Data Protection Bill [Lords]

Baroness Laing of Elderslie Excerpts
3rd reading: House of Commons & Report stage: House of Commons
Wednesday 9th May 2018

(6 years, 6 months ago)

Commons Chamber
Read Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 8 May 2018 - (9 May 2018)
Margot James Portrait The Minister for Digital and the Creative Industries (Margot James)
- Hansard - - - Excerpts

I beg to move, That the clause be read a Second time.

Baroness Laing of Elderslie Portrait Madam Deputy Speaker (Mrs Eleanor Laing)
- Hansard - -

With this it will be convenient to discuss the following:

Government new clause 14—Destroying or falsifying information and documents etc.

Government new clause 15—Applications in respect of urgent notices.

Government new clause 16—Post-review powers to make provision about representation of data subjects.

Government new clause 17—Reserve forces: data-sharing by HMRC.

New clause 3—Bill of Data Rights in the Digital Environment

‘Schedule [Bill of Data Rights in the Digital Environment] shall have effect.’

This new clause would introduce a Schedule containing a Bill of Data Rights in the Digital Environment.

New clause 4—Bill of Data Rights in the Digital Environment (No. 2)

‘(1) The Secretary of State shall, by regulations, establish a Bill of Data Rights in the Digital Environment.

(2) Before making regulations under this section, the Secretary of State shall—

(a) consult—

(i) the Commissioner,

(ii) trade associations,

(iii) data subjects, and

(iv) persons who appear to the Commissioner or the Secretary of State to represent the interests of data subjects; and

(b) publish a draft of the Bill of Data Rights.

(3) The Bill of Data Rights in the Digital Environment shall enshrine—

(a) a right for a data subject to have privacy from commercial or personal intrusion,

(b) a right for a data subject to own, curate, move, revise or review their identity as founded upon personal data (whether directly or as a result of processing of that data),

(c) a right for a data subject to have their access to their data profiles or personal data protected, and

(d) a right for a data subject to object to any decision made solely on automated decision-making, including a decision relating to education and employment of the data subject.

(4) Regulations under this section are subject to the affirmative resolution procedure.’

This new clause would empower the Secretary of State to introduce a Bill of Data Rights in the Digital Environment.

New clause 6—Targeted dissemination disclosure notice for third parties and others (No. 2)

‘In Schedule 19B of the Political Parties, Elections and Referendums Act 2000 (Power to require disclosure), after paragraph 10 (documents in electronic form) insert—

‘10A (1) This paragraph applies to the following organisations and individuals—

(a) a recognised third party (within the meaning of Part 6);

(b) a permitted participant (within the meaning of Part 7);

(c) a regulated donee (within the meaning of Schedule 7);

(d) a regulated participant (within the meaning of Schedule 7A);

(e) a candidate at an election (other than a local government election in Scotland);

(f) the election agent for such a candidate;

(g) an organisation or individual formerly falling within any of paragraphs (a) to (f); or

(h) the treasurer, director, or another officer of an organisation to which this paragraph applies, or has been at any time in the period of five years ending with the day on which the notice is given.

(2) The Commission may under this paragraph issue at any time a targeted dissemination disclosure notice, requiring disclosure of any settings used to disseminate material which it believes were intended to have the effect, or were likely to have the effect, of influencing public opinion in any part of the United Kingdom, ahead of a specific election or referendum, where the platform for dissemination allows for targeting based on demographic or other information about individuals, including information gathered by information society services.

(3) This power shall not be available in respect of registered parties or their officers, save where they separately and independently fall into one or more of categories (a) to (h) of sub-paragraph (1).

(4) A person or organisation to whom such a targeted dissemination disclosure notice is given shall comply with it within such time as is specified in the notice.’’

This new clause would amend the Political Parties, Elections and Referendums Act 2000 to allow the Electoral Commission to require disclosure of settings used to disseminate material where the platform for dissemination allows for targeting based on demographic or other information about individuals.

New clause 10—Automated decision-making concerning a child

‘(1) Where a data controller expects to take a significant decision based solely on automated processing which may concern a child, the controller must, before such processing is undertaken—

(a) deposit a data protection impact assessment with the Commissioner, and

(b) consult the Commissioner (within the meaning of Article 36 of the GDPR), regardless of measures taken by the controller to mitigate any risk.

(2) Where, following prior consultation, the Commissioner does not choose to prevent processing on the basis of Article 58(2)(f) of the GDPR, the Commissioner must publish the part or parts of the data protection impact assessment provided under subsection (1), relevant to the reaching of that decision.

(3) The Commissioner must produce and publish a list of safeguards to be applied by data controllers where any significant decision based solely on automated processing may concern a child.

(4) For the purposes of this section, the meaning of “child” is determined by the age of lawful processing under Article 8 of the GDPR and section 9 of this Act.’

New clause 11—Education: safe use of personal data

‘(1) The Children and Social Work Act 2017 is amended as follows.

(2) In section 35 (other personal, social, health and economic education), after subsection (1)(b) insert—

‘(1A) In this section, “personal, social, health and economic education” shall include education relating to the safe use of personal data.’’

This new clause would enable the Secretary of State to require that personal information safety be taught as a mandatory part of the national PSHE curriculum.

New clause 12—Health bodies: disclosure of personal data

‘(1) In section 261 of the Health and Social Care Act 2012 (Health and Social Care Information Centre: dissemination of information) after subsection (5) insert—

‘(5A) A disclosure of personal data may be made under subsection (5)(e) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(5B) In subsection (5A)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences Against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(2) In section 13Z3 of the National Health Service Act 2006 () at the end insert—

‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(4) In subsection (3)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(3) In section 14Z23 of the National Health Service Act 2006 (clinical commissioning groups: permitted disclosure of information) at the end insert—

‘(3) A disclosure of personal data may be made under subsection (1)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(4) In subsection (3)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’

(4) In section 79 of the Health and Social Care Act 2008 (Care Quality Commission: permitted disclosures) after subsection (3) insert—

‘(3A) A disclosure of personal data may be made under subsection (3)(g) only if it is made—

(a) to and at the request of a member of a police force, and

(b) for the purpose of investigating a serious offence.

(3B) In subsection (3A)—

“personal data” has the meaning given by section 3 of the Data Protection Act 2018;

“police force” means—

(a) a police force within the meaning of section 101 of the Police Act 1996, and

(b) an equivalent force operating under the law of any Part of the United Kingdom or of another country; and

“serious offence” means—

(a) a serious offence within the meaning of Part 1 of Schedule 1 to the Serious Crime Act 2007,

(b) an offence under the Offences against the Person Act 1861, the Sexual Offences Act 2003, the Explosive Substances Act 1883, the Terrorism Act 2000 or the Terrorism Act 2006, and

(c) the equivalent of any of those offences under the law of any Part of the United Kingdom or of another country.’’

This new clause would prevent personal data held by the NHS from being disclosed for the purpose of the investigation of a criminal offence unless the offence concerned is serious, which is consistent with the NHS Code of Confidentiality and GMC guidance on confidentiality. It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials.

New clause 24—Safeguards on the transfer of data for lethal force operations overseas

‘(1) A transferring controller may not make any transfer of personal data outside the United Kingdom under Part 4 of this Act where—

(a) the transferring controller knows, or should know, that the data will be used in an operation or activity that may involve the use of lethal force, and

(b) there is a real risk that the transfer would amount to a breach of domestic law or an internationally wrongful act under international law.

(2) Where the transferring controller determines that there is no real risk under subsection (1)(b), the transfer is not lawful unless—

(a) the transferring controller documents the determination, providing reasons, and

(b) the Secretary of State has approved the transfer in writing.

(3) Any documentation created under subsection (2) shall be provided to the Information Commissioner and the Investigatory Powers Commissioner within 90 days of the transfer.

(4) A “transferring controller” is a controller who makes a transfer of personal data outside the United Kingdom under Part 4 of this Act.

(5) For the purposes of subsection (1)(b),

(c) “domestic law” includes, but is not limited to,

(i) soliciting, encouraging, persuading or proposing a murder contrary to section 4 of the Offences Against the Person Act 1861,

(ii) conspiracy to commit murder contrary to section 1 or 1A of the Criminal Law Act 1977,

(iii) aiding, abetting, counselling, or procuring murder contrary to section 8 of the Accessories and Abettors Act 1861,

(iv) offences contrary to section 44, 45 and 46 of the Serious Crime Act 2007,

(v) offences under the International Criminal Court Act 2001.

(d) “International law” includes, but is not limited to, Article 16 of the 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts.

(6) The Secretary of State must lay before Parliament, within six months of the coming into force of this Act, guidance for intelligence officers on subsections (1) and (2).

(7) The Secretary of State must lay before Parliament any subsequent changes made to the guidance reported under subsection (6) within 90 days of any changes being made.’

Amendment 18, in clause 7, page 5, line 24, after “subsections” insert “(1A),”.

Government amendment 22.

Amendment 19, page 5, line 24, at end insert—

‘(1A) A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—

(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or

(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).’

Government amendments 23 and 24.

Amendment 4, in clause 10, page 6, line 37, leave out subsections (6) and (7).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 5, in clause 14, page 8, line 11, at end insert—

‘(2A) A decision that engages an individual’s rights under the Human Rights Act 1998 does not fall within Article 22(2)(b) of the GDPR (exception from prohibition on taking significant decisions based solely on automated processing for decisions that are authorised by law and subject to safeguards for the data subject’s rights, freedoms and legitimate interests).

(2B) A decision is “based solely on automated processing” for the purposes of this section if, in relation to a data subject, there is no meaningful input by a natural person in the decision-making process.’

This amendment would ensure that where human rights are engaged by automated decisions these are human decisions and provides clarification that purely administrative human approval of an automated decision does make an automated decision a ‘human’ one.

Amendment 6, page 9, line 36, leave out clause 16.

This amendment would remove delegated powers that would allow the Secretary of State to add further exemptions.

Government amendment 143.

Amendment 7, in clause 35, page 22, line 14, leave out subsections (6) and (7).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 151, in clause 49, page 30, line 19, at end insert—

‘(1A) A controller may not take a significant decision based solely on automated processing if that decision affects the rights of the data subject under the Human Rights Act 1998.’

Amendment 2, in clause 50, page 30, line 28, at end insert—‘and

(c) it does not engage the rights of the data subject under the Human Rights Act 1998.’

This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.

Amendment 8, in clause 86, page 51, line 21, leave out subsections (3) and (4).

This amendment would remove delegated powers that would allow the Secretary of State to vary the conditions and safeguards governing the general processing of sensitive personal data.

Amendment 3, in clause 96, page 56, line 38, after “law” insert—

‘unless the decision engages an individual’s rights under the Human Rights Act 1998.’

This amendment would ensure that automated decisions should not be authorised by law if they engage an individual’s human rights.

Amendment 9, page 63, line 27, leave out clause 113.

This amendment would remove delegated powers that would allow the Secretary of State to create new exemptions to Part 4 of the Bill.

Government amendments 25 to 37.

Amendment 20, in clause 144, page 81, line 11, leave out “7 days” and insert “24 hours”.

This amendment would reduce from 7 days to 24 hours the minimum period which must elapse before a controller or processor has to comply with an assessment notice which has been issued by the Commissioner and which the Commissioner has stated should be complied with urgently.

Government amendments 38 to 71.

Government new schedule 3—Transitional provision etc.

New schedule 1—Bill of Data Rights in the Digital Environment—

‘The UK recognises the following Data Rights:

Article 1—Equality of Treatment

Every data subject has the right to fair and equal treatment in the processing of his or her personal data.

Article 2—Security

Every data subject has the right to security and protection of their personal data and information systems.

Access requests by government must be for the purpose of combating serious crime and subject to independent authorisation.

Article 3—Free Expression

Every data subject has the right to deploy his or her personal data in pursuit of their fundamental rights to freedom of expression, thought and conscience.

Article 4—Equality of Access

Every data subject has the right to access and participate in the digital environment on equal terms.

Internet access should be open.

Article 5—Privacy

Every data subject has the right to respect for their personal data and information systems and as part of his or her fundamental right to private and family life, home and communications.

Article 6—Ownership

Every data subject has the right to own and control his or her personal data.

Every data subject is entitled to proportionate share of income or other benefit derived from his or her personal data as part of the right to own.

Article 7—Control

Every data subject is entitled to know the purpose for which personal data is being processed. Data controllers should not deliberately extend the gathering of personal data solely for their own purposes. Government, corporations, public authorities and other data controllers must obtain meaningful consent for the use of people’s personal data. Every data subject has the right to own curate, move, revise or review their personal data.

Article 8—Algorithms

Every data subject has the right to transparent and equal treatment in the processing of his or her personal data by an algorithm or automated system.

Every data subject is entitled to meaningful human control in making significant decisions – algorithms and automated systems must not be deployed to make significant decisions.

Article 9—Participation

Every data subject has the right to deploy his or her personal data and information systems to communicate in pursuit of the fundamental right to freedom of association.

Article 10—Protection

Every data subject has the right to safety and protection from harassment and other targeting through use of personal data whether sexual, social or commercial.

Article 11—Removal

Every data subject is entitled to revise and remove their personal data.

Compensation

Breach of any right in this Bill will entitle the data subject to fair and equitable compensation under existing enforcement provisions. If none apply, the Centre for Data Ethics will establish and administer a compensation scheme to ensure just remedy for any breaches.

Application to Children

The application of these rights to a person less than 18 years of age must be read in conjunction with the rights set out in the United Nations Convention on the Rights of the Child. Where an information society service processes data of persons less than 18 years of age it must do so under the age appropriate design code set out in section 123 of this Act.’

Government amendments 72 and 73.

Amendment 16, in schedule 2, page 140, line 15, at end insert—

‘(1A) The exemption in sub-paragraph (1) may not be invoked in relation to offences under—

(a) sections 24, 24A, 24B or 24C of the Immigration Act 1971,

(b) section 21 of the Immigration, Asylum and Nationality Act 2006, or

(c) sections 33A and 33B of the Immigration Act 2014.’

Amendment 15, page 141, line 17, leave out paragraph 4.

Government amendments 141 and 142.

Amendment 10, page 152, line 24, leave out paragraph 19 and insert—

‘19 The listed GDPR provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 139, 74 and 75.

Amendment 11, in schedule 11, page 196, line 39, leave out paragraph 9 and insert—

‘9 The listed provisions do not apply to personal data that consists of information which is protected by legal professional privilege or the duty of confidentiality.’

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 140 and 76 to 80.

Amendment 21, in schedule 15, page 206, line 11, at end insert—

‘(1A) A warrant issued under subparagraph (1)(b) or (1)(c) of this paragraph does not require any notice to be given to the controller or processor, or to the occupier of the premises.’

This amendment would make it clear that a judge can issue a warrant to enter premises under subparagraphs 4(1)(b) or 4(1)(c) without the Commissioner having given prior notice to the data controller, data processor or occupier of premises.

Government amendments 81 to 85.

Amendment 12, page 208, line 13, leave out

“with respect to obligations, liabilities or rights under the data protection legislation”.

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Amendment 13, page 208, line 21, leave out from “proceedings” to the end of line 23.

This amendment would ensure that both legal professional privilege and confidentiality are recognised within the legislation.

Government amendments 86 to 138.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I shall start by addressing the Government amendments—[Interruption.]

Baroness Laing of Elderslie Portrait Madam Deputy Speaker (Mrs Eleanor Laing)
- Hansard - -

Order. Will people who are leaving the Chamber please do so quietly? The Minister is making an important speech and people want to hear it. It is just rude to make a noise—unless you happen to be in the Chair.

Margot James Portrait Margot James
- Hansard - - - Excerpts

I propose to start my remarks by addressing the Government amendments to strengthen the powers of the Information Commissioner.

The investigation of the Information Commissioner’s Office into Cambridge Analytica is unprecedented in its scale and complexity. It has, necessarily, pushed the boundaries of what the drafters of the Data Protection Act 1998 and the parliamentarians who scrutinised it could have envisaged. Although we recognise that the Bill already expands and enhances the commissioner’s ability to enforce the requirements of the data protection legislation in such circumstances, the Government undertook to consider whether further provision was desirable in the light of the commissioner’s experience. Following extensive discussions with the commissioner and in Committee, we concluded that such provision is desirable. Our amendments will strengthen the commissioner’s ability to enforce the law, while ensuring that she operates within a clear and accountable structure. I will give a few examples.

First, amendments 27 and 28 will allow the commissioner to require any person who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. That might be important where, for example, a former employee has information about the organisation’s processing activities.

Secondly, new clause 13 will allow the commissioner to apply to the court for an order to force compliance when a person fails to comply with a requirement to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.

Thirdly, amendments 30 and 45 will allow the commissioner to require controllers to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. Amendment 38 will allow the commissioner, in certain circumstances, to issue an assessment notice that can have immediate effect. Those amendments will allow the commissioner to obtain information about a suspected breach or put a stop to high-risk processing activities in a prompt and effective way. They will also allow her to carry out no-notice inspections without a warrant in certain circumstances.

Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the commissioner’s investigation.

Finally, we have taken this opportunity to modernise the commissioner’s powers. Storing files on an office server is rapidly becoming a thing of the past. Amendment 79 will enable the commissioner to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.

When strengthening the commissioner’s enforcement powers, we have been mindful of the need to provide appropriate safeguards and remedies for those who find themselves under investigation. For example, when an information, assessment or enforcement notice containing an urgency statement is served on a person, new clause 15 will allow them to apply to the court to disapply the urgency statement. In effect, they will have a right to apply to the court to vary the timetable for compliance with the order. A court considering an application from the commissioner for an information order will be able to take into account all the relevant circumstances at the time, including whether an application has been brought by the person concerned under new clause 15 and whether the person has brought an appeal against the notice itself in the tribunal. These amendments have been developed in close liaison with the Information Commissioner. We are confident that they will give her the powers she needs to ensure that those who flout the law in our increasingly digital age are held to account for their actions.

I now turn to the representation of data subjects. I am very grateful to Baroness Kidron for her continued engagement on this subject. In particular, we agree that children merit special protection in relation to their personal data and that the review the Government will undertake shall look accordingly at the specific barriers young people and children face in enforcing their rights. Government new clause 16, as well as amendments 61, 62, 63, 70 and 75, ensures that they will.

 Government new clause 17 concerns maintaining contact with ex-regular reserve forces. This will allow Her Majesty’s Revenue and Customs to share contact detail information with the Ministry of Defence to ensure that the MOD is better able to locate and contact members of the ex-regular reserve.

New clause 12, on data sharing by health bodies, is in the name of my hon. Friend the Member for Totnes (Dr Wollaston), who chairs the Health and Social Care Committee. I know she and the Committee have significant and legitimate concerns about the operation of the memorandum of understanding between NHS Digital and the Home Office, which currently allows the sharing of non-clinical information, principally address information, for immigration purposes. The Select Committee has argued for the suspension of the MOU pending the outcome of a review of its impact by Public Health England. New clause 12 seeks to adopt a more long-term approach by narrowing the ability of NHS Digital to disclose information in connection with the investigation of criminal offences. The aim is to narrow the MOU’s scope, so that it only facilitates the exchange of personal data in cases involving serious criminality.

The Government have reflected further on the concerns put forward by my hon. Friend and her Committee. As a result, and with immediate effect, the data sharing arrangements between the Home Office and the NHS have been amended. This is a new step and it supersedes the position set out in previous correspondence between the Home Office, the Department for Health and Social Care and the Select Committee.

I know my hon. Friend and her colleagues have been particularly exercised by the contents of a letter dated 23 February from both the above-mentioned Departments to her Select Committee, in which it is stated that

“a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in exercise of their lawful powers”.

The bar for sharing data will now be set significantly higher. By sharing, I mean sharing between the Department of Health and Social Care, the Home Office and, in future, possibly other Departments. No longer will the names of overstayers and illegal entrants be sought against health service records to find current address details. The data sharing, relying on powers under the Health and Social Care Act 2012, the National Health Service Act 2006 and the Health and Social Care Act 2008, will only be used to trace an individual who is being considered for deportation action having been investigated for, or convicted of, a serious criminal offence that results in a minimum sentence of at least 12 months in prison.

The Government have a long-held policy on what level of serious criminality is deserving of deportation, given statutory force by the UK Borders Act 2007. When a custodial sentence of more than 12 months has been given, consideration for deportation must therefore follow. Henceforth, the Home Office will only be able to use the memorandum of understanding to trace an individual who is being considered for deportation action having been convicted of a serious criminal offence, or when their presence is considered non-conducive to the public good—for example, when they present a risk to public security but have yet to be convicted of a criminal offence.

--- Later in debate ---
Liam Byrne Portrait Liam Byrne
- Hansard - - - Excerpts

On a point of order, Madam Deputy Speaker. We are being invited to pass an important piece of legislation which hands important new powers to Her Majesty’s Home Office, yet there is not a Home Office Minister on the Front Bench to respond to the points that we are making about the details of that legislation. What steps can we take to summon a Home Office Minister this afternoon, so that our questions can be answered?

Baroness Laing of Elderslie Portrait Madam Deputy Speaker (Mrs Eleanor Laing)
- Hansard - -

I understand the right hon. Gentleman’s point of order, but the fact is that the Minister, who is a very capable Minister, speaks for the Government, who are seamless. The Minister who is currently at the Dispatch Box is in a position to speak for all Ministers on this matter, which is why she has this responsibility and is responding to the questions that are currently being asked of her.

Margot James Portrait Margot James
- Hansard - - - Excerpts

Thank you, Madam Deputy Speaker. I might as well give way to the right hon. Member for Kingston and Surbiton (Sir Edward Davey) now.

--- Later in debate ---
Baroness Laing of Elderslie Portrait Madam Deputy Speaker (Mrs Eleanor Laing)
- Hansard - -

Order. We have only 40 minutes left to debate this group and around 10 Members wish to speak. If everybody speaks for four to five minutes, everybody will get in; if not, some people will not get to speak at all.

Sarah Wollaston Portrait Dr Sarah Wollaston (Totnes) (Con)
- Hansard - - - Excerpts

I rise to speak to new clause 12, which was tabled in my name, that of my colleague, the hon. Member for Stockton South (Dr Williams), and those of other members of the Health and Social Care Committee and Members from all parties.

I wish to speak about the importance of medical confidentiality, because it lies at the heart of the trust between clinicians and their patients, and we mess with that at our peril. If people do not have that trust, they are less likely to come forward and seek the care that they need. There were many unintended consequences as a result of the decision enshrined in a memorandum of understanding between the Home Office, the Department of Health and NHS Digital, which allowed the sharing of addresses at a much lower crime threshold than serious crime. That was permitted under the terms of the Health and Social Care Act 2012, but patients were always protected, in effect, because the terms of the NHS constitution, the guidance from the General Medical Council and a raft of guidance from across the NHS and voluntary agencies protected the sharing of data in practice.

This shift was therefore particularly worrying. There were many unintended consequences for the individuals concerned. The Health and Social Care Committee was also deeply concerned about the wider implications that this might represent a shift to data sharing much more widely across Government Departments. There was a risk, for example, that the Department for Work and Pensions might take an interest in patients’ addresses to see whether people were co-habiting for the purpose of investigating benefit fraud. There was a really serious risk of that.

I am afraid that the letter that we received from the Department of Health and Social Care and the Home Office declining to withdraw from the memorandum of understanding made the risk quite explicit. I would just like to quote from the letter, because it is very important. I also seek further clarification from the Minister on this. The letter states that

“it is also important to consider the expectations of anybody using the NHS—a state provided national resource. We do not consider that a person using the NHS can have a reasonable expectation when using this taxpayer-funded service that their non-medical data, which lies at the lower end of the privacy spectrum, will not be shared securely between other officers within government in the exercise of their lawful powers in cases such as these.”

I profoundly object to that statement. There was no such contract in the founding principles of the NHS. As I have said, it is vital that we preserve that fundamental principle of confidentiality, including for address data. I was delighted to hear the Minister’s words at the Dispatch Box, but can she just confirm for me absolutely that that statement has now been superseded?