Digital Economy Bill (Ninth sitting) Debate
Full Debate: Read Full DebateChris Skidmore
Main Page: Chris Skidmore (Conservative - Kingswood)Department Debates - View all Chris Skidmore's debates with the Cabinet Office
(8 years ago)
Public Bill CommitteesIt has been a couple of days since we last met, but my hon. Friend the Member for Sheffield, Heeley made a very important point in her speech regarding where we should look for best practice. The UK is one of the Digital 5, and she brought up Estonia as a country that, when we consider big data, we should reflect on. In dealing with the Bill, we are casting our eye around to see how we can manage big data, personal information, between public bodies. She made the valid point that a fundamental question seems to run throughout the Bill and the clause: does the individual own the information or does the state own it? Because the Government have taken the view, unlike what happens in Estonia, that the state owns the information, we have a series of such clauses. We are primarily trying to find a way to balance the rights of the individual, while the state retains ownership of the information in any form, but, particularly as we move forward, in digital form; that is what I am concerned about.
Let me explain what is done in Estonia and why the Bill in years to come will probably need to be usurped by a new Bill. Estonia has transferred the ownership of data from the state to the individual. When the individual owns the data, there is no need for these complex fudges to try to find a way in which people’s privacy and the integrity of data can be respected, while ownership remains with an umbrella organisation.
The criticism that I make to the Government, and my hon. Friend’s point, is that a fundamental rethink or reset will have to occur at some point because of what is missing from the Bill and the clause. It talks about public bodies, but the Government do not address in this or any other clause the fact that private corporations hold enormous amounts of personal data on people and the ownership of that lies with them, not with the individual. That is why the point that she made was so pertinent. The ownership of data should lie with the individual. As a country, as a nation, we should be looking to transfer that ownership. That is why we cannot address what happens in the private sector. Absent from the Bill are any clauses or even subsections tackling data and information in the private sector. It is solely about the public sector and trying to square off those conundrums and contradictions.
The Government have missed an opportunity to empower people and to be on the side of the individual, the ordinary person, who feels disempowered by all this. They are on the side of big government and, by absence, of big corporations, which in my view is a fundamentally flawed position. That question was asked in Estonia, and it is why it reversed the answer: ownership should lie with the individual.
I can see the Parliamentary Secretary, Cabinet Office, chatting to the Minister for Digital and Culture, and he will probably provide an answer that talks about a destination, saying that if someone gets on a bus, they only get off at the end destination. We all know that when someone gets on a bus, there are many stops before the destination on the front of the bus. They do not have to go all the way. I presume the Minister will explain why the clause is correct from the Government’s point of view and why my argument is flawed. He will say, “If you are going to empower the individual with data, you would need a national identification card system, as in Estonia. The empowerment of the individual must correlate with a national ID card scheme.”
The Minister will make that argument, but that is like getting on a bus and only being able to get off at the final destination, with a national ID card scheme. No one is saying that. There are many bus stops we can get off at before the end. The issue is not binary, with the place we get on the bus and the place we get off. The destination is not necessarily ID cards. The principle that these are the individuals’ own data should be at the heart of the Bill, and the clause does not represent that. The absence of any mention of the private sector is alarming.
Moving on, I want to touch briefly on another aspect that is missing from the Bill and should be considered. This is the Digital Economy Bill, but it is all about the public sector. There is an absence of any reference to the private sector per se. This part of the Bill deals with the digital economy and the provision of public services. Returning to the Estonia example and empowering the individual, people in Estonia can set up a business or company in three or four minutes online. Where is the pro-business element of the Bill? It is certainly not this clause, which relates to data and information in relation to the state and public bodies. Why can individuals here not set up businesses in four minutes? Why is it not a pro-business Bill? Why does it not talk about business? Nothing in the Bill talks about being pro-business.
The clause is simply about public bodies holding big data, and in that respect, it lives in the past, not the future. I urge the Government to think about the fundamental principles and to not make the argument that the amendments would lead to an ID card system, although Estonia does have ID cards. I would have ID cards tomorrow—it is well known across the patch that I would not be on the list of soggy, wet liberals—but that does not mean that the principle that the individual owns data would lead to ID cards. It does not. I ask the Minister, with all due respect, not to suggest that I am making that argument, because I am not.
The Bill is not pro-business and is fundamentally flawed. The clause is simply about trying to manage all the conflicts and contradictions from yesterday’s age. It does not deal with the future. The Government have fallen short. I emphasise the word “economy” in the Bill’s title—it is not about public services, but the economy. I put that word up in bright lights. Where does the Bill talk about the economy? We are talking about public bodies and public authorities.
That was an impressive Second Reading speech. I am here to speak to amendment 97 and 107.
Not necessarily; that has not been called yet. The amendments have been tabled in the name of the hon. Member for Sheffield, Heeley. She finished her speech on Tuesday, and I put on record my thanks for her impressive scrutiny of the Bill, which she has done almost single-handedly. I note that she made a weighty speech about Concentrix yesterday, so I do not know how she finds the time to sleep. I am sure that it will be noted in the Lords that we have gone through a full process of scrutiny in Committee.
The Government will ensure that citizens can access future Government digital services effectively and securely, while removing the current reliance on paper certificates. That will provide more flexibility and modernise how services are delivered.
Amendment 97 would require registration officials and public authorities requesting information to specify reasons for requiring disclosure. In considering a request to share information under those powers, a registration official would first need to be satisfied that the recipient requires the information to enable them to exercise one or more of their functions.
In her speech on Tuesday, the hon. Lady raised some issues about the Data Protection Act 1998 and said that the Government should set out clearly that it is being honoured, particularly for registration. The hon. Member for Hyndburn talked about fundamental principles, and I can confirm that the Bill’s fundamental principle is its compliance with the Data Protection Act. Data should not be disclosed if to do so would be incompatible with that Act, the Human Rights Act 1998 or part 1 of the Regulation of Investigatory Powers Act 2000.
The Data Protection Act is Magna Carta of the data world, and we want to ensure that all parts of the Bill comply with it. When disclosing information, only minimal information will be provided, in accordance with the requirements of the data recipient.
I am grateful to the Minister for his kind and polite words. If that is the case, why does the Bill contain the words “clear and compelling”, rather than “necessary and proportionate”, which is the term associated with the Data Protection Act?
I have taken legal advice about that issue, which the hon. Lady raised in her previous speech, and I have been told that those words do not in any way, shape or form challenge or change the interpretation of and compliance with the Data Protection Act. We will be happy to look again at the wording and reflect on it if that gives her confidence that we are absolutely committed to ensuring that the Data Protection Act runs through the core of the Bill. Registration officials are required to be aware of the reasons for the request, so the intention behind the amendment is already achieved by the clause.
Amendment 97 seeks to prevent the onward disclosure of information by the data recipient to any other public or private body beyond the specified public authorities listed in proposed new section 19AB(1) of the Registration Service Act 1953. Disclosures under the power will be restricted to the specified public authorities listed in proposed new section 19AB(1). In addition, personal data will be shared only in accordance with the power and in adherence to the Data Protection Act, by which the recipients will also be bound. As an additional safeguard, under the code of practice, data-sharing agreements can place restrictions on onward disclosures of data, which will be adopted where appropriate.
Amendment 107 would retain the requirement for a civil registration official to be satisfied that the information was required by a recipient to fulfil one of more of their functions before disclosing data. It seeks to add a requirement that an individual must have given valid consent under data protection legislation before any disclosure of their personal data. The data protection legislation referred to is believed to be the Data Protection Act, to which these clauses are already subject. They already state that personal data must be processed fairly. In practice, it will sometimes be necessary to share information in the public interest, where it is impractical or inappropriate to seek or rely on the consent of the individual concerned, but that is already permitted under the Data Protection Act, which we are determined to ensure remains in force.
In the hon. Lady’s speech on Tuesday, she talked about the uses of bulk data and asked me to give examples of where the powers will be used and where they are already used. The powers will allow registration officials to disclose birth data to other local authorities. Currently, a registrar is unable to notify another local authority if a birth takes place in their district but the child’s parents reside in another. Being able to disclose data across district boundaries will assist healthcare, school and wider local authority planning. Being able to share bulk information will ensure that children are known to the local authorities in which they reside and that action can be taken to address any needs of the child or parent.
Another example relates to blue badge fraud. It is estimated that about 2.1% of blue badge fraud relates to use of a blue badge following the death of the individual to whom it belonged. The new powers will allow data to be shared with the local authorities to help reduce that fraud.
The Minister gives an important example—blue badge fraud—in which data are accessed rather than shared. The local authority will have an access point into Department for Work and Pensions data to determine whether someone is disabled, but there is absolutely no need for bulk data sharing across local authorities. That is the kind of example that we should follow in the rest of the public sector.
The hon. Lady mentions legal portals through which data can be shared. The key point is that although we have specific examples of data being accessed or shared, every new data-sharing arrangement has to be established within a very specified remit. A great example of a data-sharing arrangement for registrars that is already happening is the Tell Us Once service, in which birth and death registration information is shared across local and central Government. That system has been developed by Government, is envied by the private sector and clearly demonstrates the benefit of sharing civil registration information for both citizens and Government, but the problem is that it is very limited.
We cannot move forward by having endless tiny data-sharing agreements; we need to be able to create a wider platform. For instance, to share death data, individual local authorities have to forge individual relationships. We need to ensure that that is far broader, so that local authorities and Departments can work together to help to prevent unwarranted and unwanted mail from being sent to the family of a deceased person, which can often cause a great deal of distress.
This is evolution, not revolution. We are following the Data Protection Act 1998 and the codes of practice, which the Committee will discuss, will be reviewed every year. We can now share data effectively on a bulk level but without using personal details apart from for the benefit of those it will serve: children, local authorities, planning numbers. This is absolutely the right thing to be doing.
Disclosure will take place without consent only where that is consistent with Data Protection Act rules on fair disclosure. At all times, data can be shared only with specified public authorities as defined in section 19AB of the Registration Service Act 1953. The code of practice makes it very clear that if there are any data breaches or any of those authorities do not follow the code—we will discuss the code when we consider debt measures—they can be removed from that list. With that explanation, I hope the hon. Member for Sheffield, Heeley will agree that the necessary measures are already included in the clause and will withdraw her amendment.
My hon. Friend the Member for Hyndburn made important points about the absence from the Bill of clauses dealing with the private sector. In the evidence session, we heard from the chief executive of a tech start-up in Canary Wharf who made it very clear that nothing in the Bill would help his business or others operating in the digital economy. We will certainly return to that theme. I draw my hon. Friend’s attention to new clause 31, which the Committee will consider on Tuesday morning and which will require a review of data ownership across the public and private sectors.
I am grateful that the Minister has confirmed that the Government will consider a rewording of “clear and compelling”, because I think it could lead to some confusion regarding the compliance of part 5 with the Data Protection Act. It is great to hear him praise the Tell Us Once scheme, which was set up by the shadow Secretary of State for Culture, Media and Sport, my hon. Friend the Member for West Bromwich East (Mr Watson)—I will pass on the Minister’s congratulations to him.
The Minister referred to a platform; will he confirm whether he is referring to a central database of citizens’ civil registration information? That is a key concern. I am also glad to hear that sharing information without consent will take place only in explicitly defined circumstances, but I am still not clear why chapter 2 of part 5 will not—as our amendment 97 would—require civil registration officials to disclose why they are sharing information, as all the other chapters in part 5 require data-sharing arrangements or specified persons to do. If the Minister can explain that to me in an intervention, I will happily withdraw the amendment.
I used the word “platform” as part of a process argument about being able to look at data in the round, rather than to suggest that there would be any centralised data collection. That is certainly not the case. For public confidence, measures in the codes of practice set out clearly that when it comes to the data-sharing measures, once data have been used for the required purpose, they are then destroyed. They are not kept on any register for any historical purpose.
Turning to the hon. Lady’s second point—
Minister, this is an intervention. I call Louise Haigh—you may intervene again, Minister.
My question stands: why is there not a requirement in this chapter of this part for the reasons for disclosure, as there is in all the other chapters? I would be grateful if the Minister intervened regarding that point.
The registration codes of practice clearly set out that the purposes will need to be defined and that a business case will need to be made. None of that can take place until we ensure that there is a specified public function defined on the face of legislation, particularly when it comes to the code of practice that registrars will have to follow and which will be reviewed yearly. I believe that measures are in place to ensure that any data-sharing is done through a due process that is incredibly tight, restrictive and respectful of the use of individuals’ data.
The clause amends the Registration Service Act 1953 to introduce new flexible data-sharing powers that allow registration officials to share data from birth, death, marriage and civil partnership records with public authorities for the purpose of fulfilling their functions. That will provide more flexibility and modernise how Government services are delivered.
Being able to share registration data will bring many benefits, for example, in combating housing tenancy fraud. The National Fraud Authority estimates that housing tenancy fraud—for example, a tenant dies and someone else continues to live in the property when they have no right to—costs local authorities around £845 million each year. Being able to provide death data to local authorities will assist in reducing that kind of fraud. The sharing of data will provide benefits for the public in a number of different ways, including the removal of barriers when accessing Government services. It will pave the way for citizens to access Government services more conveniently, efficiently and securely, for example by removing the current reliance on paper certificates to access services.
Data will continue to be protected in accordance with data protection principles, and a number of safeguards will be put in place. Registration officials will be able to share data with only specified public authorities, as defined in new section 19AB—which also includes a power for the Minister to make regulations to add, modify or remove a reference to a public body, thereby providing reassurance that the data will only be disclosed in a targeted way to the Departments listed. As set out in paragraph 58 of the code of practice, the Registrar General has a responsibility to review the code annually, which will involve the national panel for registration. As an additional safeguard, such regulations will be made under the affirmative procedure, requiring the approval of both Houses.
All data sharing will be underpinned by a statutory code of practice, as set out in section 19AC. As I have said, when revising the code the Registrar General will have an obligation to consult the Minister, the Information Commissioner and other relevant parties. The code of practice will act as a safeguard by explaining how discretionary data-sharing powers should be used. The code will require data-sharing agreements to be drawn up, which will includes safeguards on things such as how data will be used and stored and for how long they are to be retained, and forbidding data to be cross-linked in any way.
Question put and agreed to.
Clause 38, as amended, accordingly ordered to stand part of the Bill.
Clause 39
Consequential provision
Question proposed, That the clause stand part of the Bill.
Several questions relating to the clause remain unanswered because we were cantering through on Tuesday afternoon. Will the Minister confirm, and give examples of, what the powers in this part of the Bill will exclude? Will he give some guidance on how officials are meant to determine where the line is for what is and is not included? Will there be more guidance issued for non-public sector authorities that will come under the legislation? Will he assure us that the codes, in their next iteration, will provide further guidance on how officials should deal with conflicts of interest when sharing data, how they should identify any unintended risks from disclosing data to organisations, and how sponsoring public authorities should assess whether their systems and procedures are appropriate for the secure handling of data? I would also be grateful if the Minister confirmed what lessons have been learned from the recent National Audit Office report that found more than 9,000 data incidents in the past year alone, and how the Government are improving their data processes to address those issues.
Will the Minister assure us that nothing in the Bill will undermine patient confidentiality? I am aware that the British Medical Association has written to him but has not had a response. The BMA is unclear about whether the scope of the Bill includes the disclosure of personal health and social care information, which would significantly weaken existing protections for confidential data. Will the well established rules that already protect such confidential information continue to apply, and will he assure us that these powers will not override common law in this vital area?
Finally, on a significant area that has not yet been addressed, do the Government intend to implement the EU’s general data protection regulation? If they do, why is the Bill not compliant with it?
On the European directive, which is to be introduced in May 2018, the codes will be revised and will reflect that. That is why the flexibility we have from the codes not being written into the Bill is so important—so that we can deal with instances in which there will be change in the future. They will be updated to reflect that change in May 2018.
Civil registration officers—public servants who want to share data for the benefit of the public—are not trying to do anything that would compromise those whom they serve. In the code of practice, paragraph 47 states that privacy impact assessments will be put in place to ensure that there will be compliance with data protection obligations and that they meet individual expectations of privacy. All Departments entering into data-sharing arrangements under the powers must comply with privacy impact assessments and publish the findings. We want to ensure transparency so that members of the public understand why it is necessary for those data to be shared.
An application to share data is not simply a permissive path by which new data-sharing arrangements can be established without going through due process and regard. In the fairness and transparency section of the data code of practice, there are many questions that must be addressed in order to establish the data-sharing arrangements. They are clearly laid out.
The Minister says that civil registration officials will be required to publish their findings. What exactly will they be required to publish, under either the code or the measures in the clause?
Paragraphs 47 and 49 of the civil registration data-sharing code of practice clearly state:
“All government departments entering into data sharing arrangements under these powers must conduct a Privacy Impact Assessment and to publish its findings. The Information Commissioner’s Conducting Privacy Impact Assessments code of practice provides guidance on a range of issues in respect of these assessments, including the benefits of conducting privacy impact assessments and practical guidance on the process required to carry one out…Registration officials entering into new data sharing arrangements should refer to the following guidance issued by the Information Commissioner on Privacy Impact Assessments which includes screening questions…to determine whether a Privacy Impact Assessment is required.”
On health care data, the Government are considering Dame Fiona Caldicott’s recommendations. The consultation closed on 7 September, and I confirm that the Bill’s powers will not be used in relation to health and care data before we have completed that process.
The Bill explicitly says that health and social care information should be excluded, but there are concerns that it is drafted so widely that it could be used for that, and I think that the Minister has just confirmed it. He is saying that it is wide enough that should the Government decide on the basis of Dame Fiona’s review that they want to share health and social care information, the Bill will enable it. Is that the case?
The Government will respond to the National Data Guardian’s review. It will not have an impact on the Bill at this stage. The Department of Health recently concluded a public consultation and is considering how to implement her recommendations. As it will take time to make the changes and demonstrate that the public have confidence in them, it would be inappropriate for the Government to seek new information sharing powers in respect of health and care data at this time. I note that we will come to health and care data when we debate a later group of amendments on research, and I hope to provide more information when we do.
Question put and agreed to.
Clause 39 accordingly ordered to stand part of the Bill.
Clause 40
Disclosure of information to reduce debt owed to the public sector
I beg to move amendment 190, in clause 40, page 39, line 21, leave out “have regard, in particular, to” and insert “must comply with”.
I thank the hon. Lady for her speech, and I appreciate the caution with which she approaches the subject. We have been determined that our definition of data sharing should be in the ICO’s code of practice, and we have adopted that definition in our own draft code. We will comply with ICO’s best practice, which of course means keeping careful records of all data-sharing agreements. We already keep registers of data sharing by Department, and they are FOI-able. We need to take public confidence with us. We will not allow data to be shared with a public authority that does not have appropriate systems in place.
To reassure those whom the hon. Lady seeks to assure that their data can be shared without any compromise to individual security, I will take a journey through the data sharing code of practice. When we come to establish some of the fraud elements, it will be an incremental process. Debt and fraud data-sharing pilots will be set up, and the UK Government are establishing a review group to oversee UK-wide and England-only data sharing under the fraud and debt powers. The review will be responsible for collating the evidence that will inform the Minister’s review of the operations powers as required under the Bill after three years. Devolved Administrations will establish their own Government structure for the oversight of data-sharing arrangements within their respective devolved territories.
Following that, a request to initiate a pilot under the debt and fraud powers must be sent to the appropriate review groups in the territory, accompanied by a business case. The business case must detail its operational period, the nature of the fraud and debt recovery being addressed, the purpose of the data share and how its effectiveness will be measured. Absolutely rock-solid requirements need to be put in place. For instance, the public service delivery debt and fraud powers require a number of documents to be produced as part of the case for a pilot.
Those documents will be a business case for the data-sharing arrangement, which can be collated by all the organisations involved; data-sharing agreements; and a security plan. Furthermore, as part of any formal data-sharing agreements with public authorities that grant access to information, security plans should include storage arrangements to ensure that information is stored in a robust, proportionate and rigorously tested manner and assurances that only people who have a genuine business need—
The Minister is making an argument to which I would extend my previous comments. He is arguing that there will be security because we will have a data repository—it will inevitably be a single data repository—with secure firewalls around it. However, the architectural principle for which he is arguing is that all data will be kept in one place. From a security perspective, that is the most dangerous way to store data. To return to why Estonia leads the world, there is a distribution—
Order. That is an intervention. I am quite happy if the hon. Gentleman wants to catch my eye, but interventions should be short. I have been very lenient with that one.
To return to the security angle, we must have assurances that only people with a genuine business need to see the personal information involved in a data-sharing arrangement will have access to it; confirmation of who will notify in the event of any security breach; and procedures in place to investigate the cause of any security breach. Paragraph 104 of the code suggests:
“You should ensure that data no longer required is destroyed promptly and rendered irrecoverable. The same will apply to data derived or produced from the original data, except where section 33 of the DPA applies (in relation to data processed for research purposes).”
At all times, we want to ensure that public confidence is taken forward with the pilots. They will be put in place only once all the boxes have been ticked. Paragraph 108 of the code states:
“You should make it easy for citizens to access data sharing arrangements and provide information so that the general public can understand what information is being shared and for what purposes. You should communicate key findings or the benefits to citizens derived from data sharing arrangements to the general public to support a better public dialogue on the use of public data.”
Security is not discretionary. Amendment 190 would not reinforce that requirement. It is not a question of compliance with systems in place. Instead, there must be adequate systems in place and Ministers must have regard to those systems to ensure they meet the essential security specifications that the Government demand.
Amendments 191 to 194 concern the codes of practice and present a similar discussion to the one we had about using “have regard to” or “compliance to”. The powers cover a range of public authorities in devolved areas, and we want to ensure flexibility in how powers will be operated, so that we can learn from what works and adapt the code as necessary. If bodies fail to adhere to the code, the Minister will make regulations to remove their ability to share information under the power as set out in paragraph 11 of the code of practice.
As I mentioned, the requirement to have regard to the code of practice does not mean that officials have discretion to disregard the code at will. They will be expected to follow the code or they will lose their ability to share data. There could be exceptional reasons why it is reasonable to depart from the requirements of the code. To fix a rigid straitjacket creates a system of bureaucracy where officials must follow processes that run contrary to logic. This is standard drafting language adopted for the above reasons in the Immigration Act 2016, the Children and Families Act 2014 and the Protection of Freedoms Act 2012, to name a few recent pieces of legislation.
It is welcome to hear how detailed and extensive these audits will be. If they are subject to the Freedom of Information Act 2000, will the Minister consider proactively publishing them anyway, so that we can be assured that they are all kept in one place and that data sharing happens only in accordance with data-sharing arrangements that are in the public domain?
When we set up new data-sharing arrangements, we must remember that the ICO and the devolved Administrations must be consulted and that the powers must go before Parliament again. We will have further scrutiny when considering the regulations under the affirmative procedure for secondary legislation.
Given that the arrangements have to go through all the obstacles that the Minister has just outlined, I do not understand why not then include them in a central register, so that they are all in one place. We could then be confident that not just those cases in the Bill but all data sharing across the Government is made public and people can have confidence in how and why their data are being used and shared.
The hon. Lady refers to new clause 35, so I would now like to address that and take her points on board. This is about informing the public about what information is being shared by public authorities and for what reason.
The Bill’s provisions already include a number of commitments to transparency and proportionality, which I have already discussed in disclosing information by public authorities. There is a consistent requirement to uphold the Data Protection Act, including its privacy principles that govern the secure, fair and transparent processing of information.
We require the publishing of privacy impact assessments and privacy notices as set out in paragraph 82 of the code of practice. The research power requires the UK Statistics Authority, as the accrediting body, to maintain and publish a register of all persons and organisations it has accredited, and they can be removed under clause 61(5), which mandates that a withdrawal of accreditation will take place if there has been a failure to have regard to the code of practice.
The requirements of the new clause would inevitably create a new set of administrative burdens, which in turn would carry significant cost implications. It is not clear how the uniform resource locator referred to would be agreed upon, or what assessment has been made of the administrative changes that may be required across the public sector. The requirement might have an unintended consequence. For example, it is possible that including information on the specific data to be disclosed would raise difficult questions about whether the public register would interfere with the duty of confidentiality or breach the provisions of the Data Protection Act. Some of the new powers—in particular, the research provisions—would involve the sharing of non-identifying information, so it is not clear how citizens would understand from a register which datasets contain information relating to them or any particular group of reasons.
The key purpose of the new powers is to simplify the legal landscape to enable public authorities to do their job more effectively and deliver better outcomes for the citizen. The new clause, however well intentioned—I respect the hon. Lady’s point—risks working against that purpose and I therefore invite her to withdraw it.
The Opposition drafted the amendments and I accept that they may not be perfect, but the principle behind the idea of a data register is impossible to argue with. If the Minister claims that these audits will be done thoroughly and that they will be subject to the Freedom of Information Act anyway, I see no reason why they should not be proactively published, so that the public and Opposition Members can have full confidence that everything in the codes of practice, which are not statutory, is being properly adhered to.
Good debt management is a key part of achieving the Government’s fiscal policy objectives. Clause 40 provides a permissive power that will enable information to be shared for the purposes of identifying, collecting, or taking administrative or legal action as a result of debt owed to the Government. With more than £24 billion of debt owed to the Government, the problem is clearly significant.
Public authorities need to work together more intelligently to ensure that more efficient management of debt occurs. We believe that the new power will assist in achieving that. By enabling the efficient sharing of information to allow appropriate bodies to draw on a wider source of relevant data, informed decisions can be made about a customer’s circumstances and their ability to pay. Sharing information across organisational boundaries will help the Government to understand the scale of the issues individuals are facing, and where vulnerable customers are identified, they can be given appropriate support and advice.
Citizens Advice stated:
“This new power is an opportunity to advance the fairness and professionalisation agenda in government debt collection…Sharing data between debt collecting departments will create improved opportunities for better treatment of people in vulnerable situations, and must be matched with fairer and more effective dispute resolution processes.”
The Government agree with that and have worked with non-fee paying debt advice agencies to develop fairness principles to accompany the power, which are included in annex A of the code of practice.
It is important to dwell on the principles that organisations will adhere to, which state:
“Pilots operating under the new data sharing power should aim to use relevant data to help to differentiate between: A customer who cannot pay their debt because of vulnerability or hardship…; A customer who is in a position to pay their debts but who may need additional support; and A customer who has the means to pay their debt, but chooses not to pay - so public authorities, and private bodies acting on their behalf, can assess which interventions could best be used to recover the debt”,
and that:
“Pilots must be conscious of the impact debt collection practices have on vulnerable customers and customers in hardship”.
The principles go on to cover:
“Using relevant sources of data and information to make informed decisions about a customer's individual circumstances and their ability to pay.”
That process could include:
“An assessment of income versus expenditure to create a tailored and affordable repayment plan based on in work and out of work considerations, including the ability to take irregular income into account; and consideration of the need for breathing space to seek advice, or forbearance, in cases of vulnerability and hardship…Where a vulnerable customer is identified, they should be given appropriate support and advice, which may include signposting to non-fee paying debt advice agencies.”
I would be grateful if the Minister confirmed that those pilots and the powers enabled in the Bill will apply only to individuals already identified as being in debt, and that they will not seek to profile individuals who may or may not be in debt.
Yes, I can confirm that. Moving forward, I reassure the Committee that we will continue to work closely with Citizens Advice and StepChange to look at fairness in Government debt management processes. Only HMRC and DWP have full reciprocal debt data-sharing gateways in place, under the Welfare Reform Act 2012. This power will help level the playing field for specified public authorities by providing a straightforward power to share data for clearly outlined purposes. Current data-sharing arrangements are time-consuming and complex to set up, and significantly limit the ability of public authorities to share debt data. This power will help facilitate better cross-Government collaboration that will help drive innovation to improve debt management. The clause will provide a clear power for specified public authorities to share data for those purposes, and will remove the existing complications and ambiguities over what can and cannot be shared and by whom.
The Minister may have just clarified the point I was seeking to tease out of him. The problems that my hon. Friend the Member for Sheffield, Heeley described show that, far from helping people with debt, the agencies acting on behalf of the Government have created debt that did not exist previously by misusing Government data. The Minister may have just assured us that that will not be the case. If the Minister is really concerned about reducing Government debt, perhaps the Government should have not chopped in half the number of HMRC tax inspectors and instead gone after the people who owe the Government tax.
Question put and agreed to.
Clause 40 accordingly ordered to stand part of the Bill.
Clause 41
Further provisions about power in section 40
Amendments made: 120, in clause 41, page 40, line 5, at end insert—
“(ba) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 123 create a further exception to the bar on using information disclosed under Chapter 3 of Part 5 of the Bill for a purpose other than that for which it was disclosed. The amendments allow use for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 121, in clause 41, page 40, line 6, leave out
“(whether or not in the United Kingdom)”.
This amendment removes the provision stating that a criminal investigation for the purposes of clause 41(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 122, in clause 41, page 40, line 8, leave out
“and whether or not in the United Kingdom”.
This amendment removes the provision stating that legal proceedings for the purposes of clause 41 may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 123, in clause 41, page 40, line 11, at end insert—
‘( ) In subsection (2)(ba) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”—(Chris Skidmore.)
See the explanatory statement for amendment 120.
Clause 41, as amended, ordered to stand part of the Bill.
Clause 42
Confidentiality of personal information
Amendments made: 124, in clause 42, page 41, line 4, at end insert—
“(da) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 127 create a further exception to the bar on the further disclosure of information disclosed under Chapter 3 of Part 5 of the Bill, allowing disclosure for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 125, in clause 42, page 41, line 5, leave out
“(whether or not in the United Kingdom)”.
This amendment removes the provision stating that a criminal investigation for the purposes of clause 42(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 126, in clause 42, page 41, line 8, leave out
“and whether or not in the United Kingdom”.
This amendment removes the provision stating that legal proceedings for the purposes of clause 42(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 127, in clause 42, page 41, line 12, at end insert—
‘( ) In subsection (2)(da) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”
See the explanatory statement for amendment 124.
Amendment 128, in clause 42, page 41, line 13, leave out subsections (3) and (4) insert—
‘( ) A person commits an offence if—
(a) the person discloses personal information in contravention of subsection (1), and
(b) at the time that the person makes the disclosure, the person knows that the disclosure contravenes that subsection or is reckless as to whether the disclosure does so.” —(Chris Skidmore.)
This amendment applies to the disclosure of personal information in contravention of subsection (1) of clause 42. It has the effect that it is an offence to do so only if the person knows that the disclosure contravenes that subsection or is reckless as to whether it does so.
Clause 42, as amended, ordered to stand part of the Bill.
Clause 43 ordered to stand part of the Bill.
Clause 44
Code of practice
Amendment made: 129, in clause 44, page 42, line 7, at end insert—
‘( ) The code of practice must be consistent with the code of practice issued under section 52B (data-sharing code) of the Data Protection Act 1998 (as altered or replaced from time to time).”—(Chris Skidmore.)
This amendment requires a code of practice issued under clause 44 by the relevant Minister and relating to the disclosure of information under clause 40 to be consistent with the data-sharing code of practice issued by the Information Commissioner under the Data Protection Act 1998.
Question proposed, That the clause stand part of the Bill.
The Government have started work to look into the common financial statement and standard financial statement alongside non-fee-paying debt advice agencies. That work is in its infancy, but the evidence will help us to decide whether the CFS/SFS could have benefits for Government. Until that work is completed, the Government cannot commit fully to adopt the CFS/SFS.
Will the Minister give a timeframe for when that work will be completed and when we will have a statement from the Government?
It is not possible for me to give a timeframe in a Bill Committee discussing clause stand part. I suggest that I write to the hon. Lady, setting out those details in due course.
Government debt is clearly different from private sector debt. It is not contractual. The Government provide a wide range of services to citizens, such as the NHS and education system, and targeted support for those who meet the eligibility requirements to receive benefits. In return, citizens are required to pay taxes and repay any benefit in tax credit overpayments or fines that have been imposed for criminal activity. That revenue helps to fund vital services. The Government aim to ensure that customers are treated fairly. We encourage customers to engage early, so that they can agree on an affordable and sustainable repayment plan that takes individual circumstances into account. We understand that if poor debt collection practice occurs, that can cause distress.
The clause requires in particular that the code of practice must be issued by the Minister. It sets out more detail about how the power will operate and the disclosure and use of data. All specified public authorities and other bodies disclosing or using information under the power must have regard to the code of practice, which sets out in detail best practice of how the data-sharing power should be used. That includes what data should be shared, how data will be protected, issues around privacy and confidentiality and, significantly, the set of fairness principles that I talked about, which must be considered when exercising the power in clause 40. With that in mind, and the fact I have discussed extensively how the codes of practice will help protect the most vulnerable in society, I hope the clause will stand part of the Bill.
I am grateful to the Minister for the commitment to write to me. It would be welcome if he could write to all members of the Committee. That shows how committed he is to improving the detail of the clause.
Question put and agreed to.
Clause 44, as amended, accordingly ordered to stand part of the Bill.
Clause 45
Duty to review operation of Chapter
I rise to speak to amendment 130, in clause 45, page 43, line 10, at end insert—
‘( ) The relevant Minister may only make regulations under subsection (5)—
(a) in a case where the regulations include provision relating to Scotland, with the consent of the Scottish Ministers;
(b) in a case where the regulations include provision relating to Wales, with the consent of the Welsh Ministers;
(c) in a case where the regulations include provision relating to Northern Ireland, with the consent of the Department of Finance in Northern Ireland.”
This amendment requires the relevant Minister to obtain the consent of the Scottish Minsters, Welsh Ministers or Department of Finance before making regulations which, following a review under clause 45, amend or repeal Chapter 3 of Part 5 and make provision relating to Scotland, Wales or Northern Ireland respectively.
It is envisaged that information-sharing powers will enable sharing arrangements to be set, but they may take place solely within a devolved territory or involving data relating to devolved matters. The amendments intend to require the consent of Scottish Ministers, Welsh Ministers and the Department of Finance in Northern Ireland before making any regulations to amend or repeal the provisions that relate to those territories. Regrettably, we have found technical flaws with the amendments, so we will reconsider this issue and return to it at a later stage.
I would be grateful if the Minister confirmed what technical issues there are with the amendments.
There are a number of technical issues in these amendments, and we are determined to consult thoroughly with the devolved Administrations and the relevant offices. We will do so in due course. We will return to that later in the Bill.
It is unusual for the Government to introduce amendments and then find technical problems with them. That is obviously what has happened and it is very unfortunate. Given that we were expecting to debate the amendments at this point, can the Minister give us an indication of when he will bring back non-defective amendments—or whether, indeed, he intends to bring any further amendments in this area?
When it comes to the point of process that the hon. Gentleman mentions, we intend to return to this further into the Bill. The particular issue that arose with the amendments as currently drafted is that the need for consent needs to apply correctly only to devolved matters. We found that the amendments do not reflect that, which is why we wish to withdraw them today.
It would be helpful if that were to happen during the Commons stage of the Bill, rather than in the Lords, so that this House has an opportunity, at least on Report, to consider this aspect.
I note the hon. Gentleman’s concerns and will reflect on them. I cannot give any further information at this moment. We hope to ensure that the amendments, when later drafted, will reflect the Government’s desire to listen carefully to all devolved nations and ensure that this applies across the UK.
The amendment is not moved.
Clause 45 ordered to stand part of the Bill.
Clauses 46 to 48 ordered to stand part of the Bill.
Clause 49
Further provisions about power in section 48
Amendments made: 131, in clause 49, page 46, line 43, at end insert—
“(ba) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 134 create a further exception to the bar on using information disclosed under Chapter 4 of Part 5 of the Bill for a purpose other than that for which it was disclosed. The amendments allows use for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 132, in clause 49, page 46, line 44, leave out “(whether or not in the United Kingdom)”
This amendment removes the provision stating that a criminal investigation for the purposes of clause 49(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 133, in clause 49, page 46, line 46, leave out “and whether or not in the United Kingdom”
This amendment removes the provision stating that legal proceedings for the purposes of clause 49(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 134, in clause 49, page 47, line 6, at end insert—
‘( ) In subsection (2)(ba) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”—(Chris Skidmore.)
See the explanatory statement for amendment 131.
Clause 49, as amended, ordered to stand part of the Bill.
Clause 50
Confidentiality of personal information
Amendments made: 135, in clause 50, page 47, line 44, at end insert—
“(da) for the prevention or detection of crime or the prevention of anti-social behaviour,”
This amendment and amendment 138 create a further exception to the bar on the further disclosure of information disclosed under Chapter 4 of Part 5 of the Bill, allowing disclosure for the prevention or detection of crime or the prevention of anti-social behaviour.
Amendment 136, in clause 50, page 48, line 1, leave out “(whether or not in the United Kingdom)”
This amendment removes the provision stating that a criminal investigation for the purposes of clause 50(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 137, in clause 50, page 48, line 4, leave out “and whether or not in the United Kingdom”
This amendment removes the provision stating that legal proceedings for the purposes of clause 50(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 138, in clause 50, page 48, line 11, at end insert—
‘( ) In subsection (2)(da) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”
See the explanatory statement for amendment 135.
Amendment 139, in clause 50, page 48, line 12, leave out subsections (3) and (4) insert—
‘( ) A person commits an offence if—
(a) the person discloses personal information in contravention of subsection (1), and
(b) at the time that the person makes the disclosure, the person knows that the disclosure contravenes that subsection or is reckless as to whether the disclosure does so.”—(Chris Skidmore.)
This amendment applies to the disclosure of personal information in contravention of subsection (1) of clause 50. It has the effect that it is an offence to do so only if the person knows that the disclosure contravenes that subsection or is reckless as to whether it does so.—
Clause 50, as amended, ordered to stand part of the Bill.
Clause 51 ordered to stand part of the Bill.
Clause 52
Information disclosed by the Revenue and Customs
Amendment made: 140, in clause 52, page 49, line 7, at end insert—
‘( ) The code of practice must be consistent with the code of practice issued under section 52B (data-sharing code) of the Data Protection Act 1998 (as altered or replaced from time to time).”—(Chris Skidmore.)
This amendment requires a code of practice issued under clause 52 by the relevant Minister and relating to the disclosure of information under clause 48 to be consistent with the data-sharing code of practice issued by the Information Commissioner under the Data Protection Act 1998.
Clause 52, as amended, ordered to stand part of the Bill.
Clauses 53 to 55 ordered to stand part of the Bill.
Clause 56
Disclosure of information for research purposes
I beg to move amendment 142, in clause 56, page 52, line 23, at end insert—
‘(3A) For the purposes of the first condition the information may be processed by—
(a) the public authority,
(b) a person other than the public authority, or
(c) both the public authority and a person other than the public authority,
(subject to the following provisions of this Part).
(3B) Personal information may be disclosed for the purpose of processing it for disclosure under subsection (1)—
(a) by a public authority to a person involved in processing the information for that purpose;
(b) by one such person to another such person.”
This amendment and amendments 143, 144, 146 to 149, 151 to 153, 159, 160 and 162 to 166 relate to the processing of information for disclosure under clause 56 so as to remove identifying features. They make it clear that a person other than the public authority which is the source of the information may be involved in processing that information.
With this it will be convenient to discuss Government amendments 143 to 153, 159, 160 and 162 to 170.
The amendments apply to the research power. Together they provide clarity on the conditions that must be met when information provided by public authorities for research purposes is processed, as set out in clause 56. They also require public authorities to obtain accreditation to process personal information with that power, and they provide further clarity on the exclusion of health and adult social care information in clauses 56 and 63.
Personal information must not be disclosed to researchers under the power unless it is first processed in a way that protects the privacy of all data subjects. Those involved in the processing of information must be accredited as part of the conditions under this power. Processing may be carried out by the public authority that holds the data concerned, a different public authority, or specialist persons or organisations outside the public sector, including those providing secure access facilities and other functions, those commonly referred to as trusted third parties, or a combination of the two.
These amendments have been tabled to ensure that the position is reflected accurately in clause 56 and to ensure that it is clear that each accredited processor can disclose information to other accredited processors as required. In addition, they clarify that a person involved in the processing of information other than the public authority holding the information can disclose the de-identified information to researchers.
As drafted, the Bill does not require public authorities to be accredited or to process data for disclosure to researchers. On reflection, the Government recognise the importance of ensuring that all bodies involved in processing information are subject to the same level of accountability and scrutiny. The amendments will enable the UK Statistics Authority, as the accrediting body, to enforce a consistent approach to best practice for handling information.
Finally, it is important that the exclusion of health and adult social care data is defined in a way that is accurate and transparent. As drafted, the research clauses could be interpreted as excluding from the power public authorities that are primarily health and adult social care providers, but which provide some health-related services. That could mean that, contrary to the intention of the Bill, public authorities, including local authorities that provide a range of services, are at risk of being barred from sharing data relating to their functions because they provide some health and social care-related services.
The amendments will clarify that public authorities whose sole function is to provide health and/or adult social care services will be excluded from the power. They also clarify that public authorities that provide health and/or adult social care services as part of a range of services can share information, including health and adult social care data.
I very much welcome the amendments. Has the Minister considered the Information Commissioner’s recommendation to have an additional offence for re-identifying anonymised personal information, as in the Australian model? I otherwise support the amendments.
We are obviously working closely with the Information Commissioner. We will consider all her recommendations in due course, but I cannot comment on that at this moment in time.
Amendment 142 agreed to.