(7 years, 9 months ago)
Lords Chamber
I am not in a position to say what number of bodies were considered and discarded, but I will undertake to write to the noble Baroness on that point. All the public bodies included in the schedule must, of course, comply with the data-sharing safeguards in the Bill. Clearly, public authorities may not enter into data sharing lightly. They will have to follow the codes of practice, comply with the Information Commissioner’s requirements on data sharing and privacy and have in place all necessary protections to prevent unlawful disclosure.
The list of public bodies in the government amendments is shorter than the lists we have previously published in draft regulations although, as I indicated to the noble Baroness a moment ago, I do not know how many bodies were considered and removed before the process of listing them in the draft regulations took place. Care has been given to ensuring that we share only where there is a clear benefit, as required by the legislation. I hope that, with that explanation, the noble Baroness will withdraw her amendment.
My Lords, I will take this opportunity to briefly comment on this group of amendments. These Benches did submit a series of amendments in Committee. The Minister responded that the Government were giving due consideration to the Delegated Powers Committee report, so there was no opportunity to go through some of those issues in detail. We welcome the Government’s amendments and the fact that they have responded to the Delegated Powers Committee. I have read the Information Commissioner’s briefing for Report, and I welcome the fact that she strongly supports the Government’s adoption of these amendments, which she believes will strengthen parliamentary scrutiny and government accountability.
The next group of amendments deals with the code of practice, on which we had lengthy debates in Committee, but I believe that the Government are now striking the right proportional balance between improving public and government services and the need to protect data.
My Lords, in Committee I had my name to an amendment regarding the status of the codes of practice. At that time, the noble and learned Lord referred to the appropriate level of legal obligation. He certainly persuaded me that the wording “having regard to” or “complying with” did not relate to whether a public authority could ignore a code, but whether there were reasons for doing so. I was persuaded about that level of flexibility.
Of course, we were really concerned about what the codes of practice would ultimately look like, what the engagement of the Information Commissioner would be and what the Information Commissioner’s view was. On these Benches we were pleased to see not only the Government’s amendments but the Information Commissioner saying that she was extremely pleased that the Government had accepted her recommendations on there being references in the Bill to codes of practice and the privacy impact assessments.
In the light of the Information Commissioner’s overall comments and the fact that the Government have responded, we certainly welcome these amendments. However, I give notice that—the noble Baroness, Lady Hamwee, referred to this—what is in the codes and how public authorities operate them will be very important, and parliamentary scrutiny of and engagement in them will be critical in the future. I hope that we will see further drafts of the codes before they are ultimately laid before Parliament. It is really important not only that there is the highest level of consultation on them but that Members of Parliament are properly engaged in them.
I thank noble Lords for their observations on these matters. There are of course government amendments in this group as well and perhaps I may begin with those.
This group of amendments concerns the codes of practice issued under Part 5 and those issued by the Information Commissioner’s Office. It includes the government amendments that implement the recommendations of the Delegated Powers and Regulatory Reform Committee and, as the noble Lord, Lord Collins, observed, the recommendations of the Information Commissioner’s Office. In addition, there are some opposition amendments on similar points.
We have already published draft codes of practice on data sharing. The Delegated Powers and Regulatory Reform Committee recommended that the first codes of practice and the UK Statistics Authority’s statement of principles should be laid before Parliament in draft and should not be brought into force until they had been approved under the affirmative procedure. Revisions were to follow the draft negative procedure. We agree and have tabled amendments to achieve this, and it is intended that Parliament should have a suitable opportunity to consider these drafts and any amendments thereto in due course.
A further series of government amendments will require persons disclosing personal information under relevant chapters of Part 5 to have regard to the Information Commissioner’s codes of practice on privacy impact assessments and privacy notices, transparency and control in so far as they apply to information which is being shared. As the noble Lord, Lord Collins, observed, the Information Commissioner called for explicit reference to these two codes to be made on the face of the Bill. We have worked with her office to develop these amendments, which supplement the existing requirement that the codes of practice prepared under the Bill must be consistent with the commissioner’s own code on data sharing, and I understand that she is satisfied with the steps we have taken in that regard. I hope that this will provide further assurance to noble Lords that we are committed to ensuring that best practice concerning compliance with data protection and transparency will be applied to the exercise of powers under Part 5 of the Bill.
I now turn to the opposition amendments in the names of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Clement-Jones. I hope I can persuade them that their amendments are no longer necessary, as the government amendments fully address the concerns of both the Information Commissioner’s Office and the DPRRC.
As the noble Baroness has explained, the amendments in their names seek to ensure further consistency with the ICO’s codes and to strengthen the role of those codes in the regime set up by Part 5, as well as providing for greater parliamentary oversight of the Government’s codes, and I believe that we are now there. The Bill already requires that codes of practice issued under Part 5 of the Bill must be consistent with the ICO’s data-sharing code of practice. The government amendments further require persons to have regard to the ICO’s codes on privacy impact assessments and privacy notices, transparency and control when exercising relevant powers under Part 5. So we are now referencing all the codes which the ICO felt were critical for the operation of Part 5.
Of course, this is not the first time we have discussed amendments that seek to strengthen enforcement of the codes of practice by requiring authorities that use the powers of determined specified bodies to “comply with” rather than “have regard to” these codes. The Government’s position remains that “have regard to” is the right weight to give to codes of this type. That is itself a legal obligation, as the noble Lord, Lord Collins, noted. Moreover, the public law will expect those who are subject to the codes to follow their stipulations unless there are cogent reasons why they should not. We note that the Information Commissioner’s own codes are themselves advisory. A requirement to “comply with” the codes could lead to their being applied in a tick-box fashion, without due regard to whether the recommendations are actually applicable to and desirable in the context of the specific data share.
On the issue of adding additional persons to the consultation obligations for the codes, since Ministers have committed before Parliament to consult publicly on the Part 5 codes of practice, we suggest that such a requirement is unnecessary. The present provisions reflect what the noble Baroness noted to be the normal position.
Finally, on parliamentary oversight, the Government’s amendments fully implement the DPRRC’s recommendations, including, exceptionally, the use of the affirmative procedure for the first codes and the draft negative procedure thereafter. They go further than the noble Baroness’s amendment, and I hope that that will be welcomed by all noble Lords. I therefore invite the noble Baroness not to press her amendments.
My Lords, I hesitate before intervening in this group of amendments because, the last time I intervened, my noble friend said that I must be slightly confused, as I was talking about electoral rolls, bread rolls and toilet rolls. We are, of course, conflating a number of issues in this group, but I think that there is a really good point. My noble friend has raised an important area where the public good can be served not by sharing confidential information but by ensuring the availability of information that will serve a specific purpose in relation to fuel poverty. We on these Benches are very sympathetic on that point. In Committee we tabled amendments on the common-law duty of confidentiality, and the noble and learned Lord responded to those amendments. The only point I would make now is that it is vital that medical records remain confidential. They contain information that can affect not only people’s health but their access to jobs and to insurance. Access to a whole range of things is at risk if it is felt that this information will not remain confidential. Of course, the consequence of that is another public health issue, because if people do not have confidence that their records will remain confidential, they will not go to their doctor, they will not tell their doctor and they will not seek the treatment that they perhaps should. So there is a very strong case here.
One other point—it is not related to this group of amendments so I ask for forgiveness—is that there is a balance between maintaining confidentiality and security. Many of the problems in the health service, and why people lack confidence in it, are not about policies and procedures but about the health service’s ability to maintain a secure IT system. I hope the noble and learned Lord will be able to address those issues. The assurances that my noble friend has sought about future ability are really important. The ability to communicate—not the details of people’s confidential records but one government department to another and one public agency to another, to serve a very clear public need—is vital.
I am obliged to noble Lords, and in particular I thank the noble Lord, Lord Whitty, for his continued interest in this area and for taking the time to meet and discuss this matter at some length with me and the Bill team. Clearly, as the noble Lord, Lord Collins, observed, this is an important part of the fuel poverty agenda. That is why it takes on such considerable importance even when faced with issues such as medical confidentiality.
On the point about common-law confidentiality, and medical confidentiality in particular, it is not an absolute; there are already statutory gateways through which information can and must flow on occasions, and therefore one must not take it that medical confidentiality is somehow completely ring-fenced and separate from the world that we actually live in. There are circumstances where there should be, has to be and is disclosure. It may be possible—I put it no higher in terms of this Bill—to address a further gateway. However, one should not confuse any mechanism within the Bill with the consequences of human or IT failure, however regrettable they may be. I agree with the noble Lord, Lord Collins, that one has to have regard not only to the structure within which information is shared but to the need to ensure that the sharing process is itself secure. But they are separate issues.
The noble Lord, Lord Whitty, acknowledges that some parts of his amendment may not be necessary. Amendments 27 and 28 would provide that information can be shared with licensed electricity and gas distributors for the provision of fuel poverty assistance. They can already be added to the data-sharing arrangements in Clause 32 by regulations. The Government will consider whether to exercise this power in the context of considering the future role of electricity and gas distributors in delivering fuel poverty schemes. I reassure the noble Lord that the provision made by Amendment 26 is already covered by Clause 31, which provides powers to share information for,
“the improvement of the well-being of individuals or households”.
Of course, this includes,
“their physical and mental health and emotional well-being”.
While we do not consider the noble Lord’s amendment necessary in this instance, the objectives that he highlights are an example of how in appropriate circumstances information held by healthcare providers could, in future, be valuable to support the more effective delivery of public services to those in need. It underlines why the Government are unable to accept Amendments 28AV, 28AW and 28AX, tabled by the noble Baronesses, Lady Finlay and Lady Hamwee.
The Government do recognise the particular sensitivities with identifiable health information, as highlighted in the National Data Guardian for Health and Social Care’s recent review of data security, consent and opt-outs. Health bodies in England are therefore not included in the list of bodies now in the Bill that will be permitted to use these powers. However, as the noble Lord, Lord Whitty, noted, health issues are a key factor in the complex social problems faced by people, whom we are aiming to support with these powers. Excluding the use of identifiable health information altogether would remove the possibility of including such information in the future without amending legislation. It would be premature to take this step in advance of the implementation of the National Data Guardian’s review and the public consultation that that will engage.
An amendment to maintain the common-law duty of medical confidentiality is not considered necessary. Those powers enable information to be shared only where it is already held by specified persons, acquired in a different context from the patient-doctor relationship. Any information that would have been subject to medical confidentiality would have found its way into a specified person’s hands only through an existing gateway. As I indicated earlier, there are already statutory gateways through which such information can move. Of course, we are dealing with permissive powers.
At this late hour, I will attempt the impossible: to satisfy the interests of all parties in the context of these provisions. Beginning with the inquiry from the noble Lord, Lord Whitty, health bodies are not presently included in the schedules. As drafted, it would be possible for health bodies to be added to the schedules at a future date but—and I emphasise this—no decision will be taken until, first, the Government publish their response to the Caldicott review and any recommendations have been embedded and assessed; secondly, there has been a public consultation on the issue and the views of the National Data Guardian and appropriate representative health bodies such as the GMC and BMA have been sought; and, thirdly, there has been a debate in both Houses pursuant to the affirmative procedure required to add bodies to the schedule. I hope that that reassures the noble Lord, Lord Whitty, that it can be done, although it has yet to be done, and that there are steps that we will take to reassure the noble Baronesses, Lady Finlay and Lady Hamwee, before any such step is implemented.
If health bodies or information were to be expressly excluded in the Bill, it would require primary legislation to enable those bodies to share information under the powers. If and when we decide that it would be helpful to have those powers—in implementing the fuel poverty initiative, for example—it would be most unfortunate if we were delayed by literally years before we could actually achieve the objective, when in fact there is provision here to do it by way of the affirmative procedure so that both Houses have ample opportunity for debate.
If we take those steps, there will be safeguards. When considering whether to add any health bodies to the schedules in the public service delivery, debt and fraud chapters, clear safeguards will apply. First, before a new body may be added to the schedule, it must show that it fulfils the relevant criteria relating to that specific power designed to ensure that only bodies with relevant functions for holding or requiring information relevant to that particular power may be added. The Minister must consider the procedures in place for secure handling of information before any new body can be added to the schedule—a point raised by the noble Lord, Lord Collins. A decision will be taken on whether it is in the public interest and proportionate to share identifying health information in order to achieve a specified objective. There would be no question of simply sharing this information more widely. The powers must be exercised in accordance with the Data Protection Act, which requires that only the minimum information necessary to achieve the objective may be shared. Under the Bill—and under the Data Protection Act—personal information may be used only for the purpose for which it was shared and data must be stored securely to ensure compliance with that Act. Again, this point was raised a moment ago.
Identifying health information will constitute sensitive personal data and so to ensure fair and lawful processing, it must fulfil one of the more onerous Schedule 3 conditions as well as the Schedule 2 condition under the Bill. In addition, new criminal sanctions have been included for wrongful disclosure with a maximum penalty of up to two years’ imprisonment, a heavy fine or both. Further steps can of course also be taken to remove a body from the schedule if it does not comply with the requirements of the Act.
I do not suppose that I have satisfied anyone with that explanation at the end of the day. But, if nothing else, I hope that it has assisted in informing your Lordships as to why we consider that these amendments are not appropriate and that it would be appropriate to retain the ability to introduce health bodies by way of appropriate regulation. We feel that there will be appropriate safeguards and extensive consultation before any such step is taken, so I invite the noble Lord to withdraw his amendment.
(7 years, 10 months ago)
Lords Chamber
Indeed I can. The reason is that in the present context, personal information extends to bodies corporate and other personalities that are not otherwise covered by the first definition. I will elaborate upon that later but that is why there is a distinction between the two terms. We can see that the two terms substantially overlap but it is only because of that technical distinction that they are employed in this way. I hope that that satisfies the inquiry from the noble Baroness, Lady Hamwee.
The Data Protection Act not only circumscribes the use of data in very particular ways—for example, personal data must be processed in accordance with the data subject’s rights under the Act and be held securely to guard against unlawful or unauthorised processing, which addresses a point that many of your Lordships referred to—but provides remedies in the event that those obligations are not adhered to. Generally speaking, that involves a complaint to the Information Commissioner.
Of course there have been lapses in data control. We are well aware of many of them. The noble Lord, Lord Collins, alluded to Concentrix, where there clearly appeared to have been lapses such that the Revenue terminated its contract without further notice in November of last year. We recognise that there are risks associated with data and data-sharing. That is why we emphasise the need to look at the provisions in the Bill not only alone but in the context of the Data Protection Act.
There were obviously risks associated with the contract for Concentrix and the fall-out from that contract is certainly ongoing, because of the people who have suffered hardship. The Government will undoubtedly have to investigate even more because at the moment, we are dealing only with the people who have appealed. Can the Minister tell us exactly why the existing provisions for a risk assessment did not stop this contract from going sour?
As the noble Lord is aware, Concentrix was not the only incident in which there were data breaches. They have happened not only in the context of parties operating with government but also entirely in the private sector. So far as I am aware, no one has made a claim for infallibility where data protection is concerned. Albeit that we aspire to the highest standards in data protection, we are not making claims of infallibility.
The noble Lord, Lord Collins, also referred in the present context to the GDPR, which will come into effect as a European regulation in May 2018. I reiterate that the provisions in Part 5 of the Bill are compatible with the GDPR. The noble Lord appeared to take some issue with that term, but let me be clear: the provisions of Part 5 are drafted in such a way as to be compatible with the regulation. When the regulation comes into direct force, we will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it. That is the way in which these things are done. The regulation is not yet in force and will be applied to the existing statutory structure from May 2018. I reassure him that it has always been intended that Part 5 of the Bill should be compatible with the regulation, for very obvious reasons.
Then there is the matter of the draft codes of practice. At this stage they are, of course, a draft. Those drafts have incorporated comments and advice from practitioners right across the public sector, from the Information Commissioner and from the devolved Administrations, so they have brought in that body of knowledge at this stage.
I am perfectly prepared to write to my noble friend to clarify that point, and I will place a copy of any letter in the Library.
I thank the Minister for his response. One of the things that we will encounter as we go through this section is the fact that the 1998 Act has some fundamental principles but that we have the Bill before us because there is a need for greater clarity. The world has changed in the past 20 years, certainly in the way that we handle and interrogate data. We no longer simply say that this set of data will go to that person and so on. We do not necessarily even have to share the whole dataset. The point is about how one might interrogate data. It is a very different world. I am not suggesting for one moment that errors do not occur, accidents do not happen and mistakes cannot happen, but in the modern world we conduct risk assessments to understand how we can minimise those things. That is what I want properly addressed when we come back to some of these issues.
The Minister says that the Government will consider the report of your Lordships’ committee. If there are to be further amendments, I hope that we will have time to consider them and even to put down our own amendments to ensure that the principles about which we are concerned will be able to be addressed. With those comments and, if you like, fair warnings, I beg leave to withdraw the amendment.
(7 years, 10 months ago)
Lords Chamber
I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.
I thank the Minister for his response. Obviously, the codes of practice are key to giving a sense of security and to building public confidence. They are critical, which is why noble Lords want to see exactly how they will end up. I am very happy with the reassurance that the Minister gave regarding parliamentary involvement and consideration of the report of your Lordships’ committee. That is very welcome and we will return, obviously, to some of the issues, particularly on medical information and other information set out in other groups. We will return to the subject of the Investigatory Powers Commissioner in the next group and I will explain in that discussion why we see, perhaps, a distinct role, arising from the debate this House had on the Investigatory Powers Act. In the meantime, I beg leave to withdraw the amendment.