My Lords, I start with an apology. Because of the way in which these items of business have been scheduled—or perhaps I should say not scheduled—I might have to leave before I hear the Minister’s response. He is aware of that and I am very grateful for his indulgence in that respect, which will make me feel even guiltier when he hears what I have to say.
I am indebted to medConfidential for many of the points I shall make and to the noble Lord, Lord Freyberg, who takes a keen interest in these matters but cannot be present today.
The essence of what I have to say is that these regulations and codes should be withdrawn. In summary, earlier this month the Secondary Legislation Scrutiny Committee published a report on these draft regulations made under Part 5 of Chapter 1 of the Digital Economy Act, as the Minister explained. The DCMS offered assurances that the codes of practice were consistent with each other and drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice. However, subsequently it replaced the standards with a new set under a different name—the data ethics framework—so the codes as laid do not reflect current DCMS guidance. In our view, this invalidates the whole of our debate.
I will go through the details. The Secondary Legislation Scrutiny Committee drew the digital government regulations to the special attention of the House. The DCMS told the committee that the codes were to the,
“the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
That is at paragraph 9 of the committee’s report. As the SLSC says:
“In their response, DCMS have also offered assurances that these codes of practice are consistent with each other and have been drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
The committee’s report was finalised on a Tuesday and printed the following Thursday. On the Wednesday, the DCMS replaced the “latest” standards with a new set under a different name, the data ethics framework. Quite apart from the concerns raised by the committee, when the DCMS gave its response to the committee it surely must have known that a new framework was due the following day to replace the one to which it referred, and that its assurances would therefore be untrue even before they were printed.
The current codes reference the Data Science Ethical Framework, which predates the Data Protection Act and the GDPR. By that fact alone, these DCMS codes cannot be approved. They are, by definition, out of date following legislation on which the DCMS and the Minister himself led.
As the Minister described, a number of groups were consulted on the draft codes in the middle of last year, and while there is consensus from all sides that the codes are improved as a result of that constructive engagement, those consultations were before the Government surprised everyone with the proposal for a “framework for data processing by government” in the Data Protection Act—before the guidance changes due to the GDPR had fully begun, before the Government announced that the Data Science Ethical Framework was in need of replacement, and certainly before the DCMS launched the replacement with a new name last week. The department assured Parliament that,
“these codes of practice are consistent with each other”,
but it cannot assert they will be compliant with other codes, as yet unlaid and unwritten by the Information Commissioner. What the Information Commissioner does should be up to the Information Commissioner. She should not have her hands tied by her sponsor department.
It is particularly important that these codes and the regulations are withdrawn given that the first issuance of the codes is under the affirmative procedure for approval of the House and future updates will be under the negative procedure.
I have a few other questions. Where is the framework for data processing by government included at the last minute by Ministers in Committee on the Data Protection Bill? There is still no clarity as to what the Government plan to do with it, only that it is not the Data Science Ethical Framework nor the data ethics framework. It is, however, yet another government data framework that must be taken into account. The passage of the Data Protection Act 2018 necessitates updates to many ICO codes. Late in the day, the DCMS chose to introduce its new framework for data processing by government, which surely must be the governing instrument for these codes, but, as I said earlier, it has provided no clarity on how this will operate.
The department seems to be offering nothing other than assurances of compliance when one looks through the codes. It talks of consultation with the ICO. Has the ICO confirmed publicly that these codes are compliant with the GDPR, the new Data Protection Act and the ICO guidance?
According to recent announcements from University College London Hospitals NHS Foundation Trust, it is conducting artificial intelligence trials internally for issues of direct benefit to it. This shows not only that the NHS is beginning to understand the power of data and digital tools, but that this can be done in-house for public benefit and that there are viable alternatives to handing data to and sharing data with multinational companies. What are the Government doing more broadly across the NHS to ensure that there is full recognition across the NHS?
The Digital Economy Act affords the Secretary of State considerable powers to make use of publicly controlled data, which is of considerable concern in some quarters. The key concern is the scope for different departments to share and then link datasets, such as sharing health data from the Department of Health and Social Care with the Home Office to identify illegal immigrants, as stated in recent headlines. What is the scope and/or limitation for the Secretary of State to share publicly controlled data with private entities? Is this likely to inform the introduction of so-called “data trusts”?
Then, of course, there is the question of whether any of the codes is fit for the future in terms of technology. In particular, what are the duties of transparency and explainability where datasets are used to construct artificial intelligence solutions, algorithms and the like for government purposes? What consultation was engaged in this respect? There appears to be no reference in any of the codes to this. Should we not wait for the data ethics and innovation centre to give its guidance on these matters involving the Government and their deployment of artificial intelligence?
In the light of the above, it is clear that neither these regulations nor the codes are fit for purpose. Will the Government withdraw them before placing replacement codes before the House? Will the Minister confirm that the codes will be compliant with any yet-to-be-written
Information Commissioner codes? Will they be confirmed as such by the Information Commissioner? Sadly, I will not hear the Minister’s reply but I very much hope that it is a full one.