Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateLord Anderson of Ipswich
Main Page: Lord Anderson of Ipswich (Crossbench - Life peer)Department Debates - View all Lord Anderson of Ipswich's debates with the Department for Science, Innovation & Technology
(7 months, 4 weeks ago)
Grand CommitteeMy Lords, in moving Amendment 225, I will speak to the other amendments in this group. They cover two issues: first, the code of practice, which features in Part 2 of new Schedule 3B, inserted by the Bill into the Social Security Administration Act 1992. Paragraph 6(1) of new Schedule 3B says:
“The Secretary of State may issue a code of practice in connection with account information notices”.
Amendment 225 would change “may” to “must”. Paragraph 6(2) mentions some matters that a code “may” include and Amendment 226 would change that “may” to “must”.
Amendment 227 would ensure that a code of practice includes the criteria to be used by the Secretary of State in determining whether to issue account information notices—I will come back to criteria shortly. Amendment 230 would require the Government to consult on the draft code of conduct with consultees including the Social Security Advisory Committee and organisations that would have to comply with account information notices. Amendment 231 would require the code of practice and any revisions to it to be approved by both Houses of Parliament. The Secretary of State would still be able to withdraw a code of practice, but the ability to issue notices would lapse if no code were in force. Amendments 228, 229 and 232 are consequential.
The other matter covered in this group is how the Government report to Parliament on these notices. Amendment 233 amends new Schedule 3B to provide for annual reporting to Parliament on the use of account information notices. As well as requiring the provision of statistics around the use of such notices during the previous financial year, the amendment would compel the Secretary of State to outline his or her views on the proportionality and effectiveness of notices. I hope that the need for these amendments is self-evident. Ministers are proposing to take new powers of astonishing breadth, which will involve the ability to search the bank accounts of tens of millions of our citizens, most of whom will have done nothing wrong. There is still very little detail about how these powers could be, or will be, used.
I will address two particular sets of issues. The first is criteria. Paragraph 2 of new Schedule 3B explains that banks have to return information about matching accounts. As well as specifying the identity of the account holders, they have to meet certain risk criteria. The Bill, the Explanatory Memorandum and briefings always talk in terms of examples of those criteria, usually around capital limits or time abroad. But my understanding, which may be wrong—I invite the Minister to correct me if I am—is that the criteria could be anything related to eligibility for the benefits in question.
For example, the eligibility for some benefits includes being a single parent. Paragraph 2(2)(a) of new Schedule 3B says that an account information notice
“may require information relating to a person who holds a matching account even if the person does not claim a relevant benefit”.
On our last day in Committee, we established that that directly related to appointees, but that made me wonder whether it could apply to anybody else. For example, we also established that a notice could cover a joint account where one of the holders is the person to whom the benefit is paid and the other is not. Would this power allow DWP to ask banks to search for any accounts linked to any single parent and to examine those accounts for evidence that they and the other holder of a joint account might be living together? Would these powers allow DWP to devise any criteria designed to identify whether a claimant was living with another adult? To be clear, I am not asking whether it intends to do that or whether it knows how to do that. I am just asking whether it would be permissible. Is this a category of thing that it could do under the powers in the Bill?
Related to that, could DWP issue notices to a bank other than that into which the benefit is paid? Again, we have heard that the intention is to go only to the bank into which the benefit is paid, but I want to know specifically: does this Bill gives DWP the power to do that or would it need additional primary legislation to do it?
Secondly, the Bill does not say that notices can be given only to banks. It says that they can be given only to a “person of prescribed description”. The Information Commissioner said:
“I have been unable to identify where such persons are prescribed and the provision itself is silent on the matter”.
It is therefore unclear which organisations will be in scope of the power or how this will be determined. Can the Minister tell us any more about who will be covered and how that will be determined? Who could be subject to a notice? A bank or a building society could be, clearly, but could a credit union, a Christmas club savings scheme or any other financial body?
Paragraph 58 of the impact assessment on this part of the Bill says:
“This measure is drafted broadly to ensure it is future-proofed against future changes and innovation, particularly in the financial services sector, i.e. in Fintech and Crypto, and enable DWP to apply this measure to non-financial organisations in future if it is deemed appropriate and proportionate”.
Can the Minister give the Committee an example of a non-financial organisation that could be appropriate? Specifically, could this apply to, for example, phone companies? Given the open-ended nature of the powers being taken, one way for Ministers to give reassurance to both the Committee and the wider public would be to ensure that DWP is constrained by a clear and transparent code of practice over which Parliament has oversight and that it reports to Parliament on the way it is using these powers. If the Minister does not like the approach in this amendment, perhaps he could offer the Committee other forms of assurance in this area. I beg to move.
My Lords, I apologise to the Committee that duties elsewhere in the House prevented me from attending the last two debates on Monday and so from speaking to the amendments that I had tabled and signed. However, I have read the Official Report with care.
I cannot pretend to be a data protection nerd, or even a social security nerd, like some speakers in those debates, but I hope that I pass muster as a surveillance nerd, having written for the Home Secretary two of the reports that informed the Investigatory Powers Act 2016 and, more recently, a report that informed the Investigatory Powers (Amendment) Bill, which I see is to be given Royal Assent tomorrow.
I support all the amendments in the name of the noble Baroness, Lady Sherlock, in this group. Of course there must be a code of practice. Of course it must be consulted on and scrutinised. I would add that that of course we could not contemplate passing this schedule into law until we have seen and studied it. An annual report of the sort that accompanies the reasonable suspicion power to issue financial institution notices, exercised by HMRC under Schedule 36 to the Finance Act 2008, would also be useful. For example, it is from the last of those reports, dated January 2024, that I learned that these reasonable suspicion tax information powers were now being used to obtain location data—something that it had previously been said would not be done.
Dan Squires, one of the authors of the legal opinion that I know was referred to on Monday, is not only a King’s Counsel but a deputy High Court judge and a genuine expert in this area. He and his junior, Aidan Wills, point in that opinion to the personal nature of some of the data that could be harvested under the proposed power and advise that Schedule 11 does not come close to the safeguards required for compliance with Article 8. They refer in particular to the striking lack of clarity about the grounds on which and the circumstances in which the proposed power can be used, as well as to the absence of both independent authorisation and independent oversight. They point out that, although saving up to £600 million over five years is a very important objective, it weighs no more heavily—indeed, probably less heavily—than the normal justifications for obtaining information in bulk: protecting national security and the prevention and detection of serious crime. Their opinion is well referenced, persuasive and consistent with the view on proportionality expressed by both the Information Commissioner and the Constitution Committee, on which I sit.
On Monday, the Minister referred to the power in Schedule 23 to the Finance Act 2011 to obtain certain data items from particular classes of data holder—for example, employers and land agents. So I had a look at that schedule and the data-gathering regulations under its paragraph 1. The power would appear to apply only to certain tightly defined items, such as payments made by the employer or arising from use of land. There would appear to be a noticeable contrast with location data, personal spending habits and so on, which fall within the scope of the powers in this schedule, as they are written in the Bill. Both HMRC and the Home Office operate under powers tightly defined in legislation. Assurances that those powers will be used in a restrained way, as Justice has commented in its useful briefing on the Bill, simply do not cut it. I am afraid that the law requires the DWP to be subject to the same constraints.
I am concerned: concerned that this important new power was not subject to detailed consultation or even to scrutiny by a Commons Bill Committee, where useful evidence could have been heard; concerned that it could even have been contemplated that so vague a power might be in the Bill and not accompanied by a code of practice; concerned about the absence of an independent approval and oversight mechanism, equivalent to the Office for Communications Data Authorisations and the Investigatory Powers Commissioner’s Office; and concerned that, if we do not get this potentially valuable power right from the start, it will immediately be subject to legal challenges, which will swiftly render it unusable.
If, as I believe, Schedule 11 is currently unfit for purpose, is there time to rescue it? I have a couple of practical suggestions. First, I saw the investigatory powers unit from the Home Office when it happened to be in the House yesterday, and I wondered if there might be utility in it comparing notes with the Bill team about these types of powers and their attendant safeguards.
Secondly, I hope the Government appreciate the significance—at least to us nerds in the Committee—of the legal analysis of Dan Squires KC and Aidan Wills. If we are to be told that it is mistaken, which would certainly be unusual, I for one would like to see that backed up by an opinion from a lawyer of equivalent stature, whether at the GLD or independent counsel, explaining precisely and persuasively why Mr Squires and Mr Wills are wrong. Otherwise, and without significant change of the type identified in the opinion, I am afraid I am not inclined to give this schedule the benefit of the doubt.
I signed up to the stand part notice of the noble Baroness, Lady Kidron, thinking it would at least be a platform to think about what amendments to the schedule might be needed. The more I read the schedule and the more I hear about it, the more I am driven to the conclusion that, if we do not see substantial change, opposing the schedule may be the way that we have to go at the next stage.
In the two previous groups, I raised pension credit, and it is notable that the noble Viscount the Minister has not responded on that point. As such, my automatic assumption is that he believes that the implementation of these powers will deter people from seeking pension credit, which is contrary to the Government’s declared policy to encourage people. I mention that in passing, given this opportunity.
My other moan is about the impact assessment; there is none. I do not like the impact assessment that we have. It is a totally impenetrable and meaningless document, which is clearly there just as a matter of form rather than as a serious attempt to try to inform participants in these debates about what is in the Bill and what impact it will have on people and organisations.
My specific points are broadly in line with the points raised by UK Finance, the overall organisation for financial organisations, including banks and insurance companies, which continues to have serious concerns about these provisions. I think we should listen carefully to what it says. In particular, if we are going to have these powers then, in line with the amendments tabled by my noble friend Lady Sherlock, we have to make sure that they are introduced in an effective way that appreciates the vulnerabilities of customers.
My Lords, this has been a somewhat shorter debate than we have been used to, bearing in mind Monday’s experience. As with the first two groups debated then, many contributions have been made today and I will of course aim to answer as many questions as I can. I should say that, on this group, the Committee is primarily focusing on the amendments brought forward by the noble Baroness, Lady Sherlock, and I will certainly do my very best to answer her questions.
From the debate that we have had on this measure, I believe that there is agreement in the Committee that we must do more to clamp down on benefit fraud. That is surely something on which we can agree. In 2022-23, £8.3 billion was overpaid due to fraud and error in the benefit system. We must tackle fraud and error and ensure that benefits are paid to those genuinely entitled to the help. These powers are key to ensuring that we can do this.
I will start by answering a question raised by the noble Lord, Lord Anderson—I welcome him to the Committee for the first time today. He described himself as a “surveillance nerd”, but perhaps I can entreat him to rename himself a “data-gathering nerd”. As I said on Monday, this is not a surveillance power and suggesting that it is simply causes unnecessary worry. This is a power that enables better data gathering; it is not a surveillance or investigation power.
The third-party data measure does not allow the DWP to see how claimants spend their money, nor does it give the DWP access to millions of people’s bank accounts, as has been inaccurately presented. When the DWP examines the data that it receives from third parties, this data may suggest that there is fraud or error and require a further review. This will be done through our normal, regular, business-as-usual processes to determine whether incorrect payments are indeed being made. This approach is not new. As alluded to in this debate, through the Finance Act 2011, Parliament has already determined that this type of power is proportionate and appropriate, as HMRC already owns similar powers regarding banking institutions and third parties in relation to all taxpayers.
I listened very carefully to the noble Lord and will, however, take back his points and refer again to our own legal team. I think the point was made about the legality of all this. It is a very important point that he has made with all his experience, and I will take it back and reflect on it.
I take the Minister’s point and I will settle for the appellation “investigatory powers nerd”; I am quite happy with that. Does the Minister agree with me, however, that the legal difficulty —we see this with the other bulk powers already in our law—is that Article 8 of the European convention locks in not when a human eye gets stuck into the detail, but as soon as a machine harvests the data in bulk? Most of that data relates to people in respect of whom there could be no possible suspicion. Satisfying the requirements of necessity and proportionality must be done even at that stage. I understand that that is awkward and I am sure a lot of people would prefer that it was otherwise, but that is, as I understand it, the law. That renders the distinction that the Minister seeks to draw between data gathering and surveillance perhaps slightly difficult to maintain.
If I may just answer that question from the noble Lord, Lord Anderson; I think it is important to take one question at a time.
I have every sympathy with what the noble Lord has said. As I mentioned on Monday, points could easily raised about that—I think it may have been the noble Baroness, Lady Kidron, who raised points about computers and their robustness. This is the very point that we agree with. It is incredibly important and we have started already to draw up a proper code of practice to work with the banks on how this will actually work. We need continued time to work these issues through. I also made the point on Monday that, at the end of the day, a human being will be there—must be there—to determine where we go from there.
In relation to the code of practice, which I am glad the Minister mentioned, we have just seen the Investigatory Powers (Amendment) Bill through this place. It makes some relatively minor changes to the powers of the intelligence agencies to harvest data in bulk and, to ensure the orderly passage of that Bill through both Houses of Parliament, the key excerpts of the draft code of practice were made available before Committee in either House to enable it to be properly scrutinised. We seem to have left it terribly late in the day still to be talking about a draft code of practice on this Bill, which we have not even seen. Can the Minister assure us that before we come to Report, that code of practice will be available in draft?
Indeed, I was going to come on to that later in my remarks, particularly to address the points raised by the noble Baroness, Lady Sherlock. We need the necessary time to continue to develop this code of practice, and that is particularly important in respect of this measure. The answer is no, I cannot guarantee to have the code of practice ready by Report. Indeed, I am saying that it will be ready sometime in the summer. It is important to make that point but also a further one, which is that there are many instances, as the noble Lord will know, when a code of practice is finalised and brought forward after the primary legislation is brought through, and this is one of those cases. That is not abnormal but normal. The noble Lord may not like it but there is considerable precedent for that to happen.
I appreciate the tone of the noble Lord and, if there is anything that comes from behind me before I conclude my remarks, to be helpful, I will certainly do that.
Our debates on this measure have covered many issues. This group, as mentioned earlier, focuses primarily on the operational delivery of the power, so it would be quite good to move on. Just before I do, for the benefit of the noble Lord, Lord Anderson, in terms of the late introduction—his words—of this measure, as mentioned on Monday the DWP published a fraud plan in May 2022, where it outlined a number of new powers that it would seek to secure when parliamentary time allowed. In the parliamentary time available, DWP has prioritised our key third-party data-gathering measure, which will help it to tackle one of the largest causes of fraud and error in the welfare system. That is a short version of what I said on Monday, but I hope that it might be helpful.
Before I turn to the amendments, it might be helpful to set out how the legislation will frame the delivery of this measure. When we issue a request for data to a third party or, as it is set out, an account information notice or AIN, which is in the Bill, we can only ask it to provide data where it may help the DWP to establish whether benefits have been properly paid in accordance with the rules relating to those benefits. As mentioned earlier, this is defined clearly at paragraph 1(2) of the new schedule. This is where the data that DWP receives may signal—to use the word raised by the noble Lord, Lord Clement-Jones—potential fraud and error. The noble Lord asked for further clarification on that point. To be clear, a signal of fraud and error is where the rules of benefit eligibility appear not to be met. For example, this might be where a claimant has more capital than the benefit rules allow. As I made clear on Monday, all benefits and payments have rules that determine eligibility, which Parliament has agreed are the right rules in its consideration of other social security legislation. To issue an AIN, we must also have designated a third party in affirmative regulations, which need to be passed by both Houses.
As has been covered, we can also only request data from third parties where there is this relationship, which I will not repeat again and which I think the Committee will be familiar with. Our intention is to designate banks and financial institutions as the first third parties that we can approach, enabling us to request information on accounts only held in the UK. Just to clarify that point, we will not be able to request information on overseas accounts.
On the question raised by the noble Baroness, Lady Sherlock, on examples of non-financial organisations that the power could appropriately be used on, we will bring forward regulations to specify the data holders in scope. I hope that this is helpful. In the first instance, this will be, as mentioned, banks and financial institutions. The power also has potential use cases with other third parties, such as housing or childcare providers, but, just to reassure the Committee, this would be subject to further parliamentary approval.
I am grateful to the Minister—I am just trying to catch up. On the point that he made about regulations, I imagine that the power to prescribe the descriptions of persons to whom an account information notice may be sent comes under paragraph 1(1) of the schedule. I think that that is what he was saying. In paragraph 2, on the content of the account information notices, there is a reference to
“other specified information relating to the holders of those accounts, and … such further information in connection with those accounts as may be specified”.
Does that simply mean anything specified in the account information notice or is there a power to make regulations that will limit the types of information that can be specified in an AIN?
Again, I hope that I might have covered this earlier. If I read the noble Lord’s question correctly, the definitions will need to be debated by both Houses. I have made clear what we are bringing in at the moment for banks and financial institutions, but this will need to be looked at by both Houses in future. I hope that that is clear.
I apologise; I did not make myself clear. I think that we are on entirely the same wavelength on the persons to whom an information notice can be given; the Minister has reassured us that they will be specified in regulations and considered by both Houses. My question relates to the content of an account information notice under paragraph 2 and the very broad references to “other specified information”, “such further information” and so on. I did not read that as a regulation-making power. I rather assume that the discretion over the choice of information that is specified remains entirely at large. If the Minister is saying that there will be regulations that will specify the information that an AIN can include, hence mitigating the breadth of paragraph 2, I would be glad if he could make that clear.
My understanding —with his experience, I am sure that the noble Lord will be ahead of me on this—is that this is defined. We define it pretty clearly in paragraph 1(2). In the interests of time, I will reflect on what he has asked and will be absolutely sure to add this to the letter that I pledged to write on Monday—it is getting bigger by the moment, as I fully expected.
I can reassure the noble Lord that that is the case, yes.
I do not know whether I can help. I agree with the noble Baroness: I do not think it is very clear from paragraph 1(1) that there is a regulation-making power. However, if you look at paragraph 5 of the new schedule, there is a reference there to regulations under paragraph 1(1) as well as two other paragraphs of the schedule. That is the rather tortuous route by which I came to the conclusion that the Minister is quite right.
I reassure noble Lords that is correct—it is paragraph 1(1). It may be rather complex, but it is in there, just to reassure all noble Lords.