Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 Debate

Full Debate: Read Full Debate
Department: Department for Business, Energy and Industrial Strategy
Monday 2nd July 2018

(6 years, 4 months ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
None Portrait The Chair
- Hansard -

Contrary to my normal practice—I am a small “c” conservative about this—I will reluctantly allow gentlemen to remove their jackets, if they wish.

Gordon Marsden Portrait Gordon Marsden (Blackpool South) (Lab)
- Hansard - -

I beg to move,

That the Committee has considered the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (S.I. 2018, No. 607).

It is a great pleasure to serve under your chairmanship, Mr Gray. Thank you for your radical innovation, although I will keep my jacket on out of respect for the Chair.

I welcome the opportunity for the Committee finally to discuss the regulations, because, as may be apparent in what I say, they have caused considerable concern in respect of student protections and in particular the way in which they rather blithely appear to allow the sharing of private data, particularly with private companies. That is not easily explained by the so-called explanatory memorandum, although I await enlightenment from the Minister, and the purposes for which the data may be used remain rather open and vague.

Last autumn, the then Minister for Digital and the Creative Industries, who is now the Secretary of State for Digital, Culture, Media and Sport, spoke about the importance of giving the public more control over their data under new UK data protection laws, with the introduction of the Data Protection Bill. However, the lack of transparency in the regulations does not indicate that that was even considered, at least in spirit, by the Department for Education, or indeed the Universities Minister, who is here to respond.

Just weeks after the Government made a fanfare about the new Data Protection Act 2018, which was supposed to give people more control over their data and how it is used, they are passing regulations into law that could ride roughshod over students’ data rights. The regulations were to have been rushed through Parliament in three weeks—including the Whitsun recess—under the negative procedure. In fact, this statutory instrument came into effect without scrutiny, which is not uncommon in this House, but on the whole ought to be avoided, particularly in such sensitive areas. Only when the Opposition tabled an early-day motion to pray against the regulations and the shadow Leader of the House, my hon. Friend the Member for Walsall South (Valerie Vaz) raised the matter at business questions did we finally get this debate.

It is disappointing that the Government tried to force the regulations through using the negative procedure, because as paragraph 7.1 of the explanatory memorandum confirms:

“The enabling legislation for HEFCE did not restrict cooperation or information sharing in the same way as the Act does for the OfS.”

Given that the Office for Students will operate a very different structure from the Higher Education Funding Council for England, why did we not have an automatic right to debate the regulations?

On 13 October 2016, at the 12th sitting of the Higher Education and Research Bill Committee, my hon. Friend the Member for City of Durham (Dr Blackman-Woods) and I raised significant concerns about how students’ personal data might be handled under the new structures. In discussing what at the time were clauses 71 and 72, I said:

“these clauses would give the state access to all university applicants’ full data in perpetuity, for users who would only be defined as ‘researchers’ and without ‘research’ being defined at all; that might be capable of being changed under the direction of the Secretary of State. Therefore”—

this is the generic point that I wish to address in the context of the regulations—

“there are significant concerns that the safeguards need to be stronger to ensure that the clauses are not misused by others and that scope changes are not made in the future.”

I went on to say that, under those proposals,

“there is a possibility that the entire nation’s education data from the age of two to 19 could be joined to university data, which of course is then joined to Her Majesty’s Revenue and Customs”,

and so on.[Official Report, Higher Education and Research Public Bill Committee, 13 October 2016; c. 455.]

I also said during that sitting that this is a complex and difficult area, but if there are genuine, legitimate concerns, the precautionary principle should generally apply. I still hold to that principle. However, the Government are underpinning the regulations without that automatic assessment. They are passing the regulations seemingly without doing a data protection impact assessment or a human rights assessment, which would have considered privacy. Will the Minister confirm that the regulations will go through a privacy impact assessment and an assessment of their impact on human rights, and if not, why not?

Our questions over the regulations are particularly important in the current climate, in which the public have high concerns around personal data exploitation by large companies and publicly produced assets being passed into commercial hands. The lack of limitation in the type of data that may be shared under the regulations runs contrary to what 37,000 students told a UCAS survey in 2015. Applicants’ responses showed an overwhelming preference for remaining in direct control of their personal data, with 90% agreeing—more than 20 times the number who disagreed—that they should be asked in some shape or form before their personal data was provided. That number is likely to have increased in the time since the survey, given that concerns about data sharing have been spread more widely across the mainstream media. It is therefore no wonder that the vice-president of higher education at the National Union of Students, Amatey Doku, has expressed his concern that

“a decision for OfS to share students’ data with third parties was being snuck through parliament.”

We now have the opportunity to look at what is actually being said. In that context, part 5 of the Digital Economy Act 2017 removed horizontal data-sharing safeguards between Government Departments or bodies, meaning that, once students’ data has been provided, via the course provider, to Pearson or the OFS—both are named in the regulations—that data may be shared with any number of other bodies. How is a student or staff member supposed to be able to understand where their personal data has been processed? Under the general data protection regulation and the new Data Protection Act 2018, what is it within their rights to know? I would be grateful if the Minister could explain that relatively briefly and, if he cannot, perhaps he will write to members of the Committee.

It is to the Minister’s credit that he has made a great play of being the Minister for students since he came into post. He went on a listening tour of universities—

Gordon Marsden Portrait Gordon Marsden
- Hansard - -

I apologise. I look forward to further details of the Minister’s travels through the summer and into the autumn. However, the point is well made. The Minister has been on that listening tour and has said that he wants to engage with students about all their concerns, yet he has failed to engage with one of their concerns—student data protection, as I have just described —when arguably the effect of the regulations will be to leave that data open to exploitation. The Committee needs proper and clear assurances on that.

In view of those concerns, I tabled a series of written questions on the implications of the regulations last week, even before the Committee had been scheduled. The Minister replied that section 63 of the Higher Education and Research Act 2017, to which the regulations refer,

“does not place limitations on the type of information that may be provided, and therefore it could include personal data.”

That is extremely concerning and has the potential to be misused. The response went on to say:

“These regulations allow data sharing, they do not oblige it. In practice, the OfS considers that it is unlikely that personal data would routinely be shared with non-government bodies under these regulations. They are in place for circumstances where the OfS or the organisation has identified serious concerns (such as fraud or malpractice) by a provider or its students.”

The particular examples that were listed are reasonable, but frankly that is not enough to ensure that the general principle holds. It is not adequate to say, “As you were.” This is a new organisation that is still finding its feet and it is not operating to HEFCE criteria, as the explanatory memorandum explains and as the Minister’s predecessor, the hon. Member for Orpington (Joseph Johnson), was at pains to emphasise throughout the passage of the Bill. Safer and stronger safeguards are needed.

I was also disappointed at the answer the Minister gave to a further question I asked about whether his Department had consulted universities, student bodies or UCAS on the powers relating to confidential data that are conferred under the regulations. Despite my being quite specific in that question, the Minister and his civil servants—who presumably drafted the answer—failed to answer it. They responded:

“Policy officials have worked closely with colleagues in the Office for Students (OfS) to determine what historical, and new, information sharing requirements may be required to ensure the OfS can do its job well, including protecting the interest of students and taxpayers. Officials and Ministers have regular meetings and interactions with universities and student bodies, and work closely with UCAS.”

Observant members of the Committee will note that there is no causal relationship between that last sentence and the previous one. I hope my concerns are unjustified and that I am being ungenerous on this occasion, but will the Minister let me know if his Department specifically consulted UCAS or the NUS on the issues in the statutory instrument before passing it?

When the Minister was made aware—if, indeed, he was made aware—of the strong concerns and sentiments about student data, he could have instructed his officials to redraft the statutory instrument to list the specific types of information that may be shared with each organisation listed. What specific guarantees is he prepared to give now—or in writing to the Committee, if he wishes—to assuage the strong legitimate concerns about this process? Surely the processes and purposes should be explicit, necessary and proportionate, and should have regard to the capacity of the organisation. For example, Pearson is a provider of higher national certificate and higher national diploma exams. It should be specified why the weights and measures body will receive information and what information it may receive. The Student Loans Company and HMRC are also named in the schedule as relevant persons to receive this data. Similarly, it should be set out explicitly why that is a necessity. Can the Minister assure us that the data will be used for narrowly administrative purposes, or will it be available for other uses?

As the responses to my written questions also noted, the collaboration agreements have not yet been published. Will the Minister tell us when they are likely to be published? There seem to be no plans to publish the data-sharing agreements, as was confirmed in the answer to written question 156351. Why is that the case? The crux of the matter is that it should be fundamental to transparency that if there are no commercial consequences of the statutory instrument—as I understand officials have tried to reassure people—the Government do not have the usual excuse or option of praying in aid commercial confidentiality to conceal the agreement.

As the organisers of the lobby group DefendDigitalMe said prior to this Committee, data-sharing agreements made in secret with the Department for Education do not have a recent good track record. The data-sharing agreements that were made secret in July 2015 were discovered only by civil society campaigners, who had to fight for their release for six months. They revealed the monthly arrangement that still continues—the sharing of children’s names, home addresses, gender and dates of birth for the purposes of immigration enforcement and specifically to support the hostile environment. I say that not to imply that the regulations will be used in any shape or form for those purposes, but it demonstrates why there should be a low level of trust in how Departments use such personal data.

Despite the Information Commissioner having told the DFE that collecting governors’ nationality data, which began in 2016, was excessive, that it should respect the data protection principles of necessity and proportionality, and that it should end that collection, it continues to do so. I am obliged, therefore, to ask the Minister whether he or his Department has spoken to the Information Commissioner’s Office about the requirements for the regulator in respect of the types of data that may be shared through the regulations. If he has not, will he do so very soon so that the implications for all students can be known?

To preserve public and professional trust, the use of personal data from the sector must be transparent and safe, and alert to the future. We must prevent third-party prescribed persons from being exploited by mission creep by Government Departments, without any reference to safeguards. The powers in the information duties of section 64 of the 2017 Act permit the bodies to share data with the Government, and explicitly with the Secretary of State for Education. Will data be passed from Pearson, for example, to other Departments, and if so, which ones? What are the boundaries of the information? That should surely be set out in legislation. If the safeguards are not on a statutory footing, there is limited value in any assurance, whether from this Minister or any other Minister, that the use of potentially named records will not be changed at the whim of policy or by a future Government.

It is unclear whether what the Department is doing is necessary to create a new and very broad legal basis for the purposes of data sharing—compared with, say, a contract—or whether it is seeking to legitimise existing data-sharing practices around the denial of funding, which may previously have avoided scrutiny.

The other concern raised with us by DefendDigitalMe, a non-partisan data privacy and digital rights group led by parents and teachers, is that the track record in the US of Pearson, one of the organisations to which this information will be supplied, has included selling student data as part of company assets. Such data could be used in predictive tools to exclude certain students from certain UK institutions and courses, or unduly to influence applicants’ decision making and choices, based on Pearson’s corporate values and view of the world. That might not be a view that I or the Minister share, but it is a legitimate concern to raise.

People in third-party organisations and in the Government change and move on. What is left standing, however, is the legisation. How the information is used will depend not on what is said, but on what the legislation says. This knowledge could potentially give unprecedented commercial access to confidential student data, and with it knowledge of the potential access routes into education, course content, and completion and destination data. If that happens, it could constitute preferential treatment and give enormous commercial and competitive advantage over other companies. How will the Government prevent that in practice, having passed this statutory instrument, now and in the future? Why have other bodies not been afforded the same privilege?

Pearson has suggested that it will share personal data with the OFS when its stakeholders have identified red flags or serious concerns, such as fraud or malpractice by a provider or its students. That data sharing is from Pearson to the OFS. Why is a data-sharing agreement necessary and proportionate for that purpose?

I also have severe concerns about sharing data with the Student Loans Company, after its well-publicised problems in the past year. While I appreciate that there is a need for it in certain extreme circumstances where there is potential fraudulent activity, there are significant worries about its capability appropriately to handle this data. I think it is legitimate for us to raise continuing concerns about its capacity to handle further responsibility in the context of this statutory instrument.

The Minister will be well aware that the Student Loans Company has recently been subjected to a scathing report by the National Audit Office on its organisational and management failings. As far as I am aware, the Student Loans Company, despite the allegations about the management and leadership of the previous chief executive, whose contract was terminated, still does not have a permanent chief executive. Will the Minister update us on the recruitment process?

The lack of proper co-operation between the SLC and HMRC has also led to significant overpayments of debts by students. That is part of an ongoing trend in which the amount being overpaid by graduates increases year on year. The Student Loans Company also left a number of student nurses in a difficult financial situation earlier this year. I make all these points, Mr Gray, because they reflect strongly on whether the safeguards in the statutory instrument are appropriate to all the various organisations. What guarantees can the Minister give the Committee about this process?

We do not intend to oppose the regulations, because we understand that there are aspects of them that simply cannot be brought to a halt, but we have grave misgivings about the way in which they have been presented and the rather cavalier way in which assurances have been given. We look to the Minister to come back with significant assurances, either today or subsequently. My final question to him is whether there is any proposal to review the effectiveness or otherwise of the regulations. I would have preferred it if there had been a sunset clause in the regulations, but we do not have the ability to insert one.

--- Later in debate ---
Gordon Marsden Portrait Gordon Marsden
- Hansard - -

I thank the Minister for giving those details and the courteous way in which he addressed my concerns. He says, perfectly reasonably, that the regulations will allow the OFS to do its job well and to give firmer, greater protections. The Opposition would not argue with that in any shape or form. However, the devil is in the detail and there is still a question mark over how effective the OFS will be in progressing these matters. Only time will tell. To say that the OFS is “not obliged” to share leaves a very grey area. After all, on the whole, legislation is supposed to be based on the principle of what might go wrong, rather than that of what might go right, and it should at least give clear, strong safeguards. There is some way to go in that respect.

It was good to hear the Minister’s assurance that information sharing will be subject to data protection laws and, indeed, the general data protection agreements with which we have all been grappling in recent weeks. They came into effect in May, whereas the Act to which the statutory instrument applies was set in place 18 months ago or more, so it remains perfectly legitimate to scrutinise the extent to which that Act is consonant with those provisions.

I hope that the Minister’s comments about HND and HNC qualifications with Pearson will be of some comfort to those concerned. He said there has been no specific contact with the OFS and UCAS, which I still think is an omission. He also said that it is for the OFS to discuss such matters with the Information Commissioner as and when it embarks on the process, but that would be a little late in the day. Given the importance of the issue and the way in which it will develop, not least with the expansion of the digital transmission of data, I would have thought it important that his departmental officials should, at least at some point, have had conversations with the Information Commissioner. I may take that up separately with the Information Commissioner.

I still believe that the privacy impact assessment should have assessed human rights and that the issue will require considerable scrutiny. Of course, that will have to be applied by other Committees of the House, not this one. With those words, I confirm that we will not oppose the measure.

Question put and agreed to.

Resolved,

That the Committee has considered the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (S.I. 2018, No. 607).