UK Parliament / Open data

Digital Economy Bill

My Lords, this group includes a wide range of amendments and our debate on it will be one of our key debates on this section of the Bill. Clause 30 allows specified persons to share data for a specified objective. Our amendments seek to define and limit this and to ensure that additional approval is required where there is broadening or leakage

My honourable friend Louise Haigh thoroughly scrutinised this provision in the other place. Certainly, it took me most of Saturday to read what was said in that Committee stage. I do not intend to repeat all the arguments that were made—but I give fair warning that it will take me some time to go through these key elements, given that the principles in these clauses have given rise to concern, certainly in your Lordships’ Delegated Powers and Regulatory Reform Committee.

I start by saying that we on these Benches are completely in favour of effective data sharing across government to achieve public sector efficiencies, value for money, improved public sector services, improved take-up of benefits for the most vulnerable such as the warm home discount, free school meals and, most importantly, an improved experience for those who use public services. We will come to a lot of those issues in later groups today where we have tabled specific amendments.

The public also support these objectives, but their trust is fragile. In recent years we have seen a number of failures in managing data. The Information Commissioner said in her recent briefing distributed to all noble Lords:

“Transparency and a progressive information rights regime work together to build trust”.

This part of the Bill gives the Government considerable powers to share data. But those building blocks in restoring trust that the Information Commissioner and just about everyone else agree are needed are sadly not mirrored in the Bill. That is the crux of today’s debate.

Instead, the building blocks are covered in regulations and codes of practice. As I said, many, including the Information Commissioner and your Lordships’ DPRRC, have stressed the importance of including such measures in primary legislation as opposed to codes of practice. Having read through all the codes of practice, I sometimes asked myself what we were dealing with. Is this Bill really at the stage of being submitted for parliamentary consideration? So much of it needs further work and further consultation that I really do wonder whether it should be in this House at all at this stage. This is something that we may have to return to.

A specified objective to permit disclosure must meet conditions set out in subsections (6) and (10) of the clause, but they are so all-encompassing that it is difficult to see anything that the public sector does that is not covered by the clause. The published codes give examples of objectives that would fall foul of these criteria, including those that are punitive, and it is useful to see those examples. But it is a real concern that such a clarification of the power is not in the Bill. Why does the Bill not explicitly contain or exclude a punitive objective? What are we avoiding here?

The codes also give examples of objectives that are too general rather than too specific, and it would help if the Minister could say exactly where that line could be drawn. Not only are the objectives not limited in the Bill but the bodies that can share or receive data are not particularly limited either. Subsection (3) states:

“A person specified in regulations under subsection (2) must be … (a) a public authority, or (b) a person providing services to a public authority”.

This is another area that gives people a lot of concern.

In the Government’s original consultation on the Bill, they stated their intention to proceed with proposals to enable non-public sector organisations that fulfil a public function on behalf of a public authority to be in scope of the powers. In that consultation, they said:

“We will strictly define the circumstances and purposes under which data-sharing will be allowed, together with controls to protect the data within the Code of Practice. We will set out in the Code of Practice the need to identify any conflicts of interest that a non-public authority may have and factor that information in the decision-making”.

I read the code of practice. Paragraph 71 refers to this and mentions non-public sector organisations. It says that,

“an assessment should be made of any conflicts of interest that the non-public authority may have”—

but it does not give any examples of what those conflicts of interest might look like. I hope that in his response the Minister will be able to give more examples of what they might look like. We will come back to this issue in our consideration of other groups of amendments to this section.

The code also states that data-sharing agreements should,

“identify whether there are any unintended risks involved with disclosing data”,

to an organisation. In the Commons, my honourable friend Louise Haigh—I congratulate her on this work—raised the behaviour of Concentrix, which was mentioned again on the radio today. It was contracted by HMRC to investigate tax credits and fraud. But the code of practice does not list any examples of risks or set out how specified persons might go about ascertaining them. We heard on the radio today that that contract and the mismanagement of the data has caused huge distress to tens of thousands of people, and that it is ongoing.

The code also states:

“Non-public authorities can only participate in a data sharing arrangement once their sponsoring public authority has assessed their systems and procedures to be appropriate for secure handling data”.

It does not give any sense of what conditions they will be measured against and how officials should assess them. I hope it is not going to be on the same basis that the HMRC gave the contract to Concentrix. It is that that we need to know about. This draft code—and I will keep coming back to it—is in an extremely draft form and needs substantially more work done on it. I hope that the noble Lord will assure us that these codes will be revised and I hope that, within the revisions, he will acknowledge that substantial improvements will be made.

4 pm

This is an important time to strengthen cybersecurity and the minimisation and protection of data, which is why it is so important that we get this part of the Bill right. The new EU GDPR and the law-enforcement directive that were adopted in May will come into effect from May 2018. I am very grateful to the noble Lord for distributing the huge bundle of factsheets. I took the time to read them. I was interested that, in the factsheet Q and A circulated to noble Lords, in answer to the question of whether the new powers in the Bill are compliant with the GDPR, we are told that they are “consistent” with the codes. I am not sure I quite understand what is meant by “compliant” and “consistent”. It could be that a lot more work has to be done.

The GDPR includes stronger provisions on processing only the minimum data needed, consent, requirements on clear privacy notices, explicit requirements for data protection by design and by default and on carrying out data protection impact assessments. Indeed, as the Information Commissioner said when she gave evidence to the Commons Bill Committee:

“There may be some challenges between the provisions and the GDPR … There would be a need to carefully review the provisions of this Bill against the GDPR to ensure that individuals … have the right to be forgotten, for example, so that they could ask for the deletion of certain types of data, as long as that was not integral to a service”.—[Official Report, Commons, Digital Economy Bill Committee, 13/10/16; cols. 112-13]

At the moment this Bill makes no mention of consent and the codes are clearly not designed to support a consent-based model. In the other place, Chris Skidmore, the Minister, asserted that,

“these powers do not erode citizens’ privacy rights. They will operate within the existing data protection framework. The new powers explicitly provide that information cannot be disclosed if it contravenes the Data Protection Act 1998 or part 1 of the Regulation of Investigatory Powers Act 2000. Further, they are carefully constrained to allow information to be shared only for specified purposes and in accordance with the 1998 Act’s privacy principles … The codes are consistent with the … data sharing code of practice. Transparency and fairness are at the heart of the guidance”.—[Official Report, Commons, Digital Economy Bill Committee, 25/10/16; col. 312]

We need to be reassured about this because we are not actually dealing with all the information. We do not have before us the finalised codes—at least I hope we do not, because they are totally inadequate. We need to know more and I think that these probing amendments lay down some very clear markers about how we should proceed with caution in relation to this Bill.

In her evidence the Information Commissioner advised that additional safeguards were needed in the Bill. She recommended that the Government should consider an addition to the Bill that would make it clear that the codes of practice established under Part 5 should be consistent with the ICO’s statutory data sharing code and so forth. She was pleased that the Government had accepted her recommendation—and of course there are now references to her statutory data-sharing code in the data-sharing chapters. It will certainly help to put the consideration for the protection of privacy at the centre of any data-sharing initiative.

We have all received this brief, which is fairly strong in terms of the direction of travel. The commissioner welcomed the references to the privacy impact assessments, but she said that she was still,

“strongly in favour of having reference to them in the Bill”.

The commissioner said that she,

“welcomes the Government’s positive commitment to … address this issue”,

and that:

“Constructive discussions are at an advanced stage”,

and work is taking place with regard to the codes of practice. But when will we get further information from the Government about these possible changes? Will we be presented with key elements of principle in amendments from the Government on Report or even later, when we will not have the same opportunity that we have today to probe, seek explanations and ask questions? It will be a very different sort of forum, and not one that will enable us to satisfy our concerns.

On the issue of timeframes and consultation, whatever revisions are made to the codes, we want to be satisfied. I know that we have tabled further amendments on this issue in terms of consultation, but we need in this first group to understand what those timeframes really mean.

I now turn to the Delegated Legislation Committee’s report. I do not think that I have seen such strong language from a committee that has not had a response from the Government. I assume that the Minister will tell us that they have received the report and are considering it—but how long will that consideration take? When will we know what the Government’s response is to it? I will not read out the committee’s full report, but we have tabled amendments. There is one specific recommendation. The committee felt that it was inappropriate for Ministers to have the “untrammelled” powers given by Clause 30 that would allow them to prescribe extensively. That sort of language needs to be responded to today in detail. I look forward to hearing the Minister’s response.

At the end of the day, we tabled this amendment and we want to emphasise that we need an explanation from the Government about why these powers are needed and what safeguards will be in place. If we do not get that explanation, we will need safeguards on the face of the Bill. I beg to move.

Type: Proceeding contribution
Reference: 778 cc1482-6
Session: 2016-17
Chamber / Committee: House of Lords chamber