My Lords, I thank the Minister for introducing this new provision. We consider that the concept behind the Midata initiative is very worthy. We note that when it was launched, the heading of the BIS press release was:
“New power to boost consumers’ access to data”.
It seemed to be a welcome initiative and we applaud the Government’s role in pushing for voluntary initiatives on giving consumers access to their own purchasing and transactional data.
We also recognise that there is a need to put some of this on a statutory basis so that all providers of goods and services can, in time, be required to provide that access. But the act of putting this on a legal basis forces us to consider, and provide for, the complications that could arise. I am sure that the Minister will be aware of the very strong objection of the British Retail Consortium to this initiative. However, he may also want to note that the consumer organisation, Consumer Focus, while admiring the supposed right, has some serious anxieties about it. We risk the fact that what should be an improved consumer service may actually have issues that have not been dealt with fully on both security and privacy. Some of these arise already, both with the way in which providers keep individual data for their own purpose and in the voluntary schemes of provision to customers that are being introduced without statutory backing.
Once those schemes are required by the Government, then surely the Government and Parliament have a duty to ensure that consumer protection is built into
the process. The new service that will be required of providers by law will involve issues of personal data transmission, data storage, multiple combination and multiple access, which means that the process must have built into it security and minimisation of risk to consumers’ privacy and disclosure of identity. Such precautions will also need to be accompanied by systems of identifying liability and responsibility for redress and absolute clarity about how one goes about seeking that redress.
At the moment, data on the purchases and transactions are largely held by the direct provider, although they are also often sold on or combined with other data. Under Midata, consumers will also have access but there will be greater potential for the selling on and combining of data. Hence, liability, clarity on liability and redress systems are essential. If the system works, the Midata providers must be required to adhere to the highest security and data protection standards. Consumers need to know that Midata providers meet those high standards; so there must be easy identification of those who have been designated as trustworthy providers. It is presumably the Government’s contention that this will be done by secondary legislation, but unless the principles are written clearly in primary legislation, it will be difficult to judge whether those systems can work.
Amendment 58D deals with enforcement of the duty to disclose, but it includes no provision for complaint, mediation, arbitration or redress should that obligation be carried out in a way that endangers or threatens to endanger privacy and security of data. We know that the Information Commissioner is designated as enforcer, at least until the Government decide otherwise, but there is no provision for an ombudsman or for ADR coverage for this. On the Information Commissioner, I have great admiration for the difficult job that both he and his predecessor have done but I seek some confirmation that the Minister is confident that that role is appropriate to fall to the Information Commissioner. He does, of course, already have to make difficult judgments between transparency and data protection, but there are particular dimensions here. I am curious to know whether he even wants this job. Perhaps the Government could also give us some assurance about what additional resources will he get in order to carry it out. The Government themselves seem a bit hesitant as to whether the Information Commissioner is the best-placed person, as they have allowed scope for designating some other body. I do not know whether the Government had something else in mind, or whether it was just a fail-safe provision.
Going back to Amendment 58C, there is also the associated issue of what kind of information and what kind of access is covered. There are many ways in which we purchase goods and conduct our financial transactions. Does this cover the web-based data and transaction services—social media, free apps and online platforms that facilitate transactions between parties? Obvious examples are eBay and Amazon—all different, but all using and storing online consumer data. Because of the conglomerate nature of many retail providers across many markets, there is an issue of how this data is shared even within a company and what the legitimate and non-legitimate boundaries are of such sharing.
In the course of the Financial Services Bill, my noble friend Lord Whitty raised the issue of whether consumer data collected by Tesco, and recorded on their Club Cards, from its retail sales could be used by Tesco’s banking arm to establish creditworthiness. Some Chinese walls are already required within banks and financial institutions. The new Financial Services Act, however, does not require that, in the case of a bank owned by a non-financial institution, there must be such Chinese walls—although the Government did write into the Bill, now an Act, a reserve power to make that requirement. Tesco and financial services are simply as a potential example of this. It has not yet happened. More concretely, in America there have been issues with Walmart and its banking arm.
With consumer data now required, or potentially required, under this Midata clause, to be parcelled up neatly on an individual basis rather than aggregated or earmarked for future marketing as is more usually the case, the possibility for data sharing increases significantly. There is also the issue of companies which are major traders in this country but owned overseas, some in the four areas designated as priority by the Government for this legislation.
Could the Minister tell us how far privacy and data protection can be guaranteed beyond UK boundaries? The sectors chosen—energy, mobile phones and financial institutions—are dominated by major companies and feature oligopolistic markets. However, there are small providers, and there will be even more in other sectors to which these provisions will be extended in due course. Provisions which are not onerous for large retailers—banking and telecoms giants, for example—could be very onerous for smaller retailers and even smaller financial institutions. We understand that the legislation has no exclusions for smaller companies. Again, perhaps the Minister could confirm whether that is the case.
We would also like to ask the Government about their choice of sector priorities. The amendment links together information on individuals held by the provider and held on behalf of the consumer. At present these are legally very different. Data, such as that held by Tesco on its Club Cards, are the clear property of the providing company, as is most data on purchases. However, transactional data held with banks on savings or debt are the property of the consumer and subject to strict privacy and disclosure requirements. As we see it, under Midata, the distinction between those two is blurred.
There are also issues about the kind of data disclosable and the format of that disclosure. The intention, as the Minister outlined, is to provide in electronic machine-readable form data requested by the customer. The customer must be able to request all purchasing and transactional data for a period of at least a year in order to be able to draw rational conclusions and make rational decisions on, for example, changing the pattern of purchase or switching suppliers, which has been suggested. That needs to be specified.
4.15 pm
It is not clear whether consumers can be charged, directly or indirectly, for the data. Does the Minister intend to specify that in regulations? The Midata
initiative could lead to better consumer information and more rational decisions. However, the format in which it is provided may itself be limiting and, as a result, may benefit only those who already are the best informed and most capable of making decisions on switching. However, many more vulnerable and older consumers will have difficulty in using only machine-readable information. Surely, it should be possible for consumers to require disclosure in whatever is the most convenient format for them. Indeed, information on alternatives in order to provide an objective basis for switching between suppliers is equally essential. We therefore argue that a broader strategy is perhaps needed that prioritises data on more vulnerable consumers rather than those already most enabled.
My final point relates to the choice of priority sectors selected by the Government to which the law should initially apply—energy, mobile phones, current accounts and credit cards. The first two categories, energy and mobile phones, are among the areas of highest consumer complaint, and ones where the experience of switching does not always bring the desired benefit. Both categories are idiosyncratic in their methods of contracting and billing, but at least consumers are used to seeing bills on paper or in electronic format. They therefore have some historic but perhaps not always understandable data available for comparison purposes. It seems sensible to prioritise those two areas because there is a lot of consumer concern. However, current accounts and credit cards may be rather different. Information on these is for the most part already accessible via the internet or is requestable on paper. There are more pressing areas where no information is available to the customer, although a lot is available to the provider. Retail sales in multiple supermarkets is one obvious example of where weekly, if not daily, consumer decisions are made.
The other area that should be mentioned is the public sector. In many cases, transactions are non-monetary—although some, such as taxation and social security, are financial. Other transactions, such as in the NHS or social services, are recorded but not available to us. In America, the federal government sector is taking the lead in disclosure on request of individual transactional information and requiring the private sector to follow. Why is there no such government lead here?
The Government may say that much of what I am asking will be dealt with in regulations, but where in the Bill is the hook on which these new regulations could be made? Can the Minister indicate the broad form he intends them to take? I hope that he was not being a little overoptimistic when he talked about a whole lot of new enterprises being set up as a result. I hope that they will not be enterprises that charge consumers and add an extra layer of cost, rather than put the data directly into consumers’ hands, which is what I thought was the intention.
There are serious data protection issues in this, and some comfort from the Minister would assist us.