My Lords, I would like to speak to Amendments 213A to 213C, which explore the Government’s commitment to transparency and how people can know about information-sharing agreements that are in place and, looking to the future, how the equivalent of a subject access request could work, explicitly to assist with fraud detection.
I draw the Committee’s attention to the comment from the Delegated Powers and Regulatory Reform Committee at paragraph 52, which noted that, without even allowing for parliamentary scrutiny, the powers in Clause 39 as drafted are as “inappropriately wide” as those in Clause 30, and seem to be deliberately so. Those very wide powers are of great concern. As an increase in digital technology emerges, the public need to be informed to understand how to use the resources available to them—and they need to know how data on them, as citizens, are being used. They must have confidence in the safeguards in place, otherwise we will have a population that increasingly refuses to engage with any kind of data registration.
It is unclear where health issues sit in this Bill. I declare all my interests in relation to health, as in the register. The powers can include, in Clause 30(10)(a), individuals’,
“physical and mental health and emotional well-being”.
That suggests that health data must fall within the remit of this clause, whether held originally by the NHS or whether they are then held by other bodies. It was in an interview that the Government Digital Service director-general gave as an example the large databases between the NHS and the DWP, commenting that these are large databases of citizens’ records and that we really need to be able to match them, which would suggest a read-across between the two. So while there is a prohibition in the Bill on the use of health and social care data for research, the approach may not have a prohibition in relation to data otherwise disclosed. The NHS bodies, for example, hold the data and, although the Secretary of State is not currently listed in the regulations as published, it is difficult to see how the Secretary of State could not be added to regulations at a later point.
7.15 pm
The DWP sometimes requires health data from people that it is dealing with and, effectively, compels them to require the NHS to provide their data. Once the DWP becomes the holder of the data or the data controller, it would fall within the clause as already written. So health information would no longer continue to be excluded from the powers, and the DWP policy, interestingly, although it asks for data from the NHS, does not seem to trust NHS assessments of patients—but I shall not go further down that road at the moment.
When we come to fraud and debt, the powers described in the codes of practice required by Clause 36 provide for partial accountability. The public service delivery powers defined in Clause 30, the single clause that affects most departments, have significantly reduced oversight and, effectively, transparency. Again, the concern was about these being inappropriately wide powers, as reported by the Delegated Powers and Regulatory Reform Committee.
Transparency has to be a fundamental principle when copying citizens’ data—and particularly when copying large portions of citizens’ data en masse. Therefore, it seems strange that it does not appear as a distinct section of the Bill; I ask the Minister to explain why the Government have not put transparency on the face of the Bill. The copying of data between different bodies would be covered by my amendments, as it would require all data-sharing agreements to be included in the public register. As with the NHS digital data release register, this register of data sharing would provide transparency and hence accountability. A code of practice is not enough, and it is not clear how non-adherence to any kind of code of practice would be detected. In Amendment 103, noble Lords have sought detail on a register of data disclosure. On that basis, I ask the Government to confirm that people will have one place where they can find details of the different data-sharing agreements. It is not enough to suggest that people can make a Freedom of Information Act request. Few people would do this, and it will allow organisations wriggle room. The problem is that once vast amounts of data have been shared, they cannot be unshared. A register of agreements would be far more open and would be accessible. After all, it is not how government says that powers will be used but how they could be used in future that causes public concern and hence the need for transparency.
The requirement for people to know their rights leads me to the second point. Can the Government confirm that a digital equivalency of rights will be in place, which will not require burdensome processes for the citizens? Digital equivalency means that government must make sure that people know that their rights are protected, in the same way as currently, in the much more non-digital world. The concern relates to the increasingly complex interdependent data on each person, which can be connected and used, whether to assist that person or otherwise.
My third point relates to the Government’s use of data in the future. It is difficult, or impossible, to foresee the future but we can be pretty sure that the way data are used in 100 months’ time will be similar to the way they will be used in, say, 98 or 99 months’ time. In other words, the best way to know how your data might be used next month is to see how they are being used in the current month or were used in the previous month. What we are talking about is, in effect, a form of subject access request, so I ask the Government to provide the same protections here as the Data Protection Act currently does for other forms of subject access request, and to create digital equivalency.
In health, there has been much concern around the secondary use of medical data, which do not differ fundamentally from the type of data anticipated here. As I explained, there can be a second holder of such data, and they will be desired by other bodies—both public and private. The problems that arose in 2014 with the care.data programme eroded confidence. It is worth noting that the latest Caldicott review calls for a continued, informed conversation with patients about their data. Although I believe the Government have said that Part 5 does not apply to health data, pending the outcome of their response to the review, there is, indeed, concern that health data could be transferred via a third party.
On data that could be used to detect fraud, there seems to be no reason why the standard declaration for this purpose could not cover all lawful anti-fraud activities. Law-abiding citizens could, as with the provision of bank or mobile phone statements, allow transparency here, and this could reduce the opportunity for people to cheat the system. People would then be able to better detect fraudulent activity themselves. Indeed, such an ability would be most helpful for the Office of the Public Guardian which has a large fraud department. It would allow it to directly access data concerning a subject’s finances, which is currently held by a court-appointed or person-appointed deputy, attorney or guardian. This would allow the fraud department to investigate much more effectively as it would not have to seek permission from that appointee, a situation which has allowed fraud to occur in the past. There have been notable examples of difficulties in detecting financial fraud. Amendment 213C may specifically help with such detection.