Data Protection Bill [ Lords ] (Fifth sitting) Debate
Full Debate: Read Full DebateMargot James
Main Page: Margot James (Conservative - Stourbridge)Department Debates - View all Margot James's debates with the Home Office
(6 years, 8 months ago)
Public Bill CommitteesI beg to move amendment 122, in schedule 13, page 194, line 36, leave out from beginning to end of line 4 on page 195.
This amendment is consequential on the omission of Clause 121 (see Amendment 47).
Amendment 122 and clause 121 deal with measures inserted into the Bill with the intention of protecting and valuing certain personal data held by the state—an issue championed by Lord Mitchell, to whom I am grateful for taking the time to come to see me to further explain his amendments, and for giving me the opportunity to explain how we plan to address the issues he raised.
Lord Mitchell’s amendments require the Information Commissioner to maintain a register of publicly controlled data of national significance and to prepare a code of practice that contains practical guidance in relation to personal data of national significance, which is defined as data that, in the Commissioner’s opinion,
“has the potential to further…economic, social or environmental well-being”
and
“financial benefit…from processing the data or the development of associated software.”
Lord Mitchell has made it clear that his primary concern relates to the sharing of health data by the NHS with third parties. He believes that some information sharing agreements have previously undervalued NHS patient data, and that the NHS, along with other public authorities, needs additional guidance on optimising the benefits derived from such sharing agreements.
We agree that the NHS is a prime state asset, and that its rich patient data records have great potential to further medical research. Its data could be used to train systems using artificial intelligence to diagnose patients’ conditions, to manage risk, to target services and to take pre-emptive and preventive action—all developments with huge potential. I have discussed this matter with ministerial colleagues; not only do we want to see these technological developments, but we want the NHS, if it is to make any such deals, to make fair deals. The benefits of such arrangements are often not exclusively monetary.
NHS patient data is only ever used within the strict parameters of codes of practice and the standards set out by the National Data Guardian and other regulatory bodies. We of course recognise that we must continue in our efforts to make the best use of publicly held data, and work is already being carried out to ensure that the value of NHS patient data is being fully recognised. NHS England and the Department of Health and Social Care have committed to working with representatives of the public and of industry to explore how to maximise the benefits of health and care data for patients and taxpayers.
Lord Mitchell’s provision in clause 121 proposes that the commissioner publish a code of practice. However, if there is a problem, a code would seem to be an unduly restrictive approach. Statutory codes are by necessity prescriptive, and this is an area where the public may benefit from a greater degree of flexibility than a code could provide in practice, especially to encourage innovation in how Government use data to the benefit of both patients and taxpayers.
The Government are releasing public data to become more transparent and to foster innovation. We have released more than 40,000 non-personal datasets. Making the data easily available means that it will be easier for people to make other uses of Government-collected data, including commercial exploitation or to better understand how government works and to hold the Government to account. The benefits of each data release are quite different, and sometimes they are unknown until later. Lord Mitchell’s primary concern is health data, but can guidance on how that is used be equally applicable to the vast array of data we release? Such guidance would need to be so general that it would be useless.
Even if we stay focused on NHS data and what might help to ensure that the value of it is properly exploited, Lord Mitchell’s proposal has some significant problems. First, by definition, data protection legislation deals with the protection of personal data, not general data policy. Companies who enter into data sharing agreements with the NHS are often purchasing access to anonymised patient data—that is to say, not personal data. Consequently, the code in clause 121 cannot bite. Secondly, maintaining a register of data of national significance is problematic. In addition to the obvious bureaucratic burden of identifying the data that would fall under the definition, generating a list of data controllers who hold data of national significance is likely to raise a number of security concerns. The NHS has been the victim of cyber- attacks, and we do not want to produce a road map to resist those who want to harm it.
Thirdly, we do not believe that the proposed role is a proper one for the Information Commissioner, and nor does she. It is not a question of legislative enforcement and, although she may offer valuable insight on the issues, such responsibilities do not comfortably fit with her role as regulator of data protection legislation. We have consulted the commissioner on the amendments and she agrees with our assessment. In her own terms, she considers herself not to be best placed to advise on value for money and securing financial benefits from the sharing of such personal data with third parties. Those matters are far removed from her core function of safeguarding information rights. She adds that others in Government or the wider public sector whose core function it is to drive value from national assets may be a more natural home for providing such best practice advice.
I have the great pleasure of representing a constituency with one of the best medical research facilities in the world. One of the greatest impediments for that facility is getting access to anonymised NHS data for its research. Is the Minister saying that her amendment, which would remove the Lords amendment, would make it easier or more difficult for third parties to access that anonymised data?
I am ill-qualified to answer the hon. Gentleman’s question. Hypothetically, it would probably make it more difficult, but that is not our purpose in objecting to clause 121, which we do not see as being consistent with the role of the Information Commissioner, for the reasons I set out. However, he raises an interesting question.
I agree with Lord Mitchell that the issues that surround data protection policy, particularly with regard to NHS patient data, deserve proper attention both by the Government and by the National Data Guardian for Health and Care, but we have not yet established that there is any evidence of a problem to which his provisions are the answer. We are not sitting on our laurels. As I have already said, NHS England and the Department of Health and Social Care are working to ensure that they understand the value of their data assets. Further work on the Government’s digital charter will also explore this issue. When my right hon. friend the Prime Minister launched the digital charter on 25 January, she made it clear that we will set out principles on the use of personal data.
Amendment 122 removes Lord Mitchell’s amendment from schedule 13. We do this because it is the wrong tool; however, we commit to doing everything we can to ensure that we further explore the issue and find the right tools if needed. [Interruption.] I have just received advice that the amendments will make no difference in relation to the hon. Gentleman’s question, because anonymised data is not personal data.
I commend amendment 122 and give notice that the Government will oppose the motion that clause 121 stand part of the Bill.
I am grateful that the Minister made time to meet my former noble Friend Lord Mitchell. These are important amendments and it is worth setting out the background to why Lord Mitchell moved them and why we give such priority to them.
In 2009-10, we began to have a debate in government about the right approach to those agencies which happen to sit on an enormous amount of important data. The Government operate about 200 to 250 agencies, and some are blessed with data assets that are more valuable than those of others—for example, the Land Registry or Companies House sit on vast quantities of incredibly valuable transactional data, whereas other agencies, such as the Meteorological Office, the Hydrographic Office and Ordnance Survey, sit on sometimes quite static data which is of value. Some of the most successful American companies are based on Government data—for example, The Weather Channel is one of the most valuable and is based on data issued from, I think, the US meteorological survey. A number of Government agencies are sitting on very valuable pots of data.
The debate that we began to rehearse nearly 10 years ago was whether the right strategy was to create public-private partnerships around those agencies, or whether more value would be created for the UK economy by simply releasing that data into the public domain. I had the great pleasure of being Chief Secretary to the Treasury and the Minister for public service reform. While the strong advice inside the Treasury was that it was better to create public-private partnerships because that would release an equity yield up front, which could be used for debt reduction, it was also quite clear to officials in the Cabinet Office and those interested in public service reform more generally that the release of free data would be much more valuable. That is the side of the argument on which we came down.
After the White Paper, “Smarter Government”, that I brought to the House, we began the release of very significant batches of data. We were guided by the arguments of Tim Berners-Lee and Professor Nigel Shadbolt, who were advising us at the time, that this was the right approach and it was very good to see the Government continue with that.
There are still huge data pots locked up in Government which could do with releasing, but the way in which we release them has to have an eye on the way we create value for taxpayers more generally. Beyond doubt, the area of public policy and public operations where we have data that is of the most value is health. The way in which, in the United States, Apple and other companies have now moved into personal health technology in a substantial way betrays the reality that this is going to be a hugely valuable and important market in years to come. If we look at the US venture industry we can see significant investment now going into health technology companies.
The Minister is very generous. From that vantage point in the City, I was able to watch the level of ingenuity, creativity and innovation that was unlocked simply by the Government telling the world, “Here are the assets that are in public hands.” All sorts of ideas were floated for using those assets in a way that was better for taxpayers and public service delivery.
To the best of my knowledge, we do not have a similar data catalogue today. What Lord Mitchell is asking is for Ministers to do some work and create one. They can outsource that task to the Information Commissioner. Perhaps the Information Commissioner is not the best guardian of that particular task, but I am frustrated and slightly disappointed that the Minister has not set out a better approach to achieving the sensible and wise proposals that Lord Mitchell has offered the Government.
The reason why it is so important in the context of the NHS is that the NHS is obviously a complicated place. It is an economy the size of Argentina’s. The last time I looked, if the NHS were a country, it would be the 13th biggest economy on earth. It is a pretty complicated place and there are many different decision makers. Indeed, there are so many decision makers now that it is impossible to get anything done within the NHS, as any constituency MP knows. So how do we ensure that, for example, in our neck of the woods, Queen Elizabeth Hospital Birmingham does not strike its own data sharing agreement with Google or DeepMind? How do we ensure that the NHS in Wales does not go in a particular direction? How do we ensure that the trust across the river does not go in a particular direction? We need to bring order to what is potentially an enormous missed opportunity over the years to come.
The starting point is for the Government, first, to ensure we have assembled a good catalogue of data assets. Secondly, they should take some decisions about whether the organisations responsible for those data assets are destined for some kind of public-private partnership, as they were debating in relation to Companies House and other agencies a couple of years ago, or whether—more wisely—we take the approach of creating a sovereign wealth fund to govern public data in this country, where we maximise the upside for taxpayers and the opportunities for good public service reform.
The example of Hinkley Point and the unfortunate example of the Google partnership with DeepMind, which ran into all kinds of problems, are not good precedents. In the absence of a better, more concrete, lower risk approach from the Government, we will have to defend Lord Mitchell’s wise clause in order to encourage the Government to come back with a better solution than the one set out for us this morning.
I enjoyed the right hon. Gentleman’s speech, as it went beyond some of the detail we are debating here today, but I was disappointed with the conclusion. I did not rest my argument on it being just too difficult to organise such a database as proposed by Lord Mitchell; there are various reasons, chief among them being that we are here to debate personal data. A lot of the databases the right hon. Gentleman referred to as being of great potential value do not contain personal data. Some do, some do not: the Land Registry does not, Companies House does, and so forth. Also, the Information Commissioner has advised that this is beyond her competence and her remit and that she is not resourced to do the job. Even the job of defining what constitutes data of public value is a matter for another organisation and not the Information Commissioner’s Office. That is my main argument, rather than it being too difficult.
Happily, what sits within the scope of a Bill is not a matter for Ministers to decide. First, we rely on the advice of parliamentary counsel, which, along with the Clerks, was clear that this amendment is well within the scope. Secondly, if the Information Commissioner is not the right individual to organise this task—heaven knows, she has her hands full this week—we would have been looking for a Government amendment proposing a better organisation, a better Ministry and a better Minister for the work.
I can only be the Minister I am. I will try to improve. I was not saying that Lord Mitchell’s amendment is not within the scope of the Bill; I was making the point that some of the databases and sources referred to by the right hon. Gentleman in his speech went into the realms of general rather than personal data. I therefore felt that was beyond the scope of the Information Commissioner’s remit.
I share the right hon. Gentleman’s appreciation of the value and the uniqueness of the NHS database. We do not see it just in terms of its monetary value; as the hon. Member for Edinburgh South made clear in his intervention, it has tremendous potential to improve the care and treatment of patients. That is the value we want to realise. I reassure the right hon. Gentleman and put it on record that it is not my place as a Minister in the Department for Digital, Culture, Media and Sport, or the place of the Bill, to safeguard the immensely valuable dataset that is the NHS’s property.
Before the Minister concludes, given that she has focused so much on NHS data, can she update the Committee on the Government’s progress on implementing Dame Fiona Caldicott’s recommendations about health and social care data?
I cannot give an immediate update on that, but I can say that Dame Fiona Caldicott’s role as Data Guardian is crucial. She is working all the time to advise NHS England and the Secretary of State for Health and Social Care on how best to protect data and how it can deliver gains in the appropriate manner. I do not feel that that is the place of the Bill or that it is my role, but I want to reassure the Committee that the Secretary of State for Health and Social Care, to whom I am referring Lord Mitchell, is alive to those issues and concerns. The NHS dataset is a matter for the Department of Health and Social Care.
Amendment 122 agreed to.
Schedule 13, as amended, agreed to.
Clauses 117 and 118 ordered to stand part of the Bill.
Schedule 14 agreed to.
Clauses 119 and 120 ordered to stand part of the Bill.
Clause 121
Code on personal data of national significance
The debate rehearsed in the other place was whether we should acquiesce in a derogation that the Government have exercised to set the age of consent for personal data sharing at 13, as opposed to 16, which other countries have adopted. There was widespread concern that 13 was too young. Many members of the Committee will have experienced pressing the agree button when new terms and conditions are presented to us on our updates to software on phones, or privacy settings presented to us by Facebook; privacy settings, it is now alleged, are not worth the paper that they were not written on.
Debates in the other place centred on what safeguards could be wrapped around children if that derogation were exercised and the age of consent left at 13. With Baroness Kidron, we were keen to enshrine in legislation a step towards putting into operation the objectives of the 5Rights movement. Those objectives, which Baroness Kidron has driven forward over the past few years, are important, but the rights therein are also important. They include not only rights that are enshrined in other parts of the Bill—the right to remove, for example—but important rights such as the right to know. That means that someone has the right to know whether they are being manipulated in some way, shape or form by social media technologies.
One of the most interesting aspects of the debate in the public domain in the past few months has been the revelation that many of the world’s leading social media entrepreneurs do not allow their children to use social media apps, because they know exactly how risky, dangerous and manipulative they can be. We have also heard revelations from software engineers who used to work for social media companies about the way they deliberately set out to exploit brain chemistry to create features of their apps that fostered a degree of addiction. The right to know is therefore very powerful, as is the right to digital literacy, which is another important part of the 5Rights movement.
It would be useful to hear from the Minister of State, who—let me put this beyond doubt—is an excellent Minister, what steps she plans to take to ensure that the age-appropriate design code is set out pretty quickly. We do not want the clause to be passed but then find ourselves in a situation akin to the one we are in with section 40 of the Crime and Courts Act 2013 where, five years down the line, a misguided Secretary of State decides that the world has changed completely and that this bit of legislation should not be commenced.
We would like the Minister to provide a hard timetable— she may want to write to me if she cannot do so today—setting out when we will see an age-appropriate design code. We would also like to hear what steps she will take to consult widely on the code, what work she will do with her colleagues in the Department for Education to ensure that the code includes some kind of ventilation and education in schools so that children actually know what their rights are and know about the aspects of the code that are relevant to them, and, crucially, what steps she plans to take to include children in her consultation when she draws up the code.
This is an important step forward, and we were happy to support it in the other place. We think the Government should be a little more ambitious, which is why we suggest that the rights set out by the 5Rights movement should become part of a much broader and more ambitious digital Bill of Rights for the 21st century, but a start is a start. We are pleased that the Government accepted our amendment, and we would all be grateful if the Minister told us a little more about how she plans to operationalise it.
I thank the right hon. Gentleman for his generous remarks. To recap, the idea that everyone should be empowered to take control of their data is at the heart of the Bill. That is especially important for groups such as children, who are likely to be less aware of the risks and consequences associated with data processing. Baroness Kidron raised the profile of this issue in the other place and won a great deal of support from peers on both sides of that House, and the Government then decided to introduce a new clause on age-appropriate design to strengthen children’s online rights and protections.
Clause 124 will require the Information Commissioner to develop a new statutory code that contains guidance on standards of age-appropriate design for online services that are likely to be accessed by children. The Secretary of State will work in close consultation with the commissioner to ensure that that code is robust, practical and meets children’s needs in relation to the gathering, sharing and storing of their data. The new code will ensure that websites and apps are designed to make clear what personal data of children is collected, how it is used and how both children and parents can stay in control of it. It will also include requirements for websites and app makers on privacy for children under 18.
The right hon. Gentleman cited examples of the consultation he hopes to see in preparation for the code. In developing the code, we expect the Information Commissioner to consult a wide range of stakeholders, including children, parents, persons who represent the interests of children, child development experts and trade associations. The right hon. Gentleman mentioned the Department for Education, and I see no reason why it should not be included in that group of likely consultees.
The commissioner must also pay close attention to the fact that children have different needs at different ages, as well as to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child. The code interlocks with the existing data protection enforcement mechanism found in the Bill and the GDPR. The Information Commissioner considers many factors in every regulatory decision, and non-compliance with that code will weigh particularly heavily on any organisation that is non-compliant with the GDPR. Organisations that wish to minimise their risk will apply the code. The Government believe that clause 124 is an important and positive addition to the Bill.
Will the Minister say a word about the timetable? When can we expect the consultation and code of practice to be put into operation?
There should be no delay to the development of the code and the consultation that precedes it. If I get any additional detail on the timetable, I will write to the right hon. Gentleman.
Question put and agreed to.
Clause 124, as amended, ordered to stand part of the Bill.
Clause 125
Approval of data-sharing, direct marketing and age-appropriate design codes
Amendment made: 49, in clause 125, page 69, line 9, leave out “with the day on which” and insert “when” —(Margot James.)
This amendment is consequential on Amendment 71.
Clause 125, as amended, order to stand part of the Bill.
Clauses 126 to 130 ordered to stand part of the Bill.
Clause 131
Disclosure of information to the Commissioner
Question proposed, That the clause stand part of the Bill.
Clause 131 deals with disclosure of information to the Information Commissioner, and this is probably a good point at which to ask whether the Information Commissioner has the right level of power to access information that is pertinent to her investigations into the misuse of information. Thanks to The Guardian, The New York Times, and particularly the journalist Carole Cadwalladr, we have had the most extraordinary revelations about alleged misbehaviour at Cambridge Analytica over the past couple of years. Indeed, Channel 4 News gave us further insight into its alleged misdemeanours last night.
We have a situation in social media land that the Secretary of State has described as the “wild west”. Some have unfairly called the Matt Hancock app one of the features of that wild west, but I would not go that far, despite its slightly unusual privacy settings. None the less, there is now cross-party consensus that the regulatory environment that has grown up since the 2000 e-commerce directive is no longer fit for purpose. Yesterday, the Secretary of State helpfully confirmed that that directive will be modernised, and we will come on to discuss new clauses that suggest setting a deadline for that.
One deficiency of today’s regulatory environment is the inadequate power that the Information Commissioner currently has to access information that is important for her investigations. We have a wild west, we have hired a sheriff, but we have not given the sheriff the power to do her job of keeping the wild west in order. We now have the ridiculous situation that the Information Commissioner must declare that she is going to court to get a warrant to investigate the servers of Cambridge Analytica, and to see whether any offence has been committed.
If I wanted to hide something from a newspaper and I thought that the newspaper was going to print it inappropriately, I would apply for an emergency injunction to stop the newspaper running it. I do not understand why the Information Commissioner has had to broadcast her intentions to the world, because that has given Cambridge Analytica a crucial period of time in which to do anything it likes, frankly, to its data records. The quality of the Information Commissioner’s investigation must be seriously impaired by the time that it has taken to get what is tantamount to a digital search warrant.
Is the Minister satisfied in her own mind that clause 131 and its associated clauses are powerful enough? Will she say more about the Secretary of State’s declaration to the House last night that he would be introducing amendments to strengthen the Commissioner’s power in the way that she requested? When are we going to see those amendments? Are we going to see them before this Committee rises, or at Report stage? Will there be a consultation on them? Is the Information Commissioner going to share her arguments for these extra powers with us and with the Secretary of State? We want to see a strong sheriff patrolling this wild west, and right now we do not know what the Government’s plan of action looks like.
I just want to recap on what clause 131 is about. It is intended to make it clear that a person is not precluded by any other legislation from disclosing to the commissioner information that she needs in relation to her functions, under the Bill and other legislation. The only exception relates to disclosures prohibited by the Investigatory Powers Act 2016 on grounds of national security. It is therefore a permissive provision enabling people to disclose information to the commissioner.
However, the right hon. Member for Birmingham, Hodge Hill has taken the opportunity to question the powers that the Information Commissioner has at her disposal. As my right hon. Friend the Secretary of State said yesterday in the Chamber, we are not complacent. I want to correct something that the right hon. Member for Birmingham, Hodge Hill said. My right hon. Friend did not say that he would table amendments to the Bill on the matter in question. He did say that we were considering the position in relation to the powers of the Information Commissioner, and that we might table amendments, but we are in the process of considering things at the moment. I presume that that goes for the right hon. Gentleman as well; if not, he would surely have tabled his own amendments by now, but he has not.
The Minister will notice that I have tabled a number of new clauses that would, for example, bring election law into the 21st century. I think that the Secretary of State left the House with the impression yesterday that amendments to strengthen the power of the Information Commissioner would be pretty prompt. It is hard to see another legislative opportunity to put that ambition into effect, so perhaps the Minister will tell us whether we can expect amendments soon.
I can certainly reassure the right hon. Gentleman that we are looking at the matter seriously and, although I cannot commit to tabling amendments, I do not necessarily rule them out. I have to leave it at that for now.
On a more positive note, we should at least acknowledge that, although the Bill strengthens the powers of the Information Commissioner, her powers are already the gold standard internationally. Indeed, we must bear it in mind that the data privacy laws of this country are enabling American citizens to take Cambridge Analytica to court over data breaches.
I want to review some of the powers that the Bill gives the commissioner, but before I do so I will answer a point made by the right hon. Member for Birmingham, Hodge Hill. He said that the commissioner had had difficulties and had had to resort to warrants to pursue her investigation into a political party in the UK and both the leave campaigns in the referendum. She is doing all that under existing data protection law, which the Bill is strengthening. That is encouraging.
I did not want to intervene, but I have been struggling with the matter myself. There are allegations that a significant donor to Leave.EU was supported in that financial contribution by organisations abroad. As I spoke to the Financial Conduct Authority and tabled questions to the Treasury, it was revealed that there were no data sharing gateways between the Electoral Commission and the FCA.
I shall come back to the right hon. Gentleman on the relationship between the Information Commissioner and the FCA. I am sure that the information that he has already ascertained from the Treasury is correct, but there may be other ways in which the two organisations can co-operate, if required. The allegations are very serious and the Government are obviously very supportive of the Information Commissioner as she grapples with the current investigation, which has involved 18 information notices and looks as if it will be backed up by warrants as well. I remind the Committee that that is happening under existing data protection law, which the Bill will strengthen.
Question put and agreed to.
Clause 131 accordingly ordered to stand part of the Bill.