremely well the impact and illustration of Mrs Misra’s case, the injustice that has resulted through the Horizon cases—indeed, not just through those cases, but through other areas—and the whole aspect of the reliability of computer evidence. Likewise, we must all pay tribute to the tireless campaigning of the noble Lord, Lord Arbuthnot. I thought it was really interesting how he described computer evidence as hearsay, because that essentially is what it is, and there is the whole issue of updates and bug fixing.
The one area that I am slightly uncertain about after listening to the debate and having read some of the background to this is precisely what impact Mr Justice Fraser’s judgment had. Some people seem to have taken it as simply saying that the computer evidence was unreliable, but that it was a one-off. It seems to me that it was much more sweeping than that and was really a rebuttal of the original view the Law Commission took on the reliability of computer evidence.