(8 years ago)
Public Bill CommitteesIt has been a couple of days since we last met, but my hon. Friend the Member for Sheffield, Heeley made a very important point in her speech regarding where we should look for best practice. The UK is one of the Digital 5, and she brought up Estonia as a country that, when we consider big data, we should reflect on. In dealing with the Bill, we are casting our eye around to see how we can manage big data, personal information, between public bodies. She made the valid point that a fundamental question seems to run throughout the Bill and the clause: does the individual own the information or does the state own it? Because the Government have taken the view, unlike what happens in Estonia, that the state owns the information, we have a series of such clauses. We are primarily trying to find a way to balance the rights of the individual, while the state retains ownership of the information in any form, but, particularly as we move forward, in digital form; that is what I am concerned about.
Let me explain what is done in Estonia and why the Bill in years to come will probably need to be usurped by a new Bill. Estonia has transferred the ownership of data from the state to the individual. When the individual owns the data, there is no need for these complex fudges to try to find a way in which people’s privacy and the integrity of data can be respected, while ownership remains with an umbrella organisation.
The criticism that I make to the Government, and my hon. Friend’s point, is that a fundamental rethink or reset will have to occur at some point because of what is missing from the Bill and the clause. It talks about public bodies, but the Government do not address in this or any other clause the fact that private corporations hold enormous amounts of personal data on people and the ownership of that lies with them, not with the individual. That is why the point that she made was so pertinent. The ownership of data should lie with the individual. As a country, as a nation, we should be looking to transfer that ownership. That is why we cannot address what happens in the private sector. Absent from the Bill are any clauses or even subsections tackling data and information in the private sector. It is solely about the public sector and trying to square off those conundrums and contradictions.
The Government have missed an opportunity to empower people and to be on the side of the individual, the ordinary person, who feels disempowered by all this. They are on the side of big government and, by absence, of big corporations, which in my view is a fundamentally flawed position. That question was asked in Estonia, and it is why it reversed the answer: ownership should lie with the individual.
I can see the Parliamentary Secretary, Cabinet Office, chatting to the Minister for Digital and Culture, and he will probably provide an answer that talks about a destination, saying that if someone gets on a bus, they only get off at the end destination. We all know that when someone gets on a bus, there are many stops before the destination on the front of the bus. They do not have to go all the way. I presume the Minister will explain why the clause is correct from the Government’s point of view and why my argument is flawed. He will say, “If you are going to empower the individual with data, you would need a national identification card system, as in Estonia. The empowerment of the individual must correlate with a national ID card scheme.”
The Minister will make that argument, but that is like getting on a bus and only being able to get off at the final destination, with a national ID card scheme. No one is saying that. There are many bus stops we can get off at before the end. The issue is not binary, with the place we get on the bus and the place we get off. The destination is not necessarily ID cards. The principle that these are the individuals’ own data should be at the heart of the Bill, and the clause does not represent that. The absence of any mention of the private sector is alarming.
Moving on, I want to touch briefly on another aspect that is missing from the Bill and should be considered. This is the Digital Economy Bill, but it is all about the public sector. There is an absence of any reference to the private sector per se. This part of the Bill deals with the digital economy and the provision of public services. Returning to the Estonia example and empowering the individual, people in Estonia can set up a business or company in three or four minutes online. Where is the pro-business element of the Bill? It is certainly not this clause, which relates to data and information in relation to the state and public bodies. Why can individuals here not set up businesses in four minutes? Why is it not a pro-business Bill? Why does it not talk about business? Nothing in the Bill talks about being pro-business.
The clause is simply about public bodies holding big data, and in that respect, it lives in the past, not the future. I urge the Government to think about the fundamental principles and to not make the argument that the amendments would lead to an ID card system, although Estonia does have ID cards. I would have ID cards tomorrow—it is well known across the patch that I would not be on the list of soggy, wet liberals—but that does not mean that the principle that the individual owns data would lead to ID cards. It does not. I ask the Minister, with all due respect, not to suggest that I am making that argument, because I am not.
The Bill is not pro-business and is fundamentally flawed. The clause is simply about trying to manage all the conflicts and contradictions from yesterday’s age. It does not deal with the future. The Government have fallen short. I emphasise the word “economy” in the Bill’s title—it is not about public services, but the economy. I put that word up in bright lights. Where does the Bill talk about the economy? We are talking about public bodies and public authorities.
That was an impressive Second Reading speech. I am here to speak to amendment 97 and 107.
Not necessarily; that has not been called yet. The amendments have been tabled in the name of the hon. Member for Sheffield, Heeley. She finished her speech on Tuesday, and I put on record my thanks for her impressive scrutiny of the Bill, which she has done almost single-handedly. I note that she made a weighty speech about Concentrix yesterday, so I do not know how she finds the time to sleep. I am sure that it will be noted in the Lords that we have gone through a full process of scrutiny in Committee.
The Government will ensure that citizens can access future Government digital services effectively and securely, while removing the current reliance on paper certificates. That will provide more flexibility and modernise how services are delivered.
Amendment 97 would require registration officials and public authorities requesting information to specify reasons for requiring disclosure. In considering a request to share information under those powers, a registration official would first need to be satisfied that the recipient requires the information to enable them to exercise one or more of their functions.
In her speech on Tuesday, the hon. Lady raised some issues about the Data Protection Act 1998 and said that the Government should set out clearly that it is being honoured, particularly for registration. The hon. Member for Hyndburn talked about fundamental principles, and I can confirm that the Bill’s fundamental principle is its compliance with the Data Protection Act. Data should not be disclosed if to do so would be incompatible with that Act, the Human Rights Act 1998 or part 1 of the Regulation of Investigatory Powers Act 2000.
The Data Protection Act is Magna Carta of the data world, and we want to ensure that all parts of the Bill comply with it. When disclosing information, only minimal information will be provided, in accordance with the requirements of the data recipient.
I thank the hon. Lady for her speech, and I appreciate the caution with which she approaches the subject. We have been determined that our definition of data sharing should be in the ICO’s code of practice, and we have adopted that definition in our own draft code. We will comply with ICO’s best practice, which of course means keeping careful records of all data-sharing agreements. We already keep registers of data sharing by Department, and they are FOI-able. We need to take public confidence with us. We will not allow data to be shared with a public authority that does not have appropriate systems in place.
To reassure those whom the hon. Lady seeks to assure that their data can be shared without any compromise to individual security, I will take a journey through the data sharing code of practice. When we come to establish some of the fraud elements, it will be an incremental process. Debt and fraud data-sharing pilots will be set up, and the UK Government are establishing a review group to oversee UK-wide and England-only data sharing under the fraud and debt powers. The review will be responsible for collating the evidence that will inform the Minister’s review of the operations powers as required under the Bill after three years. Devolved Administrations will establish their own Government structure for the oversight of data-sharing arrangements within their respective devolved territories.
Following that, a request to initiate a pilot under the debt and fraud powers must be sent to the appropriate review groups in the territory, accompanied by a business case. The business case must detail its operational period, the nature of the fraud and debt recovery being addressed, the purpose of the data share and how its effectiveness will be measured. Absolutely rock-solid requirements need to be put in place. For instance, the public service delivery debt and fraud powers require a number of documents to be produced as part of the case for a pilot.
Those documents will be a business case for the data-sharing arrangement, which can be collated by all the organisations involved; data-sharing agreements; and a security plan. Furthermore, as part of any formal data-sharing agreements with public authorities that grant access to information, security plans should include storage arrangements to ensure that information is stored in a robust, proportionate and rigorously tested manner and assurances that only people who have a genuine business need—
The Minister is making an argument to which I would extend my previous comments. He is arguing that there will be security because we will have a data repository—it will inevitably be a single data repository—with secure firewalls around it. However, the architectural principle for which he is arguing is that all data will be kept in one place. From a security perspective, that is the most dangerous way to store data. To return to why Estonia leads the world, there is a distribution—