In moving this amendment, I apologise that my noble friend Lady Hayter is unable to be present and has asked me to speak on her behalf. I will also speak to Amendments 84AHNB, 84AHNC and 84AHND. I start by making it clear that we on this side support the broad thrust and intent of Midata, which is to give consumers increased access to their personal data in a portable, electronic format so that they can use this data to gain insights into their own behaviour, and make more informed choices about products and services. However, to make Midata work and to build consumer confidence in it, there are concerns which we raised in Committee and which our amendments seek to address.
Confidence is key, here as in many other places, and a smart way to ensure that users can trust the use and care of their data is through a redress scheme. Not only does this give comfort in itself—people know where to go if they have a complaint about the provision, cost or use of their data—but it serves two other functions. One is that any regulated person using the logo of a particular redress scheme also signifies some assurance of quality and regulation to the user. The second, more significant function, is that a body of evidence accrues via such a complaints scheme of the sorts of problems or the particular regulated persons which are causing concerns. Given that the Information Commissioner uses a risk and evidence based approach to his work, he is highly reliant on evidence—both of the extent and detriment of any problems—and these are best captured by an accessible and effective complaint or ombudsman scheme.
I start with Amendment 84AHNA, which would require regulated and possibly authorised persons to join a redress scheme. This would not entail setting up a whole new redress body, as there are plenty of other high-quality ombudsmen covering a range of sectors who could be approved under this Bill. Without our amendment, the Bill covers high-level enforcement, but with customers able to bring an action for breach of regulations only before a court or tribunal or, under Section 13 of the Data Protection Act, to claim compensation through the courts. That is a pretty unrealistic hurdle for individual consumers. Hence our call for a redress scheme for individual complaints. Knowing a redress scheme is available if things go wrong would give consumers the confidence to harness the empowering potential of Midata.
Amendment 84AHNB deals with the costs of complying with requests. At present, the charges reflect costs to the data supplier. Our amendment is about costs to consumers: after all it is their personal data that they want released. Charges must not dissuade consumers from engaging in the Midata programme. The EU data protection directive uses the phrase “without excessive ... expense”, but given that not everyone is familiar with that directive, it should be added to the Bill.
Amendment 84AHNC deals with strengthened consumer protections. There are risks from Midata, especially as combining datasets into a whole-person view poses risks to privacy and identity. Secondly, because Midata will see multiple parties including the consumer assume responsibility for data at different points, liability becomes complex, with the risk that consumers will be left exposed. Thirdly, legitimate businesses offering third party services could incentivise consumers to provide data which might otherwise not be accessible.
Fourthly, there is the risk of misuse of data. Businesses and third parties might, for example, sell on and share data with their affiliates or engage in uninvited cross-selling and marketing. Finally and pervasively, there is security. ID fraud is a real risk as it would be easy to build a picture of an individual, drawing on different information sources. Given that data protection is already of huge concern for consumers, an assurance of security is essential for Midata to succeed and benefit consumers, who will need to be confident they are sharing their data only with trustworthy service providers. We ask the Secretary of State to consult widely to develop protections to ensure that the consumer interest is represented alongside those of regulated and authorised persons. We know that the Information Commissioner would welcome being included on this list.
7.45 pm
Amendment 84AHND seeks to protect customer data. This arises from specific concerns that the Bill does not reflect the security risks inherent in providing third parties with access to customers’ banking details. The aim of Midata is to help consumers to effectively shop around by greater access to charges and fees on services provided, in this case, by a bank. However, information in bank and credit card statements already reveals a vast amount of personal information, far beyond the data from mobile phones or energy providers. While customers might be able to use such data to make informed decisions, there could be data protection risks to consumers if they provide such information to third parties. Our proposals therefore seek to strengthen third-party arrangements to ensure customer data will be protected. Banks are bound by the common law duty of bankers’ confidentiality, which extends to all information relating to customers, their accounts and transactions with the bank, and by the Data Protection Act. However, if customers engage a third party to analyse their data, these contractual arrangements alleviate the data protection issues for banks. This means that customers would be relying on the quality of the third party’s security protocols.
Such third parties who seek to process customer data released under Midata should therefore be subject to increased regulation. Under Section 41A of the Data Protection Act, our amendment would extend the enhanced regime of inspection and enforcement by the Information Commissioner’s Office to third parties who receive customer data. While the Government already have the powers to make this change, this amendment would ensure they exercise these powers. I beg to move.