All 1 Earl of Erroll contributions to the Data (Use and Access) Bill [HL] 2024-26


Tue 19th Nov 2024

Data (Use and Access) Bill [HL]

Earl of Erroll Excerpts
2nd reading
Tuesday 19th November 2024


Lords Chamber
The Earl of Erroll (CB)

My Lords, I want to get on to the digital verification service. First, I declare that I am very interested in digital twins; there are huge advantages in modelling—for instance, the underground and all the various things that can choke traffic. I went to a very interesting event at Connected Places Catapult, where they are modelling all the inferences on traffic and flows, et cetera, to try to work out how you can alleviate it and get emergency services through when everything is choked up. There is huge advantage in being able to model that, and for that we need data sharing and all the other things.

The other thing I got very interested and involved in, with FIDO and Kaimai, is causal AI. As people say, we need to know how it got there: what sources was it relying on when it reached certain things that it put in the reports or decisions made? It is a very important aspect, because the “I” in AI is not really the right word to use. A computer is not innately intelligent. It is like a child; what you put into it and what it learns from that could well be not what you expected it to learn at all. We have to be very careful of believing too much in it, putting too much faith in it and thinking that it will run the future beautifully.

Here is the bit that I am more interested in. I was talking to my noble friend Lady Kidron just before the debate, and she pointed out something to me because of my previous involvement in chairing the British Standard PAS 1296 on age verification, which we did around the Digital Economy Act when we were worried about all the implications and the pornography issues. The trouble now is that the Government seem to think that the only age verification that matters is checking that someone is over 18, so that they can purchase alcohol and knives and view inappropriate pornography, which should not be there for youngsters. But when we wrote it, we were very careful to make sure that there was no age specified. For educational purposes, there is material that you want to go to particular age cohorts and do not want for children at other ages because it is wrong for their stage of development and knowledge. Also, you need to be able to check that older people are not trying to get into children’s social groups; they must be excludable from them. Age verification, whenever it is referred to, should work in any direction and at any age you want it. It should not be so inflexible.

I was sent a briefing by the Association of Document Validation Professionals and the Age Verification Providers Association. I was very much there when all that started off, when I was chairman of EURIM, which became the Digital Policy Alliance. They represent some 50 attribute and identity providers, and they warmly welcome the Bill and the priority that the new Government are giving to returning it to Parliament. I will highlight the sections of the Bill dealing with digital verification services that they feel would merit further discussion during later stages.

In Clause 27, “Introductory”, ideally there would be a clear purpose statement that the Bill makes certified digital ID legally valid as a proof of identity. This has always been a problem. To progress in the digital world, we will need to ensure that digital verification of ID is given equal standing with physical passports and driving licences. These data are technically only tokens to enable you to cross borders or drive a vehicle, but they are frequently used as proof of ID. This can be done digitally, and the benefit of digital ID is that it is much harder to forge and therefore much more reliable. For some reason, we have always had a fear of that in the past.

In Clause 29, on “supplementary codes”, they are very worried that it could add time and cost to developing these if these processes are owned by the Office for Digital Identities and Attributes—OfDIA. There should be a stronger obligation to co-create with the industry, both in preparing the initial rules and in any revisions. The drafting is, apparently, currently ambiguous about any requirements for consultation. I know that that has been a problem in the past. There will be specialist requirements particular to specific sectors and the OfDIA will not necessarily have the required expertise in-house. There are already organisations in place to do things around each of these codes.

In Clause 33, on registration on the digital verification services register, the changes to the previous Bill around registration processes are welcome and, most notably, the Government have recognised in the Bill the need for national security checks. The problem is that there is no independent appeals mechanism if the Secretary of State refuses to register a DVS or removes it from the register, short of judicial review—and that is both time consuming and very expensive. Most would not be able to survive long enough to bring the case to a conclusion, so we need to think of other remedies, such as some form of appeals tribunal.

In Clause 39, on the fees for registration et cetera, the fees are a new tax on the industry and may go beyond raising sufficient funds for the costs of administering the scheme. They welcome fees now being subject to parliamentary scrutiny, but would like to see a statutory limit on raising more than is required to fund DVS governance. There are figures on it which I could give you, but I will not bore you with them right now.

In Clause 50, on trust marks for use by registered persons, there may be a benefit from more direct linking of the requirements relating to marks of conformity to the Trade Marks Act.

In Clause 51, on the powers of a Secretary of State to require information, this wide-ranging power to demand information may inherently override the Data Protection Act. It extinguishes any obligation of confidentiality owed by a conformity assessment body to its clients, such as the contents of an audit report. The net effect could be to open up audit reports to freedom of information requests, because the exemption to an FoI would be that they were confidential, but the Bill appears to override that, and the way the Bill is structured could mean that the Secretary of State can also override a court order imposing confidentiality. I do not think we should allow that.

Clause 52 is about arrangements for third parties to exercise functions. In its current form, the Office for Digital Identities and Attributes is an unusual regulator. It is not independent from the Government and does not share the features of other regulators. It may therefore not be able to participate in the Digital Regulation Cooperation Forum, for example, based on the powers relied upon by its members to collaborate with other regulators.

The OfDIA may not be in scope of regulatory duty for most regulators to promote growth. It is unclear whether the new regulatory innovation office will have jurisdiction over the OfDIA. It would be helpful to explore whether a more conventional status as an independent regulator would be preferable.

I think that is enough complication for the moment.