Data (Use and Access) Bill [HL]

Lord Vaux of Harrowden Excerpts
Tuesday 19th November 2024

Lords Chamber
Lord Vaux of Harrowden (CB)

My Lords, like others, I think I am experiencing the same sense of déjà vu that has been referred to. As others said, one of the more welcome aspects of this Bill is that it is not the same as its predecessor, which was introduced by the previous Government and which was mercifully a casualty of the election. Many of us lost far too many hours of our lives on that Bill, which was, frankly, a bad one—others have called it egregious.

So, I am pleased that this Government have clearly taken account of those debates—perhaps some of those hours were not wasted after all—and have produced a slightly slimmed-down version. That, in part, is because some of the old Bill has been removed from this one, but I am afraid it is expected to reappear again; I hate to disappoint the noble Lords, Lord Knight and Lord Stevenson, but we are going to see those DWP bank account access clauses in a separate Bill. However, at least it will be a stand-alone Bill rather than tucked in the background of a two-inch-thick data Bill.

I will start with a general concern which the noble and learned Lord, Lord Thomas, mentioned, which is that of EU data adequacy, which a number of us raised in the context of the last Bill. The helpful letter from the noble Lord, Lord Ricketts, the chair of the European Affairs Committee, dated 22 October to the Secretary of State for Science, Innovation and Technology, sets out very clearly the

“significant extra costs and administrative burdens on businesses and public-sector organisations which share data between the UK and the EU”

that would be incurred if we were to lose that data adequacy ruling, which is due to expire in June 2025—so very soon. I do not think I have seen a response from the Government to that letter, so I would be very interested to hear what the Minister has to say on that. Although this Bill is clearly less contentious than its predecessor and the risk is therefore clearly lower, it is not zero risk, and we need to be careful to ensure that there is nothing in the Bill that risks significantly the loss of that ruling.

To that end, I would be grateful if the Minister could explain what assessment the Government have made of the risk of losing the EU data adequacy ruling and, perhaps more importantly, tell us the extent to which the Bill has been discussed with our European counterparts to ensure that there is nothing in it that is concerning them. Clearly, we do not need to and should not follow the letter of the EU data protection rules, but we should at least work with our EU counterparts to ensure that we are not risking the adequacy ruling.

Part 1 deals with so-called smart data. I welcome it but note that it consists mainly of a series of powers to regulate rather than any firm steps, which is a little disappointing. The only current live example of smart data that we have is open banking, which a number of noble Lords have referred to—maybe, one day, we will see a pensions dashboard; who knows? However, open banking has been rather slower to take off than had been hoped. It has been six or seven years since it was first mooted. I urge the Government to carry out a review of why that is, before they start to make the regulations that the Bill proposes around smart data. There are lessons to be learned from open banking, to ensure that what we do with smart data in the future is more successful. The claims that smart data will boost the UK economy by £10 billion over the next 10 years look a little optimistic, especially as the impact assessment from the Department for Business and Trade accompanying the Bill fails to monetise any costs or benefits of the smart data elements. I think that the smart data concept is good but hope that we get it right.

Part 2 of the Bill deals with the digital verification services. Again, on the whole, I am supportive of this. The Bill should improve security of and trust in digital verification. As the noble Lord, Lord Arbuthnot, said, it is not about digital ID cards. However, a number of us raised a concern last time round. There is a danger that this could become a slippery slope towards a situation where people may find themselves compelled to use digital verification services and therefore excluded from accessing services or products if they are not able or willing to use digital verification. The “not willing” part of it is important. Some people are wary of putting detailed identity information online. I am increasingly wary, particularly as a resident of Dumfries and Galloway, where all medical records from NHS Dumfries & Galloway were recently hacked, stuck online for ransomware and probably published. Therefore, I have some sympathy with those who do not fully trust official systems. I am curious to hear what the Minister has to say in response to the comments from the noble Lord, Lord Markham, about increased cyber-security in the public sector, as that is a good example of where it has gone wrong.

I know that there is no intention on the part of the Government at this time to make the use of DVS compulsory, but it is quite easy to see other providers, such as estate agents, financial institutions and, as one noble Lord mentioned, employers, making it a requirement. While supportive, I think we need some protections to ensure that people are not excluded from services by that. I would be interested to hear the Minister’s thoughts.

On Part 5, the House of Lords Select Committee on the Fraud Act 2006 and Digital Fraud heard a number of times that banks and other financial institutions were unwilling to share data for fraud prevention purposes because they felt constrained by data protection rules. I suspect that they were wrong but am very pleased that data processing for the purposes of detecting, investigating or preventing crime is to be expressly included as a legitimate interest. I hope that the Information Commissioner will ensure that it is widely pointed out and that we will start to see greater co-operation between payment providers and the tech and telecoms companies where the vast bulk of frauds originate.

However, on the subject of the legitimate interest changes, I am concerned that the Secretary of State will be able to make changes to matters considered to be legitimate interests by regulation. That is a significant power in terms of data processing and potentially a retrograde step. It could also raise concerns with respect to the EU data adequacy points that I raised earlier. While the EU might be happy with what is currently proposed, the ability to change key aspects could raise alarm bells.

Other noble Lords have talked about automated decision-making, where I am also concerned about the weakening of rights. Currently, automated decision-making is broadly prohibited, with specific exceptions. This Bill would permit it in a wider set of circumstances, with fewer safeguards. In her introduction, the Minister seemed to indicate that the same safeguards would apply. As I understand it, that is the case only where special category data is used. I would be grateful if the Minister could explain whether I have got that wrong. It seems to me to increase the risk of unfair or opaque decisions. The noble Lord, Lord Arbuthnot, talked about the Horizon/Post Office scandal. That should certainly give us pause for thought. The computer does not always get it right. There are myriad examples of AI inventing false information and giving fake answers. It is called “hallucination”. The right to challenge solely automated decisions should be sacrosanct. Why have the Government decided to weaken those safeguards?

Finally, I am pleased to get on to a point that no one else has raised so far, which is an achievement. I note with relief that the abolition of the Biometrics and Surveillance Camera Commissioner has been removed. However, issues remain in these areas. In particular, the previous commissioner has described a lack of an overarching accountability framework around surveillance camera and biometrics usage. Can the Minister explain what the Government’s plans are for the regulation of surveillance camera and biometric use, especially facial recognition and especially as the use of AI expands into that area?

In summary, it is a much better Bill, but there is a lot of work to do.