Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateViscount Younger of Leckie
Main Page: Viscount Younger of Leckie (Conservative - Excepted Hereditary)Department Debates - View all Viscount Younger of Leckie's debates with the Department for Science, Innovation & Technology
(7 months, 4 weeks ago)
Grand CommitteeMy Lords, it has been a privilege to be at the ringside during these three groups. I think the noble Baroness, Lady Sherlock, is well ahead on points and that, when we last left the Minister, he was on the ropes, so I hope that to avoid the knock- out he comes up with some pretty good responses today, especially as we have been lucky enough to have the pleasure of reading Hansard between the second and third groups. I think the best phrase that noble Baroness had was the “astonishing breadth” of Clause 128 and Schedule 11 that we explored with horror last time. I very much support what she says.
The current provisions seem to make the code non-mandatory, yet we discovered they are without “reasonable suspicion”, the words that are in the national security legislation—fancy having the Home Office as our model in these circumstances. Does that not put the DWP to shame? If we have to base best practice on the Home Office, we are in deep trouble.
That aside, we talked about “filtering” and “signals” last time. The Minister used that phrase twice, I think, and we discovered about “test and learn”. Will all that be included in the code?
All this points to the fragility and breadth of this schedule. It has been dreamt up in an extraordinarily expansive way without considering all the points that the noble Lord, Lord Anderson, has mentioned, including the KC’s opinion, all of which point to the fact that this schedule is going to infringe Article 8 of the European Convention on Human Rights. I hope the Minister comes up with some pretty good arguments.
My final question relates to the impact assessment–or non-impact assessment. The Minister talked about the estimate of DWP fraud, which is £6.4 billion. What does the DWP estimate it will be after these powers are implemented, if they are ever implemented? Should we not have an idea of the DWP’s ambitions in this respect?
My Lords, this has been a somewhat shorter debate than we have been used to, bearing in mind Monday’s experience. As with the first two groups debated then, many contributions have been made today and I will of course aim to answer as many questions as I can. I should say that, on this group, the Committee is primarily focusing on the amendments brought forward by the noble Baroness, Lady Sherlock, and I will certainly do my very best to answer her questions.
From the debate that we have had on this measure, I believe that there is agreement in the Committee that we must do more to clamp down on benefit fraud. That is surely something on which we can agree. In 2022-23, £8.3 billion was overpaid due to fraud and error in the benefit system. We must tackle fraud and error and ensure that benefits are paid to those genuinely entitled to the help. These powers are key to ensuring that we can do this.
I will start by answering a question raised by the noble Lord, Lord Anderson—I welcome him to the Committee for the first time today. He described himself as a “surveillance nerd”, but perhaps I can entreat him to rename himself a “data-gathering nerd”. As I said on Monday, this is not a surveillance power and suggesting that it is simply causes unnecessary worry. This is a power that enables better data gathering; it is not a surveillance or investigation power.
The third-party data measure does not allow the DWP to see how claimants spend their money, nor does it give the DWP access to millions of people’s bank accounts, as has been inaccurately presented. When the DWP examines the data that it receives from third parties, this data may suggest that there is fraud or error and require a further review. This will be done through our normal, regular, business-as-usual processes to determine whether incorrect payments are indeed being made. This approach is not new. As alluded to in this debate, through the Finance Act 2011, Parliament has already determined that this type of power is proportionate and appropriate, as HMRC already owns similar powers regarding banking institutions and third parties in relation to all taxpayers.
I listened very carefully to the noble Lord and will, however, take back his points and refer again to our own legal team. I think the point was made about the legality of all this. It is a very important point that he has made with all his experience, and I will take it back and reflect on it.
I take the Minister’s point and I will settle for the appellation “investigatory powers nerd”; I am quite happy with that. Does the Minister agree with me, however, that the legal difficulty —we see this with the other bulk powers already in our law—is that Article 8 of the European convention locks in not when a human eye gets stuck into the detail, but as soon as a machine harvests the data in bulk? Most of that data relates to people in respect of whom there could be no possible suspicion. Satisfying the requirements of necessity and proportionality must be done even at that stage. I understand that that is awkward and I am sure a lot of people would prefer that it was otherwise, but that is, as I understand it, the law. That renders the distinction that the Minister seeks to draw between data gathering and surveillance perhaps slightly difficult to maintain.
If I may just answer that question from the noble Lord, Lord Anderson; I think it is important to take one question at a time.
I have every sympathy with what the noble Lord has said. As I mentioned on Monday, points could easily raised about that—I think it may have been the noble Baroness, Lady Kidron, who raised points about computers and their robustness. This is the very point that we agree with. It is incredibly important and we have started already to draw up a proper code of practice to work with the banks on how this will actually work. We need continued time to work these issues through. I also made the point on Monday that, at the end of the day, a human being will be there—must be there—to determine where we go from there.
In relation to the code of practice, which I am glad the Minister mentioned, we have just seen the Investigatory Powers (Amendment) Bill through this place. It makes some relatively minor changes to the powers of the intelligence agencies to harvest data in bulk and, to ensure the orderly passage of that Bill through both Houses of Parliament, the key excerpts of the draft code of practice were made available before Committee in either House to enable it to be properly scrutinised. We seem to have left it terribly late in the day still to be talking about a draft code of practice on this Bill, which we have not even seen. Can the Minister assure us that before we come to Report, that code of practice will be available in draft?
Indeed, I was going to come on to that later in my remarks, particularly to address the points raised by the noble Baroness, Lady Sherlock. We need the necessary time to continue to develop this code of practice, and that is particularly important in respect of this measure. The answer is no, I cannot guarantee to have the code of practice ready by Report. Indeed, I am saying that it will be ready sometime in the summer. It is important to make that point but also a further one, which is that there are many instances, as the noble Lord will know, when a code of practice is finalised and brought forward after the primary legislation is brought through, and this is one of those cases. That is not abnormal but normal. The noble Lord may not like it but there is considerable precedent for that to happen.
I have a question. I am slightly puzzled about the difference between data collection and surveillance. Surely the collection and gathering of data would be to enable officials to survey someone’s bank account. If that is not the case, what is the purpose of collecting the data if not to interrogate the behaviour of an individual to understand how their money is being brought in and spent, so that the department can exercise some judgment over whether the individual is revealing the truth about their income and outgoings?
Indeed, I think we are going back to the debates that we had on Monday. However, this chimes with a question from the noble Lord, Lord Clement-Jones, so it might be helpful briefly to rehearse what we are doing here and to be clear about the limitations and the checks and balances on the power that we are bringing forward.
As per paragraph 1(2) of Schedule 11 to the draft legislation, the DWP can use this power only for the purposes of checking whether someone is eligible for the benefit that they are receiving. In practice, this means that the DWP will request information only on specific criteria, which I laid out on Monday, linked to benefit eligibility rules, which, if met may—I emphasise “may”—indicate fraud or error. If accounts do not match these criteria, no data will be shared with the DWP. The effect of paragraphs 1 and 2 of the draft legislation is that the DWP can ask for data only where there is this three-way relationship between the DWP, the third party and the recipient of the payment. In addition, the DWP can ask for data only from third parties designated in secondary legislation, subject to the affirmative procedure. There are debates to come as further reassurance to your Lordships.
As per paragraph 4(2) of Schedule 11 to the draft legislation, the power does not allow the DWP to share personal information with third parties, which means that the power can be used only with third parties who are able to identify benefit recipients independently. Just to add further to this, we are obliged, under Article 5(1)(c) of the UK GDPR, to ask only for the minimum of information to serve our purposes. In accordance with the DWP’s existing commitments on the use of automation, no automatic benefit decisions will be taken based on any information supplied by third parties to the DWP. As I said earlier and on Monday, a human will always be involved in decision-making. I hope that helps.
I am sorry to interrupt the noble Viscount, but I just want to be clear about what he is saying in relation to the code of practice, which obviously is at the heart of this section of the debate, although there will be other things to come. Am I right that he said—obviously he has to cover himself—that there is a chance that the Report stage of this Bill might be entered into before we have sight of the draft code of practice? He makes the point that that is not an unusual occasion. I understand that—we have both served in Parliament long enough to know that that is the case—but this is clearly an issue on which the Committee has made very strong representations to the Government. Will he do what is in his power to make sure that we do not enter Report without seeing at least an early draft, if that is possible, of the code of practice?
I will certainly take that back. I do not want to make any commitments today. I have already set out our stall as to where we are. I make the further point—I am perhaps repeating myself—that given the sensitivities that there clearly are, which I have been listening to carefully, it is important that this code of practice is developed at a pace that is right for what is needed, in bringing those involved along and making sure that it is right, secure, safe and with all the safeguards involved. It is quite a serious piece of work, as noble Lords would expect me to say. I will take that back. I will certainly not be able to guarantee to produce anything before Report, which may disappoint the noble Lord, but at least I have gone as far as I can. I hope that that is helpful.
I am grateful to the noble Viscount. This is just a thought, but we are happy to help, as we often have done in the past on other Bills. If there is any opportunity for us to be shown early drafts, to give some help and assurance to the noble Viscount that he is on the right track, I am sure that that would be accepted.
I appreciate the tone of the noble Lord and, if there is anything that comes from behind me before I conclude my remarks, to be helpful, I will certainly do that.
Our debates on this measure have covered many issues. This group, as mentioned earlier, focuses primarily on the operational delivery of the power, so it would be quite good to move on. Just before I do, for the benefit of the noble Lord, Lord Anderson, in terms of the late introduction—his words—of this measure, as mentioned on Monday the DWP published a fraud plan in May 2022, where it outlined a number of new powers that it would seek to secure when parliamentary time allowed. In the parliamentary time available, DWP has prioritised our key third-party data-gathering measure, which will help it to tackle one of the largest causes of fraud and error in the welfare system. That is a short version of what I said on Monday, but I hope that it might be helpful.
Before I turn to the amendments, it might be helpful to set out how the legislation will frame the delivery of this measure. When we issue a request for data to a third party or, as it is set out, an account information notice or AIN, which is in the Bill, we can only ask it to provide data where it may help the DWP to establish whether benefits have been properly paid in accordance with the rules relating to those benefits. As mentioned earlier, this is defined clearly at paragraph 1(2) of the new schedule. This is where the data that DWP receives may signal—to use the word raised by the noble Lord, Lord Clement-Jones—potential fraud and error. The noble Lord asked for further clarification on that point. To be clear, a signal of fraud and error is where the rules of benefit eligibility appear not to be met. For example, this might be where a claimant has more capital than the benefit rules allow. As I made clear on Monday, all benefits and payments have rules that determine eligibility, which Parliament has agreed are the right rules in its consideration of other social security legislation. To issue an AIN, we must also have designated a third party in affirmative regulations, which need to be passed by both Houses.
As has been covered, we can also only request data from third parties where there is this relationship, which I will not repeat again and which I think the Committee will be familiar with. Our intention is to designate banks and financial institutions as the first third parties that we can approach, enabling us to request information on accounts only held in the UK. Just to clarify that point, we will not be able to request information on overseas accounts.
On the question raised by the noble Baroness, Lady Sherlock, on examples of non-financial organisations that the power could appropriately be used on, we will bring forward regulations to specify the data holders in scope. I hope that this is helpful. In the first instance, this will be, as mentioned, banks and financial institutions. The power also has potential use cases with other third parties, such as housing or childcare providers, but, just to reassure the Committee, this would be subject to further parliamentary approval.
I am grateful to the Minister—I am just trying to catch up. On the point that he made about regulations, I imagine that the power to prescribe the descriptions of persons to whom an account information notice may be sent comes under paragraph 1(1) of the schedule. I think that that is what he was saying. In paragraph 2, on the content of the account information notices, there is a reference to
“other specified information relating to the holders of those accounts, and … such further information in connection with those accounts as may be specified”.
Does that simply mean anything specified in the account information notice or is there a power to make regulations that will limit the types of information that can be specified in an AIN?
Again, I hope that I might have covered this earlier. If I read the noble Lord’s question correctly, the definitions will need to be debated by both Houses. I have made clear what we are bringing in at the moment for banks and financial institutions, but this will need to be looked at by both Houses in future. I hope that that is clear.
I apologise; I did not make myself clear. I think that we are on entirely the same wavelength on the persons to whom an information notice can be given; the Minister has reassured us that they will be specified in regulations and considered by both Houses. My question relates to the content of an account information notice under paragraph 2 and the very broad references to “other specified information”, “such further information” and so on. I did not read that as a regulation-making power. I rather assume that the discretion over the choice of information that is specified remains entirely at large. If the Minister is saying that there will be regulations that will specify the information that an AIN can include, hence mitigating the breadth of paragraph 2, I would be glad if he could make that clear.
My understanding —with his experience, I am sure that the noble Lord will be ahead of me on this—is that this is defined. We define it pretty clearly in paragraph 1(2). In the interests of time, I will reflect on what he has asked and will be absolutely sure to add this to the letter that I pledged to write on Monday—it is getting bigger by the moment, as I fully expected.
My Lords, as I asked only four questions, I want to try to nail each one as we go. I am grateful to the Minister. Before we leave the matter of the kind of organisations to which this applies, I think that he is saying that the Bill would allow the DWP to request information from any kind of organisation, including phone companies, which I asked about specifically. The kinds of organisations are to be specified in regulations, which the Government will bring forward, initially naming financial institutions. By virtue of further regulations, could they extend that to anything—to Garmin, the people who monitor your runs, to gyms and to anyone else? Is that correct?
That is correct. I hope indeed that it provides some reassurance that extending it to the banks and financial institutions initially is deliberately designed to be narrow. It would be subject to both Houses to debate other areas beyond those. I am coming on to address that. The noble Baroness asked about phone companies. Simply put, we will be able to designate the third parties that fit within the provisions of this legislation where they hold information that would help us to verify whether someone meets the eligibility criteria for the benefit that they are receiving. However, ultimately, it would be for Parliament to decide whether a third party can be designated under this power, as we must bring affirmative regulations forward to do this. We have that power.
To be clear, they already have some information about claimants or recipients. Does this Bill make any difference to that information? Can they already use the information that they have for these purposes, for example the name and address of a claimant’s bank account, or does this Bill extend the use of information to other information that they already have?
Indeed, that is correct. I hope that is helpful and gives the noble Lord reassurance. To clarify, we have our normal business-as-usual processes so, where we are able to—with the restriction of not at present being able to use the banks and financial institutions as a conduit—we have those powers. However, obviously, as has been made clear by the ICO, there is no alternative to needing the help of banks and financial institutions to go further in tackling the ever-greater sophistication of fraud.
The noble Baroness, Lady Sherlock, asked whether we could issue an AIN to a bank other than that into which the benefit is paid. The answer is no. The power is exercisable only in respect of a matching account that meets the criteria in an AIN and receives a benefit payment. If this is not the case, the Secretary of State cannot require them to supply that information.
When it comes to issuing an AIN, DWP will be able to exercise these powers only for payments for which it is responsible. This means that DWP cannot exercise this power with some benefits that fall under the legislation, such as child benefit, as was mentioned on Monday. I know that the noble Baroness, Lady Sherlock, raised this issue. As I committed to do on Monday, I will provide in writing more detail on the scope of the measure and on these limitations, which will require more time.
I will also ensure that my letter is clear on how the measure will impact appointees, joint claims and other such accounts. I am well aware that a number of questions were asked about this matter on Monday but, in the interests of time, I will move on.
I turn to proofs of concept. I also want to speak about our approach to delivery, in particular how we plan to test delivery before we gradually scale up operational delivery; I am aware of the time, but I hope that the Committee will indulge me. Our planned period of “test and learn” will build on our learning from our two previous proofs of concept, which we conducted in 2017 and 2022. These demonstrated the effectiveness of this approach and contributed to the OBR’s certification that the measure will save up to £600 million over the next five years.
The two proofs of concept that I mention are important. I hope that the Committee will be interested to read the results, which demonstrate why we need to do this. Without further ado, let me say that I will set out the details of these two examples in the letter as well, which will, I hope, be helpful.
The noble Lord, Lord Vaux, who is in his place, the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Sherlock, spoke about the regulatory impact assessment on Monday. I just want to use this time to reassure them on that. More information on these proofs are contained within the RIA, which was, as noble Lords will know, green-rated by the RPC.
On “test and learn”, we have a clear view on how this power may work. We are already working with third parties in readiness to commence the formal “test and learn” period in early 2025 and preparing the code of practice in advance of that. I will come on to that in just a second—in fact, I will come on to it right now, given the time. I shall refer to Amendments 225 to 232 in the name of the noble Baroness, Lady Sherlock.
To support the delivery of this measure, we will produce the code of practice to help define how the measure will work, with explanations. I assure the noble Baroness and the Committee that the code of practice is already in development; we are working positively with around eight leading financial institutions through an established working group that meets regularly to shape the code. We are fully committed to continuing that work; I think I covered the timing of that earlier in my remarks. Accepting Amendments 225 and 226 in the name of the noble Baroness would therefore, we believe, have minimal effect. I am clear that DWP will produce a code of practice, which will be consulted on; I have also set out the sort of detail that it will contain. Accepting them may also potentially restrict our ability to develop the code of practice further as we understand more from “test and learn”.
Because we are developing this collaboratively with banks, I am not yet in a position to share the draft code, as I mentioned; I have given certain reassurances on that. However, I can say that it will provide guidance on issues such as the nature of the power and to whom it will apply. It will also provide information on safeguards, cover data security responsibilities and provide information on the appeals processes should a third party wish to dispute a request. We will engage with SSAC, to help the noble Baroness, Lady Sherlock, as we bring forward the affirmative regulations. On balance, I believe that the best course is to consult on the code of practice rather than rushing to define it now.
I am most grateful to the Minister. There is one question, so I apologise if he answered it and I did not quite pick it up. I specifically asked if these powers would allow the DWP to devise criteria designed to identify if a claimant was in fact living with another adult. With the appropriate regulation, would the powers allow it to do that?
That is one of the questions that I can now answer. The power will allow this, in so far as it pertains to helping the Secretary of State establish whether the benefits are being paid properly, as with paragraph 1(2) of new Schedule 3B. Rules around living together are relevant only to some benefits. That is a very short answer, but I could expand on it.
May I add to the very long letter? I have been sitting here worrying about this idea that one of the “signals” will be excess capital and then there are matching accounts. If the matching account has more capital—for example, the person who has a connected account is breaking the £16,000 or £6,000—does that signal trigger some sort of investigation?
That is a very fair question, and I hope that I understand it correctly. I can say that the limit for the DWP is that it can gain only from what the third party produces. Whatever goes on behind the doors of the third party is for them and not us. Whether there is a related account and how best to operate is a matter for the bank to decide. We may therefore end up getting very limited information, in terms of the limits of our powers. I hope that helps, but I will add some more detail in the letter.
My Lords, the Minister extolled the green-rated nature of this impact assessment. In the midst of all that, did he answer my question?
I asked about the amount of fraud that the Government plan to detect, on top of the £6.4 billion in welfare overpayments that was detected last year.
The figure that we have is £600 million but, again, I will reflect on the actual question that we are looking to address—the actual amount of fraud in the system.
The Minister is saying that that figure is not to be found in this green-rated impact assessment, which most of us find to be completely opaque.
I will certainly take that back, but it is green rated.
My Lords, the Minister was kind enough to mention me a little earlier. Can I just follow up on that? In the impact assessment, which I have here, nowhere can I find the £600 million figure, nor can I find anywhere the costs related to this. There will be a burden on the banks and clearly quite a burden on the DWP, actually, if it has got to trawl through this information, as the noble Viscount says, using people rather than machines. The costs are going to be enormous to save, it would appear, up to £120 million per year out of £6.4 billion per year of fraud. It does seem odd. It would be really helpful to have those cost numbers and to understand in what document they are, because I cannot find in the impact assessment where these numbers are.
I hope I can help both noble Lords. Although I must admit that I have not read every single page, I understand that the figure of £500 million is in the IA.
Yes, £500 million. I mentioned £600 million altogether; that was mentioned by the OBR, which had certified this, and by the way, that figure was in the Autumn Statement.
My Lords, has not that demonstrated the disproportionality of these measures?
The noble Viscount explained in response to the noble Lord, Lord Anderson, that at every stage where the powers are going to be expanded, it would come back as an affirmative regulation. I might have been a bit slow about this, but I have been having a look and I cannot see where it says that. Perhaps he could point that out to me, because that would provide some reassurance that each stage of this is coming back to us.
I understand, very quickly, that it is in paragraph 1(1), but again, in the interests of time, maybe we could talk about that outside the Room.
Could the Minister clarify: was that paragraph 1(1)?
I can reassure the noble Lord that that is the case, yes.
I do not know whether I can help. I agree with the noble Baroness: I do not think it is very clear from paragraph 1(1) that there is a regulation-making power. However, if you look at paragraph 5 of the new schedule, there is a reference there to regulations under paragraph 1(1) as well as two other paragraphs of the schedule. That is the rather tortuous route by which I came to the conclusion that the Minister is quite right.
I reassure noble Lords that is correct—it is paragraph 1(1). It may be rather complex, but it is in there, just to reassure all noble Lords.
I am sorry to keep coming back, but did the Minister give us the paragraph in the impact assessment that referred to £500 million?
No, I did not, but that is something which surely we can deal with outside the Room. However, I can assure noble Lords that it is in there.
My Lords, I thank the Minister for his attempts to answer my questions and those of many noble Lords. I will not detain the Committee for very long at all.
I am grateful to know that there will be a code and that it will be consulted on. Given that, it would have saved an awful lot of trouble if the Government had simply not put “may” in the Bill in the first place—that would have cut out a whole loop of this. I am very grateful to know that that is there. I agree with the Minister that we all want to know about and to clamp down on fraud and error; the question is one of proportionality.
When the Minister comes to write—I realise that this letter is turning into “War and Peace”, but it will make us all come to Report in a much better place if we can get a clearer answer to many of these questions— I still wonder whether he properly answered the question from the noble Lord, Lord Anderson, about the legality of these powers, because the point about when they engage is crucial. The Minister is still coming back to a distinction between the gathering of the data and what the DWP will do using its existing “business as usual” powers, to investigate. I think the point the noble Lord was making is that the question of legality engages at the point of that data gathering, not at the point at which it is used, if I am correct. I am not sure that the Minister answered that—I am not inviting him to do it now—but I specifically suggest that he takes advice on that point before we come back on Report.
The other issue is that, if the Government have come in so late in the day introducing these powers into the Bill, it would have been better to have draft regulations before Report at the first stage. The Minister thinks the code can be available in the summer, but the summer is fast approaching so I see no reason why the usual channels could not accommodate the date for Report to allow us to go past the date for producing a draft code if the Government wish to. I realise that they may not wish to, but it must be perfectly possible—unless the Minister knows something I do not about a likely date of a general election, presumably we should still have time to do that. So I commend that thought to him.
However, we also know that a lot of the constraints he has described will happen solely in regulations. Everybody in this Committee is aware of the limitations of the capacity of both Houses to do anything about regulations. We cannot amend them here. The Government will bring them forward, but the capacity of us to do anything about that is small, so that is not as much of an assurance as it would be in other circumstances.
Finally, what I am left with is that these powers could do anything from something that might sound very proportionate to something that might sound entirely disproportionate, and we simply have not heard anything that enables us to make a judgment early enough to know where that is contained. I therefore ask the Government to think again before Report about ways in which they might provide assurance about a more contained and proportionate approach to these measures.
Since we are in Committee, in the meantime, I thank all noble Lords for their work on this and the Minister for his response. Before I beg leave to withdraw, I see that the Minister is intervening on me now, which is a joyful change.
Before the noble Baroness sits down, I want to say one very important thing. As ever with Bills, there is an opportunity to engage, and I pledge right now to engage with all noble Lords who wish to, and we would like to as well, on these particular measures, to provide, I hope, further reassurances to those that I have given. I hope there is some acceptance that I have given some reassurances.
My Lords, I am sure that on behalf of the Committee I can thank the Minister for that generous offer, and we look forward to taking it up. In the meantime, I beg leave to withdraw the amendment.