Baroness Hamwee
Main Page: Baroness Hamwee (Liberal Democrat - Life peer)Department Debates - View all Baroness Hamwee's debates with the Scotland Office
(7 years, 9 months ago)
Lords ChamberMy Lords, on behalf of my noble friend Lord Clement-Jones and myself I beg to move Amendment 25YX and will speak to the other amendments in this group, which are all about limiting disclosure—but, I want to stress, limiting it in what we regard as an appropriate way, accepting that there are benefits in information sharing but perhaps with more of an eye to privacy considerations than are in the Bill.
The first of the amendments would provide that disclosure of information should be only to the extent necessary and proportionate in connection with public service delivery. This is both because we regard “no more disclosure than is necessary and proportionate” as being important but also, in this context, because disclosure goes outside and beyond public authorities. We have tabled similar amendments to clauses dealing with debt, fraud and research.
In evidence to the Public Bill Committee, the Information Commissioner wrote:
“Proportionality and necessity are key to ensuring data sharing complies with data protection and human rights law”,
and that,
“the Bill does not directly correlate with these concepts”.
Our amendments would put these notions in the Bill. The ICO also commented on bulk data sharing. She wrote:
“As more data is shared ever more widely … big data analytics are used in complex and unexpected ways”.
Our Amendment 28CB would require the civil registration official to be satisfied that disclosure is proportionate to the recipient’s requirement.
Bulk data sharing is so significant that we think it should be reviewed after three years. Amendment 28CF refers particularly to the review covering public attitudes, the use of the powers, the availability of alternative mechanisms, and security considerations.
Amendment 26A takes us to a point that I raised in Committee. We would like to understand what is meant by individuals’ and households’ contribution to society in the context of improving their well-being. This is a condition for disclosure. What is additional in this phrase to the health and social and economic well-being provided for elsewhere in the clause? The expression is paternalistic and judgmental—and, probably more importantly for this purpose, it suggests a concern more for an advantage to society than to the individual or household. That goes against the thrust of the data sharing for public services, which is framed as being for the benefit of individuals and households.
We are also concerned that the exceptions to the protections include the prevention of anti-social behaviour. In Committee, the Minister said that people have a right to be protected against such behaviour. We would not argue against that, but “balance” is a term often used from that Dispatch Box and we think that the balance here is right out of kilter. Protection against anti-social behaviour is very different from protection against serious physical harm and so on. By definition—the definition being that there is a provision elsewhere—anti-social behaviour is not criminal behaviour.
The Government have explained this, as I said at the previous stage, but we do not believe that they have justified it. Nor have they justified exceptions for any crime, which is why our amendments would limit crime here to serious crime, which we have defined using the definition used in the Investigatory Powers Act. I have to say that not a lot of Clause 36 would fall within the DPA “vital interests” provision.
Next, in Committee we asked about the use of the definition of personal information rather than building on the DPA’s personal data. The Minister told the Committee that to the extent that personal information is not governed by the DPA,
“we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice”.—[Official Report, 6/2/17; col. 1259.]
Indeed, it would be the codes of practice, not the statute. Our Amendment 28AU is an opportunity for the Minister to answer the Information Commissioner’s observation that there is a gap here. There are compensatory safeguards under the DPA—they apply under the DPA but seem not to apply under the Bill.
We remain concerned that an individual whose information is disclosed should be informed. My noble friend Lady Janke referred to the transparency that is necessary for public trust in the process. I completely agree with that. The Minister was concerned that, if a fraud were being investigated, you would not go out and tell the alleged fraudster what you were doing. I hope that the amendment answers that point, because it is a relatively narrow situation that should not preclude doing what is right more generally.
Amendment 28BM has been tabled to seek an explanation of Clause 40(4), in particular its wording,
“similar to that made by section 38”.
Clause 38 gives powers to HMRC and, as I read it, HMRC will have powers to lift restrictions on disclosure. So, under Clause 40, does this mean that a specified person has a power to lift the restrictions? That does not seem right to me. I have undoubtedly misunderstood it—but, if I have done so, perhaps one or two other people would misunderstand it, too.
Amendment 39 is rather different: a sunrise clause—it could have been a sunset—to explore further how all this fits with the new rules that will come into effect in May 2018, when we will still be in the EU, under the EU general data protection regulation and the law enforcement directive. The GDPR will strengthen provisions on processing only the minimum data, on privacy notices with explicit requirements for data protection by design and default, and on data protection impact assessments.
We were assured in Committee that Part 5 is “compatible”—that was the word used—with the GDPR. Thinking about that afterwards, I wondered whether that meant that Part 5 was not inconsistent but possibly not as wide as the GDPR. We were told:
“When the regulation comes into direct force, we”—
that is, the Government—
“will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it”.—[Official Report, 6/2/17; col. 1490.]
Given that there will be a need to share certain data with other EU states after the date when we leave, how will all this be done? I hope that the Minister can share with the House the Government’s proposals for checking that there is more than just consistency and that, more particularly, nothing is left out. I beg to move.
My Lords, I am obliged to the noble Baroness, Lady Hamwee. Amendment 25YX and the related Amendments 28CB, 28CG, 28DV and 28FD seek to impose an express requirement that the public service delivery power may be used to share information only to the extent that it is necessary and proportionate to do so. That covers the changes to debt fraud research and similar civil registration provisions in the Bill. With respect, the amendments are unnecessary as the powers will need to be exercised in line with the Data Protection Act and the codes of practice, which already require that only the minimum data necessary to fulfil the particular objective may be shared. It is therefore unnecessary to amend in accordance with this proposal.
The effect of Amendment 25YYD would be that the list of specified persons permitted to use the public service delivery power could be amended only to add or remove bodies. The removal of the word “modify” would affect the way that minor amendments could be made. I do not believe that the noble Baroness, Lady Hamwee, expressly referred to this amendment, but as it is listed in this group as her amendment I just mention the point because clearly it is necessary that there should be a degree of flexibility in how that provision operates.
I apologise; I thought that was in another group, though I received a note later. I would like to understand how extensive a modification might be.
I am obliged to the noble Baroness. I am happy to explain within this group, where I understand the amendment remains. The removal of the word “modify” would affect the way in which minor amendments could be made. For example, where a body changes its name or the description of the category of a body needs to be adjusted, you would then want to modify rather than delete and start again.
Amendment 26A seeks to remove reference to,
“the contribution made by individuals or households to society”,
from the public service delivery chapter. Again, I venture that the amendment is unnecessary because subsection (10) gives examples of “well-being” but does not provide an exhaustive list. Therefore we have three categories by way of example—but only by way of example. In response to the specific observation made by the noble Baroness, Lady Hamwee, I respectfully suggest that there is nothing paternalistic or judgmental about any of the examples given in the Bill. Indeed, where a party makes a contribution to society, that benefits the contributor as well as society, which is why it is appropriate that it should be given as an example in this context.
Amendment 28AU would provide a new definition of “personal information” for the purposes of the public service delivery power. This point was raised in Committee as well. The amendment expressly incorporates the definition of “personal data” under the Data Protection Act 1998 into the definition of personal information for the purposes of these powers, as well as making clear that the Bill’s extended definition also includes deceased individuals and companies. We consider that the existing provisions set out the same position, albeit in slightly different words. I note that reference was made to the issue in Committee, and to the provision of codes of practice in that context.
The intention of Amendment 28AY seems to be to provide greater transparency by ensuring that individuals would know when information about them has been shared. Existing provisions in the Bill already require those using the powers to comply with Data Protection Act requirements as to the information that people are given about the usage of their personal data. This, supplemented by the requirements imposed by applicable codes of practice, ensures that the use of these powers will be as transparent as it can be.
Amendments 28AR and related amendments seek to narrow the exceptions to the general rule in Clause 36(1) that personal information received under the public service delivery powers may be used only for the purpose for which it was shared, to the effect that such information may not be shared for the purpose of preventing anti-social behaviour, and to restrict the exception permitting disclosure for the purpose of preventing or detecting crime to “serious” crime, as indicated by the noble Baroness. These amendments would also bring in an offence of disclosing personal information for the purposes of anti-social behaviour. The prevention of anti-social behaviour and the prevention or detection of crime are matters of significant public interest. If information sharing indicates potential criminal activity, public authorities should be able to take action. Similarly, if information received under the powers indicates that anti-social behaviour is occurring or is likely, we consider that this information should be disclosable to maintain public order. Anti-social behaviour may itself be seriously harmful to those who become its victims.
Amendment 28BM seeks to remove the power given by Clause 40(4), which allows regulations to make disclosures by newly specified persons subject to the same conditions that apply to disclosures of information provided by HMRC. That power would be used to require the consent of the original provider to any subsequent disclosures of particularly sensitive information, as is the case for information provided by HMRC under Clause 38. The amendment is undesirable, as it would remove flexibility to give enhanced protection to information from certain sources. I do not believe the noble Baroness read the provision in that form, but it is there so that enhanced protection may be given in a particular circumstance.
Amendment 28CF would impose a duty on the Secretary of State to review the civil registration power after three years, akin to the powers already provided in the debt and fraud powers. This duty was included in the debt and fraud powers to assess whether the powers deliver demonstrable benefit via an initial piloting process. The information gathered in the course of the pilot process will provide evidence for the review. It is our view that a similar duty to review the civil registration power would not be appropriate. First, civil registration information is already a matter of public record. Secondly, the powers are simply looking to update outmoded legislation to simplify and provide the flexibility to share civil registration data within the public sector to avoid the need to enact specific powers whenever a new need arises. The power has been developed to support a range of public authorities at national and local government level to transform the services that they can provide to citizens.
Finally, Amendment 39 is intended to ensure that Part 5 could not be brought into force until after the GDPR comes into effect, which would be in May 2018. This would prevent the use of the powers until that date, which would be unhelpful given that a number of bodies are keen to use the powers to achieve particular objectives, such as extending the warm home discount scheme. As we have said before, we consider that the present provisions are compatible with the GDPR—compliant, therefore, in that context—and we are committed to revisiting the codes of practice before May 2018 to ensure that they reflect the latest best practice of compliance with the GDPR.
In those circumstances, I invite the noble Baroness to withdraw her amendment.
My Lords, I thank the Minister, but all that will bear some reading. We felt it important to extend some of the comments that we made in Committee to get a more extended response. Noble Lords will be pleased to know that I shall not respond to all those points. On the Minister’s first point about “necessary or proportionate”, I do not know whether he means that I misread the ICO’s comments, that the Government disagree with the ICO, or whether some of the changes to the Bill since its initial form have dealt with them. Perhaps I should just leave that hanging.
The fact that the “contribution to society” is an example does not answer our concerns. I remain anxious about it, as I do about “anti-social behaviour”, which the Minister described as being a matter of significant public interest. I do not dispute that, but data sharing is a matter of significant public interest—I suggest, possibly greater. We are told that anti-social behaviour may be seriously harmful, but it is not criminal in this context, because we have other provisions to deal with crime.
I was indeed confused about the application of the HMRC powers to other bodies, and I remain confused about whether that extension is appropriate.
Finally, of course civil registration information is a matter of public record, but the updating takes us into a very different regime. The ability to share information in bulk is very different from that to look up individual pieces of information. Can the Minister tell the House today whether the consultation to which he referred extended beyond the sharing organisations to the sort of bodies concerned with privacy? He may not know, and I may be quite out of order in asking this on Report. I do not think he is going to leap to his feet—pause—no, he is not. I do not hold that against him. It is probably not in his brief. If there was not such consultation, that answers my point.
However, clearly, I should beg leave to withdraw the amendment.
I declare my interest as a partner in the global law firm DAC Beachcroft, and other interests set out in the register, including chairing the British Insurance Brokers’ Association and being president of the All-Party Parliamentary Group on Occupational Safety and Health. Taken at face value, Amendment 28FY would appear somewhat technical, but the Employers’ Liability Tracing Office is working well, but it could work better, and this amendment would help to facilitate that.
I am so grateful to the Minister and his colleagues for the support that they have given to this amendment, which could make a substantial difference to the capacity of the office to help to secure compensation, expeditiously and effectively, for those afflicted by industrial illnesses. When someone faces a reduced quality of life and possibly an avoidably and unnecessarily early death because of an industrial illness innocently contracted, the least that we can do is to deliver compensation as quickly as possible in the hope that the individual with the illness can enjoy at least some benefit from it. I believe that in some small way the amendment will serve to make this a more civilised and compassionate country.
My Lords, we have two amendments in this group. The Minister was just a little previous in answering Amendment 25YYD on modification, so we do not need to go back to that. Amendment 33ZYD would remove several organisations from the list of specified persons for the purposes of fraud provisions, and the amendment is here to enable us to ask whether all these require the data-sharing gateway or, conversely, whether there are many other government-related organisations; I am not quite sure what the correct term might be for organisations such as the National Lottery or the British Council, but I shall use the term government-related organisations tonight. Are there not others that might use the power? What were the criteria used to select the ones that are in the schedule?
I am obliged to my noble friend Lord Hunt and note what he said with regard to the amendment. On the amendment proposed by the noble Baroness, Lady Hamwee, Amendment 33ZYD, which seeks to remove a number of non-departmental public bodies listed in the schedule for the fraud power, I accept that the list in the schedule is long but the fact is that many public authorities are at serious risk of fraud. Each of the bodies was considered individually before being added to the schedule, and the NDPBs have been included because they each administer many millions of pounds in grant expenditure each year, which exposes them to a significant risk of fraud.
I am not in a position to say what number of bodies were considered and discarded, but I will undertake to write to the noble Baroness on that point. All the public bodies included in the schedule must, of course, comply with the data-sharing safeguards in the Bill. Clearly, public authorities may not enter into data sharing lightly. They will have to follow the codes of practice, comply with the Information Commissioner’s requirements on data sharing and privacy and have in place all necessary protections to prevent unlawful disclosure.
The list of public bodies in the government amendments is shorter than the lists we have previously published in draft regulations although, as I indicated to the noble Baroness a moment ago, I do not know how many bodies were considered and removed before the process of listing them in the draft regulations took place. Care has been given to ensuring that we share only where there is a clear benefit, as required by the legislation. I hope that, with that explanation, the noble Baroness will withdraw her amendment.
My Lords, the published groupings include Amendment 28CY, which should not have been tabled. I apologise to the House; it was a hangover from drafting before the Government tabled their amendments, which we have just dealt with, in response to the Delegated Powers and Regulatory Reform Committee. I will not be speaking to it and am sorry for the confusion. Similarly, Amendment 28CUA, published on the supplementary list, should not have been tabled—it was drafted a while ago but somebody panicked late on Friday afternoon and thought it had better be published.
I thank noble Lords for their observations on these matters. There are of course government amendments in this group as well and perhaps I may begin with those.
This group of amendments concerns the codes of practice issued under Part 5 and those issued by the Information Commissioner’s Office. It includes the government amendments that implement the recommendations of the Delegated Powers and Regulatory Reform Committee and, as the noble Lord, Lord Collins, observed, the recommendations of the Information Commissioner’s Office. In addition, there are some opposition amendments on similar points.
We have already published draft codes of practice on data sharing. The Delegated Powers and Regulatory Reform Committee recommended that the first codes of practice and the UK Statistics Authority’s statement of principles should be laid before Parliament in draft and should not be brought into force until they had been approved under the affirmative procedure. Revisions were to follow the draft negative procedure. We agree and have tabled amendments to achieve this, and it is intended that Parliament should have a suitable opportunity to consider these drafts and any amendments thereto in due course.
A further series of government amendments will require persons disclosing personal information under relevant chapters of Part 5 to have regard to the Information Commissioner’s codes of practice on privacy impact assessments and privacy notices, transparency and control in so far as they apply to information which is being shared. As the noble Lord, Lord Collins, observed, the Information Commissioner called for explicit reference to these two codes to be made on the face of the Bill. We have worked with her office to develop these amendments, which supplement the existing requirement that the codes of practice prepared under the Bill must be consistent with the commissioner’s own code on data sharing, and I understand that she is satisfied with the steps we have taken in that regard. I hope that this will provide further assurance to noble Lords that we are committed to ensuring that best practice concerning compliance with data protection and transparency will be applied to the exercise of powers under Part 5 of the Bill.
I now turn to the opposition amendments in the names of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Clement-Jones. I hope I can persuade them that their amendments are no longer necessary, as the government amendments fully address the concerns of both the Information Commissioner’s Office and the DPRRC.
As the noble Baroness has explained, the amendments in their names seek to ensure further consistency with the ICO’s codes and to strengthen the role of those codes in the regime set up by Part 5, as well as providing for greater parliamentary oversight of the Government’s codes, and I believe that we are now there. The Bill already requires that codes of practice issued under Part 5 of the Bill must be consistent with the ICO’s data-sharing code of practice. The government amendments further require persons to have regard to the ICO’s codes on privacy impact assessments and privacy notices, transparency and control when exercising relevant powers under Part 5. So we are now referencing all the codes which the ICO felt were critical for the operation of Part 5.
Of course, this is not the first time we have discussed amendments that seek to strengthen enforcement of the codes of practice by requiring authorities that use the powers of determined specified bodies to “comply with” rather than “have regard to” these codes. The Government’s position remains that “have regard to” is the right weight to give to codes of this type. That is itself a legal obligation, as the noble Lord, Lord Collins, noted. Moreover, the public law will expect those who are subject to the codes to follow their stipulations unless there are cogent reasons why they should not. We note that the Information Commissioner’s own codes are themselves advisory. A requirement to “comply with” the codes could lead to their being applied in a tick-box fashion, without due regard to whether the recommendations are actually applicable to and desirable in the context of the specific data share.
On the issue of adding additional persons to the consultation obligations for the codes, since Ministers have committed before Parliament to consult publicly on the Part 5 codes of practice, we suggest that such a requirement is unnecessary. The present provisions reflect what the noble Baroness noted to be the normal position.
Finally, on parliamentary oversight, the Government’s amendments fully implement the DPRRC’s recommendations, including, exceptionally, the use of the affirmative procedure for the first codes and the draft negative procedure thereafter. They go further than the noble Baroness’s amendment, and I hope that that will be welcomed by all noble Lords. I therefore invite the noble Baroness not to press her amendments.
My Lords, I thank the Minister for that response. I had forgotten to say that I was glad to see the government amendments about the affirmative procedure—it was because of looking at those that we got those two stray amendments that were tabled in error.
The noble Lord, Lord Collins, is absolutely right about the codes of practice. I simply say, before begging leave to withdraw, that it will not be possible for amendments to be made once the codes are put formally to Parliament. That is why wide consultation and—I do not like the term—an iterative process is very important on what will be significant documents. I beg leave to withdraw my amendment.
My Lords, I have tabled amendments in this group. I start by thanking the noble and learned Lord, Lord Keen of Elie, and his Bill team for having met with me and for dealing patiently with my queries. I know from that meeting that the Government are not minded to accept my amendments, but I would like the arguments to be put on the record.
I have listened carefully to the noble Lord, Lord Whitty. While I do not dispute at all that his amendments are well intentioned, I can see enormous difficulties arising in determining the threshold of the condition—how severe it has to be, which co-morbidities might be aggravating one another, which members of the family would be involved and so on. I am not sure from the way he argued for his amendment whether an email notification system against a set of clear criteria that had been pre-negotiated with the consent of the patient or family would meet the needs and be simple and straightforward. Would it be a communication system free from the risk of mining the patient’s clinical records? The reason I ask is that at the moment health bodies are not specified in the Bill, but if they were included, that would certainly need legislation because in effect it would override the common-law duty of confidentiality.
I know that at the previous stage the noble and learned Lord, Lord Keen, said that the Government were minded to consider bringing health and social care bodies within the scope of these powers in the future and that that would be done using a statutory instrument passed by the affirmative procedure. I appreciate that the Minister said that there would be wide consultation before that happened.
The difficulty is that in Clause 36(7) it appears that the duty of confidence, which could apply to the duty of medical confidentiality, could be removed if health is brought within the scope of the Bill. It could provide a legal gateway for sharing medical records for purposes that are not currently specified among a wide range of government departments and public service providers. The concern is that to date a special legal status has been afforded to health data in the common-law duty of medical confidentiality due to its sensitivity and the importance to the public of a confidential health service. This common-law duty of confidentiality protects health data over and above the safeguards provided by the Data Protection Act, so simply referring to the Bill’s requirement to comply with that Act when making disclosures does not maintain the current level of protection.
If the Bill proceeds unamended and the Government include health bodies in the list of specified bodies, which they could do by statutory instrument, I think that would be viewed as a serious assault on medical confidentiality because it would open up the power to share confidential information. Indeed, problems with the failure of the current safeguards in the system were aired this weekend over TPP, the IT system that many general practitioners use. In a way, that demonstrated that the current safeguards in place around the IT systems are, frankly, inadequate.
NHS Digital could be drawn into the Bill’s information-sharing powers. It holds vast quantities of confidential data, which would mean that the Bill could give the Government direct access to them without consent, because the process would override the current common-law duty. This needs to be considered in the context of the National Data Guardian, who has spoken about the need to build trust in the health system’s ability to handle data, and a real concern among many patient groups of the general mistrust that their very confidential data could be shared.
I believe that my amendments will not be accepted, but if they are not I hope the Government will be able to reassure me that if health data were to be brought into the Bill’s information-sharing powers they will not just be added to the current framework created by the Bill and then the duty of medical confidentiality deemed to be protected, but that there will be full public engagement and full parliamentary scrutiny prior to proceeding, and that the protections in place would include independent oversight and real-time monitoring of the data sharing. In Wales, the IT system overseeing NHS Wales has instituted real-time monitoring because there was concern that staff could have used their access rights to unprofessionally access healthcare records of people with whom they did not have a direct care relationship. I am afraid that human nature is that people are rather inquisitive about what may be happening to people they know, but those may be very sensitive and very private data. Therefore, they need the highest safeguards around them.
The problem is that once there is a data leak it really cannot be pulled back and closed. I hope the Government will provide the reassurance that, as well as the other aspects, there will be real-time monitoring and independent oversight of the whole process, with additional sanctions that will be of a high enough level to, I hope, act as a major deterrent for any breaches of any data-sharing agreement.
My Lords, we have Amendment 28AV in this group, which is also about the common-law duty of confidentiality. Obviously that includes doctor-patient confidentiality. We are with the noble Baroness in her concerns. Apart from wanting to see that duty preserved, the reason for the amendment is to seek confirmation that it is to be overwritten rather than preserved. I found subsection (7) quite difficult. When we were contacted by a member of the public who was clearly qualified to read the legislation with a query about it, it seemed appropriate to raise this because it is quite difficult to follow. Clearly, one should be quite certain about what we are doing.