Read Bill Ministerial Extracts
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)Department Debates - View all Lord Collins of Highbury's debates with the Scotland Office
(7 years, 9 months ago)
Lords ChamberMy Lords, this group includes a wide range of amendments and our debate on it will be one of our key debates on this section of the Bill. Clause 30 allows specified persons to share data for a specified objective. Our amendments seek to define and limit this and to ensure that additional approval is required where there is broadening or leakage
My honourable friend Louise Haigh thoroughly scrutinised this provision in the other place. Certainly, it took me most of Saturday to read what was said in that Committee stage. I do not intend to repeat all the arguments that were made—but I give fair warning that it will take me some time to go through these key elements, given that the principles in these clauses have given rise to concern, certainly in your Lordships’ Delegated Powers and Regulatory Reform Committee.
I start by saying that we on these Benches are completely in favour of effective data sharing across government to achieve public sector efficiencies, value for money, improved public sector services, improved take-up of benefits for the most vulnerable such as the warm home discount, free school meals and, most importantly, an improved experience for those who use public services. We will come to a lot of those issues in later groups today where we have tabled specific amendments.
The public also support these objectives, but their trust is fragile. In recent years we have seen a number of failures in managing data. The Information Commissioner said in her recent briefing distributed to all noble Lords:
“Transparency and a progressive information rights regime work together to build trust”.
This part of the Bill gives the Government considerable powers to share data. But those building blocks in restoring trust that the Information Commissioner and just about everyone else agree are needed are sadly not mirrored in the Bill. That is the crux of today’s debate.
Instead, the building blocks are covered in regulations and codes of practice. As I said, many, including the Information Commissioner and your Lordships’ DPRRC, have stressed the importance of including such measures in primary legislation as opposed to codes of practice. Having read through all the codes of practice, I sometimes asked myself what we were dealing with. Is this Bill really at the stage of being submitted for parliamentary consideration? So much of it needs further work and further consultation that I really do wonder whether it should be in this House at all at this stage. This is something that we may have to return to.
A specified objective to permit disclosure must meet conditions set out in subsections (6) and (10) of the clause, but they are so all-encompassing that it is difficult to see anything that the public sector does that is not covered by the clause. The published codes give examples of objectives that would fall foul of these criteria, including those that are punitive, and it is useful to see those examples. But it is a real concern that such a clarification of the power is not in the Bill. Why does the Bill not explicitly contain or exclude a punitive objective? What are we avoiding here?
The codes also give examples of objectives that are too general rather than too specific, and it would help if the Minister could say exactly where that line could be drawn. Not only are the objectives not limited in the Bill but the bodies that can share or receive data are not particularly limited either. Subsection (3) states:
“A person specified in regulations under subsection (2) must be … (a) a public authority, or (b) a person providing services to a public authority”.
This is another area that gives people a lot of concern.
In the Government’s original consultation on the Bill, they stated their intention to proceed with proposals to enable non-public sector organisations that fulfil a public function on behalf of a public authority to be in scope of the powers. In that consultation, they said:
“We will strictly define the circumstances and purposes under which data-sharing will be allowed, together with controls to protect the data within the Code of Practice. We will set out in the Code of Practice the need to identify any conflicts of interest that a non-public authority may have and factor that information in the decision-making”.
I read the code of practice. Paragraph 71 refers to this and mentions non-public sector organisations. It says that,
“an assessment should be made of any conflicts of interest that the non-public authority may have”—
but it does not give any examples of what those conflicts of interest might look like. I hope that in his response the Minister will be able to give more examples of what they might look like. We will come back to this issue in our consideration of other groups of amendments to this section.
The code also states that data-sharing agreements should,
“identify whether there are any unintended risks involved with disclosing data”,
to an organisation. In the Commons, my honourable friend Louise Haigh—I congratulate her on this work—raised the behaviour of Concentrix, which was mentioned again on the radio today. It was contracted by HMRC to investigate tax credits and fraud. But the code of practice does not list any examples of risks or set out how specified persons might go about ascertaining them. We heard on the radio today that that contract and the mismanagement of the data has caused huge distress to tens of thousands of people, and that it is ongoing.
The code also states:
“Non-public authorities can only participate in a data sharing arrangement once their sponsoring public authority has assessed their systems and procedures to be appropriate for secure handling data”.
It does not give any sense of what conditions they will be measured against and how officials should assess them. I hope it is not going to be on the same basis that the HMRC gave the contract to Concentrix. It is that that we need to know about. This draft code—and I will keep coming back to it—is in an extremely draft form and needs substantially more work done on it. I hope that the noble Lord will assure us that these codes will be revised and I hope that, within the revisions, he will acknowledge that substantial improvements will be made.
Indeed I can. The reason is that in the present context, personal information extends to bodies corporate and other personalities that are not otherwise covered by the first definition. I will elaborate upon that later but that is why there is a distinction between the two terms. We can see that the two terms substantially overlap but it is only because of that technical distinction that they are employed in this way. I hope that that satisfies the inquiry from the noble Baroness, Lady Hamwee.
The Data Protection Act not only circumscribes the use of data in very particular ways—for example, personal data must be processed in accordance with the data subject’s rights under the Act and be held securely to guard against unlawful or unauthorised processing, which addresses a point that many of your Lordships referred—but provides remedies in the event that those obligations are not adhered to. Generally speaking, that involves a complaint to the Information Commissioner.
Of course there have been lapses in data control. We are well aware of many of them. The noble Lord, Lord Collins, alluded to Concentrix, where there clearly appeared to have been lapses such that the Revenue terminated its contract without further notice in November of last year. We recognise that there are risks associated with data and data-sharing. That is why we emphasise the need to look at the provisions in the Bill not only alone but in the context of the Data Protection Act.
There were obviously risks associated with the contract for Concentrix and the fall-out from that contract is certainly ongoing, because of the people who have suffered hardship. The Government will undoubtedly have to investigate even more because at the moment, we are dealing only with the people who have appealed. Can the Minister tell us exactly why the existing provisions for a risk assessment did not stop this contract from going sour?
As the noble Lord is aware, Concentrix was not the only incident in which there were data breaches. They have happened not only in the context of parties operating with government but also entirely in the private sector. So far as I am aware, no one has made a claim for infallibility where data protection is concerned. Albeit that we aspire to the highest standards in data protection, we are not making claims of infallibility.
The noble Lord, Lord Collins, also referred in the present context to the GDPR, which will come into effect as a European regulation in May 2018. I reiterate that the provisions in Part 5 of the Bill are compatible with the GDPR. The noble Lord appeared to take some issue with that term, but let me be clear: the provisions of Part 5 are drafted in such a way as to be compatible with the regulation. When the regulation comes into direct force, we will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it. That is the way in which these things are done. The regulation is not yet in force and will be applied to the existing statutory structure from May 2018. I reassure him that it has always been intended that Part 5 of the Bill should be compatible with the regulation, for very obvious reasons.
Then there is the matter of the draft codes of practice. At this stage they are, of course, a draft. Those drafts have incorporated comments and advice from practitioners right across the public sector, from the Information Commissioner and from the devolved Administrations, so they have brought in that body of knowledge at this stage.
I am perfectly prepared to write to my noble friend to clarify that point, and I will place a copy of any letter in the Library.
I thank the Minister for his response. One of the things that we will encounter as we go through this section is the fact that the 1998 Act has some fundamental principles but that we have the Bill before us because there is a need for greater clarity. The world has changed in the past 20 years, certainly in the way that we handle and interrogate data. We no longer simply say that this set of data will go to that person and so on. We do not necessarily even have to share the whole dataset. The point is about how one might interrogate data. It is a very different world. I am not suggesting for one moment that errors do not occur, accidents do not happen and mistakes cannot happen, but in the modern world we conduct risk assessments to understand how we can minimise those things. That is what I want properly addressed when we come back to some of these issues.
The Minister says that the Government will consider the report of your Lordships’ committee. If there are to be further amendments, I hope that we will have time to consider them and even to put down our own amendments to ensure that the principles about which we are concerned will be able to be addressed. With those comments and, if you like, fair warnings, I beg leave to withdraw the amendment.
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)Department Debates - View all Lord Collins of Highbury's debates with the Scotland Office
(7 years, 9 months ago)
Lords ChamberMy Lords, I have no doubt that we will constantly return to codes of practice, especially about the need for them to be revised and, I hope, improved. But the purpose of these amendments, particularly Amendment 81, is to ensure that when they are finally agreed they have strength and a statutory basis to ensure that they are properly applied. It is important that the principles and safeguards that we have debated so far are included and statutory. I am concerned that having “regard to” provides too many loopholes that will undermine the very public confidence that we seek in passing the Bill. I hope that the Minister will be able to reassure all sides of the House, once again, about how we can consult broadly on these codes and ensure that they are properly referenced in legislation and properly complied with.
In Amendment 107B, we know that what is important is that corrective action can take place if there is a breach of the code. We know that measures are also in the Bill, including criminal sanctions, where data protection is breached. But what about those areas and cases where public authorities exceed those powers for supposedly public good? Will the Minister tell us what adequate measures would be in place? The Minister in the other place said that the wording “had regard to” already follows common practice in legislation, as illustrated in Section 25 of the Immigration Act 2016 and Section 77 of the Children and Families Act 2014. He argued that as the power covers a range of public authorities and devolved territories, the Government want flexibility about how the powers can be operated so that we can learn what works and adapt the code as necessary. This comes to the crux of the matter once again and why so many noble Lords have concerns about these provisions. It is this open-ended flexibility and uncertainty about where this is going to lead to that raise concerns. We are told that to put these matters into the Bill would hamper the ability to adapt for future purposes. If bodies fail to adhere to the code, the Minister will make regulations that remove their ability to share information under that power.
Part 11 of the code states:
“Government departments will expect public authorities wishing to participate in a data sharing arrangement to agree to adhere to the code before data is shared. Failure to have regard to the code may result in your public authority or organisation being removed from the relevant regulations and losing the ability to disclose, receive and use information under the powers”.
Is that really sufficient? Is that enough? What about the cases that we have heard? As the Minister said in the previous debate, departments are not infallible. I do not think that this is sufficient. We know that the Information Commissioner wants changes; we know that they want these codes not only to be improved but to have proper force. I beg to move.
I am content that we return to the noble Baroness’s first point if she feels that there is a point of distinction to be made. On her second point, I do not accept that there is fragility in this context. We are well aware, by virtue of past practice, that this formulation is appropriate to the application of codes of practice. Indeed, the noble Baroness herself observed that when applying one’s mind to a code of practice, a degree of flexibility is necessary. One cannot freeze them. That is why we consider that the wording here is appropriate.
I thank the Minister for his response. Obviously, the codes of practice are key to giving a sense of security and to building public confidence. They are critical, which is why noble Lords want to see exactly how they will end up. I am very happy with the reassurance that the Minister gave regarding parliamentary involvement and consideration of the report of your Lordships’ committee. That is very welcome and we will return, obviously, to some of the issues, particularly on medical information and other information set out in other groups. We will return to the subject of the Investigatory Powers Commissioner in the next group and I will explain in that discussion why we see, perhaps, a distinct role, arising from the debate this House had on the Investigatory Powers Act. In the meantime, I beg leave to withdraw the amendment.
Are we dealing with Amendment 81ZA? I would hate to give the wrong speech on the wrong group, although I suspect that noble Lords would notice. I have been in other forums where people have not noticed, but that is another matter.
Amendment 81ZA focuses on the extension of sharing objectives to include the electoral register. A number of amendments in this group address concerns that have been raised about living in cold homes or school meals provision: basically, how we make this sharing of data more effective. I have no doubt that the Minister will say in response that the Bill will allow for this, but we want to raise on the Floor of the House the importance of these extensions of sharing objectives to the overall, broad objectives set out in Part 5.
Focusing on the electoral register, we know that the Electoral Commission has said that up to 1.9 million people could lose their right to vote as we transition to the individual registration of electors. Of course, until 2009 one person in each household completed the registration for every resident eligible to vote. It was a Labour Administration who accepted the principle, and there may be very good reasons, but the way the changes are introduced could be a disaster for our electoral system. That is why it is fundamentally important that we see data sharing as a positive way to address this potential effect on our democratic system. My noble friend Lord Stevenson has tabled an amendment to the higher education Bill that seeks to enhance the responsibility of higher education institutions to remind students of their right to register to vote—and particularly to decide where to vote. In this amendment we are trying to ensure that institutions have proper powers to share data to that end.
It must be understood that this transition to individual registration has put a huge burden on cash-strapped local councils, who need to contact 46 million people instead of 20 million. Some people have been unable to register, many of them because they simply do not have the required access that they would previously have had. This amendment focuses on people who are vulnerable, who need help, or who have not previously taken up their rights, perhaps because they do not have the necessary access or are not fully aware. That comes back to the issues—many other noble Lords will pick up the point—of fuel poverty and access to free school meals. The right to free school meals is important not only for the individual child—for the benefits the child will get—but for the funding of the educational institutions. I hope, therefore, that the Minister will accept these amendments, which are about ensuring that we can do these things and that these issues are addressed, even if he does not think that they should necessarily be in the Bill.
My Lords, I shall speak to Amendment 82. This Bill is an opportunity possibly to enhance the lives of the most disadvantaged and vulnerable people in our society. The words of our Prime Minister always come to mind:
“a country that works for everyone”.
This amendment will help the country work for everyone. Currently, the parent of a child wishing to have a free school meal must apply for it. Not only does that provide a free school meal, which is hugely important for children because hungry children are not good learners, but it ensures that the school gets a pupil premium—a substantial sum of money—to help those disadvantaged pupils.
This simple amendment would ensure that local authorities automatically enrol those entitled to receive free school meals. Local authorities currently administer a number of benefits, such as council tax and housing benefit, so they are aware of families that would be eligible to claim free meals and would automatically contact the school. This would ensure that parents who, for a host of reasons, fail to claim would be able to do so.
It is estimated that a family with a child receiving free school meals can save up to £400 a year. Noble Lords may imagine that if the parents have more than one child the saving is quite substantial. As well as the family saving money and the child getting a free school meal it ensures that the school gets a substantial amount of money—the pupil premium—to help disadvantaged pupils.
The Minister will probably reply—as did the Minister from the other place—that the department’s own electronic eligibility checking system means that the clause is not really needed. That, however, is only a system which enables a school to check whether the parent is on the free meals register: it has speeded up the process but does not do the job that this amendment hopes to do.
I make a further point about this, at a time when we are all sensitive about the amount of private data that circulates: there is perhaps a fear that leads people to question why schools should have private data on pupils entitled to free meals. For that reason the amendment clearly states that parents will be notified before this information is made available and that there will be opt-out arrangements. I hope, therefore, that the Minister will be sympathetic to this very important amendment.
I thank the Minister for his response. The problem is that these issues are not simply about entitlement but about a system in which people have to choose. The point is how you make that easier. With individual voter registration, which is a new system, there is a possibility that people will be removed from the electoral roll and therefore denied the opportunity to vote. We talk about a positive outcome. It might be one for one particular party. The boundary reviews will be based on registers that will be removing people and therefore on numbers of electors that are not necessarily the real numbers. I find it a bit disappointing that the Minister sees it as simply an administrative step.
This comes back to the fundamental point that everyone who has spoken, whether about school meals or the warm home discount, sees that this is an opportunity to improve governance and outcomes for people, obviously with the required safeguards. I think all of us in this Chamber will want to return to these issues because they are vital for the well-being of our people. In the light of the Minister’s comments, I beg leave to withdraw the amendment.
The Minister gave me some preliminary notice of the Government’s attitude to this amendment and alluded to the potential confusion of different roles and different names. No doubt I might even make the mistake of using the term “Information Commissioner” rather than “Investigatory Powers Commissioner”.
However, there is an important point here on which we want to probe the Government, and that is about the changing world and how we respond to it to make sure that the interests of the individual are properly thought of and protected. The point is about restoring public confidence. We have a legal framework that is structured around the Data Protection Act and a regulatory framework that allows breaches to be investigated and matters to be determined where there has been a breach. It is a system that protects the individual after the event. What we are trying to do here is what the Investigatory Powers Act, which became law at the end of last year, sought to do—that is, it does everything possible to ensure that intelligence agencies and law enforcement use only such powers as Parliament approved after a careful and well-informed debate. We cannot revert to a world in which the Government understand and apply the law in ways that were not foreseeable to the rest of us, still less to a world in which our freedoms depend on the potentially harmful activities of whistleblowers.
This amendment seeks to ensure that, in this fast-changing world, in the plans for the future use of powers identified in the Bill, the rights of the individual are not only safeguarded but are put at the head of the agenda rather than considered as an afterthought. That is why we have used the framework of the Investigatory Powers Act to raise this issue. With regard to future changes or extension of powers, who is thinking of the rights of the individual? It is important that the Government, if they are unable to deal with this consideration in today’s group, return to this subject in future provisions.
My Lords, I thank the noble and learned Lord for his comprehensive response. Clearly, there is a lot in the codes of practice, so we await the response. I welcome, too, his commitment to come back to report on the issues that the Information Commissioner and we have raised.
Both the GMC and the BMA raised the issue of confidentiality and the common law. They obviously have legitimate concerns about the future impact. Confidentiality is not simply an issue of administration and protection administratively; it is a fundamental issue about the nature of the relationship between doctor and patient, where trust is absolutely vital for medical treatment, ongoing treatment and so on. We may have to come back to this issue at Report. In the meantime, I beg leave to withdraw the amendment.
My Lords, as one of my colleagues in the trade union movement used to say, there may be a sense of déjà vu: we are going to be repeating issues in these amendments. As we have said, transparency is a vital ingredient in building public confidence. If we do not have public confidence we will not have effective data sharing and therefore the aims and objectives of the Bill will not be met. That is why we are very keen to focus on the elements of how we build that confidence, with transparency as the vital ingredient. That is why we are proposing to have an independent review of the collection and use of data by government and commercial bodies. A report of that review would be put before Parliament.
Having spent a considerable part of the weekend reminding myself about the Data Protection Act—I was responsible in the trade union movement for elements of implementation of data protection—I was struck by how complex the law can be and how different elements impact on each other. That is where we need to do more to build public confidence. People are concerned, asking. “Why do they want it? How are they going to use it? Have they used it? Have they done it without my knowledge? Have I given consent? Shouldn’t I be allowed to give consent?” All those issues need explanation. That is why transparency provisions in the amendments are really important. Where there has been a breach it needs to be effectively reported and dealt with. Some of the episodes we have seen in the private sector are scandalous—breaches of data have occurred and nothing has been said for years, let alone weeks and months. Whether we like it or not, those breaches in the commercial and private sector will impact on people’s confidence about the Government’s ability to share data fairly. That is why we need to be open about how we are dealing with problems. I come back to the Minister’s point on infallibility. Of course we are not infallible; but whenever mistakes happen, we want to make sure we learn from them and minimise the risk of them happening again. That is what we seek to do in these amendments.
The more we move towards digital government, the more we need to ensure that all these issues are properly recorded. Again, that is why we are proposing mandatory transparency in the public register of data-sharing agreements. It is about building trust in the process, with people knowing they will have to be accountable for their decisions in this area.
Transparency must be central to the process, alongside privacy and security. It is one of the arguments that we would make strongly in this group of amendments. No doubt we will hear from the Minister about it being mentioned in the code of practice and how that will be vital. I agree that we have seen a lot of movement; what we want to do as we move forward is to receive reassurance that the principle of building confidence will be openness and transparency. I beg to move.
I thank the Minister for his response. We await the revised and improved codes of practice, which will be a fundamental ingredient in building confidence in data sharing. If there are existing powers with regard to the requirement to report breaches, I think most people in this country will wonder why Yahoo was not picked up for failing for 10 years to report a breach which could have impacted on its confidential financial information. I welcome the fact that we will come back to these issues at later stages following consultation with the Information Commissioner. We know what is in the GDPR and what we are required to do. It will come into force in May 2018 and it is very important that the Government commit to the principles in it. We may have to come back to that issue at later stages of the Bill. In the meantime, I beg leave to withdraw the amendment.
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)Department Debates - View all Lord Collins of Highbury's debates with the Scotland Office
(7 years, 8 months ago)
Lords ChamberI am not in a position to say what number of bodies were considered and discarded, but I will undertake to write to the noble Baroness on that point. All the public bodies included in the schedule must, of course, comply with the data-sharing safeguards in the Bill. Clearly, public authorities may not enter into data sharing lightly. They will have to follow the codes of practice, comply with the Information Commissioner’s requirements on data sharing and privacy and have in place all necessary protections to prevent unlawful disclosure.
The list of public bodies in the government amendments is shorter than the lists we have previously published in draft regulations although, as I indicated to the noble Baroness a moment ago, I do not know how many bodies were considered and removed before the process of listing them in the draft regulations took place. Care has been given to ensuring that we share only where there is a clear benefit, as required by the legislation. I hope that, with that explanation, the noble Baroness will withdraw her amendment.
My Lords, I will take this opportunity to briefly comment on this group of amendments. These Benches did submit a series of amendments in Committee. The Minister responded that the Government were giving due consideration to the Delegated Powers Committee report, so there was no opportunity to go through some of those issues in detail. We welcome the Government’s amendments and the fact that they have responded to the Delegated Powers Committee. I have read the Information Commissioner’s briefing for Report, and I welcome the fact that she strongly supports the Government’s adoption of these amendments, which she believes will strengthen parliamentary scrutiny and government accountability.
The next group of amendments deals with the code of practice, on which we had lengthy debates in Committee, but I believe that the Government are now striking the right proportional balance between improving public and government services and the need to protect data.
My Lords, in Committee I had my name to an amendment regarding the status of the codes of practice. At that time, the noble and learned Lord referred to the appropriate level of legal obligation. He certainly persuaded me that the wording “having regard to” or “complying with” did not relate to whether a public authority could ignore a code, but whether there were reasons for doing so. I was persuaded about that level of flexibility.
Of course, we were really concerned about what the codes of practice would ultimately look like, what the engagement of the Information Commissioner would be and what the Information Commissioner’s view was. On these Benches we were pleased to see not only the Government’s amendments but the Information Commissioner saying that she was extremely pleased that the Government had accepted her recommendations on there being references in the Bill to codes of practice and the privacy impact assessments.
In the light of the Information Commissioner’s overall comments and the fact that the Government have responded, we certainly welcome these amendments. However, I give notice that—the noble Baroness, Lady Hamwee, referred to this—what is in the codes and how public authorities operate them will be very important, and parliamentary scrutiny of and engagement in them will be critical in the future. I hope that we will see further drafts of the codes before they are ultimately laid before Parliament. It is really important not only that there is the highest level of consultation on them but that Members of Parliament are properly engaged in them.
I thank noble Lords for their observations on these matters. There are of course government amendments in this group as well and perhaps I may begin with those.
This group of amendments concerns the codes of practice issued under Part 5 and those issued by the Information Commissioner’s Office. It includes the government amendments that implement the recommendations of the Delegated Powers and Regulatory Reform Committee and, as the noble Lord, Lord Collins, observed, the recommendations of the Information Commissioner’s Office. In addition, there are some opposition amendments on similar points.
We have already published draft codes of practice on data sharing. The Delegated Powers and Regulatory Reform Committee recommended that the first codes of practice and the UK Statistics Authority’s statement of principles should be laid before Parliament in draft and should not be brought into force until they had been approved under the affirmative procedure. Revisions were to follow the draft negative procedure. We agree and have tabled amendments to achieve this, and it is intended that Parliament should have a suitable opportunity to consider these drafts and any amendments thereto in due course.
A further series of government amendments will require persons disclosing personal information under relevant chapters of Part 5 to have regard to the Information Commissioner’s codes of practice on privacy impact assessments and privacy notices, transparency and control in so far as they apply to information which is being shared. As the noble Lord, Lord Collins, observed, the Information Commissioner called for explicit reference to these two codes to be made on the face of the Bill. We have worked with her office to develop these amendments, which supplement the existing requirement that the codes of practice prepared under the Bill must be consistent with the commissioner’s own code on data sharing, and I understand that she is satisfied with the steps we have taken in that regard. I hope that this will provide further assurance to noble Lords that we are committed to ensuring that best practice concerning compliance with data protection and transparency will be applied to the exercise of powers under Part 5 of the Bill.
I now turn to the opposition amendments in the names of the noble Baroness, Lady Hamwee, and the noble Lord, Lord Clement-Jones. I hope I can persuade them that their amendments are no longer necessary, as the government amendments fully address the concerns of both the Information Commissioner’s Office and the DPRRC.
As the noble Baroness has explained, the amendments in their names seek to ensure further consistency with the ICO’s codes and to strengthen the role of those codes in the regime set up by Part 5, as well as providing for greater parliamentary oversight of the Government’s codes, and I believe that we are now there. The Bill already requires that codes of practice issued under Part 5 of the Bill must be consistent with the ICO’s data-sharing code of practice. The government amendments further require persons to have regard to the ICO’s codes on privacy impact assessments and privacy notices, transparency and control when exercising relevant powers under Part 5. So we are now referencing all the codes which the ICO felt were critical for the operation of Part 5.
Of course, this is not the first time we have discussed amendments that seek to strengthen enforcement of the codes of practice by requiring authorities that use the powers of determined specified bodies to “comply with” rather than “have regard to” these codes. The Government’s position remains that “have regard to” is the right weight to give to codes of this type. That is itself a legal obligation, as the noble Lord, Lord Collins, noted. Moreover, the public law will expect those who are subject to the codes to follow their stipulations unless there are cogent reasons why they should not. We note that the Information Commissioner’s own codes are themselves advisory. A requirement to “comply with” the codes could lead to their being applied in a tick-box fashion, without due regard to whether the recommendations are actually applicable to and desirable in the context of the specific data share.
On the issue of adding additional persons to the consultation obligations for the codes, since Ministers have committed before Parliament to consult publicly on the Part 5 codes of practice, we suggest that such a requirement is unnecessary. The present provisions reflect what the noble Baroness noted to be the normal position.
Finally, on parliamentary oversight, the Government’s amendments fully implement the DPRRC’s recommendations, including, exceptionally, the use of the affirmative procedure for the first codes and the draft negative procedure thereafter. They go further than the noble Baroness’s amendment, and I hope that that will be welcomed by all noble Lords. I therefore invite the noble Baroness not to press her amendments.
My Lords, I hesitate before intervening in this group of amendments because, the last time I intervened, my noble friend said that I must be slightly confused, as I was talking about electoral rolls, bread rolls and toilet rolls. We are, of course, conflating a number of issues in this group, but I think that there is a really good point. My noble friend has raised an important area where the public good can be served not by sharing confidential information but by ensuring the availability of information that will serve a specific purpose in relation to fuel poverty. We on these Benches are very sympathetic on that point. In Committee we tabled amendments on the common-law duty of confidentiality, and the noble and learned Lord responded to those amendments. The only point I would make now is that it is vital that medical records remain confidential. They contain information that can affect not only people’s health but their access to jobs and to insurance. Access to a whole range of things is at risk if it is felt that this information will not remain confidential. Of course, the consequence of that is another public health issue, because if people do not have confidence that their records will remain confidential, they will not go to their doctor, they will not tell their doctor and they will not seek the treatment that they perhaps should. So there is a very strong case here.
One other point—it is not related to this group of amendments so I ask for forgiveness—is that there is a balance between maintaining confidentiality and security. Many of the problems in the health service, and why people lack confidence in it, are not about policies and procedures but about the health service’s ability to maintain a secure IT system. I hope the noble and learned Lord will be able to address those issues. The assurances that my noble friend has sought about future ability are really important. The ability to communicate—not the details of people’s confidential records but one government department to another and one public agency to another, to serve a very clear public need—is vital.
I am obliged to noble Lords, and in particular I thank the noble Lord, Lord Whitty, for his continued interest in this area and for taking the time to meet and discuss this matter at some length with me and the Bill team. Clearly, as the noble Lord, Lord Collins, observed, this is an important part of the fuel poverty agenda. That is why it takes on such considerable importance even when faced with issues such as medical confidentiality.
On the point about common-law confidentiality, and medical confidentiality in particular, it is not an absolute; there are already statutory gateways through which information can and must flow on occasions, and therefore one must not take it that medical confidentiality is somehow completely ring-fenced and separate from the world that we actually live in. There are circumstances where there should be, has to be and is disclosure. It may be possible—I put it no higher in terms of this Bill—to address a further gateway. However, one should not confuse any mechanism within the Bill with the consequences of human or IT failure, however regrettable they may be. I agree with the noble Lord, Lord Collins, that one has to have regard not only to the structure within which information is shared but to the need to ensure that the sharing process is itself secure. But they are separate issues.
The noble Lord, Lord Whitty, acknowledges that some parts of his amendment may not be necessary. Amendments 27 and 28 would provide that information can be shared with licensed electricity and gas distributors for the provision of fuel poverty assistance. They can already be added to the data-sharing arrangements in Clause 32 by regulations. The Government will consider whether to exercise this power in the context of considering the future role of electricity and gas distributors in delivering fuel poverty schemes. I reassure the noble Lord that the provision made by Amendment 26 is already covered by Clause 31, which provides powers to share information for,
“the improvement of the well-being of individuals or households”.
Of course, this includes,
“their physical and mental health and emotional well-being”.
While we do not consider the noble Lord’s amendment necessary in this instance, the objectives that he highlights are an example of how in appropriate circumstances information held by healthcare providers could, in future, be valuable to support the more effective delivery of public services to those in need. It underlines why the Government are unable to accept Amendments 28AV, 28AW and 28AX, tabled by the noble Baronesses, Lady Finlay and Lady Hamwee.
The Government do recognise the particular sensitivities with identifiable health information, as highlighted in the National Data Guardian for Health and Social Care’s recent review of data security, consent and opt-outs. Health bodies in England are therefore not included in the list of bodies now in the Bill that will be permitted to use these powers. However, as the noble Lord, Lord Whitty, noted, health issues are a key factor in the complex social problems faced by people, whom we are aiming to support with these powers. Excluding the use of identifiable health information altogether would remove the possibility of including such information in the future without amending legislation. It would be premature to take this step in advance of the implementation of the National Data Guardian’s review and the public consultation that that will engage.
An amendment to maintain the common-law duty of medical confidentiality is not considered necessary. Those powers enable information to be shared only where it is already held by specified persons, acquired in a different context from the patient-doctor relationship. Any information that would have been subject to medical confidentiality would have found its way into a specified person’s hands only through an existing gateway. As I indicated earlier, there are already statutory gateways through which such information can move. Of course, we are dealing with permissive powers.
At this late hour, I will attempt the impossible: to satisfy the interests of all parties in the context of these provisions. Beginning with the inquiry from the noble Lord, Lord Whitty, health bodies are not presently included in the schedules. As drafted, it would be possible for health bodies to be added to the schedules at a future date but—and I emphasise this—no decision will be taken until, first, the Government publish their response to the Caldicott review and any recommendations have been embedded and assessed; secondly, there has been a public consultation on the issue and the views of the National Data Guardian and appropriate representative health bodies such as the GMC and BMA have been sought; and, thirdly, there has been a debate in both Houses pursuant to the affirmative procedure required to add bodies to the schedule. I hope that that reassures the noble Lord, Lord Whitty, that it can be done, although it has yet to be done, and that there are steps that we will take to reassure the noble Baronesses, Lady Finlay and Lady Hamwee, before any such step is implemented.
If health bodies or information were to be expressly excluded in the Bill, it would require primary legislation to enable those bodies to share information under the powers. If and when we decide that it would be helpful to have those powers—in implementing the fuel poverty initiative, for example—it would be most unfortunate if we were delayed by literally years before we could actually achieve the objective, when in fact there is provision here to do it by way of the affirmative procedure so that both Houses have ample opportunity for debate.
If we take those steps, there will be safeguards. When considering whether to add any health bodies to the schedules in the public service delivery, debt and fraud chapters, clear safeguards will apply. First, before a new body may be added to the schedule, it must show that it fulfils the relevant criteria relating to that specific power designed to ensure that only bodies with relevant functions for holding or requiring information relevant to that particular power may be added. The Minister must consider the procedures in place for secure handling of information before any new body can be added to the schedule—a point raised by the noble Lord, Lord Collins. A decision will be taken on whether it is in the public interest and proportionate to share identifying health information in order to achieve a specified objective. There would be no question of simply sharing this information more widely. The powers must be exercised in accordance with the Data Protection Act, which requires that only the minimum information necessary to achieve the objective may be shared. Under the Bill—and under the Data Protection Act—personal information may be used only for the purpose for which it was shared and data must be stored securely to ensure compliance with that Act. Again, this point was raised a moment ago.
Identifying health information will constitute sensitive personal data and so to ensure fair and lawful processing, it must fulfil one of the more onerous Schedule 3 conditions as well as the Schedule 2 condition under the Bill. In addition, new criminal sanctions have been included for wrongful disclosure with a maximum penalty of up two years’ imprisonment, a heavy fine or both. Further steps can of course also be taken to remove a body from the schedule if it does not comply with the requirements of the Act.
I do not suppose that I have satisfied anyone with that explanation at the end of the day. But, if nothing else, I hope that it has assisted in informing your Lordships as to why we consider that these amendments are not appropriate and that it would be appropriate to retain the ability to introduce health bodies by way of appropriate regulation. We feel that there will be appropriate safeguards and extensive consultation before any such step is taken, so I invite the noble Lord to withdraw his amendment.
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)(7 years, 8 months ago)
Lords ChamberMy Lords, I too thank the noble Baroness, Lady Howe, for this amendment. I added my name to it and support very much the principles contained in it. As she said in her introduction, this is not simply about pornography or about age verification, where we have addressed those issues. It is about giving parents the tools for the job so that they can be sure that their children are accessing the internet in a responsible way. That is a key issue because we have just had an hour-long debate on gambling; we know that access to gambling is on the internet nowadays. We have controls in casinos and age limits in betting shops, but we also know that someone can bet huge amounts on mobile phones using the internet. We need to give parents those tools. That is what the House of Lords Communications Committee resolved. The report is excellent and I welcome noble Lords’ references to it.
The Minister will no doubt reassure the House about what we are doing with the major ISPs and how Ofcom will be reviewing that, but if, as the noble Baroness said, 10% or potentially even 15% of the market is not covered by that review, we are not addressing the full picture. What we need to aim for in this highly competitive market is an industry standard so that consumers understand that, wherever they go to get the best price for access to the internet, the whole industry will be applying the same standards in terms of the ability of parents to ensure that their children are accessing the internet in a responsible way.
Reference has been made in this discussion to the review being conducted by Ofcom. Will the Minister consider whether that review could be extended to all ISPs? He has the authority and he does not need this amendment to be approved, but he could reassure us that we will not simply rely on the letter from the industry saying, “we will approach the other ISPs and seek their co-operation”. He can ask Ofcom to do this and I urge him to give noble Lords that reassurance.
I have tabled Amendment 33ZPA, which deals explicitly with the Delegated Powers Committee’s recommendation. As the Minister will know, immediately on seeing the government amendments I approached him and wanted a discussion, because I was anxious that items were suddenly being put in the Bill of which no mention had been made before. We had had amendments relating to the Government’s willingness to implement the GDPR and they were reluctant to address that issue in the Bill, but suddenly the GDPR was to come into force on 18 May and we needed time to ensure that charges could be properly accommodated. I was concerned that suddenly all this was happening. The Minister wrote to me after our meeting and I was happy to learn that the Delegated Powers Committee had come up with the same concerns as me.
I want to be clear that my amendment specifically picks up the words of the committee. This is not simply about covering costs—I am sure that the Minister will reassure us about that; it is also about creep. It is about whether the Government will ask the ICO to undertake other things for which charges will suddenly become applicable, as was referenced in the report. It cited,
“broadly similar legislation enabling the Government to prescribe enhanced court fees, which they are relying on to introduce large increases in probate fees”.
We know that the ICO wants to extend its powers—quite rightly in some respects—but it should not do so without proper parliamentary scrutiny. I want the Minister to give me a clear assurance that the specific example given by the committee will not be applicable in relation to these charges. The “limited flexibility” of which he spoke gives the Government much wider powers. Why do they need limited flexibility when they are introducing a charging regime to meet the requirements of the GDPR and the specified responsibilities of the ICO? If they are to go beyond that and say that they need wriggle room in the form of what are described as limited powers, Parliament deserves the opportunity properly to scrutinise such changes. I reserve the option of tabling amendments at Third Reading that bring forward the recommendations of the Delegated Powers Committee. I hope that the Minister can reassure me about the limited power or wriggle room that he says the Government need. I want to know why they need it.
My Lords, I listened with interest and a certain amount of apprehension to this debate and the contributions made by noble Lords. As I said in my opening remarks, the Government intend to bring forward at Third Reading amendments to address the intentions of Amendments 33ZR, 33ZS, 33ZT and 33ZV tabled by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Hamwee.
I listened to the arguments in support of Amendments 33ZN, 33ZP and 33ZPA. However, we need the existing flexibility in the government amendments because there is rapid development in the digital economy. That means that the role of the data protection regulator is continually evolving. We want to allow flexibility to manage the period of transition as the ICO takes on additional responsibilities under the forthcoming GDPR. For example, in our amendment we specifically refer to discounts to certain organisations.
I understand why noble Lords are worried about giving additional powers to the ICO. The noble Lord, Lord Collins, talked about “creep” on this. I reassure noble Lords that this will be on a full cost recovery basis and it is in line with the current charging regime, so the fees will be determined by the size and turnover of the organisation, as I said at the beginning. We will consult data controllers on the shape of the new regime before laying regulations to introduce new charges. I repeat that the new model will continue to be based on the full cost recovery principle. On parliamentary scrutiny, the affirmative procedure will allow that scrutiny in Parliament.
The other reason for this is that the ICO fees regime needs to be in place by 1 April, ahead of the GDPR. In advance of this, it will be necessary to consult organisations on the proposed fees levels and lay the fees regulations in sufficient time for the start of the 2018-19 financial year. We would not be able to do that in the third Session.
To answer the noble Lord, Lord Clement-Jones, on the language in the proposed new section, the nature of the ICO role is changing with the changes in electronic communications—for example, in the regulation on cookies. We need some flexibility without the restrictive language of the noble Lord’s amendment.
I hope noble Lords will agree that subjecting regulations made under these powers to consultation and the affirmative procedure offers the necessary safeguards to ensure the powers are used proportionately. I therefore respectfully ask that the noble Lord withdraws the amendment.
Bearing in mind the comments I made, would the Minister take the opportunity to meet me and other interested Peers before Third Reading so that we can be clear and reassured that those points are covered by the government amendments?
It is always a pleasure to meet the noble Lord and I give that undertaking.
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)(7 years, 7 months ago)
Lords ChamberMy Lords, I thank the Minister for his introduction to Amendment 10. This amendment may not be the full loaf, but it certainly is three-quarters of a loaf in terms of an assurance on the two matters which gave us concern, the first of which was the extent to which the charges might exceed the costs incurred by the ICO. The Minister’s assurance is very helpful in terms of the operation of Clause 113, as is his assurance on mission creep, which is something that the noble Lord, Lord Collins, was particularly concerned about. Again, I am grateful to the Minister for his two assurances.
My Lords, I too am grateful for the assurances that the Minister has given us and I thank the Delegated Powers Committee for its excellent report which drew specific attention to this issue. The committee’s concern was not without evidence and it gave an example in relation to probate—I notice that the noble and learned Lord, Lord Keen, is in his place—so it is an issue that was very much in people’s minds when considering this part of the Bill. However, the assurances given by the Minister are clear and concise. We have protections in terms of parliamentary scrutiny, in particular in relation to the element of function creep where there is a requirement for primary legislation. I welcome and support the amendment.
Lord Collins of Highbury
Main Page: Lord Collins of Highbury (Labour - Life peer)(7 years, 7 months ago)
Lords ChamberMy Lords, I have no doubt that the noble Lord, Lord Stevenson, will want to give a more substantive response since this was fundamentally an opposition amendment, but it was supported strongly on these Benches. I accept that the Minister has tried to incorporate the spirit of the original amendment in this amendment coming from the Commons. He made a number of detailed points about objections to the drafting of the original amendment, but there is one thundering great hole in the amendment as brought forward by him, which is that there is no obligation on providers to comply with the code of practice once it comes into force. It is nakedly a voluntary code rather than any code that is able to be enforced by the Secretary of State. That is the major difference between the amendment that this House passed and that which has now come forward.
The Minister mentioned the internet safety strategy and the work being done on it. Many of us are convinced that when the work on that is done the need for an enforcement power in such a code of conduct will become clear. Will the Minister assure us that enforcement will be considered as part of the internet safety strategy and that, if the overwhelming body of evidence is that such a form of compliance is needed, the Government will come forward with amendments?
My Lords, I will not delay the House but I want to repeat what the noble Lord, Lord Clement-Jones, has just said because the point about no enforcement and no sanctions is important. I recognise the words of the Minister in terms of reflecting the spirit and intent of our original amendment, and I think that that is what the government Motion now seeks to do. It will give notice to the social networks that failure to comply will result in further government action. Like the noble Lord, Lord Clement-Jones, I hope that the Minister will be able to respond positively, in particular on the internet strategy review.
In conclusion, our examination of these issues has been extremely good in the Lords both in Committee and on Report. We now have a clear policy which gives notice to the social networks that we want to ensure that proper standards are maintained and that action will be taken when evidence of abuse is found. It should not be a matter of days or weeks, which has been the case, before offensive material is taken down. We have seen evidence of the horrendous things that have been put up on social networks in the US and Thailand, so we want to ensure that the networks understand fully the gravity of the situation.
My Lords, I am grateful for the remarks of noble Lords and I shall start by responding to the last comments made by the noble Lord, Lord Collins. I think that the social media companies are in absolutely no doubt about the Government’s determination to review what they do and make sure that they live up to their responsibilities. We are all agreed on that and we realise that even when something is technically lawful, it can be very damaging and unpleasant. Anything that sets out to humiliate people has no place in our society. I of course understand why some noble Lords are disappointed that the code of practice is not mandatory, but we should have confidence that it will make a difference if, as I have suggested, both we and the social media companies take it seriously. The code of practice will clearly set out our expectations of social media providers and it is in the interests of a site to be responsible with regard to online safety. It is critical for the future of sites that their users should trust them and that they protect the health of their brand.
I accept that there has been a lot of talk about the internet safety strategy. We have not ruled anything out of the strategy and we have heard the clear views of the House. I can say that we will consider carefully the points which have been raised in the development of the strategy and we will welcome contributions from noble Lords and other interested parties. I shall repeat: my department has absolutely taken on board the views of the House along with those of many other stakeholders in relation to social media companies and we will see what comes of that. The fact is that if this amendment is accepted, the code must and will be produced, and I am convinced that it will have a beneficial effect.