Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)Department Debates - View all Lord Collins of Highbury's debates with the Scotland Office
(7 years, 9 months ago)
Lords ChamberMy Lords, this group includes a wide range of amendments and our debate on it will be one of our key debates on this section of the Bill. Clause 30 allows specified persons to share data for a specified objective. Our amendments seek to define and limit this and to ensure that additional approval is required where there is broadening or leakage
My honourable friend Louise Haigh thoroughly scrutinised this provision in the other place. Certainly, it took me most of Saturday to read what was said in that Committee stage. I do not intend to repeat all the arguments that were made—but I give fair warning that it will take me some time to go through these key elements, given that the principles in these clauses have given rise to concern, certainly in your Lordships’ Delegated Powers and Regulatory Reform Committee.
I start by saying that we on these Benches are completely in favour of effective data sharing across government to achieve public sector efficiencies, value for money, improved public sector services, improved take-up of benefits for the most vulnerable such as the warm home discount, free school meals and, most importantly, an improved experience for those who use public services. We will come to a lot of those issues in later groups today where we have tabled specific amendments.
The public also support these objectives, but their trust is fragile. In recent years we have seen a number of failures in managing data. The Information Commissioner said in her recent briefing distributed to all noble Lords:
“Transparency and a progressive information rights regime work together to build trust”.
This part of the Bill gives the Government considerable powers to share data. But those building blocks in restoring trust that the Information Commissioner and just about everyone else agree are needed are sadly not mirrored in the Bill. That is the crux of today’s debate.
Instead, the building blocks are covered in regulations and codes of practice. As I said, many, including the Information Commissioner and your Lordships’ DPRRC, have stressed the importance of including such measures in primary legislation as opposed to codes of practice. Having read through all the codes of practice, I sometimes asked myself what we were dealing with. Is this Bill really at the stage of being submitted for parliamentary consideration? So much of it needs further work and further consultation that I really do wonder whether it should be in this House at all at this stage. This is something that we may have to return to.
A specified objective to permit disclosure must meet conditions set out in subsections (6) and (10) of the clause, but they are so all-encompassing that it is difficult to see anything that the public sector does that is not covered by the clause. The published codes give examples of objectives that would fall foul of these criteria, including those that are punitive, and it is useful to see those examples. But it is a real concern that such a clarification of the power is not in the Bill. Why does the Bill not explicitly contain or exclude a punitive objective? What are we avoiding here?
The codes also give examples of objectives that are too general rather than too specific, and it would help if the Minister could say exactly where that line could be drawn. Not only are the objectives not limited in the Bill but the bodies that can share or receive data are not particularly limited either. Subsection (3) states:
“A person specified in regulations under subsection (2) must be … (a) a public authority, or (b) a person providing services to a public authority”.
This is another area that gives people a lot of concern.
In the Government’s original consultation on the Bill, they stated their intention to proceed with proposals to enable non-public sector organisations that fulfil a public function on behalf of a public authority to be in scope of the powers. In that consultation, they said:
“We will strictly define the circumstances and purposes under which data-sharing will be allowed, together with controls to protect the data within the Code of Practice. We will set out in the Code of Practice the need to identify any conflicts of interest that a non-public authority may have and factor that information in the decision-making”.
I read the code of practice. Paragraph 71 refers to this and mentions non-public sector organisations. It says that,
“an assessment should be made of any conflicts of interest that the non-public authority may have”—
but it does not give any examples of what those conflicts of interest might look like. I hope that in his response the Minister will be able to give more examples of what they might look like. We will come back to this issue in our consideration of other groups of amendments to this section.
The code also states that data-sharing agreements should,
“identify whether there are any unintended risks involved with disclosing data”,
to an organisation. In the Commons, my honourable friend Louise Haigh—I congratulate her on this work—raised the behaviour of Concentrix, which was mentioned again on the radio today. It was contracted by HMRC to investigate tax credits and fraud. But the code of practice does not list any examples of risks or set out how specified persons might go about ascertaining them. We heard on the radio today that that contract and the mismanagement of the data has caused huge distress to tens of thousands of people, and that it is ongoing.
The code also states:
“Non-public authorities can only participate in a data sharing arrangement once their sponsoring public authority has assessed their systems and procedures to be appropriate for secure handling data”.
It does not give any sense of what conditions they will be measured against and how officials should assess them. I hope it is not going to be on the same basis that the HMRC gave the contract to Concentrix. It is that that we need to know about. This draft code—and I will keep coming back to it—is in an extremely draft form and needs substantially more work done on it. I hope that the noble Lord will assure us that these codes will be revised and I hope that, within the revisions, he will acknowledge that substantial improvements will be made.
Indeed I can. The reason is that in the present context, personal information extends to bodies corporate and other personalities that are not otherwise covered by the first definition. I will elaborate upon that later but that is why there is a distinction between the two terms. We can see that the two terms substantially overlap but it is only because of that technical distinction that they are employed in this way. I hope that that satisfies the inquiry from the noble Baroness, Lady Hamwee.
The Data Protection Act not only circumscribes the use of data in very particular ways—for example, personal data must be processed in accordance with the data subject’s rights under the Act and be held securely to guard against unlawful or unauthorised processing, which addresses a point that many of your Lordships referred—but provides remedies in the event that those obligations are not adhered to. Generally speaking, that involves a complaint to the Information Commissioner.
Of course there have been lapses in data control. We are well aware of many of them. The noble Lord, Lord Collins, alluded to Concentrix, where there clearly appeared to have been lapses such that the Revenue terminated its contract without further notice in November of last year. We recognise that there are risks associated with data and data-sharing. That is why we emphasise the need to look at the provisions in the Bill not only alone but in the context of the Data Protection Act.
There were obviously risks associated with the contract for Concentrix and the fall-out from that contract is certainly ongoing, because of the people who have suffered hardship. The Government will undoubtedly have to investigate even more because at the moment, we are dealing only with the people who have appealed. Can the Minister tell us exactly why the existing provisions for a risk assessment did not stop this contract from going sour?
As the noble Lord is aware, Concentrix was not the only incident in which there were data breaches. They have happened not only in the context of parties operating with government but also entirely in the private sector. So far as I am aware, no one has made a claim for infallibility where data protection is concerned. Albeit that we aspire to the highest standards in data protection, we are not making claims of infallibility.
The noble Lord, Lord Collins, also referred in the present context to the GDPR, which will come into effect as a European regulation in May 2018. I reiterate that the provisions in Part 5 of the Bill are compatible with the GDPR. The noble Lord appeared to take some issue with that term, but let me be clear: the provisions of Part 5 are drafted in such a way as to be compatible with the regulation. When the regulation comes into direct force, we will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it. That is the way in which these things are done. The regulation is not yet in force and will be applied to the existing statutory structure from May 2018. I reassure him that it has always been intended that Part 5 of the Bill should be compatible with the regulation, for very obvious reasons.
Then there is the matter of the draft codes of practice. At this stage they are, of course, a draft. Those drafts have incorporated comments and advice from practitioners right across the public sector, from the Information Commissioner and from the devolved Administrations, so they have brought in that body of knowledge at this stage.
I am perfectly prepared to write to my noble friend to clarify that point, and I will place a copy of any letter in the Library.
I thank the Minister for his response. One of the things that we will encounter as we go through this section is the fact that the 1998 Act has some fundamental principles but that we have the Bill before us because there is a need for greater clarity. The world has changed in the past 20 years, certainly in the way that we handle and interrogate data. We no longer simply say that this set of data will go to that person and so on. We do not necessarily even have to share the whole dataset. The point is about how one might interrogate data. It is a very different world. I am not suggesting for one moment that errors do not occur, accidents do not happen and mistakes cannot happen, but in the modern world we conduct risk assessments to understand how we can minimise those things. That is what I want properly addressed when we come back to some of these issues.
The Minister says that the Government will consider the report of your Lordships’ committee. If there are to be further amendments, I hope that we will have time to consider them and even to put down our own amendments to ensure that the principles about which we are concerned will be able to be addressed. With those comments and, if you like, fair warnings, I beg leave to withdraw the amendment.