Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Baroness Sherlock
Main Page: Baroness Sherlock (Labour - Life peer)Department Debates - View all Baroness Sherlock's debates with the Department for Science, Innovation & Technology
Data Protection and Digital Information Bill
Baroness Sherlock ExcerptsWednesday 24th April 2024
(2 weeks, 2 days ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-VII Seventh marshalled list for Grand Committee - (23 Apr 2024)
Baroness Sherlock
Member’s explanatory statement
This amendment would make it a requirement for the Secretary of State to issue a code of practice in connection with the use of account information notices.
Baroness Sherlock (Lab)
My Lords, in moving Amendment 225, I will speak to the other amendments in this group. They cover two issues: first, the code of practice, which features in Part 2 of new Schedule 3B, inserted by the Bill into the Social Security Administration Act 1992. Paragraph 6(1) of new Schedule 3B says:
“The Secretary of State may issue a code of practice in connection with account information notices”.
Amendment 225 would change “may” to “must”. Paragraph 6(2) mentions some matters that a code “may” include and Amendment 226 would change that “may” to “must”.
Amendment 227 would ensure that a code of practice includes the criteria to be used by the Secretary of State in determining whether to issue account information notices—I will come back to criteria shortly. Amendment 230 would require the Government to consult on the draft code of conduct with consultees including the Social Security Advisory Committee and organisations that would have to comply with account information notices. Amendment 231 would require the code of practice and any revisions to it to be approved by both Houses of Parliament. The Secretary of State would still be able to withdraw a code of practice, but the ability to issue notices would lapse if no code were in force. Amendments 228, 229 and 232 are consequential.
The other matter covered in this group is how the Government report to Parliament on these notices. Amendment 233 amends new Schedule 3B to provide for annual reporting to Parliament on the use of account information notices. As well as requiring the provision of statistics around the use of such notices during the previous financial year, the amendment would compel the Secretary of State to outline his or her views on the proportionality and effectiveness of notices. I hope that the need for these amendments is self-evident. Ministers are proposing to take new powers of astonishing breadth, which will involve the ability to search the bank accounts of tens of millions of our citizens, most of whom will have done nothing wrong. There is still very little detail about how these powers could be, or will be, used.
I will address two particular sets of issues. The first is criteria. Paragraph 2 of new Schedule 3B explains that banks have to return information about matching accounts. As well as specifying the identity of the account holders, they have to meet certain risk criteria. The Bill, the Explanatory Memorandum and briefings always talk in terms of examples of those criteria, usually around capital limits or time abroad. But my understanding, which may be wrong—I invite the Minister to correct me if I am—is that the criteria could be anything related to eligibility for the benefits in question.
For example, the eligibility for some benefits includes being a single parent. Paragraph 2(2)(a) of new Schedule 3B says that an account information notice
“may require information relating to a person who holds a matching account even if the person does not claim a relevant benefit”.
On our last day in Committee, we established that that directly related to appointees, but that made me wonder whether it could apply to anybody else. For example, we also established that a notice could cover a joint account where one of the holders is the person to whom the benefit is paid and the other is not. Would this power allow DWP to ask banks to search for any accounts linked to any single parent and to examine those accounts for evidence that they and the other holder of a joint account might be living together? Would these powers allow DWP to devise any criteria designed to identify whether a claimant was living with another adult? To be clear, I am not asking whether it intends to do that or whether it knows how to do that. I am just asking whether it would be permissible. Is this a category of thing that it could do under the powers in the Bill?
Related to that, could DWP issue notices to a bank other than that into which the benefit is paid? Again, we have heard that the intention is to go only to the bank into which the benefit is paid, but I want to know specifically: does this Bill gives DWP the power to do that or would it need additional primary legislation to do it?
Secondly, the Bill does not say that notices can be given only to banks. It says that they can be given only to a “person of prescribed description”. The Information Commissioner said:
“I have been unable to identify where such persons are prescribed and the provision itself is silent on the matter”.
It is therefore unclear which organisations will be in scope of the power or how this will be determined. Can the Minister tell us any more about who will be covered and how that will be determined? Who could be subject to a notice? A bank or a building society could be, clearly, but could a credit union, a Christmas club savings scheme or any other financial body?
Paragraph 58 of the impact assessment on this part of the Bill says:
“This measure is drafted broadly to ensure it is future-proofed against future changes and innovation, particularly in the financial services sector, i.e. in Fintech and Crypto, and enable DWP to apply this measure to non-financial organisations in future if it is deemed appropriate and proportionate”.
Can the Minister give the Committee an example of a non-financial organisation that could be appropriate? Specifically, could this apply to, for example, phone companies? Given the open-ended nature of the powers being taken, one way for Ministers to give reassurance to both the Committee and the wider public would be to ensure that DWP is constrained by a clear and transparent code of practice over which Parliament has oversight and that it reports to Parliament on the way it is using these powers. If the Minister does not like the approach in this amendment, perhaps he could offer the Committee other forms of assurance in this area. I beg to move.
Lord Anderson of Ipswich (CB)
My Lords, I apologise to the Committee that duties elsewhere in the House prevented me from attending the last two debates on Monday and so from speaking to the amendments that I had tabled and signed. However, I have read the Official Report with care.
I cannot pretend to be a data protection nerd, or even a social security nerd, like some speakers in those debates, but I hope that I pass muster as a surveillance nerd, having written for the Home Secretary two of the reports that informed the Investigatory Powers Act 2016 and, more recently, a report that informed the Investigatory Powers (Amendment) Bill, which I see is to be given Royal Assent tomorrow.
I support all the amendments in the name of the noble Baroness, Lady Sherlock, in this group. Of course there must be a code of practice. Of course it must be consulted on and scrutinised. I would add that that of course we could not contemplate passing this schedule into law until we have seen and studied it. An annual report of the sort that accompanies the reasonable suspicion power to issue financial institution notices, exercised by HMRC under Schedule 36 to the Finance Act 2008, would also be useful. For example, it is from the last of those reports, dated January 2024, that I learned that these reasonable suspicion tax information powers were now being used to obtain location data—something that it had previously been said would not be done.
Dan Squires, one of the authors of the legal opinion that I know was referred to on Monday, is not only a King’s Counsel but a deputy High Court judge and a genuine expert in this area. He and his junior, Aidan Wills, point in that opinion to the personal nature of some of the data that could be harvested under the proposed power and advise that Schedule 11 does not come close to the safeguards required for compliance with Article 8. They refer in particular to the striking lack of clarity about the grounds on which and the circumstances in which the proposed power can be used, as well as to the absence of both independent authorisation and independent oversight. They point out that, although saving up to £600 million over five years is a very important objective, it weighs no more heavily—indeed, probably less heavily—than the normal justifications for obtaining information in bulk: protecting national security and the prevention and detection of serious crime. Their opinion is well referenced, persuasive and consistent with the view on proportionality expressed by both the Information Commissioner and the Constitution Committee, on which I sit.
On Monday, the Minister referred to the power in Schedule 23 to the Finance Act 2011 to obtain certain data items from particular classes of data holder—for example, employers and land agents. So I had a look at that schedule and the data-gathering regulations under its paragraph 1. The power would appear to apply only to certain tightly defined items, such as payments made by the employer or arising from use of land. There would appear to be a noticeable contrast with location data, personal spending habits and so on, which fall within the scope of the powers in this schedule, as they are written in the Bill. Both HMRC and the Home Office operate under powers tightly defined in legislation. Assurances that those powers will be used in a restrained way, as Justice has commented in its useful briefing on the Bill, simply do not cut it. I am afraid that the law requires the DWP to be subject to the same constraints.
I am concerned: concerned that this important new power was not subject to detailed consultation or even to scrutiny by a Commons Bill Committee, where useful evidence could have been heard; concerned that it could even have been contemplated that so vague a power might be in the Bill and not accompanied by a code of practice; concerned about the absence of an independent approval and oversight mechanism, equivalent to the Office for Communications Data Authorisations and the Investigatory Powers Commissioner’s Office; and concerned that, if we do not get this potentially valuable power right from the start, it will immediately be subject to legal challenges, which will swiftly render it unusable.
If, as I believe, Schedule 11 is currently unfit for purpose, is there time to rescue it? I have a couple of practical suggestions. First, I saw the investigatory powers unit from the Home Office when it happened to be in the House yesterday, and I wondered if there might be utility in it comparing notes with the Bill team about these types of powers and their attendant safeguards.
Secondly, I hope the Government appreciate the significance—at least to us nerds in the Committee—of the legal analysis of Dan Squires KC and Aidan Wills. If we are to be told that it is mistaken, which would certainly be unusual, I for one would like to see that backed up by an opinion from a lawyer of equivalent stature, whether at the GLD or independent counsel, explaining precisely and persuasively why Mr Squires and Mr Wills are wrong. Otherwise, and without significant change of the type identified in the opinion, I am afraid I am not inclined to give this schedule the benefit of the doubt.
I signed up to the stand part notice of the noble Baroness, Lady Kidron, thinking it would at least be a platform to think about what amendments to the schedule might be needed. The more I read the schedule and the more I hear about it, the more I am driven to the conclusion that, if we do not see substantial change, opposing the schedule may be the way that we have to go at the next stage.
Viscount Younger of Leckie (Con)
My understanding —with his experience, I am sure that the noble Lord will be ahead of me on this—is that this is defined. We define it pretty clearly in paragraph 1(2). In the interests of time, I will reflect on what he has asked and will be absolutely sure to add this to the letter that I pledged to write on Monday—it is getting bigger by the moment, as I fully expected.
Baroness Sherlock (Lab)
My Lords, as I asked only four questions, I want to try to nail each one as we go. I am grateful to the Minister. Before we leave the matter of the kind of organisations to which this applies, I think that he is saying that the Bill would allow the DWP to request information from any kind of organisation, including phone companies, which I asked about specifically. The kinds of organisations are to be specified in regulations, which the Government will bring forward, initially naming financial institutions. By virtue of further regulations, could they extend that to anything—to Garmin, the people who monitor your runs, to gyms and to anyone else? Is that correct?
Viscount Younger of Leckie (Con)
That is correct. I hope indeed that it provides some reassurance that extending it to the banks and financial institutions initially is deliberately designed to be narrow. It would be subject to both Houses to debate other areas beyond those. I am coming on to address that. The noble Baroness asked about phone companies. Simply put, we will be able to designate the third parties that fit within the provisions of this legislation where they hold information that would help us to verify whether someone meets the eligibility criteria for the benefit that they are receiving. However, ultimately, it would be for Parliament to decide whether a third party can be designated under this power, as we must bring affirmative regulations forward to do this. We have that power.
Baroness Sherlock (Lab)
I am most grateful to the Minister. There is one question, so I apologise if he answered it and I did not quite pick it up. I specifically asked if these powers would allow the DWP to devise criteria designed to identify if a claimant was in fact living with another adult. With the appropriate regulation, would the powers allow it to do that?
Viscount Younger of Leckie (Con)
That is one of the questions that I can now answer. The power will allow this, in so far as it pertains to helping the Secretary of State establish whether the benefits are being paid properly, as with paragraph 1(2) of new Schedule 3B. Rules around living together are relevant only to some benefits. That is a very short answer, but I could expand on it.
Viscount Younger of Leckie (Con)
No, I did not, but that is something which surely we can deal with outside the Room. However, I can assure noble Lords that it is in there.
Baroness Sherlock (Lab)
My Lords, I thank the Minister for his attempts to answer my questions and those of many noble Lords. I will not detain the Committee for very long at all.
I am grateful to know that there will be a code and that it will be consulted on. Given that, it would have saved an awful lot of trouble if the Government had simply not put “may” in the Bill in the first place—that would have cut out a whole loop of this. I am very grateful to know that that is there. I agree with the Minister that we all want to know about and to clamp down on fraud and error; the question is one of proportionality.
When the Minister comes to write—I realise that this letter is turning into “War and Peace”, but it will make us all come to Report in a much better place if we can get a clearer answer to many of these questions— I still wonder whether he properly answered the question from the noble Lord, Lord Anderson, about the legality of these powers, because the point about when they engage is crucial. The Minister is still coming back to a distinction between the gathering of the data and what the DWP will do using its existing “business as usual” powers, to investigate. I think the point the noble Lord was making is that the question of legality engages at the point of that data gathering, not at the point at which it is used, if I am correct. I am not sure that the Minister answered that—I am not inviting him to do it now—but I specifically suggest that he takes advice on that point before we come back on Report.
The other issue is that, if the Government have come in so late in the day introducing these powers into the Bill, it would have been better to have draft regulations before Report at the first stage. The Minister thinks the code can be available in the summer, but the summer is fast approaching so I see no reason why the usual channels could not accommodate the date for Report to allow us to go past the date for producing a draft code if the Government wish to. I realise that they may not wish to, but it must be perfectly possible—unless the Minister knows something I do not about a likely date of a general election, presumably we should still have time to do that. So I commend that thought to him.
However, we also know that a lot of the constraints he has described will happen solely in regulations. Everybody in this Committee is aware of the limitations of the capacity of both Houses to do anything about regulations. We cannot amend them here. The Government will bring them forward, but the capacity of us to do anything about that is small, so that is not as much of an assurance as it would be in other circumstances.
Finally, what I am left with is that these powers could do anything from something that might sound very proportionate to something that might sound entirely disproportionate, and we simply have not heard anything that enables us to make a judgment early enough to know where that is contained. I therefore ask the Government to think again before Report about ways in which they might provide assurance about a more contained and proportionate approach to these measures.
Since we are in Committee, in the meantime, I thank all noble Lords for their work on this and the Minister for his response. Before I beg leave to withdraw, I see that the Minister is intervening on me now, which is a joyful change.
Viscount Younger of Leckie (Con)
Before the noble Baroness sits down, I want to say one very important thing. As ever with Bills, there is an opportunity to engage, and I pledge right now to engage with all noble Lords who wish to, and we would like to as well, on these particular measures, to provide, I hope, further reassurances to those that I have given. I hope there is some acceptance that I have given some reassurances.
Baroness Sherlock (Lab)
My Lords, I am sure that on behalf of the Committee I can thank the Minister for that generous offer, and we look forward to taking it up. In the meantime, I beg leave to withdraw the amendment.