My Lords, on behalf of my noble friend Lord Clement-Jones and myself I beg to move Amendment 25YX and will speak to the other amendments in this group, which are all about limiting disclosure—but, I want to stress, limiting it in what we regard as an appropriate way, accepting that there are benefits in information sharing but perhaps with more of an eye to privacy considerations than are in the Bill.
The first of the amendments would provide that disclosure of information should be only to the extent necessary and proportionate in connection with public service delivery. This is both because we regard “no more disclosure than is necessary and proportionate” as being important but also, in this context, because disclosure goes outside and beyond public authorities. We have tabled similar amendments to clauses dealing with debt, fraud and research.
In evidence to the Public Bill Committee, the Information Commissioner wrote:
“Proportionality and necessity are key to ensuring data sharing complies with data protection and human rights law”,
and that,
“the Bill does not directly correlate with these concepts”.
Our amendments would put these notions in the Bill. The ICO also commented on bulk data sharing. She wrote:
“As more data is shared ever more widely … big data analytics are used in complex and unexpected ways”.
Our Amendment 28CB would require the civil registration official to be satisfied that disclosure is proportionate to the recipient’s requirement.
Bulk data sharing is so significant that we think it should be reviewed after three years. Amendment 28CF refers particularly to the review covering public attitudes, the use of the powers, the availability of alternative mechanisms, and security considerations.
Amendment 26A takes us to a point that I raised in Committee. We would like to understand what is meant by individuals’ and households’ contribution to society in the context of improving their well-being. This is a condition for disclosure. What is additional in this phrase to the health and social and economic well-being provided for elsewhere in the clause? The expression is paternalistic and judgmental—and, probably more importantly for this purpose, it suggests a concern more for an advantage to society than to the individual or household. That goes against the thrust of the data sharing for public services, which is framed as being for the benefit of individuals and households.
We are also concerned that the exceptions to the protections include the prevention of anti-social behaviour. In Committee, the Minister said that people have a right to be protected against such behaviour. We would not argue against that, but “balance” is a term often used from that Dispatch Box and we think that the balance here is right out of kilter. Protection against anti-social behaviour is very different from protection against serious physical harm and so on. By definition—the definition being that there is a provision elsewhere—anti-social behaviour is not criminal behaviour.
The Government have explained this, as I said at the previous stage, but we do not believe that they have justified it. Nor have they justified exceptions for any crime, which is why our amendments would limit crime here to serious crime, which we have defined using the definition used in the Investigatory Powers Act.
I have to say that not a lot of Clause 36 would fall within the DPA “vital interests” provision.
Next, in Committee we asked about the use of the definition of personal information rather than building on the DPA’s personal data. The Minister told the Committee that to the extent that personal information is not governed by the DPA,
“we still expect that information will be handled in accordance with that framework because of the requirements of the codes of practice”.—[Official Report, 6/2/17; col. 1259.]
Indeed, it would be the codes of practice, not the statute. Our Amendment 28AU is an opportunity for the Minister to answer the Information Commissioner’s observation that there is a gap here. There are compensatory safeguards under the DPA—they apply under the DPA but seem not to apply under the Bill.
We remain concerned that an individual whose information is disclosed should be informed. My noble friend Lady Janke referred to the transparency that is necessary for public trust in the process. I completely agree with that. The Minister was concerned that, if a fraud were being investigated, you would not go out and tell the alleged fraudster what you were doing. I hope that the amendment answers that point, because it is a relatively narrow situation that should not preclude doing what is right more generally.
Amendment 28BM has been tabled to seek an explanation of Clause 40(4), in particular its wording,
“similar to that made by section 38”.
Clause 38 gives powers to HMRC and, as I read it, HMRC will have powers to lift restrictions on disclosure. So, under Clause 40, does this mean that a specified person has a power to lift the restrictions? That does not seem right to me. I have undoubtedly misunderstood it—but, if I have done so, perhaps one or two other people would misunderstand it, too.
Amendment 39 is rather different: a sunrise clause—it could have been a sunset—to explore further how all this fits with the new rules that will come into effect in May 2018, when we will still be in the EU, under the EU general data protection regulation and the law enforcement directive. The GDPR will strengthen provisions on processing only the minimum data, on privacy notices with explicit requirements for data protection by design and default, and on data protection impact assessments.
We were assured in Committee that Part 5 is “compatible”—that was the word used—with the GDPR. Thinking about that afterwards, I wondered whether that meant that Part 5 was not inconsistent but possibly not as wide as the GDPR. We were told:
“When the regulation comes into direct force, we”—
that is, the Government—
“will look at the provisions of the Act and the codes of practice to ensure that they are consistent with it”.—[Official Report, 6/2/17; col. 1490.]
Given that there will be a need to share certain data with other EU states after the date when we leave, how will all this be done? I hope that the Minister can share with the House the Government’s proposals for checking that there is more than just consistency and that, more particularly, nothing is left out. I beg to move.
8.45 pm