My Lords, as I explained in Grand Committee, the idea behind the powers and Midata is simple: to give consumers the right to request their existing consumption and transaction data back from their suppliers in a portable, electronic format. I remind the House that this data already exist. We are not talking about collecting new data here.
In addressing Amendment 84AHNA, I reassure the noble Baroness, Lady Hayter, and the noble Lord, Lord Stevenson, who is speaking to this amendment, that I agree with them both that customers need to be protected from data misuse. Service providers under Midata must comply with all existing data security and protection rules. There are well-established complaint and redress schemes through the Information Commissioner’s Office in the core sectors where ombudsmen already operate. Data controllers must notify the Information Commissioner of data processing under Section 17 of that Act. Failure to do so is an offence.
However, there may be a need for further measures. This is why a consumer protection and trust work stream has been established under the Midata programme. A number of working groups made up of privacy experts, business, regulators and consumer groups are looking at a wide range of consumer issues. They have been tasked with identifying and recommending existing best practices and, where appropriate, new approaches that may be needed to ensure the security of individuals’ data. The groups are due to report in summer and any recommendations that they propose may need to be reflected in enforcement provisions made under these powers.
The role of third parties is important. Where citizens choose to provide data to a third party, or provide authorisation for a third party to request data on their behalf, the Data Protection Act applies. Under that Act, data controllers do not need to comply with a request for data unless they are satisfied that the requesting party has authority to access it. The consumer protection and trust working groups are looking at a wide range of issues that could emerge in a new Midata world and the Government will want to take their advice before acting. Their recommendations might include kitemarks, accreditation processes and complaint handling and redress schemes, as well as other proposals. The Government do not want to pre-empt any recommendations by setting out detailed protection measures in the Bill.
Turning to Amendment 84AHNB, I reassure noble Lords that the aim of our provision is to make data more accessible. We believe that Clause 75(5)(b)(ii) will have much the same effect as the limitation put forward by the noble Baroness, Lady Hayter, and the noble Lord, Lord Stevenson. The Government expect data to be provided back to consumers cheaply, and ideally for free, but businesses may initially incur additional costs in making data available electronically and the power allows businesses to charge to recoup their only cost. Noble Lords may be reassured to know that data that have been so far released under the Midata voluntary programme have been provided to customers free of charge.
On Amendment 84AHNC, I would like to deal with proposed new subsection (6A)(a) first. As I have said, businesses do not need to comply with a request for data unless they are satisfied that there is a valid claim of access under the DPA. Mechanisms that might enable this are being considered in the working groups, so this is still a matter under consideration. However, it is clear from our discussions with data controllers that they will not be willing to release data to third parties unless fully satisfied that it represents a legitimate request from an authorised party. The methodology may vary by sector but the additional measures proposed in this amendment do not appear necessary at this time.
In her proposed new subsection (6A)(b), the noble Baroness, Lady Hayter, has raised an interesting point but the Data Protection Act already affords protections in this area. I recognise the concerns in this respect, particularly around the possible actions of nefarious or rogue operators. However, access to Midata would not alter the current data protection law and any criminal activity could be dealt with appropriately, as it is now. In relation to proposed new subsection (6B), we are working with privacy experts, businesses, regulators and consumer groups in the working groups that I have mentioned. Legislation would be introduced only after a period of public consultation. Scope will exist in any regulations to place conditions on accessing data by authorised persons. Therefore, I believe the specific provisions set out in the amendment to be unnecessary.
Finally, Amendment 84AHND would extend the Information Commissioner’s powers of compulsory entry and audit to the private sector for the first time. This is primarily a matter for the Ministry of Justice and I am not convinced that such a major departure from current policy can be justified here. Its most likely effect would be to stifle innovation. As a result, services that help people to analyse their data will not be developed or may be withdrawn. The ICO already has investigation powers to require information from the private sector; we believe that these are sufficient in this case.
I would like to come back to the noble Lord, Lord Stevenson, on his assertion about claiming compensation through the courts. I think he deemed that to be unrealistic, but the power does provide for a non-court redress route. This could include empowering the ICO to address Midata complaints, if that helps the noble Lord. In the light of my responses, I ask the noble
Lord, Lord Stevenson, on behalf of the noble Baroness, Lady Hayter, to withdraw the amendment that she tabled.