Digital Government (Disclosure of Information) Regulations 2018 Debate
Full Debate: Read Full DebateLord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Digital, Culture, Media & Sport
(6 years, 5 months ago)
Lords ChamberMy Lords, I start with an apology. Because of the way in which these items of business have been scheduled—or perhaps I should say not scheduled—I might have to leave before I hear the Minister’s response. He is aware of that and I am very grateful for his indulgence in that respect, which will make me feel even guiltier when he hears what I have to say.
I am indebted to medConfidential for many of the points I shall make and to the noble Lord, Lord Freyberg, who takes a keen interest in these matters but cannot be present today.
The essence of what I have to say is that these regulations and codes should be withdrawn. In summary, earlier this month the Secondary Legislation Scrutiny Committee published a report on these draft regulations made under Part 5 of Chapter 1 of the Digital Economy Act, as the Minister explained. The DCMS offered assurances that the codes of practice were consistent with each other and drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice. However, subsequently it replaced the standards with a new set under a different name—the data ethics framework—so the codes as laid do not reflect current DCMS guidance. In our view, this invalidates the whole of our debate.
I will go through the details. The Secondary Legislation Scrutiny Committee drew the digital government regulations to the special attention of the House. The DCMS told the committee that the codes were to
“the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
That is at paragraph 9 of the committee’s report. As the SLSC says:
“In their response, DCMS have also offered assurances that these codes of practice are consistent with each other and have been drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
The committee’s report was finalised on a Tuesday and printed the following Thursday. On the Wednesday, the DCMS replaced the “latest” standards with a new set under a different name, the data ethics framework. Quite apart from the concerns raised by the committee, when the DCMS gave its response to the committee it surely must have known that a new framework was due the following day to replace the one to which it referred, and that its assurances would therefore be untrue even before they were printed.
The current codes reference the Data Science Ethical Framework, which predates the Data Protection Act and the GDPR. By that fact alone, these DCMS codes cannot be approved. They are, by definition, out of date following legislation on which the DCMS and the Minister himself led.
As the Minister described, a number of groups were consulted on the draft codes in the middle of last year, and while there is consensus from all sides that the codes are improved as a result of that constructive engagement, those consultations were before the Government surprised everyone with the proposal for a “framework for data processing by government” in the Data Protection Act—before the guidance changes due to the GDPR had fully begun, before the Government announced that the Data Science Ethical Framework was in need of replacement, and certainly before the DCMS launched the replacement with a new name last week. The department assured Parliament that,
“these codes of practice are consistent with each other”,
but it cannot assert they will be compliant with other codes, as yet unlaid and unwritten by the Information Commissioner. What the Information Commissioner does should be up to the Information Commissioner. She should not have her hands tied by her sponsor department.
It is particularly important that these codes and the regulations are withdrawn given that the first issuance of the codes is under the affirmative procedure for approval of the House and future updates will be under the negative procedure.
I have a few other questions. Where is the framework for data processing by government included at the last minute by Ministers in Committee on the Data Protection Bill? There is still no clarity as to what the Government plan to do with it, only that it is not the Data Science Ethical Framework nor the data ethics framework. It is, however, yet another government data framework that must be taken into account. The passage of the Data Protection Act 2018 necessitates updates to many ICO codes. Late in the day, the DCMS chose to introduce its new framework for data processing by government, which surely must be the governing instrument for these codes, but, as I said earlier, it has provided no clarity on how this will operate.
The department seems to be offering nothing other than assurances of compliance when one looks through the codes. It talks of consultation with the ICO. Has the ICO confirmed publicly that these codes are compliant with the GDPR, the new Data Protection Act and the ICO guidance?
According to recent announcements from University College London Hospitals NHS Foundation Trust, it is conducting artificial intelligence trials internally for issues of direct benefit to it. This shows not only that the NHS is beginning to understand the power of data and digital tools, but that this can be done in-house for public benefit and that there are viable alternatives to handing data to and sharing data with multinational companies. What are the Government doing more broadly across the NHS to ensure that there is full recognition across the NHS?
The Digital Economy Act affords the Secretary of State considerable powers to make use of publicly controlled data, which is of considerable concern in some quarters. The key concern is the scope for different departments to share and then link datasets, such as sharing health data from the Department of Health and Social Care with the Home Office to identify illegal immigrants, as stated in recent headlines. What is the scope and/or limitation for the Secretary of State to share publicly controlled data with private entities? Is this likely to inform the introduction of so-called “data trusts”?
Then, of course, there is the question of whether any of the codes is fit for the future in terms of technology. In particular, what are the duties of transparency and explainability where datasets are used to construct artificial intelligence solutions, algorithms and the like for government purposes? What consultation was engaged in this respect? There appears to be no reference in any of the codes to this. Should we not wait for the data ethics and innovation centre to give its guidance on these matters involving the Government and their deployment of artificial intelligence?
In the light of the above, it is clear that neither these regulations nor the codes are fit for purpose. Will the Government withdraw them before placing replacement codes before the House? Will the Minister confirm that the codes will be compliant with any yet-to-be-written Information Commissioner codes? Will they be confirmed as such by the Information Commissioner? Sadly, I will not hear the Minister’s reply but I very much hope that it is a full one.
My Lords, far be it from me to get the Minister off that hook. It is always humbling to be in the presence of those who have seen the heat of the day and borne the burdens of bringing some complicated pieces of legislation on to our statute book. Perhaps we can all breathe a sigh of relief as we notice the noble Lord, Lord Clement-Jones, depart from his place.
I will restrict my remarks, since I was not in possession of the briefing that the noble Lord had, to the observations I made on the simple basis of reading these papers. It was a jolly weekend and some good bedtime reading—150 pages on a very complicated matter—but as far as the regulations themselves are concerned, it seemed mildly reassuring that multiple disadvantages, such as television retuning, fuel poverty and water poverty, were all to be held in view with a view to ensuring that people who might suffer in these areas had their suffering minimised as far as possible. One million vulnerable energy consumers might qualify for help. From this side of the House, we cannot particularly grumble at that.
The thing that worried me was that, since these are the first tinkerings with or things that ensue from last year’s Digital Economy Act, it is incumbent on us to ensure we monitor very carefully the direction of travel as the Act lives its life and is implemented. For that reason, I find myself again and again wondering whether—while, yes, three years down the line it all has to be embedded and to work itself out—we should not promise ourselves a bit more micromanagement than that as things go along.
I liked the way that liaison with devolved bodies—to ensure that a UK-wide measure is implemented in Wales and Scotland in a way consistent with legal provision—was set out because, with another hat on, when we were arguing the devolution clauses in the EU withdrawal Bill we talked all the time about frameworks within which UK-wide pieces of action would have to be worked out in consultation with, and with consent from, the various interested parties. Here is a lived example, I thought, of how that might work.
I worried about how on earth we would keep together pieces of action that would see nine departments of state share information across their boundaries, as well as the Revenue and 32 local and regional bodies, as we considered how best legitimately to allow these bodies to share information. What kind of computer system do we have in place? We have had such a string of unfortunate experiences of supportive technology for mountainous pieces of government activity going wrong that I just look at this and am glad that it is not me operating it.