Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
Digital Economy Bill
Baroness Hamwee ExcerptsMonday 6th February 2017
(7 years, 2 months ago)
Lords ChamberRead Full debate Digital Economy Act 2017 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Baroness Hamwee (LD)
My Lords, I come rather late to the table with the Bill, but fresh, if that is the term, from the Investigatory Powers Act, as does the noble and learned Lord. Like me, he may have reflected on the fact that one of our basic documents in debating the Investigatory Powers Act was called by David Anderson A Question of Trust; the issue of trust is equally relevant to the provisions in the Bill. Like other noble Lords, I see the value of sharing information but—and for me it is a big “but”—with constraints, limits, conditions, checks. I would say balances but I do not think they always do the job. It would be too easy in this area to let convenience obscure other considerations. I have concerns about fundamental issues and I have difficulty, as I suspect do other noble Lords, knowing quite what to raise where, but my most fundamental concern is about respect for privacy. The use of bulk data, which we will come to, is bound to raise this.
I share concerns which have been raised about providers—not the public authorities and public services themselves, but the providers. Maybe we have to be realistic, as our public services are now provided so much through commissioning and procurement but, as I read the Bill, the regulations will not be required to list specific providers. I may be wrong about that. If providers have to be included, it would be appropriate for the public to be reassured, for instance, that the public authority in question maintains a register of its providers and publishes it. Maybe, also, all records of information held under these provisions should be destroyed at the termination of the provider’s contract.
The purposes set out here include well-being, which includes the contribution to society. I am not going to let this pass without saying that that risks being read, and I read it, as very paternalistic. I cannot see how it properly covers anything that is not covered by the other well-being provisions. Others have suggested that Clause 30 might lead to profiling. There is certainly a concern over health information, which we will come to separately. I also find it quite hard to think: if you are not contributing to society, are you not deserving of or entitled to public services? I think it is a very unfortunate term to use in legislation.
I share the concerns about Clause 33. At the very least, to share personal information to prevent anti-social behaviour which is not a crime—we know it is not a crime; you do not even need to go to the legislation about anti-social behaviour to know that, because it is referred to separately from crime—is going several steps too far. I start—I am not suggesting that others do not—from the premise that personal information should be kept confidential unless there is good reason not to do so, and if it is not confidential it needs to be treated with the greatest care and sensitivity. Respect for private life is one of our basic values. The Minister would be able to quote Article 8 of the European Convention on Human Rights—as I will do—without reading it. It says that there are “necessary”—I stress that word—exceptions in the interests of national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals or the protection of the rights and freedoms of others. I support the amendments—I think they are in this group—that would import the term “necessary”.
Article 8 refers to disorder and crime, but—I will not be surprised if the Minister quotes some case law at me on the definition of “disorder”—I would have thought that in this context it must refer to something a good deal more serious than what may fall within “anti-social behaviour”.
The Investigatory Powers Act includes the much-welcomed and much-discussed “privacy” clause; during the debate on that we considered the requirements of both necessity and proportionality. The Act also refers specifically to the Human Rights Act and to crime as a consideration when it is a serious crime, and it refers to using “less intrusive means”. These points are all relevant to this debate.
For my part, this amounts to support for all the amendments in the group and a concern to persuade the Government to look at the issues through the lens of rights to privacy as well as efficiency. Most citizens accept—indeed, expect—that in a digital age government departments will share information, but with narrower purposes and stricter checks than the Bill offers.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, I am obliged to noble Lords for their observations on this group.
The powers in Chapter 1 of Part 5 will support the delivery of better services to achieve specified objectives, such as providing assistance to those suffering, for example, from fuel poverty. Your Lordships would all appear to be agreed on the need for effective data-sharing, but when we talk about that we must mean data-sharing that is secure and commands the trust of the general public—that is sufficiently ring-fenced to give confidence in the whole process. No one would take issue with that.
In that context I make this observation at the outset. It applies not only to this group of amendments but to further groups that we will come to this afternoon and perhaps much later this evening. We have to look at the provisions in this Bill in the context, first, of the Data Protection Act 1998, because the provisions of that Act apply in the context of this Bill. Therefore, as we look at the Bill, we must remember the protections that already exist in law with regard to data in this context. First, processing of personal data must always be fair and lawful. Secondly, data cannot be processed in a way that is incompatible with the purpose for which they were gathered. Thirdly, personal data must be,
“adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
The personal data should be “accurate”, so a subject may be in a position to demand that they should be corrected.
Furthermore, on the point made by the noble Baroness, Lady Hamwee, personal data can be kept no longer than is necessary for a particular objective. Where, therefore, they have been employed for a particular objective—or a party has received them for a particular purpose—and a need to keep the data for that purpose can no longer be displayed, they cannot be retained.
Baroness Hamwee
My Lords, will the noble and learned Lord address—in a later group, if not this one—why the terminology in the Bill is “personal information” rather than “personal data”, which might have made the marrying-up of the legislation a bit easier?
Lord Keen of Elie
Indeed I can. The reason is that in the present context, personal information extends to bodies corporate and other personalities that are not otherwise covered by the first definition. I will elaborate upon that later but that is why there is a distinction between the two terms. We can see that the two terms substantially overlap but it is only because of that technical distinction that they are employed in this way. I hope that that satisfies the inquiry from the noble Baroness, Lady Hamwee.
The Data Protection Act not only circumscribes the use of data in very particular ways—for example, personal data must be processed in accordance with the data subject’s rights under the Act and be held securely to guard against unlawful or unauthorised processing, which addresses a point that many of your Lordships referred—but provides remedies in the event that those obligations are not adhered to. Generally speaking, that involves a complaint to the Information Commissioner.
Of course there have been lapses in data control. We are well aware of many of them. The noble Lord, Lord Collins, alluded to Concentrix, where there clearly appeared to have been lapses such that the Revenue terminated its contract without further notice in November of last year. We recognise that there are risks associated with data and data-sharing. That is why we emphasise the need to look at the provisions in the Bill not only alone but in the context of the Data Protection Act.
Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
Digital Economy Bill
Baroness Hamwee ExcerptsMonday 6th February 2017
(7 years, 2 months ago)
Lords ChamberRead Full debate Digital Economy Act 2017 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Baroness Janke (LD)
My Lords, I, too, shall speak to this group of amendments, having put my name to some of them. The noble Lord, Lord Collins, has already raised the issue about the permissive approach in the Bill, which we have rather rejected, and the question of inserting “complied with” rather than “had regard to”. Many of the amendments deal with that issue across the various agencies involved. When you consider that this is operated in relation to various criteria to do with improving people’s physical health, their emotional well-being, their contribution to society and their social and emotional well-being, the breadth of those areas is really rather daunting. You could justify almost anything under those four areas, and I do not really believe that the code of practice could be remotely enforceable if those were the criteria that were used.
Worse still, they could be used in a rather punitive way. For example, it could be argued that it is improving people’s well-being by making them work; and if they are disabled, pursuing people who have disabilities or difficulty in getting work could be used to penalise vulnerable groups. It would affect people who are on benefits or are pensioners—all sorts of vulnerable people. There needs to be somewhat more rigour in the Bill than criteria such as those that we see there now.
Moreover, these amendments deal with a minimum consultation period, which we support. Finally, the code of practice should be laid before Parliament, which, again, would be another safeguard. We must have much more transparency and greater rigour of application, enforceability and consistency across all the agencies and with other rules of disclosure. I would like to hear what the Minister has to say about these concerns. We believe that these matters must be answered and wish to understand the Government’s approach in order to decide whether we need to take this forward at a later stage.
Baroness Hamwee (LD)
My Lords, I, too, support the various amendments in this group. “Having regard to” a matter always seems to leave some wriggle room. If there should be exceptions to compliance—because I think we are talking about compliance here, not about consistency—then those should be spelled out. I accept that having codes of practice outside primary legislation allows for flexibility, which might be useful, for a response to experience of the operation of the code and, perhaps, for changing circumstances. However, there is so much reliance on codes of practice here that an inclusive process for constructing and finalising them is very important, as well as transparency in operation.
The noble and learned Lord will probably have a better recollection than I have of the discussion during the passage of the Investigatory Powers Bill about providing transparency by way of ensuring that people who were affected by the transmission of information knew about it. This was rejected for security reasons, but that would not be the case here. The overall objective has to be transparency and inclusiveness.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, Amendment 81 and the other amendments in this group are intended, of course—and I understand this—to strengthen enforcement of the codes of practice in relation to the public service delivery, debt and fraud, and research powers by requiring authorities who use the powers to “comply with” rather than “have regard to” these codes. The noble Lord, Lord Collins, has sight of a loophole, and the noble Baroness, Lady Hamwee, has encountered wriggle room, but I would take issue with those descriptions.
There is common ground here. We, too, believe that the codes are an important part of the data-sharing powers. However, the Government believe that “have regard to” is the right level of obligation for a code of practice. This is a legal obligation. Such persons when disclosing or using information will be expected as a matter of law to take the codes seriously and follow their requirements in all cases unless there are cogent reasons why they should not do so. It is, of course, common practice for legislation to set out the critical limitations on a power while codes of practice—which are more adaptable, as the noble Baroness, Lady Hamwee, acknowledged—are advisory tools that supplement with regard to best practice, principles and guidance.
The noble Lord, Lord Collins, alluded to a situation in which an authority exceeds its powers for the public good. In such a situation—without going into the detail of it—the authority would be exceeding its powers and it would have to answer for that, whatever the public good might justify in other circumstances.
Key conditions for the disclosure and use of information are set out in the Bill, including what can be shared, by whom and for what purpose. We have followed a common approach taken by government and others, including the Information Commissioner, to provide more detail on how data are to be shared in a code of practice. That does not mean that the code is to be treated lightly. Legal consequences may follow if the code is disregarded, as the Delegated Powers and Regulatory Reform Committee pointed out in its report on the Bill. The relevant Minister can make regulations to remove a body’s ability to share information under the power if it fails to adhere to the code. The noble Lord, Lord Collins, raised the question as to whether that is considered sufficient in the circumstances. We do consider that that is a sufficient safeguard in the circumstances. I also remind noble Lords—in particular, the noble Baroness, Lady Janke—that the first requirement of the Data Protection Act is that processing of data should be fair and reasonable. That underpins in existing legislation the whole approach that should be taken to this Bill.
The noble Baroness, Lady Hamwee, sought to draw a distinction between the provisions here and those in the Investigatory Powers Act about knowledge of data transfers. Of course, although we are not necessarily dealing here with national security, we are dealing with issues such as fraud, where it would be wholly inappropriate to give people advance notice of data sharing, particularly if one were going to address issues of criminal conduct.
Amendment 107B would require breaches of the code of practice on the public service delivery power to be reported to the Investigatory Powers Commissioner. It also places a duty on the Investigatory Powers Commissioner to investigate serious breaches and, where necessary, to inform the relevant individual of the breach. In doing so, the commissioner would have to ask the person in breach to make submissions before making a decision. With respect, the amendment would impose a considerable additional function on the Investigatory Powers Commissioner, where he or she would be bound to deal with breaches of a code of practice on information sharing which in no way relates to the commissioner’s remit of investigatory powers.
Indeed, placing such duties on the Information Commissioner would effectively be broadening the Information Commissioner’s remit without appropriate consultation. It would, as with Amendment 81B, cut right across the functions of the Information Commissioner, as distinct from the Investigatory Powers Commissioner; the Information Commissioner being responsible for upholding the Data Protection Act 1998, and also the safeguards and procedures for dealing with breaches of the code, which are already set out in various provisions. Such an amendment would blur the lines between the responsibilities of the Information Commissioner and the Investigatory Powers Commissioner and potentially lead to confusion and unnecessary duplication. If, in making those observations, I referred to the Investigatory Powers Commissioner when I meant the Information Commissioner and referred to the Information Commissioner when I meant the Investigatory Powers Commissioner, that simply underlines how easy it is to cause confusion in this area.
Amendments 108, 115, 134 and 151 call for the codes to be subject to approval by Parliament. A similar requirement was also raised by the Delegated Powers Committee in its recent report. We are carefully considering that proposal and I assure noble Lords that we will be responding to it shortly. Amendments 109 and 135 would introduce a requirement for the Minister to consult publicly on the code for a minimum of 12 weeks before issuing or reissuing it. Amendments 110, 152 and 190 would require that the Minister demonstrate that responses to the public consultation,
“have been given conscientious consideration”.
The policy in respect of these powers, and much of the content of the codes of practice, have been developed over two years of open policy development with a range of public authority and civil society organisations. The code sets out procedures and best practice drawn from guidance produced by the ICO and Her Majesty’s Government. We amended Clauses 36, 45, 53 and 61 in the other place to ensure our code will be consistent with the Information Commissioner’s data-sharing code of practice. The clauses contain a requirement that the Minister consults the devolved Administrations, the Information Commissioner and any other person the Minister considers appropriate prior to the issue or reissue of the code. I assure noble Lords that these other persons will include civil society groups and experts from the data and technology areas. It is, indeed, our intention to run a public consultation before laying the code before Parliament. I need hardly add that all consultations are taken seriously by the Government and all responses considered with appropriate conscientiousness.
I understand the interest in the codes and the desire to make sure they are effective. The codes will provide a strong safeguard for the use of the power, backed up by real consequences if they are not adhered to. With that, and while we consider the recommendations of the Delegated Powers Committee further—as I have indicated, we intend to do that in the very near future—I invite the noble Lord to withdraw his amendment.
Baroness Hamwee
The noble and learned Lord warned us against giving advance notice to potential fraudsters, but I think we are talking in these amendments about notice which may be in retrospect. I am looking at the noble Lord who has tabled the amendments. There are different issues, I think, about giving notice in advance and telling people that you have transferred information. Maybe we need to come back to the distinction between the two at the next stage. On the requirement to have regard but not necessarily to comply, does that not point up the real weakness of a code that is not approved by Parliament? These two bits of fragility seem to me to go hand in hand and undermine the security, as it were, of the regime.
Lord Keen of Elie
I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.
Lord Whitty (Lab)
My Lords, like those of the noble Lord, Lord Kirkwood, my three relatively small amendments in this group relate to fuel poverty. I was not at all surprised when my noble friend Lord Collins of Highbury was a bit confused at the beginning of this rather mixed-up group. It covers not only my subjects but voter registration and free school meals; most of the government amendments seem to relate to water and sewerage. I was tempted to say that it covers electoral rolls, bread rolls and toilet rolls. However, my amendments deal with something entirely different and their intention is very much the same as those of the noble Lord, Lord Kirkwood. I will not repeat all that he said.
My aim here is to make the system of data sharing more effective. I recognise all the concerns expressed around this Committee about the dangers of data sharing by public bodies and I understand them, because in different circumstances I have been deeply suspicious of the gas and electricity companies, as the noble Baroness, Lady Byford, clearly was a couple of groups ago. To make identification of the fuel poor more effective, we need more effective and comprehensive data sharing, along with the ability of different authorities and companies to share them, but this must be subject to all the safeguards. One safeguard is clearly stated in the Bill: that the information that can be used and shared in this way relates to the health of those affected by fuel poverty because they live in cold, draughty and damp homes. I do not need to spell out the effects of fuel poverty on those people’s health. It is quite important that in addition to the provisions in Clause 30(8) for helping the delivery of services and benefits, the clause should also refer to improving the health of those affected by it. My first amendment would do that.
My second and third amendments simply extend those gas and electricity operators which need to be engaged in it and will be subject to the same safeguards. It is increasingly the case that consumers and householders, including the fuel poor, have a closer affinity with the distribution networks than with their sensible supplier, which sends them the bill. To improve their situation, they will have to deal with the electricity distributor and, shortly, with the gas network distributor company. These amendments to Clause 31 deal with putting those distributors in the same category as gas and electricity suppliers. These are tidying-up amendments but they will make data sharing in this important area of fuel poverty more effective. The noble Lord, Lord Kirkwood, spelled out why that is necessary and, in particular, why those not automatically assigned to the warm home discount need to be identified and automatically put on the list of those who receive it. If we achieve that via the Bill, it will be a very important improvement and a step towards eliminating fuel poverty in our society.
Baroness Hamwee
My Lords, I want to ask a question about government Amendments 83A and 83B, which are about water and sewerage. Will these provisions apply only where there is a water meter? I am struggling to understand how they can work if the customer does not have metered water, and whether the information would be relevant—and how it could be used—if that is not the case. I am quite prepared to be told that I have not understood this properly but if I am right, should the provision not spell out that it is confined to that situation? That would make it clearer.
Lord Hunt of Wirral (Con)
My Lords, I declare my interest as a partner in the global insurance law firm DAC Beachcroft and as chair of the British Insurance Brokers’ Association, along with other interests set out in the register.
In speaking to Amendment 196A, I seek to address a small but important point on the operation of the Employers’ Liability Tracing Office, or ELTO. Colleagues may recall that I also raised this when we debated the Enterprise Bill in 2015. Although it has been grouped with amendments to Clause 30—I am happy to accept the grouping—it seeks to insert a new clause after Clause 65 in Chapter 6 of the Bill, which deals with Her Majesty’s Revenue and Customs.
In 2010, the Department for Work and Pensions identified the need for a tracing office, and ELTO was established in the same year. Sadly, former employees continue to contract industrial diseases, including cancer, due to workplace exposure many years earlier. All too often, the employer is no longer in existence by the time the disease is diagnosed. This was considered by our colleagues at the Department for Work and Pensions as a major obstacle to the former employees’ obtaining compensation.
ELTO was established, and the insurers are now required to provide to ELTO details of all employers’ liability policies that have been issued since April 2011. According to the information I have received, ELTO is working well. In the 11 months to the end of November last year, there were more than 178,000 successful searches of the Employers’ Liability Database, but it could be working better.
The piece of the jigsaw that is often missing is the employer’s PAYE reference number. This number is now used to identify an individual employer in the Pay as You Earn system. Each employer is given a unique reference number. If this unique reference number could be applied to the Employers’ Liability Database, it would make searches more accurate, as it would avoid problems of company names’ changing over time. Generally speaking, it would enable the correct employer to be traced.
One major obstacle is that by law ELTO is unable to gain this information under the Commissioners for Revenue and Customs Act 2005, which prevents HMRC from sharing information except in specified circumstances. Alternatives to primary legislation have already been explored with HMRC. Although we often think of employers as large companies, many are sole traders or family partnerships. For them, the reference number could well amount to personal data, which are rightly protected from general disclosure.
The measure, which I now understand is supported by ELTO and HMRC, is proportionate. HMRC has a ready-made database of these unique reference numbers to which ELTO could be given limited access. All ELTO needs is the reference number itself and the name and address of the employer as a cross check. The amendment would permit ELTO and HMRC to set up, at no cost to HMRC, a facility to share this limited information. It will help make the ELTO database fit for the future.
Many noble Lords will know that I have the honour to be an officer of a number of all-party groups, including not only the Occupational Safety and Health All-Party Group but also the All-Party Group on Insurance and Financial Services, so I should also declare those interests because this amendment is strongly supported by my colleagues on those groups.
This amendment would provide great benefit to employees, employers and insurers alike. I hope my noble friend the Minister will feel able to accept it.
Baroness Byford (Con)
My Lords, in this group I tabled Amendments 100 and 196. Within this group we are debating data sharing and the putting in place of safeguards that make us confident in the next move to make life better for the majority of people. I have one or two direct questions, particularly on the level of data that will be supplied from one authority to another. For example, does the Bill intend that information be supplied on the number of households in a given postal area where child benefit is being claimed and/or where all adults are unemployed? Would it be up to the users of the data to extract a summary picture from details of, for example, names, addresses, whether benefits are received, whether householders are unemployed or any other data?
At any level of inquiry, I presume data will be transferred such as dates of birth and marital status that, were they to fall into the wrong hands, could be used to perpetrate private fraud. No one today has mentioned private fraud, but it can come about as a result of lack of security and safeguarding. Again, perhaps the Minister will indicate what relevant provisions there are. I am unsure whether I have missed some. At earlier stages of the Bill I mentioned the amount of fraud going on and it is horrifying. If the Bill can in any way tighten up on that, it would be an advantage.
For example, will personal information cover things such as whether an individual has a diagnosis of dementia or whether a family has been a cause of concern to the social work department in their own area? Who makes these judgments? At what stage are these activated? I may not have read the Bill carefully enough to find the missing answers. I pose these fairly simple questions to make sure that our safeguarding of this information is secure.
Amendment 100 is a probing amendment that seeks to complete the explanation of what information HMRC would disclose, providing examples of the circumstances under which it would be disclosed and a complete list of the groups or persons whose information would be handed over. This relates to Clause 30, of which we spoke earlier. Subsections (9) and (10) specify the well-being of persons or households and define well-being in terms of physical or mental health, contributions to society—which we have covered slightly earlier on and which is difficult; I should be glad of clarification on that—and emotional, social and economic well-being. The latter are easier to understand.
Clause 31 refers to people living in fuel poverty. Again, we debated this previously. Fuel poverty has been defined as,
“living on a lower income in a home which cannot be kept warm at a reasonable cost”.
Clause 32 also refers to people living in fuel poverty. I do not understand what is intended, nor what will be involved for those deemed to be affected. Defining well-being in terms of well-being suggests that definitions of those covered by this legislation could depend on the personal and political stance of those making those decisions. What is “lower income”? Within what limits do homes qualify under these clauses and who will rule that they cannot be kept warm at reasonable cost? What will be the limits of powers of such a decision-maker over, for example, someone who prefers to wrap up for three months of the year so they may enjoy their garden for nine; in other words, somebody who is living in a bigger house that costs more to heat? Will an individual be able to opt not to have personal information shared within local authorities and/or with gas and electricity suppliers?
Turning now to my Amendment 196 in this group, I do not pretend to know anything about the structure, organisation or responsibilities of HMRC. Hence, I do not understand whether an “official” is someone equivalent, say, to a board member in a quoted company. I fear, however, that that is unlikely to be the case. In this era of Facebook, Snapchat and the substitution of public opinion for demonstrable fact, I am unhappy—I do not know whether other noble Lords are—that perhaps a more junior member of HMRC could decide that disclosure would be in the public interest. In other words, where does the buck stop?
Disclosure of personal information, even supposedly non-identifying, should be done only on the authority of the head of the organisation. He or she presumably will have the knowledge, experience and breadth of understanding to be sure that it cannot be combined with other data to name individuals. He or she will also, presumably, be less likely to make errors of judgment, and of course a claim of ignorance of any such disclosure would not stand up to scrutiny, as they would obviously be at the most senior level.
Baroness Hamwee
My Lords, I will just pick up the noble Baroness’s last point about who is an official. There are examples, in other legislation, of references to “senior officials” and “designated officials”, which might be somewhere between the junior official she has in mind and the Permanent Secretary, but she is right to draw the issue to the Committee’s attention.
On an earlier group, the noble and learned Lord indicated that he was going to speak at greater length—I assume that may be on this group—on the reason for using the term “personal information” rather than “data”. Perhaps I may use my noble friend’s Amendment 213 to ensure that we get to share more of Government’s thinking. I understand the point about corporations, since in the one case, they come within the group covered, and in the other they do not. But I am still puzzled as to why such efforts have had to be made to deal with personal information and then to add in references to the Data Protection Act, rather than starting from the DPA—with any necessary exclusions—which would have taken us straight to the involvement of the Information Commissioner, the data protection principles and so on.
I wondered during the Statement whether to have a go at some alternative drafting for Report, but thought I had better wait for this discussion. But perhaps part of it boils down to a question on Clause 33(8), which says, in wording replicated elsewhere, that,
“nothing in section 30, 31 or 32 authorises … a disclosure which … contravenes the Data Protection Act”.
To look at it from the other end of that telescope, is there any personal information which is the subject of the Bill that would not fall within the DPA and therefore not be protected by that clause?
Lord Clement-Jones (LD)
My Lords, I thought I would intervene to see if it might help the Minister. The code of practice does not make things any clearer. With reference to my noble friend’s very apt point about information versus data, paragraph 4 of the code says:
“The definitions of ‘personal information’ contained in the Bill are intended to ensure that the information shared through these powers is handled carefully”.
That does not sound like a particularly good legal answer to the question. It goes on:
“Though the definition of ‘personal information’ for the purposes of the Bill may differ from the definition of ‘personal data’ in the DPA, all information shared and used under the public service delivery, debt and fraud provisions must be handled in accordance with the framework of rules set out in the DPA”.
Where is that explicitly set out? It would be very helpful if the Minister, in answering, could advert to that as well.
Baroness Hamwee
My Lords, the noble and learned Lord may have already answered this, as his response was inevitably very full and quite dense, but on my question about Clause 33(8)—and the words are repeated in other clauses—although nothing in the sections authorises a contravention of the DPA, is there personal information within the Bill that would not be within the DPA and therefore not protected by that subsection?
Lord Keen of Elie
I am obliged to the noble Baroness, Lady Hamwee. Although the definition of personal information differs from the definition of personal data in the DPA, all personal data shared and used under the public service delivery provisions must be handled in accordance with the framework of rules set out in the DPA, and in particular with the data protection principles, because the DPA is not overridden by this chapter. To the extent that the class of personal information is wider than personal data, although the DPA does not directly govern such information, we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice under Part 5. I hope that answers the noble Baroness’s question.
Lord Collins of Highbury
My Lords, I thank the noble and learned Lord for his comprehensive response. Clearly, there is a lot in the codes of practice, so we await the response. I welcome, too, his commitment to come back to report on the issues that the Information Commissioner and we have raised.
Both the GMC and the BMA raised the issue of confidentiality and the common law. They obviously have legitimate concerns about the future impact. Confidentiality is not simply an issue of administration and protection administratively; it is a fundamental issue about the nature of the relationship between doctor and patient, where trust is absolutely vital for medical treatment, ongoing treatment and so on. We may have to come back to this issue at Report. In the meantime, I beg leave to withdraw the amendment.
Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
Digital Economy Bill
Baroness Hamwee ExcerptsMonday 6th February 2017
(7 years, 2 months ago)
Lords ChamberRead Full debate Digital Economy Act 2017 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Baroness Byford (Con)
My Lords, my opposition to Clause 39 standing part of the Bill forms part of this group. I have listened carefully to what the noble Lord, Lord Clement-Jones, has just said. I come to this from a slightly different angle but the conversation goes round and round in a circle, and here we are trying to introduce protections again.
I tabled my opposition to the clause for probing reasons. I wonder whether it is possible to have examples of when and why a civil registration authority would disclose information. The definition in new Section 19AA(6)(e), introduced in Clause 39, lists as civil registration officials those local authority classifications which also appear as specified public authorities. Do the disclosure powers mean therefore that a civil registration official in, for example, my home county of Leicestershire may disclose information to other personnel employed within the county council, or do they empower him to disclose information to any or all of the other specified public authorities? From my reading of the subsection, that is not quite clear.
Would the regulations be used to divulge information specific to a person or perhaps a family, or could they ever cover everything registered at a particular time or relating to a particular location? For example, why would the NHS have an interest in receiving such information?
Could this chapter result in a large-scale information exchange between civil registration officials and public authorities using the internet? If so, how will such data be protected both in transit and at the receiving end? Do all public authorities use the same methods to guard against data theft and hacking? I shall be interested to hear the Minister’s response.
Baroness Hamwee (LD)
My Lords, perhaps I may ask a couple of questions which arise from the fact sheet on this issue. On civil registration, it says:
“The Bill establishes a framework, with appropriate safeguards, to share bulk registration information where there is a clear and compelling need”.
I wonder whether the Minister can help the Committee in understanding where that is translated into the Bill. The fact sheet also says:
“There are no intentions to share data with the private sector or for data to be used for any commercial purposes”.
It then goes on to say that,
“the powers would not permit this”.
However, I am sure that the Minister will understand my querying the words “no intentions”, because they suggest that there could be a change, and possibly one with which Parliament is not hugely involved. I am going to assume that the points made by the Delegated Powers and Regulatory Reform Committee are in the rather large pile of items that it raised and which the Government will reply to before Report, so I am referring to that only in passing, but it would be very helpful to understand how the points in the fact sheet, which is where many people would start, move over into the legislation.
Lord Keen of Elie
My Lords, the proposals in Chapter 2 of Part 5, which are being addressed here, will ensure that citizens are able to access future—can I have a moment to sort out my own speaking notes?
Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
Digital Economy Bill
Baroness Hamwee ExcerptsMonday 20th March 2017
(7 years, 1 month ago)
Lords ChamberRead Full debate Digital Economy Act 2017 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 102-III Third marshalled list for Report (PDF, 182KB) - (20 Mar 2017)
Baroness Hamwee
Baroness Hamwee (LD)
My Lords, on behalf of my noble friend Lord Clement-Jones and myself I beg to move Amendment 25YX and will speak to the other amendments in this group, which are all about limiting disclosure—but, I want to stress, limiting it in what we regard as an appropriate way, accepting that there are benefits in information sharing but perhaps with more of an eye to privacy considerations than are in the Bill.
The first of the amendments would provide that disclosure of information should be only to the extent necessary and proportionate in connection with public service delivery. This is both because we regard “no more disclosure than is necessary and proportionate” as being important but also, in this context, because disclosure goes outside and beyond public authorities. We have tabled similar amendments to clauses dealing with debt, fraud and research.
In evidence to the Public Bill Committee, the Information Commissioner wrote:
“Proportionality and necessity are key to ensuring data sharing complies with data protection and human rights law”,
and that,
“the Bill does not directly correlate with these concepts”.
Our amendments would put these notions in the Bill. The ICO also commented on bulk data sharing. She wrote:
“As more data is shared ever more widely … big data analytics are used in complex and unexpected ways”.
Our Amendment 28CB would require the civil registration official to be satisfied that disclosure is proportionate to the recipient’s requirement.
Bulk data sharing is so significant that we think it should be reviewed after three years. Amendment 28CF refers particularly to the review covering public attitudes, the use of the powers, the availability of alternative mechanisms, and security considerations.
Amendment 26A takes us to a point that I raised in Committee. We would like to understand what is meant by individuals’ and households’ contribution to society in the context of improving their well-being. This is a condition for disclosure. What is additional in this phrase to the health and social and economic well-being provided for elsewhere in the clause? The expression is paternalistic and judgmental—and, probably more importantly for this purpose, it suggests a concern more for an advantage to society than to the individual or household. That goes against the thrust of the data sharing for public services, which is framed as being for the benefit of individuals and households.
We are also concerned that the exceptions to the protections include the prevention of anti-social behaviour. In Committee, the Minister said that people have a right to be protected against such behaviour. We would not argue against that, but “balance” is a term often used from that Dispatch Box and we think that the balance here is right out of kilter. Protection against anti-social behaviour is very different from protection against serious physical harm and so on. By definition—the definition being that there is a provision elsewhere—anti-social behaviour is not criminal behaviour.
The Government have explained this, as I said at the previous stage, but we do not believe that they have justified it. Nor have they justified exceptions for any crime, which is why our amendments would limit crime here to serious crime, which we have defined using the definition used in the Investigatory Powers Act. I have to say that not a lot of Clause 36 would fall within the DPA “vital interests” provision.
Next, in Committee we asked about the use of the definition of personal information rather than building on the DPA’s personal data. The Minister told the Committee that to the extent that personal information is not governed by the DPA,
“we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice”.—[Official Report, 6/2/17; col. 1259.]
Indeed, it would be the codes of practice, not the statute. Our Amendment 28AU is an opportunity for the Minister to answer the Information Commissioner’s observation that there is a gap here. There are compensatory safeguards under the DPA—they apply under the DPA but seem not to apply under the Bill.
We remain concerned that an individual whose information is disclosed should be informed. My noble friend Lady Janke referred to the transparency that is necessary for public trust in the process. I completely agree with that. The Minister was concerned that, if a fraud were being investigated, you would not go out and tell the alleged fraudster what you were doing. I hope that the amendment answers that point, because it is a relatively narrow situation that should not preclude doing what is right more generally.
Amendment 28BM has been tabled to seek an explanation of Clause 40(4), in particular its wording,
“similar to that made by section 38”.
Clause 38 gives powers to HMRC and, as I read it, HMRC will have powers to lift restrictions on disclosure. So, under Clause 40, does this mean that a specified person has a power to lift the restrictions? That does not seem right to me. I have undoubtedly misunderstood it—but, if I have done so, perhaps one or two other people would misunderstand it, too.
Amendment 39 is rather different: a sunrise clause—it could have been a sunset—to explore further how all this fits with the new rules that will come into effect in May 2018, when we will still be in the EU, under the EU general data protection regulation and the law enforcement directive. The GDPR will strengthen provisions on processing only the minimum data, on privacy notices with explicit requirements for data protection by design and default, and on data protection impact assessments.
We were assured in Committee that Part 5 is “compatible”—that was the word used—with the GDPR. Thinking about that afterwards, I wondered whether that meant that Part 5 was not inconsistent but possibly not as wide as the GDPR. We were told:
“When the regulation comes into direct force, we”—
that is, the Government—
“will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it”.—[Official Report, 6/2/17; col. 1490.]
Given that there will be a need to share certain data with other EU states after the date when we leave, how will all this be done? I hope that the Minister can share with the House the Government’s proposals for checking that there is more than just consistency and that, more particularly, nothing is left out. I beg to move.
The Advocate-General for Scotland (Lord Keen of Elie) (Con)
My Lords, I am obliged to the noble Baroness, Lady Hamwee. Amendment 25YX and the related Amendments 28CB, 28CG, 28DV and 28FD seek to impose an express requirement that the public service delivery power may be used to share information only to the extent that it is necessary and proportionate to do so. That covers the changes to debt fraud research and similar civil registration provisions in the Bill. With respect, the amendments are unnecessary as the powers will need to be exercised in line with the Data Protection Act and the codes of practice, which already require that only the minimum data necessary to fulfil the particular objective may be shared. It is therefore unnecessary to amend in accordance with this proposal.
The effect of Amendment 25YYD would be that the list of specified persons permitted to use the public service delivery power could be amended only to add or remove bodies. The removal of the word “modify” would affect the way that minor amendments could be made. I do not believe that the noble Baroness, Lady Hamwee, expressly referred to this amendment, but as it is listed in this group as her amendment I just mention the point because clearly it is necessary that there should be a degree of flexibility in how that provision operates.
Baroness Hamwee
I apologise; I thought that was in another group, though I received a note later. I would like to understand how extensive a modification might be.
Lord Keen of Elie
I am obliged to the noble Baroness. I am happy to explain within this group, where I understand the amendment remains. The removal of the word “modify” would affect the way in which minor amendments could be made. For example, where a body changes its name or the description of the category of a body needs to be adjusted, you would then want to modify rather than delete and start again.
Amendment 26A seeks to remove reference to,
“the contribution made by individuals or households to society”,
from the public service delivery chapter. Again, I venture that the amendment is unnecessary because subsection (10) gives examples of “well-being” but does not provide an exhaustive list. Therefore we have three categories by way of example—but only by way of example. In response to the specific observation made by the noble Baroness, Lady Hamwee, I respectfully suggest that there is nothing paternalistic or judgmental about any of the examples given in the Bill. Indeed, where a party makes a contribution to society, that benefits the contributor as well as society, which is why it is appropriate that it should be given as an example in this context.
Amendment 28AU would provide a new definition of “personal information” for the purposes of the public service delivery power. This point was raised in Committee as well. The amendment expressly incorporates the definition of “personal data” under the Data Protection Act 1998 into the definition of personal information for the purposes of these powers, as well as making clear that the Bill’s extended definition also includes deceased individuals and companies. We consider that the existing provisions set out the same position, albeit in slightly different words. I note that reference was made to the issue in Committee, and to the provision of codes of practice in that context.
The intention of Amendment 28AY seems to be to provide greater transparency by ensuring that individuals would know when information about them has been shared. Existing provisions in the Bill already require those using the powers to comply with Data Protection Act requirements as to the information that people are given about the usage of their personal data. This, supplemented by the requirements imposed by applicable codes of practice, ensures that the use of these powers will be as transparent as it can be.
Amendments 28AR and related amendments seek to narrow the exceptions to the general rule in Clause 36(1) that personal information received under the public service delivery powers may be used only for the purpose for which it was shared, to the effect that such information may not be shared for the purpose of preventing anti-social behaviour, and to restrict the exception permitting disclosure for the purpose of preventing or detecting crime to “serious” crime, as indicated by the noble Baroness. These amendments would also bring in an offence of disclosing personal information for the purposes of anti-social behaviour. The prevention of anti-social behaviour and the prevention or detection of crime are matters of significant public interest. If information sharing indicates potential criminal activity, public authorities should be able to take action. Similarly, if information received under the powers indicates that anti-social behaviour is occurring or is likely, we consider that this information should be disclosable to maintain public order. Anti-social behaviour may itself be seriously harmful to those who become its victims.
Amendment 28BM seeks to remove the power given by Clause 40(4), which allows regulations to make disclosures by newly specified persons subject to the same conditions that apply to disclosures of information provided by HMRC. That power would be used to require the consent of the original provider to any subsequent disclosures of particularly sensitive information, as is the case for information provided by HMRC under Clause 38. The amendment is undesirable, as it would remove flexibility to give enhanced protection to information from certain sources. I do not believe the noble Baroness read the provision in that form, but it is there so that enhanced protection may be given in a particular circumstance.
Amendment 28CF would impose a duty on the Secretary of State to review the civil registration power after three years, akin to the powers already provided in the debt and fraud powers. This duty was included in the debt and fraud powers to assess whether the powers deliver demonstrable benefit via an initial piloting process. The information gathered in the course of the pilot process will provide evidence for the review. It is our view that a similar duty to review the civil registration power would not be appropriate. First, civil registration information is already a matter of public record. Secondly, the powers are simply looking to update outmoded legislation to simplify and provide the flexibility to share civil registration data within the public sector to avoid the need to enact specific powers whenever a new need arises. The power has been developed to support a range of public authorities at national and local government level to transform the services that they can provide to citizens.
Finally, Amendment 39 is intended to ensure that Part 5 could not be brought into force until after the GDPR comes into effect, which would be in May 2018. This would prevent the use of the powers until that date, which would be unhelpful given that a number of bodies are keen to use the powers to achieve particular objectives, such as extending the warm home discount scheme. As we have said before, we consider that the present provisions are compatible with the GDPR—compliant, therefore, in that context—and we are committed to revisiting the codes of practice before May 2018 to ensure that they reflect the latest best practice of compliance with the GDPR.
In those circumstances, I invite the noble Baroness to withdraw her amendment.
Baroness Hamwee
My Lords, I thank the Minister, but all that will bear some reading. We felt it important to extend some of the comments that we made in Committee to get a more extended response. Noble Lords will be pleased to know that I shall not respond to all those points. On the Minister’s first point about “necessary or proportionate”, I do not know whether he means that I misread the ICO’s comments, that the Government disagree with the ICO, or whether some of the changes to the Bill since its initial form have dealt with them. Perhaps I should just leave that hanging.
The fact that the “contribution to society” is an example does not answer our concerns. I remain anxious about it, as I do about “anti-social behaviour”, which the Minister described as being a matter of significant public interest. I do not dispute that, but data sharing is a matter of significant public interest—I suggest, possibly greater. We are told that anti-social behaviour may be seriously harmful, but it is not criminal in this context, because we have other provisions to deal with crime.
I was indeed confused about the application of the HMRC powers to other bodies, and I remain confused about whether that extension is appropriate.
Finally, of course civil registration information is a matter of public record, but the updating takes us into a very different regime. The ability to share information in bulk is very different from that to look up individual pieces of information. Can the Minister tell the House today whether the consultation to which he referred extended beyond the sharing organisations to the sort of bodies concerned with privacy? He may not know, and I may be quite out of order in asking this on Report. I do not think he is going to leap to his feet—pause—no, he is not. I do not hold that against him. It is probably not in his brief. If there was not such consultation, that answers my point.
However, clearly, I should beg leave to withdraw the amendment.
Lord Hunt of Wirral (Con)
I declare my interest as a partner in the global law firm DAC Beachcroft, and other interests set out in the register, including chairing the British Insurance Brokers’ Association and being president of the All-Party Parliamentary Group on Occupational Safety and Health. Taken at face value, Amendment 28FY would appear somewhat technical, but the Employers’ Liability Tracing Office is working well, but it could work better, and this amendment would help to facilitate that.
I am so grateful to the Minister and his colleagues for the support that they have given to this amendment, which could make a substantial difference to the capacity of the office to help to secure compensation, expeditiously and effectively, for those afflicted by industrial illnesses. When someone faces a reduced quality of life and possibly an avoidably and unnecessarily early death because of an industrial illness innocently contracted, the least that we can do is to deliver compensation as quickly as possible in the hope that the individual with the illness can enjoy at least some benefit from it. I believe that in some small way the amendment will serve to make this a more civilised and compassionate country.
Baroness Hamwee
My Lords, we have two amendments in this group. The Minister was just a little previous in answering Amendment 25YYD on modification, so we do not need to go back to that. Amendment 33ZYD would remove several organisations from the list of specified persons for the purposes of fraud provisions, and the amendment is here to enable us to ask whether all these require the data-sharing gateway or, conversely, whether there are many other government-related organisations; I am not quite sure what the correct term might be for organisations such as the National Lottery or the British Council, but I shall use the term government-related organisations tonight. Are there not others that might use the power? What were the criteria used to select the ones that are in the schedule?
Lord Keen of Elie
I am obliged to my noble friend Lord Hunt and note what he said with regard to the amendment. On the amendment proposed by the noble Baroness, Lady Hamwee, Amendment 33ZYD, which seeks to remove a number of non-departmental public bodies listed in the schedule for the fraud power, I accept that the list in the schedule is long but the fact is that many public authorities are at serious risk of fraud. Each of the bodies was considered individually before being added to the schedule, and the NDPBs have been included because they each administer many millions of pounds in grant expenditure each year, which exposes them to a significant risk of fraud.
Lord Keen of Elie
I am not in a position to say what number of bodies were considered and discarded, but I will undertake to write to the noble Baroness on that point. All the public bodies included in the schedule must, of course, comply with the data-sharing safeguards in the Bill. Clearly, public authorities may not enter into data sharing lightly. They will have to follow the codes of practice, comply with the Information Commissioner’s requirements on data sharing and privacy and have in place all necessary protections to prevent unlawful disclosure.
The list of public bodies in the government amendments is shorter than the lists we have previously published in draft regulations although, as I indicated to the noble Baroness a moment ago, I do not know how many bodies were considered and removed before the process of listing them in the draft regulations took place. Care has been given to ensuring that we share only where there is a clear benefit, as required by the legislation. I hope that, with that explanation, the noble Baroness will withdraw her amendment.
Baroness Hamwee
Baroness Hamwee
My Lords, the published groupings include Amendment 28CY, which should not have been tabled. I apologise to the House; it was a hangover from drafting before the Government tabled their amendments, which we have just dealt with, in response to the Delegated Powers and Regulatory Reform Committee. I will not be speaking to it and am sorry for the confusion. Similarly, Amendment 28CUA, published on the supplementary list, should not have been tabled—it was drafted a while ago but somebody panicked late on Friday afternoon and thought it had better be published.
Lord Keen of Elie
I thank noble Lords for their observations on these matters. There are of course government amendments in this group as well and perhaps I may begin with those.
This group of amendments concerns the codes of practice issued under Part 5 and those issued by the Information Commissioner’s Office. It includes the government amendments that implement the recommendations of the Delegated Powers and Regulatory Reform Committee and, as the noble Lord, Lord Collins, observed, the recommendations of the Information Commissioner’s Office. In addition, there are some opposition amendments on similar points.
We have already published draft codes of practice on data sharing. The Delegated Powers and Regulatory Reform Committee recommended that the first codes of practice and the UK Statistics Authority’s statement of principles should be laid before Parliament in draft and should not be brought into force until they had been approved under the affirmative procedure. Revisions were to follow the draft negative procedure. We agree and have tabled amendments to achieve this, and it is intended that Parliament should have a suitable opportunity to consider these drafts and any amendments thereto in due course.
A further series of government amendments will require persons disclosing personal information under relevant chapters of Part 5 to have regard to the Information Commissioner’s codes of practice on privacy impact assessments and privacy notices, transparency and control in so far as they apply to information which is being shared. As the noble Lord, Lord Collins, observed, the Information Commissioner called for explicit reference to these two codes to be made on the face of the Bill. We have worked with her office to develop these amendments, which supplement the existing requirement that the codes of practice prepared under the Bill must be consistent with the commissioner’s own code on data sharing, and I understand that she is satisfied with the steps we have taken in that regard. I hope that this will provide further assurance to noble Lords that we are committed to ensuring that best practice concerning compliance with data protection and transparency will be applied to the exercise of powers under Part 5 of the Bill.
I now turn to the opposition amendments in the names of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Clement-Jones. I hope I can persuade them that their amendments are no longer necessary, as the government amendments fully address the concerns of both the Information Commissioner’s Office and the DPRRC.
As the noble Baroness has explained, the amendments in their names seek to ensure further consistency with the ICO’s codes and to strengthen the role of those codes in the regime set up by Part 5, as well as providing for greater parliamentary oversight of the Government’s codes, and I believe that we are now there. The Bill already requires that codes of practice issued under Part 5 of the Bill must be consistent with the ICO’s data-sharing code of practice. The government amendments further require persons to have regard to the ICO’s codes on privacy impact assessments and privacy notices, transparency and control when exercising relevant powers under Part 5. So we are now referencing all the codes which the ICO felt were critical for the operation of Part 5.
Of course, this is not the first time we have discussed amendments that seek to strengthen enforcement of the codes of practice by requiring authorities that use the powers of determined specified bodies to “comply with” rather than “have regard to” these codes. The Government’s position remains that “have regard to” is the right weight to give to codes of this type. That is itself a legal obligation, as the noble Lord, Lord Collins, noted. Moreover, the public law will expect those who are subject to the codes to follow their stipulations unless there are cogent reasons why they should not. We note that the Information Commissioner’s own codes are themselves advisory. A requirement to “comply with” the codes could lead to their being applied in a tick-box fashion, without due regard to whether the recommendations are actually applicable to and desirable in the context of the specific data share.
On the issue of adding additional persons to the consultation obligations for the codes, since Ministers have committed before Parliament to consult publicly on the Part 5 codes of practice, we suggest that such a requirement is unnecessary. The present provisions reflect what the noble Baroness noted to be the normal position.
Finally, on parliamentary oversight, the Government’s amendments fully implement the DPRRC’s recommendations, including, exceptionally, the use of the affirmative procedure for the first codes and the draft negative procedure thereafter. They go further than the noble Baroness’s amendment, and I hope that that will be welcomed by all noble Lords. I therefore invite the noble Baroness not to press her amendments.
Baroness Hamwee
My Lords, I thank the Minister for that response. I had forgotten to say that I was glad to see the government amendments about the affirmative procedure—it was because of looking at those that we got those two stray amendments that were tabled in error.
The noble Lord, Lord Collins, is absolutely right about the codes of practice. I simply say, before begging leave to withdraw, that it will not be possible for amendments to be made once the codes are put formally to Parliament. That is why wide consultation and—I do not like the term—an iterative process is very important on what will be significant documents. I beg leave to withdraw my amendment.
Baroness Finlay of Llandaff (CB)
My Lords, I have tabled amendments in this group. I start by thanking the noble and learned Lord, Lord Keen of Elie, and his Bill team for having met with me and for dealing patiently with my queries. I know from that meeting that the Government are not minded to accept my amendments, but I would like the arguments to be put on the record.
I have listened carefully to the noble Lord, Lord Whitty. While I do not dispute at all that his amendments are well intentioned, I can see enormous difficulties arising in determining the threshold of the condition—how severe it has to be, which co-morbidities might be aggravating one another, which members of the family would be involved and so on. I am not sure from the way he argued for his amendment whether an email notification system against a set of clear criteria that had been pre-negotiated with the consent of the patient or family would meet the needs and be simple and straightforward. Would it be a communication system free from the risk of mining the patient’s clinical records? The reason I ask is that at the moment health bodies are not specified in the Bill, but if they were included, that would certainly need legislation because in effect it would override the common-law duty of confidentiality.
I know that at the previous stage the noble and learned Lord, Lord Keen, said that the Government were minded to consider bringing health and social care bodies within the scope of these powers in the future and that that would be done using a statutory instrument passed by the affirmative procedure. I appreciate that the Minister said that there would be wide consultation before that happened.
The difficulty is that in Clause 36(7) it appears that the duty of confidence, which could apply to the duty of medical confidentiality, could be removed if health is brought within the scope of the Bill. It could provide a legal gateway for sharing medical records for purposes that are not currently specified among a wide range of government departments and public service providers. The concern is that to date a special legal status has been afforded to health data in the common-law duty of medical confidentiality due to its sensitivity and the importance to the public of a confidential health service. This common-law duty of confidentiality protects health data over and above the safeguards provided by the Data Protection Act, so simply referring to the Bill’s requirement to comply with that Act when making disclosures does not maintain the current level of protection.
If the Bill proceeds unamended and the Government include health bodies in the list of specified bodies, which they could do by statutory instrument, I think that would be viewed as a serious assault on medical confidentiality because it would open up the power to share confidential information. Indeed, problems with the failure of the current safeguards in the system were aired this weekend over TPP, the IT system that many general practitioners use. In a way, that demonstrated that the current safeguards in place around the IT systems are, frankly, inadequate.
NHS Digital could be drawn into the Bill’s information-sharing powers. It holds vast quantities of confidential data, which would mean that the Bill could give the Government direct access to them without consent, because the process would override the current common-law duty. This needs to be considered in the context of the National Data Guardian, who has spoken about the need to build trust in the health system’s ability to handle data, and a real concern among many patient groups of the general mistrust that their very confidential data could be shared.
I believe that my amendments will not be accepted, but if they are not I hope the Government will be able to reassure me that if health data were to be brought into the Bill’s information-sharing powers they will not just be added to the current framework created by the Bill and then the duty of medical confidentiality deemed to be protected, but that there will be full public engagement and full parliamentary scrutiny prior to proceeding, and that the protections in place would include independent oversight and real-time monitoring of the data sharing. In Wales, the IT system overseeing NHS Wales has instituted real-time monitoring because there was concern that staff could have used their access rights to unprofessionally access healthcare records of people with whom they did not have a direct care relationship. I am afraid that human nature is that people are rather inquisitive about what may be happening to people they know, but those may be very sensitive and very private data. Therefore, they need the highest safeguards around them.
The problem is that once there is a data leak it really cannot be pulled back and closed. I hope the Government will provide the reassurance that, as well as the other aspects, there will be real-time monitoring and independent oversight of the whole process, with additional sanctions that will be of a high enough level to, I hope, act as a major deterrent for any breaches of any data-sharing agreement.
Baroness Hamwee
My Lords, we have Amendment 28AV in this group, which is also about the common-law duty of confidentiality. Obviously that includes doctor-patient confidentiality. We are with the noble Baroness in her concerns. Apart from wanting to see that duty preserved, the reason for the amendment is to seek confirmation that it is to be overwritten rather than preserved. I found subsection (7) quite difficult. When we were contacted by a member of the public who was clearly qualified to read the legislation with a query about it, it seemed appropriate to raise this because it is quite difficult to follow. Clearly, one should be quite certain about what we are doing.