Data Protection Bill [Lords] Debate
Full Debate: Read Full DebateDaniel Zeichner
Main Page: Daniel Zeichner (Labour - Cambridge)Department Debates - View all Daniel Zeichner's debates with the Department for Digital, Culture, Media & Sport
(6 years, 9 months ago)
Commons ChamberI will not speak about the problems of the analogue past, but instead look ahead to the digital future. It is a pleasure to speak on a Bill that has been subject to very detailed scrutiny by some very eminent people in the other place.
It may seem curious to have such lengthy and detailed legislation before us when the heart of it, the GDPR, is actually somewhere else—it is, of course, in EU legislation. Our discussion is on how to implement it and other such issues rather than on the actual proposals themselves. I dare say that there are some who will jump to the conclusion that it is yet another example of rules being made elsewhere. However, I take the opposite view, as this is legislation that British representatives helped to fashion in Brussels, and as I will point out later in my speech, because data flows across national boundaries, having a full and frank discussion with one’s neighbours is to one’s advantage, not disadvantage. By being in the European Union, through the GDPR as in so many other fields, we take control of our future, rather than hunker down in a defeated bunker and wait for others to do things to us—taking back control of nothing other than the ability to bemoan our unfortunate fate.
This debate today is very timely, because on Friday the Prime Minister finally made the first faltering steps towards recognising that reality. I was pleased to see her acknowledge just how important data is to our future—it was one of the four key areas that she outlined—but, even after all the warnings, she still does not seem quite to understand the pitfalls in seeking an adequacy arrangement when, without the freedoms that membership of the European Union gives us to determine our own balance between security and privacy, that balance will be subject to the very different judgment of other EU countries.
I have been fortunate, through my work as chair of the all-party group on data analytics, to learn from a range of very expert people about some of the possible advances that come with a much more sophisticated use of data. I have also learned of the fears that many rightly have about the potential consequences of those same advances. That is why I was pleased that, following the excellent work by the Royal Society led by Dame Ottoline Leyser from Cambridge among others, we do now have the prospect of a data ethics and governance body, and, perhaps unusually, I pay credit to the Government for bringing that forward. Although I have questioned exactly how that will sit within the current structures, particularly with the Information Commissioner’s Office, we have the potential to create something really rather important, and I hope that, in further discussion of this Bill, we will be able to explore with Ministers in more detail the future landscape for data governance. We most certainly need such governance, because hardly a day goes by without further concerns being raised in one sphere or another, whether it be internet safety issues or the accurate reporting of news. To put it mildly, this is a big subject.
I will not attempt to address all, or even many, of the issues in the Bill; that can be for another day. Instead, I will confine my comments to one or two areas of particular concern. As someone who was very taken by the account of the potential dangers of relying too heavily on closed algorithms when I read the aptly titled “Weapons of Math Destruction” by Cathy O’Neil, I must mention the concern so many of us feel about the dangers of automated decision making, which so risk hardcoding previous injustices and social and cultural prejudices. In this Bill in particular, I share the concerns already raised about the immigration exemption.
A further concern raised in general about GDPR is the potential unintended consequences on some voluntary organisations, particularly small ones. It may be that the legislation has not always been properly understood, and it may be that some accounts have caused people to be more fearful than they need be, but I was struck just a few days ago to hear from a small charity in Cambridge that it had decided to discontinue its operations because it was not confident that it could meet GDPR requirements. Stopping small voluntary organisations from helping people is not the intention of this legislation. Indeed, if that is an unintended consequence, we need urgently to find ways to remedy it.
Similarly, we need to make sure that this legislation facilitates, rather than damages, our ability to use NHS data effectively. I know that many are working very hard on that, and that everyone is mindful of previous false starts. In particular, the shadow of Care.data still looms, because, despite good intentions, that programme clearly got it wrong. It failed to win public trust: there was widespread concern that the appropriate safeguards were not in place, and a failure properly to explain potential benefits to patients. It is easy to criticise, but winning trust is a very hard thing to do. The public are rightly concerned that data obtained for one use could then be applied in a different context and could possibly be commercialised. All the evidence is that that is what people particularly revile. We now have another programme under way, which we are told is GDPR compliant, and yet I wonder again just how many people are aware of it and whether we can be sure that there will not be further problems. I hope that, as we discuss this Bill, we can help raise public awareness and understanding, because without that, all the work and effort being put in by so many could be at risk.
I turn briefly to potential impacts on the research sector and universities. I am grateful to the Sanger Institute, located outside Cambridge, and the Wellcome Trust for explaining some of the very real concerns facing the sector, particularly around health data. We know that reviews such as Caldicott have made sensible recommendations, which hon. Members are working hard to get on the statute book. The principle of opt-outs regarding the usage of data collected is sound, and the safeguards such as those enshrined in GDPR are vital for ensuring data subjects’ interests are protected in research. However, as currently drafted, the framework for data processing by the Government, which was introduced at a very late stage in the other place, risks undermining that. The ICO also has concerns, as it is not clear that the public can have absolute confidence in the way that the Government use their data, and I hope that we can have some clarity from Ministers over how that can be resolved. It is also worth noting in passing that the introduction of the National Data Guardian for Health and Social Care, which has come about through a private Member’s Bill, is welcome but is awaiting Committee stage. The process needs to be speeded up to dovetail with this Bill as a matter of urgency.
There are further concerns. Research institutions tell me that this Bill currently does not provide a clear enough legal basis for conducting research using personal data. They have some fairly straightforward suggestions for improvement, which I hope the Government will consider in Committee, around better defining public interest to make it explicit that it includes research uses, particularly medical research.
Additionally, when I spoke to the Sanger Institute, which has to process data not under the public interest category but under legitimate interest, it was clear to me that it is important that it has confidence about the legitimate provenance of the processed data that it uses, which has often been passed from universities. The research community needs it written explicitly in the Bill that university research can be conducted legitimately on a “task in the public interest” lawful basis. That is also needed to satisfy guidance from the ICO to confirm that this is an appropriate lawful basis for university research. Although larger institutions may have the confidence to continue with their research and risk challenge, this could present more of a problem to newer or smaller universities. We have huge potential for healthcare transformation and innovation in the UK economy, and to risk that by getting this part of the Bill wrong would be very foolish.
Let me conclude by returning to where I and the GDPR began—with our relationship with the European Union and the extent to which this Bill will or will not help us secure the adequacy agreement that we all agree that we need and that the Prime Minister confirmed that we needed on Friday. Why does it matter? I urge Members to look no further than the excellent work done by techUK, which has explained in detail just how much our economy depends on data flows. Let me share a local example. A few weeks ago, I visited Jagex, a video games developer in my constituency. It was not my first visit. It is a fantastic and inspiring example of what work might be like in the future, and its model is very positive. Visiting Jagex, with representatives from Ukie, the trade body for the video games sector, it was explained to me just how vital data flows are for the sector. It is because these games and their players span many nations, and their data does not respect national boundaries.
On a Friday afternoon, 100,000 people were playing RuneScape—I was told that, over the weekend, there would be more than a million players. Huge flows of data are serviced and maintained by skilled staff in Cambridge, who are from all over Europe and beyond. That is the future, and it is a good future, but it requires that we keep open those flows of data, and—although this is for another day—those flows of people. None the less, we are potentially putting this UK success story at risk. Some of the national security and immigration exemptions in this Bill are potentially enough to deny us data adequacy in the eyes of some countries in the EU. We need to ensure that this Bill is not going to cause us harm further down the line.
There is also the question of timing. These are complicated and controversial issues, but the Bill must be on the statute book in a mere two months’ time—on 6 May—for the new rules to be in place for 25 May. Missing the GDPR implementation date really is not a great look for a country that is trying to achieve a data adequacy agreement with its international partners.
We may also need to assess other countries for their adequacy. Who is to do that assessment? The ICO does not feel that it is appropriate for it to do that, so is the Department for Digital, Culture, Media and Sport really ready? Does it have the resources? Has the work started? And what of the complexities of the relationship with the United States of America and the privacy shield? At the moment, we are covered by the data privacy shield as an EU member state and a similar arrangement would be welcome, but the American system is complicated, with no federal oversight and it may not be quick.
I welcome this Bill overall, but significant challenges remain. I look forward to seeing how the Bill will be improved in Committee, particularly around safeguarding data owners’ rights, ensuring that we can make best use of our health data, and ensuring that universities and researchers have the clarity that they need to continue their excellent and life-saving research.
I hope that the Minister will go further to explain the ways in which she is preparing for adequacy decisions that may need to be both applied for and made by the UK in the coming months and years. Most importantly, perhaps, I hope to learn further from Ministers how this Bill will be adapted so that our approach to the balance between privacy and security is sufficiently aligned with EU standards, meaning that adequacy can be achieved smoothly. I am afraid that “ambitious managed divergence” simply will not cut it, and I leave the Minister to explain how the conundrum can be resolved.
It is very much for a Minister to decide for how long he, or in this case she, responds to a debate. I understand that the hon. Gentleman is somewhat agitated. I am saddened to see him in a state of perturbation about the matter, but there is no immediate relief, other than the fact that he has registered his concern and it is on the record. There is, however, nothing to be added by me in response to his point of order.
Further to that point of order, Mr Speaker. As my hon. Friend says, this has been a very long debate in which serious issues have been raised by Opposition Members. This debate was about not just Leveson, but data protection, which is particularly important for the future, and Opposition Members asked some major questions. I asked about the future of research. Researchers are very concerned, but they have not had an answer from the Minister. Is there is anything you that can suggest, Mr Speaker, that would enable them to get an answer this evening from the Minister?
It is for the Minister to decide how long she replies. I am sorry if the hon. Gentleman feels that his points have not been responded to by the Minister, but she is legendarily succinct, and has obviously decided—independently, or in consultation with her colleagues on a collective basis—that tonight shall be no exception to the general principle of Jamesian succinctness.