Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
(7 years, 10 months ago)
Lords ChamberMy Lords, I, too, shall speak to this group of amendments, having put my name to some of them. The noble Lord, Lord Collins, has already raised the issue about the permissive approach in the Bill, which we have rather rejected, and the question of inserting “complied with” rather than “had regard to”. Many of the amendments deal with that issue across the various agencies involved. When you consider that this is operated in relation to various criteria to do with improving people’s physical health, their emotional well-being, their contribution to society and their social and emotional well-being, the breadth of those areas is really rather daunting. You could justify almost anything under those four areas, and I do not really believe that the code of practice could be remotely enforceable if those were the criteria that were used.
Worse still, they could be used in a rather punitive way. For example, it could be argued that it is improving people’s well-being by making them work; and if they are disabled, pursuing people who have disabilities or difficulty in getting work could be used to penalise vulnerable groups. It would affect people who are on benefits or are pensioners—all sorts of vulnerable people. There needs to be somewhat more rigour in the Bill than criteria such as those that we see there now.
Moreover, these amendments deal with a minimum consultation period, which we support. Finally, the code of practice should be laid before Parliament, which, again, would be another safeguard. We must have much more transparency and greater rigour of application, enforceability and consistency across all the agencies and with other rules of disclosure. I would like to hear what the Minister has to say about these concerns. We believe that these matters must be answered and wish to understand the Government’s approach in order to decide whether we need to take this forward at a later stage.
My Lords, I, too, support the various amendments in this group. “Having regard to” a matter always seems to leave some wriggle room. If there should be exceptions to compliance—because I think we are talking about compliance here, not about consistency—then those should be spelled out. I accept that having codes of practice outside primary legislation allows for flexibility, which might be useful, for a response to experience of the operation of the code and, perhaps, for changing circumstances. However, there is so much reliance on codes of practice here that an inclusive process for constructing and finalising them is very important, as well as transparency in operation.
The noble and learned Lord will probably have a better recollection than I have of the discussion during the passage of the Investigatory Powers Bill about providing transparency by way of ensuring that people who were affected by the transmission of information knew about it. This was rejected for security reasons, but that would not be the case here. The overall objective has to be transparency and inclusiveness.
My Lords, Amendment 81 and the other amendments in this group are intended, of course—and I understand this—to strengthen enforcement of the codes of practice in relation to the public service delivery, debt and fraud, and research powers by requiring authorities who use the powers to “comply with” rather than “have regard to” these codes. The noble Lord, Lord Collins, has sight of a loophole, and the noble Baroness, Lady Hamwee, has encountered wriggle room, but I would take issue with those descriptions.
There is common ground here. We, too, believe that the codes are an important part of the data-sharing powers. However, the Government believe that “have regard to” is the right level of obligation for a code of practice. This is a legal obligation. Such persons when disclosing or using information will be expected as a matter of law to take the codes seriously and follow their requirements in all cases unless there are cogent reasons why they should not do so. It is, of course, common practice for legislation to set out the critical limitations on a power while codes of practice—which are more adaptable, as the noble Baroness, Lady Hamwee, acknowledged—are advisory tools that supplement with regard to best practice, principles and guidance.
The noble Lord, Lord Collins, alluded to a situation in which an authority exceeds its powers for the public good. In such a situation—without going into the detail of it—the authority would be exceeding its powers and it would have to answer for that, whatever the public good might justify in other circumstances.
Key conditions for the disclosure and use of information are set out in the Bill, including what can be shared, by whom and for what purpose. We have followed a common approach taken by government and others, including the Information Commissioner, to provide more detail on how data are to be shared in a code of practice. That does not mean that the code is to be treated lightly. Legal consequences may follow if the code is disregarded, as the Delegated Powers and Regulatory Reform Committee pointed out in its report on the Bill. The relevant Minister can make regulations to remove a body’s ability to share information under the power if it fails to adhere to the code. The noble Lord, Lord Collins, raised the question as to whether that is considered sufficient in the circumstances. We do consider that that is a sufficient safeguard in the circumstances. I also remind noble Lords—in particular, the noble Baroness, Lady Janke—that the first requirement of the Data Protection Act is that processing of data should be fair and reasonable. That underpins in existing legislation the whole approach that should be taken to this Bill.
The noble Baroness, Lady Hamwee, sought to draw a distinction between the provisions here and those in the Investigatory Powers Act about knowledge of data transfers. Of course, although we are not necessarily dealing here with national security, we are dealing with issues such as fraud, where it would be wholly inappropriate to give people advance notice of data sharing, particularly if one were going to address issues of criminal conduct.
Amendment 107B would require breaches of the code of practice on the public service delivery power to be reported to the Investigatory Powers Commissioner. It also places a duty on the Investigatory Powers Commissioner to investigate serious breaches and, where necessary, to inform the relevant individual of the breach. In doing so, the commissioner would have to ask the person in breach to make submissions before making a decision. With respect, the amendment would impose a considerable additional function on the Investigatory Powers Commissioner, where he or she would be bound to deal with breaches of a code of practice on information sharing which in no way relates to the commissioner’s remit of investigatory powers.
Indeed, placing such duties on the Information Commissioner would effectively be broadening the Information Commissioner’s remit without appropriate consultation. It would, as with Amendment 81B, cut right across the functions of the Information Commissioner, as distinct from the Investigatory Powers Commissioner; the Information Commissioner being responsible for upholding the Data Protection Act 1998, and also the safeguards and procedures for dealing with breaches of the code, which are already set out in various provisions. Such an amendment would blur the lines between the responsibilities of the Information Commissioner and the Investigatory Powers Commissioner and potentially lead to confusion and unnecessary duplication. If, in making those observations, I referred to the Investigatory Powers Commissioner when I meant the Information Commissioner and referred to the Information Commissioner when I meant the Investigatory Powers Commissioner, that simply underlines how easy it is to cause confusion in this area.
Amendments 108, 115, 134 and 151 call for the codes to be subject to approval by Parliament. A similar requirement was also raised by the Delegated Powers Committee in its recent report. We are carefully considering that proposal and I assure noble Lords that we will be responding to it shortly. Amendments 109 and 135 would introduce a requirement for the Minister to consult publicly on the code for a minimum of 12 weeks before issuing or reissuing it. Amendments 110, 152 and 190 would require that the Minister demonstrate that responses to the public consultation,
“have been given conscientious consideration”.
The policy in respect of these powers, and much of the content of the codes of practice, have been developed over two years of open policy development with a range of public authority and civil society organisations. The code sets out procedures and best practice drawn from guidance produced by the ICO and Her Majesty’s Government. We amended Clauses 36, 45, 53 and 61 in the other place to ensure our code will be consistent with the Information Commissioner’s data-sharing code of practice. The clauses contain a requirement that the Minister consults the devolved Administrations, the Information Commissioner and any other person the Minister considers appropriate prior to the issue or reissue of the code. I assure noble Lords that these other persons will include civil society groups and experts from the data and technology areas. It is, indeed, our intention to run a public consultation before laying the code before Parliament. I need hardly add that all consultations are taken seriously by the Government and all responses considered with appropriate conscientiousness.
I understand the interest in the codes and the desire to make sure they are effective. The codes will provide a strong safeguard for the use of the power, backed up by real consequences if they are not adhered to. With that, and while we consider the recommendations of the Delegated Powers Committee further—as I have indicated, we intend to do that in the very near future—I invite the noble Lord to withdraw his amendment.
The noble and learned Lord warned us against giving advance notice to potential fraudsters, but I think we are talking in these amendments about notice which may be in retrospect. I am looking at the noble Lord who has tabled the amendments. There are different issues, I think, about giving notice in advance and telling people that you have transferred information. Maybe we need to come back to the distinction between the two at the next stage. On the requirement to have regard but not necessarily to comply, does that not point up the real weakness of a code that is not approved by Parliament? These two bits of fragility seem to me to go hand in hand and undermine the security, as it were, of the regime.
I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.
My Lords, like those of the noble Lord, Lord Kirkwood, my three relatively small amendments in this group relate to fuel poverty. I was not at all surprised when my noble friend Lord Collins of Highbury was a bit confused at the beginning of this rather mixed-up group. It covers not only my subjects but voter registration and free school meals; most of the government amendments seem to relate to water and sewerage. I was tempted to say that it covers electoral rolls, bread rolls and toilet rolls. However, my amendments deal with something entirely different and their intention is very much the same as those of the noble Lord, Lord Kirkwood. I will not repeat all that he said.
My aim here is to make the system of data sharing more effective. I recognise all the concerns expressed around this Committee about the dangers of data sharing by public bodies and I understand them, because in different circumstances I have been deeply suspicious of the gas and electricity companies, as the noble Baroness, Lady Byford, clearly was a couple of groups ago. To make identification of the fuel poor more effective, we need more effective and comprehensive data sharing, along with the ability of different authorities and companies to share them, but this must be subject to all the safeguards. One safeguard is clearly stated in the Bill: that the information that can be used and shared in this way relates to the health of those affected by fuel poverty because they live in cold, draughty and damp homes. I do not need to spell out the effects of fuel poverty on those people’s health. It is quite important that in addition to the provisions in Clause 30(8) for helping the delivery of services and benefits, the clause should also refer to improving the health of those affected by it. My first amendment would do that.
My second and third amendments simply extend those gas and electricity operators which need to be engaged in it and will be subject to the same safeguards. It is increasingly the case that consumers and householders, including the fuel poor, have a closer affinity with the distribution networks than with their sensible supplier, which sends them the bill. To improve their situation, they will have to deal with the electricity distributor and, shortly, with the gas network distributor company. These amendments to Clause 31 deal with putting those distributors in the same category as gas and electricity suppliers. These are tidying-up amendments but they will make data sharing in this important area of fuel poverty more effective. The noble Lord, Lord Kirkwood, spelled out why that is necessary and, in particular, why those not automatically assigned to the warm home discount need to be identified and automatically put on the list of those who receive it. If we achieve that via the Bill, it will be a very important improvement and a step towards eliminating fuel poverty in our society.
My Lords, I want to ask a question about government Amendments 83A and 83B, which are about water and sewerage. Will these provisions apply only where there is a water meter? I am struggling to understand how they can work if the customer does not have metered water, and whether the information would be relevant—and how it could be used—if that is not the case. I am quite prepared to be told that I have not understood this properly but if I am right, should the provision not spell out that it is confined to that situation? That would make it clearer.
My Lords, I declare my interest as a partner in the global insurance law firm DAC Beachcroft and as chair of the British Insurance Brokers’ Association, along with other interests set out in the register.
In speaking to Amendment 196A, I seek to address a small but important point on the operation of the Employers’ Liability Tracing Office, or ELTO. Colleagues may recall that I also raised this when we debated the Enterprise Bill in 2015. Although it has been grouped with amendments to Clause 30—I am happy to accept the grouping—it seeks to insert a new clause after Clause 65 in Chapter 6 of the Bill, which deals with Her Majesty’s Revenue and Customs.
In 2010, the Department for Work and Pensions identified the need for a tracing office, and ELTO was established in the same year. Sadly, former employees continue to contract industrial diseases, including cancer, due to workplace exposure many years earlier. All too often, the employer is no longer in existence by the time the disease is diagnosed. This was considered by our colleagues at the Department for Work and Pensions as a major obstacle to the former employees’ obtaining compensation.
ELTO was established, and the insurers are now required to provide to ELTO details of all employers’ liability policies that have been issued since April 2011. According to the information I have received, ELTO is working well. In the 11 months to the end of November last year, there were more than 178,000 successful searches of the Employers’ Liability Database, but it could be working better.
The piece of the jigsaw that is often missing is the employer’s PAYE reference number. This number is now used to identify an individual employer in the Pay as You Earn system. Each employer is given a unique reference number. If this unique reference number could be applied to the Employers’ Liability Database, it would make searches more accurate, as it would avoid problems of company names’ changing over time. Generally speaking, it would enable the correct employer to be traced.
One major obstacle is that by law ELTO is unable to gain this information under the Commissioners for Revenue and Customs Act 2005, which prevents HMRC from sharing information except in specified circumstances. Alternatives to primary legislation have already been explored with HMRC. Although we often think of employers as large companies, many are sole traders or family partnerships. For them, the reference number could well amount to personal data, which are rightly protected from general disclosure.
The measure, which I now understand is supported by ELTO and HMRC, is proportionate. HMRC has a ready-made database of these unique reference numbers to which ELTO could be given limited access. All ELTO needs is the reference number itself and the name and address of the employer as a cross check. The amendment would permit ELTO and HMRC to set up, at no cost to HMRC, a facility to share this limited information. It will help make the ELTO database fit for the future.
Many noble Lords will know that I have the honour to be an officer of a number of all-party groups, including not only the Occupational Safety and Health All-Party Group but also the All-Party Group on Insurance and Financial Services, so I should also declare those interests because this amendment is strongly supported by my colleagues on those groups.
This amendment would provide great benefit to employees, employers and insurers alike. I hope my noble friend the Minister will feel able to accept it.
My Lords, in this group I tabled Amendments 100 and 196. Within this group we are debating data sharing and the putting in place of safeguards that make us confident in the next move to make life better for the majority of people. I have one or two direct questions, particularly on the level of data that will be supplied from one authority to another. For example, does the Bill intend that information be supplied on the number of households in a given postal area where child benefit is being claimed and/or where all adults are unemployed? Would it be up to the users of the data to extract a summary picture from details of, for example, names, addresses, whether benefits are received, whether householders are unemployed or any other data?
At any level of inquiry, I presume data will be transferred such as dates of birth and marital status that, were they to fall into the wrong hands, could be used to perpetrate private fraud. No one today has mentioned private fraud, but it can come about as a result of lack of security and safeguarding. Again, perhaps the Minister will indicate what relevant provisions there are. I am unsure whether I have missed some. At earlier stages of the Bill I mentioned the amount of fraud going on and it is horrifying. If the Bill can in any way tighten up on that, it would be an advantage.
For example, will personal information cover things such as whether an individual has a diagnosis of dementia or whether a family has been a cause of concern to the social work department in their own area? Who makes these judgments? At what stage are these activated? I may not have read the Bill carefully enough to find the missing answers. I pose these fairly simple questions to make sure that our safeguarding of this information is secure.
Amendment 100 is a probing amendment that seeks to complete the explanation of what information HMRC would disclose, providing examples of the circumstances under which it would be disclosed and a complete list of the groups or persons whose information would be handed over. This relates to Clause 30, of which we spoke earlier. Subsections (9) and (10) specify the well-being of persons or households and define well-being in terms of physical or mental health, contributions to society—which we have covered slightly earlier on and which is difficult; I should be glad of clarification on that—and emotional, social and economic well-being. The latter are easier to understand.
Clause 31 refers to people living in fuel poverty. Again, we debated this previously. Fuel poverty has been defined as,
“living on a lower income in a home which cannot be kept warm at a reasonable cost”.
Clause 32 also refers to people living in fuel poverty. I do not understand what is intended, nor what will be involved for those deemed to be affected. Defining well-being in terms of well-being suggests that definitions of those covered by this legislation could depend on the personal and political stance of those making those decisions. What is “lower income”? Within what limits do homes qualify under these clauses and who will rule that they cannot be kept warm at reasonable cost? What will be the limits of powers of such a decision-maker over, for example, someone who prefers to wrap up for three months of the year so they may enjoy their garden for nine; in other words, somebody who is living in a bigger house that costs more to heat? Will an individual be able to opt not to have personal information shared within local authorities and/or with gas and electricity suppliers?
Turning now to my Amendment 196 in this group, I do not pretend to know anything about the structure, organisation or responsibilities of HMRC. Hence, I do not understand whether an “official” is someone equivalent, say, to a board member in a quoted company. I fear, however, that that is unlikely to be the case. In this era of Facebook, Snapchat and the substitution of public opinion for demonstrable fact, I am unhappy—I do not know whether other noble Lords are—that perhaps a more junior member of HMRC could decide that disclosure would be in the public interest. In other words, where does the buck stop?
Disclosure of personal information, even supposedly non-identifying, should be done only on the authority of the head of the organisation. He or she presumably will have the knowledge, experience and breadth of understanding to be sure that it cannot be combined with other data to name individuals. He or she will also, presumably, be less likely to make errors of judgment, and of course a claim of ignorance of any such disclosure would not stand up to scrutiny, as they would obviously be at the most senior level.
My Lords, I will just pick up the noble Baroness’s last point about who is an official. There are examples, in other legislation, of references to “senior officials” and “designated officials”, which might be somewhere between the junior official she has in mind and the Permanent Secretary, but she is right to draw the issue to the Committee’s attention.
On an earlier group, the noble and learned Lord indicated that he was going to speak at greater length—I assume that may be on this group—on the reason for using the term “personal information” rather than “data”. Perhaps I may use my noble friend’s Amendment 213 to ensure that we get to share more of Government’s thinking. I understand the point about corporations, since in the one case, they come within the group covered, and in the other they do not. But I am still puzzled as to why such efforts have had to be made to deal with personal information and then to add in references to the Data Protection Act, rather than starting from the DPA—with any necessary exclusions—which would have taken us straight to the involvement of the Information Commissioner, the data protection principles and so on.
I wondered during the Statement whether to have a go at some alternative drafting for Report, but thought I had better wait for this discussion. But perhaps part of it boils down to a question on Clause 33(8), which says, in wording replicated elsewhere, that,
“nothing in section 30, 31 or 32 authorises … a disclosure which … contravenes the Data Protection Act”.
To look at it from the other end of that telescope, is there any personal information which is the subject of the Bill that would not fall within the DPA and therefore not be protected by that clause?
My Lords, I thought I would intervene to see if it might help the Minister. The code of practice does not make things any clearer. With reference to my noble friend’s very apt point about information versus data, paragraph 4 of the code says:
“The definitions of ‘personal information’ contained in the Bill are intended to ensure that the information shared through these powers is handled carefully”.
That does not sound like a particularly good legal answer to the question. It goes on:
“Though the definition of ‘personal information’ for the purposes of the Bill may differ from the definition of ‘personal data’ in the DPA, all information shared and used under the public service delivery, debt and fraud provisions must be handled in accordance with the framework of rules set out in the DPA”.
Where is that explicitly set out? It would be very helpful if the Minister, in answering, could advert to that as well.
My Lords, the noble and learned Lord may have already answered this, as his response was inevitably very full and quite dense, but on my question about Clause 33(8)—and the words are repeated in other clauses—although nothing in the sections authorises a contravention of the DPA, is there personal information within the Bill that would not be within the DPA and therefore not protected by that subsection?
I am obliged to the noble Baroness, Lady Hamwee. Although the definition of personal information differs from the definition of personal data in the DPA, all personal data shared and used under the public service delivery provisions must be handled in accordance with the framework of rules set out in the DPA, and in particular with the data protection principles, because the DPA is not overridden by this chapter. To the extent that the class of personal information is wider than personal data, although the DPA does not directly govern such information, we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice under Part 5. I hope that answers the noble Baroness’s question.
My Lords, I thank the noble and learned Lord for his comprehensive response. Clearly, there is a lot in the codes of practice, so we await the response. I welcome, too, his commitment to come back to report on the issues that the Information Commissioner and we have raised.
Both the GMC and the BMA raised the issue of confidentiality and the common law. They obviously have legitimate concerns about the future impact. Confidentiality is not simply an issue of administration and protection administratively; it is a fundamental issue about the nature of the relationship between doctor and patient, where trust is absolutely vital for medical treatment, ongoing treatment and so on. We may have to come back to this issue at Report. In the meantime, I beg leave to withdraw the amendment.