Digital Economy Bill (Eighth sitting) Debate
Full Debate: Read Full DebateDepartment: Cabinet Office
Louise Haigh
Main Page: Louise Haigh (Labour - Sheffield Heeley)Department Debates - View all Louise Haigh's debates with the Cabinet Office
Digital Economy Bill (Eighth sitting)
Louise Haigh ExcerptsTuesday 25th October 2016
(7 years, 11 months ago)
Public Bill CommitteesRead Full debate Digital Economy Act 2017 View all Digital Economy Act 2017 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 25 October 2016 - (25 Oct 2016)
The Chair
We are catapulted into part 5 of the Bill.
Clause 29
Disclosure of information to improve public service delivery
Louise Haigh (Sheffield, Heeley) (Lab)
I beg to move amendment 98, in clause 29, page 28, line 25, leave out “had regard to” and insert “complied with”.
This amendment provides stronger compliance with the code of practice on the disclosure of information.
The Chair
With this it will be convenient to discuss the following:
Amendment 100, in clause 30, page 29, line 33, leave out “had regard to” and insert “complied with”.
This amendment provides stronger compliance with the code of practice on the disclosure of information.
Amendment 99, in clause 32, page 30, line 13, at end insert—
‘(1A) In determining whether to make regulations under section 29, 30 or 31 the appropriate national authority must ensure that—
(a) the sharing of information authorised by the regulations is minimised to what is strictly necessary,
(b) the conduct authorised by the regulations to achieve the “specified objective” is proportionate to what is sought to be achieved by that conduct,
(c) a Privacy Impact Assessment compliant with the relevant code of practice of the Information Commissioner’s Office has taken place and been made publicly available,
(d) the proposed measures have been subject to public consultation for a minimum of 12 weeks, and responses have been given conscientious consideration.
(1B) As soon as is reasonably practicable after the end of three years beginning with the day on which the regulations come into force, the relevant Minister must review its operation for the purposes of deciding whether these should be amended or repealed.
(1C) Before carrying out the review the relevant Minister must publish the criteria by reference to which that determination will be made.
(1D) In carrying out the review the relevant Minister must consult—
(a) the Information Commissioner, and
(b) open the review to public consultation for a minimum of 12 weeks, and demonstrate that responses have been given conscientious consideration.”
This amendment seeks to reduce the risk of successful legal challenges. Challenges are often made on grounds of privacy and this would amend that to increase privacy safeguards.
Amendment 96, in clause 32, page 30, line 33, at end insert—
‘(3A) A particular person identified in personal information disclosed under sections 29, 30 or 31 is able to request to a specified person under subsection 29(1) that the personal information is modified and corrected if necessary.”
Amendment 95, in clause 32, page 30, line 34, leave out
“(including a body corporate)”
and insert
“, a group of persons, a private company or a publicly traded company irrespective of their size and revenue, but”.
Amendment 105, in clause 35, page 32, line 31, leave out “have regard to” and insert “comply with”.
Louise Haigh
I am very grateful to my hon. Friend the Member for Cardiff West for giving me some much-needed time off. I do not wish to disappoint the Minister by not being as brief as we were earlier, but I am not sorry, because part 5 really does require some further scrutiny. I think the Government know that it was not ready for Committee, not least because they have tabled several dozen amendments to it, but also because the codes of practice were not in good enough shape last week, according to the Information Commissioner, but were published just a few days later—some civil servants were clearly working overtime in the intervening period.
Clause 29 allows specified persons to share data for a specified objective. All national authorities will be enabled to lay regulations through secondary legislation for exactly what those data-sharing arrangements will be and what they will be for. In doing so, this clause lays out that they will be required to ensure the secure handling of information and to have regard to the codes of practice. Our amendments seek to strengthen this and to ensure that anyone involved in the sharing of data under these new powers is in full compliance with the codes of practice that were published last week.
I want to be very clear here: the Opposition do not oppose the Government’s sharing data among themselves to improve policy making and public services, but we must get this absolutely right and we are still a long way away from that, given the state of the current proposals. This is a key point: the public support the sharing of data to better enable the Government to provide services and to better enable the public to make use of those services, but public trust is fragile and has been rocked in recent years by varying degrees of incompetence in managing those data. Before Government Members point out that previous Labour Administrations were just as guilty, I should say that I fully accept that. This is not a political but rather an administrative point, which is why such proposals need to proceed with the utmost caution.
The Information Commissioner produced a very instructive report on this very point, which is extremely important to this part of the Bill, because it demonstrates the circumstances in which the public are happy for their data to be shared. The commonly recurring themes of what the public want regarding data could not be clearer: they want control over their data; they want to know what organisations are doing with those data; and they want to understand the different purposes and benefits of sharing their data. In that context, 63% of people agreed that they had lost control over the way in which their data are being used. This demonstrates that if there is to be sharing of data, which we support, there must be very clearly defined safeguards based on consent and transparency.
This part of the Bill gives considerable powers to Government to share data, but there are essentially no safeguards built in to ensure privacy, data protection, proportionality and a whole host of other principles that should sit alongside data sharing. It is vital that these reforms go ahead and we are completely in favour of effective data sharing across Government to achieve public sector efficiencies, value for money, improved public sector services, take-up of benefits for the most vulnerable, such as the warm home discount or free school meals, and, most importantly, an improved experience for those who use public services.
The Minister for Digital and Culture claimed in an evidence session that the safeguards are in the Bill, but that is simply not the case. I would be grateful if the Parliamentary Secretary, Cabinet Office outlined what safeguards he thinks there are. As I, a relatively amateur observer, as well as those who are much more expert in the matter read it, the safeguards are to be added at a later date, written up by the Government and consulted on with people whom the Government deem fit to consult. Furthermore, there is absolutely nothing the public sector does that is not covered by the clause. I would be grateful, therefore, if the Minister gave give us a single example that that—I quote from the clause—for the purposes of
“the improvement of the well-being of individuals or households”,
or of improving
“the contribution made by them to society”,
would not deliver.
Calum Kerr
It is good to see the shadow Minister back in her place. She is making an excellent start to this section of the debate, pulling out many of the key issues. I am afraid that the ministerial team might not like the scrutiny that the process is supposed to provide—and essentially does. The point about transparency is critical and there is a confidential submission that points out that transparency does not prevent people from doing anything; it simply requires them to be accountable for what they do. We have recently seen the case of HMRC outsourcing to Concentrix the ability to collect tax credits. Data from another source were used, and we all know the damage that can be done when that is not done well.
Louise Haigh
I am grateful for that intervention. I am very aware of the Concentrix case and will come on to it shortly.
On the inclusion of non-public sector authorities and the Government’s intention to strictly define the circumstances and purposes under which data sharing with such organisations will be allowed, their statement of intent was clear. However, only one paragraph in the 101-page draft code mentions non-public sector organisations. That paragraph says that an assessment should be made of any conflicts of interest that the non-public authority may have but it does not give any examples of what those conflicts of interest might look like, so perhaps the Minister will elaborate on that when he responds. It states that a data-sharing agreement should identify whether any unintended risks are involved in disclosing data to the organisation—the risk regarding Concentrix was just highlighted—but the code of practice does not list any examples or set out how specified persons might go about ascertaining those. It also states that non-public authorities can only participate in a data-sharing agreement once their sponsoring public authority has assessed their systems and procedures to be appropriate for the secure handling of data, but it does not give any sense of what conditions they will be measured against or how officials should assess them.
That is not the kind of reassurance that was provided in the Government’s consultation response. Given that these are draft codes, I hope the Minister will take what I have said away and improve them, not least because of the recent scandal relating to the US multinational company, Concentrix, which was contracted by HMRC to investigate tax credit error and fraud. Concentrix sent letters to individuals—mostly working single mothers across the country receiving tax credits—in what was essentially a large-scale phishing exercise. Not only did it get things catastrophically wrong by cancelling benefits that it should not have cancelled and leaving working mothers destitute over many weeks and months in some cases, but it performed serious data breaches in sending multiple letters to the wrong individuals and disclosing personal information.
We have made it very clear that the Bill could have done with considerably more work before it was brought before the House. I understand that the civil servant who wrote part 5 has now left, or is in the verge of leaving, the employ of the civil service, so there is even more reason for us to work cross party and with expert organisations on improving the proposals.
As I have said, public trust in Government handling of data is not strong. Unfortunately, the public have not been given any reason to put their concerns to rest. The recent National Audit Office report, “Protecting information across government”, revealed the prevalence of weak controls on the protection and management of personal information in Government. Any continuation of the existing poor information management identified by the NAO, or the further weakening of cyber-security and data protection implied by part 5, is likely to have negative economic and social impacts.
As the Information Commissioner’s Office commented:
“It is important that any provisions that may increase data sharing inspire confidence in those who will be affected. Our research shows that the public are concerned about who their data is shared with and reflects concerns that they have lost control over how their information is used. Even apparently well-meaning sharing of data such as GP patient records for research purposes can arouse strong opinions.”
This is an important time to strengthen cyber-security and the minimisation and protection of data, which is why it is so important to get this part of the Bill right. A huge prize is on offer, but this has the potential of going the way of the care.data scandal. Frankly, it is astonishing that neither Ministers nor civil servants have learnt their lessons from that very regrettable episode, because there was absolutely nothing wrong with the principle of care.data either; it attempted to achieve exactly the kind of aims as the Bill’s reforms.
The idea was to create a database of medical records showing how individuals have been cared for across the GP and hospital sectors. Researchers believed that the information would be vital in helping them to develop new treatments as well as assessing the performance of NHS services. The records would be pseudo-anonymised, meaning that the identifiable data would be taken out. Indeed, they would just contain the patient’s age range, gender and the area they lived in. However, researchers could apply for the safeguards to be lifted in exceptional circumstances, such as during an epidemic. That would have needed the Health Secretary’s permission.
The concept had the backing of almost the entire medical community, many charities and some of the most influential patient groups. The UK’s leading doctors told us how access to so many NHS records would help them to understand the causes of disease, quickly spot the side effects of new drugs and detect outbreaks of infectious diseases.
The problem with care.data was that the advantages and the principles upon which the data would be shared were simply not communicated by the Government or by NHS England, and so it attracted the criticism of bodies as disparate as the British Medical Association, the privacy campaign group Big Brother Watch and the Association of Medical Research Charities. Such was the botched handling of the publicity surrounding care.data that, by April 2014, the launch was aborted. However, it emerged the following June that nearly 1 million people who had opted out of the database were still having their confidential medical data shared with third parties, because the Health and Social Care Information Centre had not processed their requests.
A review by the National Data Guardian, Dame Fiona Caldicott, found that care.data had caused the NHS to lose the trust of patients, and recommended a rethink. That prompted the then Life Sciences Minister, the hon. Member for Mid Norfolk (George Freeman), to announce that the scheme was being scrapped altogether, even though £7.5 million had already been spent on constructing a database, printing leaflets, setting up a patient information helpline and researching public attitudes to data sharing.
The Caldicott review established a set of Caldicott principles, with the primary one being that the public as well as the professionals should be involved in data-sharing arrangements. Dame Fiona Caldicott proposed a simple model that gives people the option to opt out of any of their information being used for purposes beyond care. She said:
“We made it slightly more complicated by saying it was worth putting to the public the choice of having two separate groups of information to opt out of – [those being] research and information used for running the health service. If you put all of the possible uses of data currently in the system together and asked people to opt in or out of that, it’s actually asking them to make a choice about a very big collection of information. [People] may want to have the possibility of saying, ‘Yes, I’d like my data to be used for the possibility of research, but I don’t want it to be used for running the health service’.”
She also made it very clear that the benefits of data sharing and what it means need to be communicated clearly to the public, as there is a lot of confusion around how the data are shared.
Absolutely nothing has changed since that disaster and the subsequent review, so it is concerning not to see those basic principles included in the Bill. I am interested to hear the Minister’s response to those principles laid out by the National Data Guardian. The public need to be able to trust organisations that handle their data and they need to retain control over those data. Both those things are essential to build confidence and encourage participation in the digital economy. The principles have been debated over the past several years at the European level, and we should be told here and now—today—whether the Government intend to implement the EU’s General Data Protection Regulation. If they are, why is the Bill not compliant with it?
The new EU GDPR and the law enforcement directive were adopted in May and will take effect from May 2018. The GDPR includes stronger provisions on: processing only the minimum data needed; consent; requirements on clear privacy notices; explicit requirements for data protection by design and by default; and on carrying out data protection impact assessments.
Although the Government’s arrangements for exiting the European Union have yet to be decided, it seems likely that the GDPR will take effect before the UK leaves, so the Government will have to introduce national level derogations prior to its implementation. If that is the case, there will have to be a thorough consideration of the impact of the new legal framework on all aspects of the Bill affecting data sharing, including implementation arrangements. Indeed, as the Information Commissioner said when giving evidence to the Committee two weeks ago:
“There may be some challenges between the provisions and the GDPR… There would ?be a need to carefully review the provisions of this Bill against the GDPR to ensure that individuals could have the right to be forgotten, for example, so that they could ask for the deletion of certain types of data, as long as that was not integral to a service.”––[Official Report, Digital Economy Public Bill Committee, 13 October 2016; c. 112-13, Q256.]
The GDPR states that data are lawfully processed only if consent has been given by the individual, which is completely lacking in this section of the Bill. It also gives data subjects that right to withdraw consent at any time:
“It shall be as easy to withdraw as to give consent.”
Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased or no longer used for processing.
The Chair
Order. May I gently assist the hon. Lady by saying that I am not sure she has referred to her amendments much yet? She is making an excellent clause stand part speech. This will certainly now be the clause stand part debate, but it might help the Committee if she came on to her amendments as soon as possible.
Louise Haigh
Of course. Thank you very much, Mr Streeter.
Our amendments would ensure that the codes of practice, which have been vastly improved over the past week, are statutory. It is important that the principles and safeguards outlined so far are included and are statutory. That is what I have been alluding to so far in my speech. It seems pointless for civil servants to have put all this work into the codes for them merely to be regarded, rather than statutorily complied with. The codes must be improved further, and we hope that Ministers and officials will work with the industry and organisations to do just that, but we want to see them referenced properly in the legislation and properly complied with. Anything less means that the powers enabled in the clause dwarf any safeguards or checks included in the codes.
Amendment 99, in my name and that of my hon. Friend the Member for Cardiff West, would help to build trust in the Government’s data-sharing provisions—trust that has been rocked over a number of years. That trust is absolutely essential if this extension of the Government’s data-sharing powers is to be effective. It is worth noting again that the draft regulations allow a significant extension of data-sharing powers with a significant number of Departments. That extension is rightly set within defined and strict criteria, but some of the definitions contained within those criteria are at best vague.
Subsection (8) of clause 29 allows for the sharing of data if it is of defined “benefit” to the individual or households. Subsection (9) allows for the sharing of data if it
“has as its purpose the improvement of the well-being of individuals or households.”
While the extension is ostensibly for tightly defined reasons, those reasons are in fact so broad that they could refer to anything at all.
We again come back to the point about public trust. The public want to know why their data are being shared and that it is strictly necessary. Amendment 99 would help build that trust by ensuring that, under clauses 29, 30 and 31,
“the sharing of information authorised by the regulations is minimised to what is strictly necessary…the conduct authorised by the regulations to achieve the “specified objective” is proportionate…”
and that
“a Privacy Impact Assessment…has taken place”.
The amendment would require the Minister to establish a review that consults the Information Commissioner and the public on the effectiveness of the measures. The amendment would require the Minister, after a three-year period, to review the operation of these provisions to decide whether they should be amended or repealed.
A similar measure is included in the Bill in the provisions relating to data sharing for the purposes of the collection of public debt, so it is puzzling that it is not included in this part, too, as these provisions are so much broader and just as risky, if not riskier. Individuals are right to be anxious about their sensitive data being shared. The amendment would allow for the public to be reassured that their data are being handled within the strictest confines.
Amendment 96 would give individuals a right to access and correct their own data. Empowering citizens to have access to and control over their own personal data and how they are used would clearly help improve data quality. Citizens could see, correct and maintain their own records. Data need to work for people and society. Citizens need to be actively engaged in how their data are secured, accessed and used. Again, that needs to be put on the face of the Bill.
Part 5 does not make clear how proposals to data share comply with the Government policy of citizens’ data being under their own control, as set out in paragraph 3 of the UK Government’s technology code of practice. Indeed, the proposals appear to weaken citizens’ control over their personal data in order for public bodies and other organisations to share their data. Weakening controls on the protection of their data is likely to undermine trust in the Government and make citizens less willing to share their data, challenging the move towards digital government and eroding the data insights needed to better inform policy making and related statistical analysis. That type of organisation-centred, rather than citizen-centred, approach characterised the failure of the top-down imposition of care.data in the NHS. That is why we tabled these amendments.
The Parliamentary Secretary, Cabinet Office (Chris Skidmore)
It is an honour to serve under your chairmanship, Mr Streeter, and to be standing here making my Committee debut. The hon. Member for Sheffield, Heeley is obviously new to the business as well, and I hope to follow her example. She has been gracious and proportionate in holding the Government to account. I hope we can have a full and frank exchange—hopefully, a rapid one—as we move through part 5.
The Government share information every day. Like every organisation, we rely on information to deliver the support and services that everybody relies on. These proposals will not do anything radical. They are simple measures designed to provide legal clarity in uncontroversial areas. The hon. Lady said that the Bill’s objectives are too broad, but I am afraid I disagree. We have made available draft regulations that set out three clear objectives, which are constrained and meet the criteria. I believe it is possible to strike a balance between the regulations and the evidence to set out specific objectives on identifying individuals and households that have multiple disadvantages, improving fuel poverty schemes and helping citizens retune their televisions when the broadcasting frequency is changed in a couple of years’ time.
The hon. Lady mentioned some specific examples. I want to turn to the fuel poverty schemes. When we look at those several years down the line, I genuinely believe that we will be proud to have sat here and legislated in a Committee that introduced data-sharing measures that enable, for instance, a significant number of vulnerable people to benefit from the warm home discount scheme. At the moment, about 15% of warm home discount scheme recipients are classed as fuel poor, according to the Government’s definition. By utilising Government-held data on property characteristics to benefit the recipients, we estimate that that figure could be at least tripled. That could mean that an additional 750,000 fuel poor households receive a £140 rebate off their electricity bill each year.
We know that some vulnerable households miss out on the warm home discount because they need to apply and they either do not know the scheme exists or, for one reason or another, are unable to complete an application. Our proposed changes could result in the majority of the 2.1 million recipients receiving the rebate automatically. It will come straight off their energy bills without the need to apply. That is simply an extension of the data-sharing measures that already exist in the Pensions Act 2014 for pension credit. It is evolution, not revolution.
That example clearly sets out how we will require data to be shared among Government organisations and for there to be a flag to suppliers of eligible customers. In that instance, we will require the suppliers to use data only to support customers. Each objective will require a business case setting out the purpose and participants, which will be approved by Ministers and subject to parliamentary scrutiny.
I note that we are debating clause 29 stand part as well as the amendments, so after talking generally about part 5, let me move on to the clause. I believe that these powers do not erode citizens’ privacy rights. They will operate within the existing data protection framework. The new powers explicitly provide that information cannot be disclosed if it contravenes the Data Protection Act 1998 or part 1 of the Regulation of Investigatory Powers Act 2000. Further, they are carefully constrained to allow information to be shared only for specified purposes and in accordance with the 1998 Act’s privacy principles.
The new codes of practice, which the hon. Lady mentioned—I have been assured that they are on the parliamentary website—have been developed to provide guidance to officials in sharing information under the new powers in respect to public service delivery, fraud and debt, civil registration, research and statistics. The codes are consistent with the Information Commissioner’s data sharing code of practice. Transparency and fairness are at the heart of the guidance. Privacy impact assessments will need to be published, and privacy notices issued, to ensure that citizens’ data are held transparently. I was delighted that the Information Commissioner wrote to the Committee on 19 October saying:
“Transparency is key to building people’s trust and confidence in the government’s use of their data. I am pleased to see that further safeguards such as references in some of the codes to the mandatory implementation and publication of privacy impact assessments (PIAs), and reference to my privacy notices code of practice, have been highlighted in the Bill’s codes of practice.”
Louise Haigh
The Information Commissioner also said that she wanted the privacy impact notices to be included in the Bill, and the codes to be explicitly subordinate to her code on data-sharing practices. Will the Minister confirm that those codes are indeed subordinate? Will he also explain why the codes are not included in the Bill if they are so central to the process?
Chris Skidmore
I will come to the second point later. On the Information Commissioner’s desire to include privacy impact assessments, it is clear to me from her letter that she is now content with the situation as it stands:
“I am content that the codes all now reference and better align with the guidance on sharing personal data set out in our statutory code and include effective safeguards to protect people’s information.”
Louise Haigh
The Information Commissioner was referring to the codes being improved since she gave evidence to the Committee. Later in that letter, which I think the Minister has in his hand, she goes on to say that she stands by the other evidence, both the oral evidence that she gave the Committee and her written evidence, which included her view that privacy impact notices should be in the Bill.
Chris Skidmore
The Information Commissioner also mentions that, on privacy impact assessments and with reference to her privacy notices code of practice:
“This will build in transparency at two levels:—”
in the current situation—
“greater accountability through the publication of PIAs and timely and clear information for individuals so they can understand what is going to happen to their data.”
The Government remain committed to working with the Information Commissioner’s Office. When it came to the evidence sessions, I was aware of the fact that we had a long process discussion around the codes of practice and when their publication dates were due. It was very important for me, as a Minister, to ensure that we had the confidence of the ICO going forward and that we could publish those draft codes. We will continue those conversations.
When looking at putting the codes or privacy impact assessments in the Bill, it comes back to the key point of being able to continue that conversation when it comes to a transformational technology that we may not even know exists at the moment and that may radically change our ability to look at how we data share. At the moment we are looking at specified portals through which we will data share for the benefit of the most vulnerable in society, but there may be a new technology that allows the Government to expand our scope. If that new technology comes into being and we write the codes and privacy impact assessments into the Bill, we will have the chilling effect of ossifying the practice; it will impact on our ability to adapt and to be able to look at new technology, to move fast and to realise the opportunities that we may have to data share for the benefit of the most vulnerable in society.
Louise Haigh
I completely agree that we should not tie ourselves down in the Bill, particularly to technology. It came through loud and clear from the evidence sessions that part 5 seems to tie us to a very outdated approach to data sharing. It does not talk about data access; we heard that an awful lot in the evidence sessions. The Bill goes against the Minister’s own guidance on that. We should look not at bulk sharing, which takes us back to when we had filing cabinets or were sending across spreadsheets and databases on USB sticks, but at using application programming interfaces and canonical datasets, on which the Cabinet Office is leading the way. I would appreciate it if the Minister commented on that.
Chris Skidmore
The hon. Lady highlights the argument I am trying to make, which is that the data-sharing measures in the Bill are proportionate, constrained and there to ensure that we can bring public confidence with us, which she mentioned. That is why we have highlighted specific portals through which we will be able to share Government information across Departments. In future, there will be secondary legislation powers to review and expand that, but there will be a whole process for which we need scrutiny.
That is why the Bill is so important: by highlighting how we can help those most in need and how, when it comes to data and consent, some people are in circumstances, by virtue of being in deprived communities or particularly vulnerable, of not knowing that they can benefit from their data being shared. It is the Government’s responsibility to act in this particular area to ensure that data are shared for the benefit of the most vulnerable. That is why the Bill is designed as it is. We have the secondary regulations in place, limited as they are at the moment, going through impact assessments and everything that we need to ensure that we have a proportionate response to sharing data.
I fully appreciate what the hon. Lady said but I hope that she will accept that the Government have pulled out all the stops to ensure that we can take public confidence with us. That is why, for instance, under clause 33, new criminal sanctions have been developed to protect information shared under the new powers in respect of public service delivery, fraud, debt and research, so those convicted of offences could face a maximum penalty of up to two years imprisonment for illegal data sharing, a heavy fine or both.
No statutory restrictions that currently exist on sharing of data, such as in the Adoption and Children Act 2002, will be affected by these data measures. When it comes to audits, which the hon. Lady mentioned, data-sharing agreements entered into under the power will set out a governance structure of how audits will take place. This structure will oversee the arrangement and what participating bodies are required to do under data sharing. The Information Commissioner’s Office also has a general power to conduct audits, including compulsory audits of Departments and organisations to check that they are complying with the law in relation to the handling of personal information. All bodies are required to comply with the ICO’s request for assistance so that it can determine whether data have been processed lawfully in data-sharing arrangements. The ICO can pursue criminal proceedings where necessary.
Louise Haigh
Will the Minister confirm that every Department that undergoes a data-sharing arrangement will complete a full audit of all data-sharing arrangements in that Department? Will that be available under the Freedom of Information Act?
Chris Skidmore
On the individual point of audit, I will have to write to the hon. Lady. I will further consider her amendments and speak about them when we discuss three-year reviews. I want to ensure that bodies sharing information under the public service delivery power, for instance, strictly observe and follow codes of practice. Although I welcome the intention of the amendments, I think they are unnecessary. The Bill sets out the key conditions for disclosing and using information, including what can be shared by whom and for what purposes. We followed the common approach taken by the Government to set out details of how data are shared in the code of practice.
I want to return to the hon. Lady’s question of whether we use “have regard to” or “comply with”. The wording, “have regard to” already follows common practice in legislation, as illustrated in section 25 of the Immigration Act 2016 and section 77 of the Children and Families Act 2014. As the power covers a range of public authorities and devolved territories we want the flexibility that I mentioned about how the powers are to be operated, so that we can learn what works and adapt the code as necessary. To put it into the Bill, as I mentioned, would hamper that ability to adapt for future purposes. If bodies fail to adhere to the code, the Minister will make regulations that remove their ability to share information under that power, as is indicated, indeed, in part 11 of the code of practice, which states:
“Government departments will expect public authorities wishing to participate in a data sharing arrangement to agree to adhere to the code before data is shared. Failure to have regard to the Code may result in your public authority or organisation being removed from the relevant regulations and losing the ability to disclose, receive and use information under the powers”.
Amendment 106 requires the Minister to run a public consultation for a minimum of 12 weeks before issuing or reissuing a code of practice. The code of practice is essentially a technical document that sets out procedures and best practice with guidance produced by the ICO and Her Majesty’s Government. Clause 35 requires the Minister to consult the Information Commissioner and other persons, as the Minister thinks appropriate. I think that that strikes a good balance. Indeed, as I mentioned, we have been working closely with the ICO to ensure that there is confidence in the codes and the Information Commissioner states:
“I am pleased to report that significant progress has been made since my evidence session and I am content that my main concerns about the codes have now been addressed”.
I think it is very important to put that on record.
Chris Skidmore
To respond to the hon. Gentleman on his specific point, we will update the lists of bodies able to share information of the public service delivery power, and the PSD power allows for new objectives to be added by regulations if they meet the conditions specified in primary legislation. So the issue of the pupil premium, which he mentioned, may be one of the many worthy purposes for which new objectives could be created.
I would like also to draw the hon. Gentleman’s attention to the disclosure of information in the draft regulations, which I hope will reassure him. Paragraphs 21 and 22 of schedule 1 to the Bill refer to the organisations that will be sharing data, or that will be permitted to do so once they have applied to do so, including the county councils of England, the district councils in England and even the council of the Isles of Scilly. We recognise that there is that local government fracture that he mentioned and we hope that when it comes to data-sharing measures we will be able to heal that.
Louise Haigh
It was disappointing not to hear the Minister mention the General Data Protection Regulation and explain why this legislation has not been written in compliance with it, or my points about non-public sector authorities. I hope that he can return to those issues later in his remarks.
On the point about the Information Commissioner, in her evidence she supported statutory codes of practice. She also recommended that Parliament should review all aspects of data-sharing, and not just the clauses relating to fraud, after an appropriate time, which is what informed our amendment.
As our amendment says, we would also like the codes to make it clear that good cyber-security practice should not be about data sharing and that it should be about leaving the data with their original owner. I hope that the Minister will return to those issues when he comments on later stages of the Bill.
With that in mind, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Clause 29 ordered to stand part of the Bill.
Clause 30
Disclosure of information to gas and electricity suppliers
Chris Skidmore
I beg to move Government amendment 108, in clause 30, page 29, line 21, at end insert “, or
() the making of grants (by any person) under section 15 of the Social Security Act 1990 in accordance with regulations under that section made by the Scottish Ministers or the Welsh Ministers.”
This amendment enables information to be disclosed by a specified person to a licensed gas or electricity supplier for the purposes of a scheme in Scotland or Wales for the payments of grants to improve energy efficiency under section 15 of the Social Security Act 1990.
This clause enables the person specified in regulations to disclose information to gas and electricity suppliers. The disclosure must be for the purpose of reducing energy costs, or improving energy efficiency or the health or financial wellbeing of those living in fuel poverty, and it must be disclosed for use in connection with one of the fuel poverty support schemes listed in the clause.
The schemes referenced are the warm home discount scheme and the energy company obligation. Although the territorial extent of both these schemes is GB-wide, fuel poverty itself is a devolved matter. Officials in the devolved Administrations, including Labour-run Wales, have asked for Scottish and Welsh fuel poverty schemes to be included in the provisions of the clause. That is because there are grant schemes that fall under section 15 of the Social Security Act 1990 that address fuel poverty in Scotland and Wales. Those schemes would also benefit from the ability to share information between public authorities, and with gas and electricity suppliers, for the provision of assistance to fuel-poor households. The schemes are Nest and Arbed in Wales, and Scotland’s home energy efficiency programme. They help to reduce energy costs, or to improve energy efficiency or the health and financial wellbeing of people living in fuel poverty. The same safeguards will be in place as for all data disclosed under the clause—that is, data can only be disclosed by persons specified in regulations and for the specific purposes identified in the clause. All persons involved in a data-share must have regard to the code of practice.
The inclusion of these grant schemes will strengthen the ability to deliver better targeted, cost-effective fuel poverty schemes in Wales and Scotland.
Amendment 108 agreed to.
Question proposed, That the clause stand part of the Bill.
Louise Haigh
May I welcome the Minister to his position? It was remiss of me not to do so earlier; he is the model of a patient Minister and very polite with it, too.
As with clause 29, we very much support the objective behind the proposals in clause 30—to identify the individuals most in need of warm home funding and any other grant or benefit that will alleviate fuel poverty. As we heard from Citizens Advice, energy firms have found it difficult to establish whether people are entitled to funding, so people who should get the help do not get it. Sharing the data should smooth that process. We know that fuel poverty is a significant contributor to debt. StepChange said that about 10% of its clients would be within the old definition of fuel poverty—they spend more than 10% of their income on fuel—and it has seen the number of people in gas and electricity arrears rise sharply from where things were in 2010.
However, there are concerns about disclosing personal data to gas and electricity suppliers, again with no detail on what personal information might be disclosed or how. There is none of the legal or technical detail essential to ensure data security, the ethical use of data and the necessary trust framework essential to protect the rights, privacy and security of citizens. The same problems plague the rest of part 5, not least that the general data protection regulation explicitly bans the use of data to monitor the behaviour of people in a way that could be seen as profiling, so we would appreciate the Minister’s comments on that point.
As we have seen, the warm home discount can work well, but it must be set within strict safeguards. The initial legislation was introduced to allow data sharing to be carried out, and we know that the Department of Energy and Climate Change was extremely careful with the idea, and concerned about public perceptions about trust and private sector companies’ use of data. There was a great deal of anxiety about the public view when the proposal was put as a theoretical proposition. The public are not convinced about the sharing of data with private companies—let alone between Departments—and particularly with private providers such as energy companies who have a potential commercial stake in the data.
That is why the warm home scheme currently works through data from the DWP and energy suppliers going to a third party, which crunches the data to identify the matches. The energy suppliers are then sent onward a list of their eligible customers and the data are deleted from the third party’s computers. The data are not held on any computers; that provides an appropriate safeguard for all individuals concerned. That is critical to alleviating concerns about the sharing of personal information.
At present, therefore, companies with no public accountability learn nothing of any commercial value to their activities, which is a crucial point. The sharing of data cannot be done if there is a company with a potential conflict of interest. However, clause 30 allows for the disclosure of information to gas and electricity suppliers to help people living in fuel poverty and within other tightly defined criteria. Although the clause is clear that data may be used only for the purposes intended, unease will remain about why, in this instance, the Government have allowed personal information to be shared with electricity suppliers rather than with a third-party trusted provider.
There will be a serious concern that electricity and gas suppliers are being passed information whose content could present a potential conflict of interest. Nobody is suggesting that the electricity or gas suppliers would do anything in breach of their obligations, but the risk is certainly there. That was the basis behind the creation of a third-party supplier in relation to the warm home scheme.
We therefore welcome the creation of an offence for passing on any of this information and we welcome the maximum sentence of two years. It provides a clear steer from Government on the sensitivity of the data, yet clearly we would prefer that the disclosure would not happen directly at all.
Chris Skidmore
These Government amendments concern sanctions for unlawful disclosure and the disclosure and use of data to prevent and detect crime or prevent antisocial behaviour. A person receiving personal information under the public service delivery, debt, fraud and research powers cannot disclose that personal information unless it is for one of the exceptional reasons listed in the Bill, such as preventing loss of life or for national security. Technical amendments will ensure that it is clear that the list of exceptional reasons includes the prevention or detection of crime, or the prevention of antisocial behaviour.
The Bill provides that any person who contravenes the prohibition on further disclosure is guilty of an offence, which carries a penalty of imprisonment, a fine, or both. The introduction of criminal sanctions shows how seriously we take our responsibility to protect personal information, and we consider that it represents a key safeguard to accompany the new powers. It is imperative that individuals handling personal information under the powers take great care in handling that information.
We do not think that mistakes when handling personal data are acceptable, but we do not want to criminalise honest mistakes. The current drafting is slightly overzealous, so amendments 117, 128, 139 and 158 ensure that criminal liability arises only where there has been intent to disclose information. In circumstances involving disclosures made in error, we consider that other sanctions would be more appropriate, such as those set out in the Data Protection Act 1998 or internal disciplinary action.
The remaining amendments are minor technical amendments to ensure that information received under the powers can be shared to assist legal proceedings or criminal investigations outside the United Kingdom where necessary, while maintaining consistency across our clauses and aligning with other similar provisions in other legislation.
Louise Haigh
These Government amendments are technical and seem absolutely fine, apart from the provision to prevent antisocial behaviour. It is not clear to me why the disclosure would be necessary for the purposes of antisocial behaviour as defined under Anti-social Behaviour, Crime and Policing Act 2014. Can the Minister provide a clearer explanation of why any data that are ostensibly there to be shared for the purposes of alleviating fuel poverty and managing public sector debts would be used to prevent antisocial behaviour? Does that point to the concern I expressed earlier about the provisions leading to a broader scope for the use of information?
Chris Skidmore
The exemption has been included to ensure that if information received under the powers points to possible antisocial behaviour, it can be shared. That is intended to avoid any risk that by failing to refer explicitly to antisocial behaviour we cause ambiguity about whether certain information on antisocial behaviour can be shared. That ambiguity would have a chilling effect on multi-agency responses to antisocial behaviour, thereby undermining one of the key purposes of the 2014 Act.
Louise Haigh
Can the Minister give an example of how data relating to fuel poverty shared between a Government agency and a gas and electricity company could possibly relate to antisocial behaviour?
Chris Skidmore
We are talking about public service delivery powers, which do not just cover the warm home discount, attractive though that is. I know that all members of the Committee will be grateful, when this legislation goes through, to go back to their constituents and talk about being on this Bill Committee and how they delivered savings for millions of pensioners, but there are other key aspects of the Bill in relation to the troubled families programme and those living in communities blighted by antisocial behaviour. Data sharing around those programmes could create data matches that point to antisocial behaviour taking place or flag that up. We have a public duty to ensure that we have that power so that we can protect those vulnerable people whose lives are blighted in communities affected by particular types of antisocial behaviour.
Amendment 109 agreed to.
Amendments made: 110, in clause 32, page 30, line 19, leave out
“(whether or not in the United Kingdom)”.
This amendment removes the provision stating that a criminal investigation for the purposes of clause 32(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to a criminal investigation covers an investigation overseas in any event.
Amendment 111, in clause 32, page 30, line 21, leave out
“and whether or not in the United Kingdom”.
This amendment removes the provision stating that legal proceedings for the purposes of clause 32(2) may be within or outside the United Kingdom. This is for consistency and on the basis that a reference to legal proceedings covers proceedings overseas in any event.
Amendment 112, in clause 32, page 30, line 28, at end insert—
“( ) In subsection (2)(ba) “anti-social behaviour” has the same meaning as in Part 1 of the Anti-social Behaviour, Crime and Policing Act 2014 (see section 2 of that Act).”—(Chris Skidmore.)
See the explanatory statement for amendment 109.
Clause 32, as amended, ordered to stand part of the Bill.
Clause 33
Confidentiality of personal information
Louise Haigh
I beg to move amendment 101, in clause 33, page 31, line 19, leave out “or permitted”.
The Chair
With this it will be convenient to discuss the following:
Amendment 102, in clause 33, page 31, line 25, leave out “made” and insert “necessary”.
This amendment and amendments 103 and 104 seek to place a stricter requirement to reduce the risk of non-compliance with data protection.
Amendment 103, in clause 33, page 31, line 27, leave out “made” and insert “necessary”.
See the explanatory statement for amendment 102.
Amendment 104, in clause 33, page 31, line 30, leave out “made” and insert “necessary”.
See the explanatory statement for amendment 103.
Louise Haigh
The amendments would restrict the onward disclosure of data. As we know, the public value their data, and the amendments would place a higher test on onward disclosure.
It is important that data disclosures of information as sensitive as we have been discussing are appropriately considered; they must not simply be nodded through. Introducing a principle of necessity would mean that organisations have to make a case, rather than merely tick a box. Crucially, that would help to make the Bill more consistent with existing data protection. As the Information Commissioner’s data sharing code of practice clearly states:
“You should employ ‘need to know’ principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This should also address any necessary restrictions on onward sharing of data with third parties.”
The ICO’s data sharing code of practice could not be any clearer. It is designed to protect an individual’s data and to prevent any onward disclosure to the organisations that have access to those data.
The Data Protection Act is also framed in terms of necessity. The ICO’s code of practice states:
“The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract)…The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident…The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.”
The amendments, which would insert the word “necessary”, ask a simple question: why are the exemptions in the Data Protection Act set aside when there is disclosure of confidential personal data for certain public interest purposes? That is already clearly well established. For example, in the context of policing, section 29(3) of the Data Protection Act states that:
“Personal data are exempt from the non-disclosure provisions in any case in which”
the disclosure is for any of the purposes of a criminal investigation, and failure to disclose
“would be likely to prejudice”
that investigation. One element of the application of that exemption from the non-disclosure provisions has the effect of excluding the lawfulness of the disclosure. It therefore protects the disclosing body from action for breach of confidence.
To disclose under the Data Protection Act, there has to be prejudice to an investigation before a disclosure of personal data can occur. Clause 33(2)(e) refers to disclosures
“made for the purposes of a criminal investigation”,
with no test of prejudice. The advantage of the amendments is that they would bring in the word “necessary”. That minor shift would at least ensure that the disclosure of personal data is proportionate.
Similarly, section 35(2) of the Data Protection Act permits disclosure of personal data for legal proceedings without risk of the disclosing party being subject to an action for breach of confidence if the disclosure of personal data
“is necessary… for the purpose of, or in connection with, any legal proceeding”.
In contrast, clause 33(2)(f) does not include the word “necessary” and reduces the threshold of disclosure to one that could facilitate speculative disclosures that could not be made under the Data Protection Act. We would be grateful if the Minister explained why the necessity is removed and why the DPA provisions are not sufficient when personal data are disclosed, but only when it is necessary in connection with any legal proceedings. The amendments would align disclosure with the provisions of the DPA.
The changes to clause 33(2)(h)(i) to (iv) are proposed to make it clear why the DPA is insufficient. Schedule 2(4) permits disclosure of personal data if it
“is necessary in order to protect the vital interests of the data subject.”
Schedule 2(5)(b) allows disclosure that is necessary
“for the exercise of any functions conferred on any person by or under any enactment”.
Can the Minister describe what disclosures of personal data do not fall within those two provisions? The amendments insert the word “necessary” and simply align the disclosure with the Data Protection Act.
Louise Haigh
I am concerned about why the Minister thinks the amendments will provide confusion; they will actually bring the clause into alignment with the Data Protection Act 1998—currently, large swathes of the Bill are not. Personal information is not defined as in the Data Protection Act, and nor are other clauses in this part. With your leave, Mr Streeter, I will test the will of the Committee.
Question put, That the amendment be made.
Chris Skidmore
These are minor and technical amendments to clauses on the code of practice and statements of principles that will be issued under part 5 of the Bill. The amendments will require that the code of practice be consistent with the data sharing code of practice issued by the Information Commissioner under the Data Protection Act 1998, ensuring greater clarity for practitioners and increased transparency for citizens about the relationship between the provisions in the Bill and the DPA. The amendments have been tabled with our conversations with the ICO in mind; we have the Information Commissioner’s confidence that the codes are right. I commend the amendments to the Committee.
Amendment 118 agreed to.
Louise Haigh
I beg to move amendment 106, in clause 35, page 32, line 42, at end insert—
“(ea) the public for a minimum of 12 weeks, and the relevant Minister, must demonstrate that responses have been given conscientious consideration, and”.
The amendment relates simply to the fact that the Opposition would like a full public consultation on the draft codes of practice. A much better version has been put before the Committee, and I understand that it is now on the parliamentary website, but we would like a proper consultation period, not just a consultation with whomever the Government see fit to consult.
Chris Skidmore
Amendment 106 would introduce a requirement for the Minister to publicly consult for a minimum of 12 weeks before issuing or reissuing the code of practice under clause 35.
Many details of the code of practice are drawn from the ICO data sharing code of practice. Others were drawn from two years of open policy making with civil society and other groups. We have just discussed a Government amendment intended to ensure that our codes will be consistent with the ICO’s data sharing code of practice. On that basis, we see no need for a compulsory public consultation before issuing the code, and even less need to make it a requirement in respect of any reissue. Some future changes to the code may be minor. We do not see a need to run a public consultation in those instances—indeed, to do so would be disproportionate in a great number of such cases.
Clause 35 requires that the Minister consult the Information Commissioner and other persons as the Minister thinks appropriate. Those other persons will include civil society groups and experts from the data and technology areas. We will run a full public consultation when a significant revision is expected, such as before the EU data protection regulation comes into effect, which I believe will be in May 2018. The clause as drafted provides the flexibility required. On that basis, the amendment is unnecessary and I invite the hon. Lady to withdraw it.
Louise Haigh
I am pleased to hear that the Government intend to consult on major revisions, and I hope that the draft codes, although much improved, will improve further in Committee, particularly in the areas outlined earlier relating to non-public authorities. As the Government have not listened to many of the recommendations made in their own consultation earlier this year, perhaps it is a futile amendment. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
Louise Haigh
I will just lay some further concerns about the draft codes. Clause 35 requires specified authorities and specified persons to have regard to the code of practice. We have conducted our own mini-consultation. One member of the Government’s own open policy group described the codes of practice as “discursive and poorly constructed”, another as “empty waffle”. Agreement was widespread that they still require significant legal and technical improvements, and that safeguards should be included in the Bill itself.
Part 5’s provisions for personal data sharing enable officials to decide unilaterally when they may access and share citizens’ personal data without consent and for purposes other than that for which it was provided. It raises serious concerns about how the UK will be able to host any EU citizens’ personal data post-Brexit. If UK officials are able to access and use their data without consent, it is highly unlikely that the EU will regard that as approaching anything like “adequacy” with respect to the general data protection regulation.
It is an incredibly worrying aspect of the Bill and the accompanying codes of practice that nowhere do they refer to the EU’s GDPR, which will not come into effect until 2018, as the Minister said, although the Information Commissioner’s Office has stated that organisations must comply with the GDPR if they wish to continue to do business across the EU or with EU citizens’ data. Although we are referring to Government agencies and Departments, there is every likelihood that they will process EU citizens’ data.
Where consent is to be overridden by officials, the approach is not well defined. There is no consideration of or support for alternative approaches, such as empowering citizens to be helped by letting them nominate someone other than officials to act on their behalf, rather than officials doing so. There is inadequate attention to transparency and accountability. We have many lessons to learn from the Estonian Government, as we heard in evidence sessions.
Furthermore, the personal data-sharing code perpetuates errors from the two-year consultation. For example, when the code refers to application programming interfaces, it incorrectly implies that they are a new thing. They are not, with modern web APIs generally recognised as having been in existence since around 2002—hardly state of the art. The code also displays no apparent awareness of, for example, zero knowledge proof, a method by which one party can prove to another that a given statement is true without conveying any information apart from the fact that the statement is true.
For that reason, both technical and legal safeguards must be within the Bill, not the lengthy and vaguely drafted codes of practice relating to personal data. Quite simply, none of the codes contains the safeguards alluded to earlier in the consultation and Bill process. In the interests of time, I simply say to the Minister that we will revisit concerns about the codes of practice. We have serious concerns about the lack of transparency still built into the codes of practice, let alone on the face of the Bill, and we would like some updated technological references in those codes.
Question put and agreed to.
Clause 35, as amended, accordingly ordered to stand part of the Bill.
Clauses 36 and 37 ordered to stand part of the Bill.
Clause 38
Disclosure of information by civil registration officials
Louise Haigh
I beg to move amendment 97, in clause 38, page 36, line 15, at end insert—
‘(2A) An authority or civil registration official requiring the information must specify the reasons for requiring the information to be disclosed.
(2AA) Information disclosed under this section shall not be shared with any other public or private body beyond those specified in subsection (1).”
The Chair
With this it will be convenient to discuss amendment 107, in clause 38, page 36, line 12, leave out from “that” to end of subsection and insert—
“(a) the authority or civil registration official to whom it is disclosed (the “recipient”) requires the information to enable the recipient to exercise one or more of the recipient’s functions and,
(b) the data subjects whose information is being disclosed have given valid consent under data protection legislation.”
This amendment would remove bulk sharing while allowing certificates to be shared to support electronic government services.
Louise Haigh
These provisions, more than any others in relation to civil registration officials, have surprised and confused those involved in the data-sharing proposals and the open data policy-making process, as they were never mentioned in the more than two years of discussion about data sharing in that open policy-making group. In the Government’s consultation response, they said that
“a large number of individual respondents and representatives from civil society stated strong opposition to the proposed power providing the ability for the bulk sharing of data, believing that the power would effectively create an identity database and enable personal data to be shared between public authorities even where there is no public benefit to do so.”
The amendments would address exactly that.
The publicly stated policy intent of the clause is to allow a citizen interacting with the Department to allow that Department to confirm their civil registration information electronically. That could undeniably enable better informed decision making, allocation of resources and service delivery, and would support the modernisation of public services. However, as drafted, the legislation also allows the entire civil registration database to be copied over to arbitrary locations for arbitrary purposes. That is not the same thing as a citizen allowing access when using digital services.
There are further concerns about the clause’s lack of compliance with the Data Protection Act 1998. Civil registration documents will be shared in bulk to improve service delivery where there is a clear and compelling need, according to the Bill. However, “clear and compelling” remains a lower test than the Data Protection Act’s “necessary and proportionate”, and is likely to be challenged. The use of bulk data runs counter to the Centre for the Protection of National Infrastructure guidance, which warns of the risks associated with bulk data, particularly from hostile foreign intelligence services.
The example given by Government that would require the sharing of civil registration data is around child reference numbers, which become national insurance numbers. National insurance numbers used to be attached to child benefit. It worked on the assumption that every parent would claim child benefit for their child and, when that child reached 15 and a half years of age, their national insurance number would be dispatched.
When the Government changed their policy on child benefit and effectively restricted it to parents who earned less than £50,000 per year, that created a potential problem for the assigning of national insurance numbers. The proposals will presumably address the problem by using birth-certificate data to inform who should be issued with NI numbers and when. That seems a perfectly reasonable and sensible method to correct an unintended consequence of the changes to child benefit policy, but can the Minister give us any other examples of when and why such bulk data sharing would ever be necessary or proportionate? The example I have just run through is incredibly specific and I hope that it would not be and is not repeated across Government.