Data Protection and Digital Information Bill – in the House of Commons at 1:20 pm on 29 November 2023.
Any exemptions from these Principles must be specified via the “Exceptional Circumstances Principle”. (See Principle 9).
1 User Control Principle
Statement of Principle: “I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them.”
1.1 An Identity Provider or Service Provider must ensure any collection, use or disclosure of IdA data in, or from, an Identity Assurance Service is approved by each particular Service User who is connected with the IdA data.
1.2 There should be no compulsion to use the Identity Assurance Service and Service Providers should offer alternative mechanisms to access their services. Failing to do so would undermine the consensual nature of the service.
2 Transparency Principle
Statement of Principle: “Identity assurance can only take place in ways I understand and when I am fully informed.”
2.1 Each Identity Provider or Service Provider must be able to justify to Service Users why their IdA data are processed. Ensuring transparency of activity and effective oversight through auditing and other activities inspires public trust and confidence in how their details are used.
2.2 Each Service User must be offered a clear description about the processing of IdA data in advance of any processing. Identity Providers must be transparent with users about their particular models for service provision.
2.3 The information provided includes a clear explanation of why any specific information has to be provided by the Service User (e.g. in order that a particular level of identity assurance can be obtained) and identifies any obligation on the part of the Service User (e.g. in relation to the User’s role in securing his/her own identity information).
2.4 The Service User will be able to identify which Service Provider they are using at any given time.
2.5 Any subsequent and significant change to the processing arrangements that have been previously described to a Service User requires the prior consent or approval of that Service User before it comes into effect.
2.6 All procedures, including those involved with security, should be made publicly available at the appropriate time, unless such transparency presents a security or privacy risk. For example, the standards of encryption can be identified without jeopardy to the encryption keys being used.
3 Multiplicity Principle
Statement of Principle: “I can use and choose as many different identifiers or identity providers as I want to.”
3.1 A Service User is free to use any number of identifiers that each uniquely identifies the individual or business concerned.
3.2 A Service User can use any of his identities established with an Identity Provider with any Service Provider.
3.3 A Service User shall not be obliged to use any Identity Provider or Service Provider not chosen by that Service User; however, a Service Provider can require the Service User to provide a specific level of Identity Assurance, appropriate to the Service User’s request to a Service Provider.
3.4 A Service User can choose any number of Identity Providers and where possible can choose between Service Providers in order to meet his or her diverse needs. Where a Service User chooses to register with more than one Identity Provider, Identity Providers and Service Providers must not link the Service User’s different accounts or gain information about their use of other Providers.
3.5 A Service User can terminate, suspend or change Identity Provider and where possible can choose between Service Providers at any time.
3.6 A Service Provider does not know the identity of the Identity Provider used by a Service User to verify an identity in relation to a specific service. The Service Provider knows that the Identity Provider can be trusted because the Identity Provider has been certified, as set out in GPG43 – Requirements for Secure Delivery of Online Public Services (RSDOPS).
4 Data Minimisation Principle
Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”
4.1 Identity Assurance should only be used where a need has been established and only to the appropriate minimum level of assurance.
4.2 Identity Assurance data processed by an Identity Provider or a Service Provider to facilitate a request of a Service User must be the minimum necessary in order to fulfil that request in a secure and auditable manner.
4.3 When a Service User stops using a particular Identity Provider, their data should be deleted. Data should be retained only where required for specific targeted fraud, security or other criminal investigation purposes.
5 Data Quality Principle
Statement of Principle: “My interactions only use the minimum data necessary to meet my needs.”
5.1 Service Providers should enable Service Users (or authorised persons, such as the holder of a Power of Attorney) to be able to update their own personal data, at a time at their choosing, free of charge and in a simple and easy manner.
5.2 Identity Providers and Service Providers must take account of the appropriate level of identity assurance required before allowing any updating of personal data.
6 Service User Access and Portability Principle
Statement of Principle: “I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.”
6.1 Each Identity Provider or Service Provider must allow, promptly, on request and free of charge, each Service User access to any IdA data that relates to that Service User.
6.2 It shall be unlawful to make it a condition of doing anything in relation to a Service User to request or require that Service User to request IdA data.
6.3 The Service User must be able to require an Identity Provider to transfer his personal data, to a second Identity Provider in a standard electronic format, free of charge and without impediment or delay.
7 Certification Principle
Statement of Principle: “I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements.”
7.1 As a baseline control, all Identity Providers and Service Providers will be certified against a shared standard. This is one important way of building trust and confidence in the service.
7.2 As part of the certification process, Identity Providers and Service Providers are obliged to co-operate with the independent Third Party and accept their impartial determination and to ensure that contractual arrangements—
• reinforce the application of the Identity Assurance Principles
• contain a reference to the independent Third Party as a mechanism for dispute resolution.
7.3 In the context of personal data, certification procedures include the use of Privacy Impact Assessments, Security Risk Assessments, Privacy by Design concepts and, in the context of information security, a commitment to using appropriate technical measures (e.g. encryption) and ever improving security management. Wherever possible, such certification processes and security procedures reliant on technical devices should be made publicly available at the appropriate time.
7.4 All Identity Providers and Service Providers will take all reasonable steps to ensure that a Third Party cannot capture IdA data that confirms (or infers) the existence of relationship between any Participant. No relationships between parties or records should be established without the consent of the Service User.
7.5 Certification can be revoked if there is significant non-compliance with any Identity Assurance Principle.
8 Dispute Resolution Principle
Statement of Principle: “If I have a dispute, I can go to an independent Third Party for a resolution.”
8.1 A Service User who, after a reasonable time, cannot, or is unable, to resolve a complaint or problem directly with an Identity Provider or Service Provider can call upon an independent Third Party to seek resolution of the issue. This could happen for example where there is a disagreement between the Service User and the Identity Provider about the accuracy of data.
8.2 The independent Third Party can resolve the same or similar complaints affecting a group of Service Users.
8.3 The independent Third Party can co-operate with other regulators in order to resolve problems and can raise relevant issues of importance concerning the Identity Assurance Service.
8.4 An adjudication/recommendation of the independent Third Party should be published. The independent Third Party must operate transparently, but detailed case histories should only be published subject to appropriate review and consent.
8.5 There can be more than one independent Third Party.
8.6 The independent Third Party can recommend changes to standards or certification procedures or that an Identity Provider or Service Provider should lose their certification.
9 Exceptional Circumstances Principle
Statement of Principle: “Any exception has to be approved by Parliament and is subject to independent scrutiny.”
9.1 Any exemption from the application of any of the above Principles to IdA data shall only be lawful if it is linked to a statutory framework that legitimises all Identity Assurance Services, or an Identity Assurance Service in the context of a specific service. In the absence of such a legal framework then alternative measures must be taken to ensure, transparency, scrutiny and accountability for any exceptions.
9.2 Any exemption from the application of any of the above Principles that relates to the processing of personal data must also be necessary and justifiable in terms of one of the criteria in Article 8(2) of the European Convention of Human Rights: namely in the interests of national security; public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals, or for the protection of the rights and freedoms of others.
9.3 Any subsequent processing of personal data by any Third Party who has obtained such data in exceptional circumstances (as identified by Article 8(2) above) must be the minimum necessary to achieve that (or another) exceptional circumstance.
9.4 Any exceptional circumstance involving the processing of personal data must be subject to a Privacy Impact Assessment by all relevant “data controllers” (where “data controller” takes its meaning from the Data Protection Act).
9.5 Any exemption from the application of any of the above Principles in relation to IdA data shall remain subject to the Dispute Resolution Principle.”
Amendment 220, in schedule 1, page 141, leave out from line 21 to the end of line 36 on page 144.
This amendment would remove from the new Annex 1 of the UK GDPR provisions which would enable direct marketing for the purposes of democratic engagement. See also Amendment 218.
Government amendments 266 to 277.
Government amendments 208 to 211.
Amendment 15, in schedule 5, page 154, line 2, at end insert—
“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”
This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer.
Amendment 14, page 154, line 25, at end insert—
“5. In relation to special category data, the Information Commissioner must assess whether the data protection test is met for data transfer to a third country or international organisation.”
This amendment requires the Information Commission to assess suitability for international transfer of special category data to a third country or international organisation.
Amendment 13, page 154, line 30, leave out “ongoing” and insert “annual”.
This amendment mandates that a country’s suitability for international transfer of data is monitored on an annual basis.
Amendment 16, in schedule 6, page 162, line 36, at end insert—
“(g) the views of the Information Commission on suitability of international transfer of data to the country or organisation.”
This amendment requires the Secretary of State to seek the views of the Information Commission on whether a country or organisation has met the data protection test for international data transfer in relation to law enforcement processing.
Government amendment 212.
Amendment 231, in schedule 13, page 202, line 33, at end insert—
“(2A) A person may not be appointed under sub-paragraph (2) unless the Science, Innovation and Technology Committee of the House of Commons has endorsed the proposed appointment.”
This amendment would ensure that non-executive members of the Information Commission may not be appointed unless the Science, Innovation and Technology Committee has endorsed the Secretary of State’s proposed appointee.
Government amendments 213 to 216.
The current one-size-fits-all, top-down approach to data protection that we inherited from the European Union has led to public confusion, which has impeded the effective use of personal data to drive growth and competition, and to support key innovations. The Bill seizes on a post-Brexit opportunity to build on our existing foundations and create an innovative, flexible and risk-based data protection regime. This bespoke model will unlock the immense possibilities of data use to improve the lives of everyone in the UK, and help make the UK the most innovative society in the world through science and technology.
I want to make it absolutely clear that the Bill will continue to maintain the highest standards of data protection that the British people rightly expect, but it will also help those who use our data to make our lives healthier, safer and more prosperous. That is because we have convened industry leaders and experts to co-design the Bill at every step of the way. We have held numerous roundtables with both industry experts in the field and campaigning groups. The outcome, I believe, is that the legislation will ensure our regulation reflects the way real people live their lives and run their businesses.
I am grateful to the Minister for giving way so early. Oxford West and Abingdon has a huge number of spin-offs and scientific businesses that have expressed concern that any material deviation on standards, particularly European Union data adequacy, would entangle them in more red tape, rather than remove it. He says he has spoken to industry leaders. Have he and his Department assessed the risk of any deviation? Is there any associated cost to businesses from any potential deviation? Who is going to bear that cost?
I share the hon. Lady’s appreciation of the importance of data adequacy with the European Union. It is not the case that we have to replicate every aspect of GDPR to be assessed as adequate by the European Union for the purposes of data exchange. Indeed, a number of other countries have data adequacy, even though they do not have precisely the same framework of data protection legislation.
In drawing up the measures in the Bill, we have been very clear that we do not wish to put data adequacy at risk, and we are confident that nothing in the Bill does so. That is not only my view; it is the view of the expert witnesses who gave evidence in Committee. It is also the view of the Information Commissioner, who has been closely involved in all the measures before us today. I recognise the concern, but I do not believe it has any grounds.
The Minister says, “We do not wish”. Is that a guarantee from the Dispatch Box that there will be absolutely no deviation that causes a material difference for businesses on EU data adequacy? Can he give that guarantee?
I can guarantee that there is nothing in the Government’s proposals that we believe puts data adequacy at risk. That is not just our view; it is the view of all those we have consulted, including the Information Commissioner. He was previously the information commissioner in New Zealand, which has its own data protection laws but is, nevertheless, recognised as adequate by the EU. He is very familiar with the process required to achieve and keep data adequacy, and it is his view, as well as ours, that the Bill achieves that objective.
We believe the Government amendments will strengthen the fundamental elements of the Bill and reflect the Government’s commitment to unleashing the power of data across our economy and society. I have already thanked all the external stakeholders who have worked with us to ensure that the Bill functions at its best. Taken together, we believe these amendments will benefit the economy by £10.6 billion over the next 10 years. That is more than double the estimated impact of the Bill when it was introduced in the spring.
Will the Minister confirm that no services will rely on digital identity checks?
I will come on to that, because we have tabled a few amendments on digital verification and the accreditation of digital identity.
We are proposing a voluntary framework. We believe that using digital identity has many advantages, and those will become greater as the technology improves, but there is no compulsory or mandatory element to the use of digital identity. I understand why the hon. Lady raises that point, and I am happy to give her that assurance.
Before my right hon. Friend moves on to the specifics of the Government amendments, may I ask him about something they do not yet cover? The Bill does not address the availability of data to researchers so that they can assist in the process of, for example, identifying patterns in online safety. He will know that there was considerable discussion of this during the passage of the Online Safety Act 2023, when a succession of Ministers said that we might return to the subject in this Bill. Will he update the House on how that is going? When might we expect to see amendments to deal with this important area?
It is true that we do not have Government amendments to that effect, but it is a central part of the Bill that we have already debated in Committee. Making data more available to researchers is, indeed, an objective of the Bill, and I share my right hon. and learned Friend’s view that it will produce great value. If he thinks more needs to be done in specific areas, I would be very happy to talk to him further or to respond in writing.
There are quite a number of technical amendments, as Sir Chris Bryant observed. I will start with the UK-US data access agreement, which permits telecommunications operators in the UK to share information about serious crimes with law enforcement agencies in the US, and vice versa.
Government new clause 6 makes it clear that the UK-US data access agreement, and other specified international treaties, can provide a basis for processing under several grounds in the UK GDPR. This agreement has been operational since October 2022, and disclosures made under it are not prevented by the current data protection legislation. However, the measures contained in the new clause will make it absolutely clear to telecoms operators in the UK that the data access agreement provides an appropriate legal basis for processing personal data, special category data and criminal offences data under the relevant provisions in the UK GDPR.
We have also tabled an amendment to ensure that, following the loss of the EU general principle of proportionality at the end of 2023 as a result of the Retained EU Law (Revocation and Reform) Act 2023, controllers continue to need only to carry out a reasonable and proportionate search for information when responding to a subject access request. While controllers should make the best possible efforts to locate all the information requested by a data subject, there are occasions when this might be unreasonable or disproportionate, such as when the information is of low importance or of low relevance to the data subject. In those circumstances, it is important to continue to allow controllers to limit the efforts they make when searching for information, and this position reflects existing domestic case law. The amendment simply provides greater legal certainty for controllers.
Turning to the Information Commissioner’s Office codes of practice, we have listened to concerns about the perceived impact of the approval powers on the independence of regulators, so we are amending the Bill to remove the veto power on the contents of ICO statutory codes of practice. It was previously proposed that the power should be held by the Secretary of State. [Interruption.] I welcome the expression of enthusiasm for this amendment from the hon. Member for Rhondda.
This amendment balances regulatory independence with democratic accountability and reaffirms the Government’s commitment to the independence of our regulatory framework, and it is supported by the ICO. The amendment introduces a new process for the approval of ICO statutory codes of practice, and it provides that the Information Commissioner must consider recommendations from the Secretary of State about a code of practice prior to the code being laid before Parliament. Critically, the Information Commissioner will not be bound by the Secretary of State’s recommendations.
We are also introducing an amendment to clarify the ways in which the ICO can serve notices, and to remove the outdated requirement for the ICO to obtain consent before serving notices by email. This amendment will enable the ICO to enforce the UK’s data protection regime more effectively, particularly against overseas businesses, and it mirrors the arrangements that a number of other regulators already have.
Although most data controllers do the right thing and respond to subject access requests in a satisfactory way, some disputes end up in court, so we have tabled an amendment that will enable a court to require information from a controller to assess whether it should have been provided as part of the original response, while ensuring that the information is not disclosed to the claimant until it has been determined whether or not they are entitled to it.
Dawn Butler mentioned the digital identity verification schemes in part 2. The UK digital identity and attributes trust framework sets out baseline rules that organisations must follow to become a Government-approved digital verification service provider. However, in some cases where people may choose to use digital identity products, such as when applying for a mortgage or completing pre-employment checks, digital verification service providers may need to follow rules in addition to those within the trust framework in order to meet sector-specific requirements. Our amendment enables additional rules, which are described as “supplementary codes” in the Bill, to be approved by the Government, against conditions set out in the trust framework. Organisations will be able to prove that the digital verification services they offer are certified against supplementary codes, as well as the trust framework, by having a note included in the digital verification service register.
Let me turn to one or two examples, covering both the right-to-rent and right-to-work checks. It is essential that the employment and private rental sectors are provided with robust and secure processes to ensure that the identity checking parts of their onboarding processes are secure, efficient and effective. The Home Office will use the amended part 2 powers I have just explained to make secondary legislation that means that when an employer or landlord is using the services of a digital verification service provider, they do so from the register of digital verification service providers established under part 2 of the Bill. That does not change the already established processes available to employers and landlords. In fact, 41 providers have already been certified to perform digital right-to-work and right-to-rent checks, in line with the existing version of the UK digital identity and attributes trust framework, to which I have referred. The amendments will provide confidence and security to employers and landlords that the service providers they are using are certified. Our ongoing engagement with the sector tells us that the use of digital identity service providers is a welcome development, as it represents a more cost-effective practice than manual checks of physical documents.
Providers of public electronic communications services, such as companies that provide a mobile phone contract, are currently required to report all personal data breaches to the Information Commissioner within 24 hours. Our amendment eases burdens on industry by giving more time for those data controllers to report data breaches; they will now have to be reported without undue delay and, where feasible, no later than 72 hours after the breach. This change will allow organisations to gather more detailed information about the breach before the reporting deadline and allow the ICO to focus its efforts on assessing that information once it has been achieved.
On disclosure for the purposes of archiving in the public interest, the Government recognise the importance of archives in permanently preserving Britain’s rich history for long-term social benefit. We also know that archivists currently have very little agency to dictate what lawful ground was used when obtaining personal data from a wide range of sources. We are therefore amending the Bill to ensure that a controller is able to reuse personal data for the purpose of archiving in the public interest, regardless of the lawful ground the personal data was originally collected on. That will be particularly helpful for archivists that are not public authorities and are therefore unable to use a public task lawful ground for their processing. We have worked closely with the National Archives in bringing forward our amendment.
I come to the issue of foreign convictions, particularly those relating to counter-terrorism policing. We intend to amend the Bill to ensure that counter-terrorism policing can continue to protect British citizens by retaining biometrics received from international partners in a more efficient way. Currently, the police can hold biometrics indefinitely for people who have a conviction for shoplifting in the UK but not for convicted terrorists abroad. Our amendment that will enable the indefinite retention of an individual’s fingerprints and DNA profile for national security purposes where that person has a foreign conviction that is equivalent to a conviction in England, Wales or Northern Ireland. Counter-terrorism policing can retain those biometrics without the need to apply for a national security determination. Our amendment brings the Counter-Terrorism Act 2008 into alignment with other legislation governing biometric retention.
We are making changes to the way that counter-terrorism policing can retain biometrics shared via Interpol. It will now be able to retain biometric data in national security-related cases for as long as the relevant Interpol notice remains in force, rather than needing to submit a national security determination, which can present significant operational challenges for counter-terrorism policing. That will bring the UK into line with the rules under which all Interpol members retain and use those same biometrics. Our amendment was requested and is welcomed by counter-terrorism policing, the independent reviewer of terrorism legislation, the Office of the Biometrics Commissioner and the security services, and I thank them for their co-operation on this aspect of the Bill.
Broadly speaking, we support this measure. What negotiations and discussions has the Minister had about red notices under Interpol and the abuse of them, for instance by the Russian state? We have concerns about decent people being maltreated by the Russian state through the use of red notices. Are those concerns conflicted by the measure that the Government are introducing?
As the hon. Gentleman knows, I strongly share his view about the need to act against abuse of legal procedures by the Russian state. As he will appreciate, this aspect of the Bill emanated from the Home Office. However, I have no doubt that my colleagues in the Home Office will have heard the perfectly valid point he makes. I hope that they will be able to provide him with further information about it, and I will draw the matter to their attention.
I wish to say just a few more words about the biometric material received from our international partners, as a tool in protecting the public from harm. Sometimes, counter-terrorism police receive biometrics from international partners with identifiable information. Under current laws, they are not allowed to retain these biometrics unless they were taken in the past three years. That can make it harder for our counter-terrorism police to carry out their job effectively. That is why we are making changes to allow the police to take proactive steps to pseudonymise biometric data received from international partners—obviously, that means holding the material without including information that identifies the person—and hold indefinitely under existing provisions in the Counter-Terrorism Act information that identifies the person it relates to. Again, those changes have been requested by counter-terrorism police and will support them to better protect the British public.
The national underground asset register, or NUAR, is a digital map that will improve both the efficiency and safety of underground works, by providing secure access to privately and publicly owned location data about the pipes and cables beneath our feet. This will underpin the Government’s priority to get the economy growing by expediting projects such as new roads, new houses and broadband roll-out—the hon. Gentleman and I also share a considerable interest in that.
The NUAR will bring together valuable data from more than 700 public and private sector organisations about the location of underground utilities assets. This will deliver £490 million per year of economic growth, through increased efficiency, reduced asset strikes and reduced disruptions for citizens and businesses. Once operational, the running of the register will be funded by those who benefit most. The Government’s amendments include powers to, through regulations, levy charges on apparatus owners and request relevant information. The introduction of reasonable charges payable by those who benefit from the service, rather than the taxpayer, will ensure that the NUAR is a sustainable service for the future. Other amendments will ensure that there is the ability to realise the full potential of this data for other high-value uses, while respecting the rights of asset owners.
Is any consideration given to the fact that that information could be used by bad actors? If people are able to find out where particular cables or pipes are, they also have the ability to find weakness in the system, which could have implications for us all.
I understand the hon. Lady’s point. There would need to be a legitimate purpose for accessing such information and I am happy to supply her with further detail about precisely how that works.
The hon. Lady intervenes at an appropriate point, because I was about to say that the provision will allow the National Underground Asset Register service to operate in England and Wales. We intend to bring forward equivalent provisions as the Bill progresses in the other House, subject to the usual agreements, to allow the service to operate in Northern Ireland, but the Scottish Road Works Commissioner currently maintains its own register. It has helped us in the development of the NUAR, so the hon. Lady may like to talk to the Scottish Road Works Commissioner on that point.
I turn to the use of data for the purposes of democratic engagement, which is an issue of considerable interest to Members of the House. The Bill includes provisions to facilitate the responsible use of personal data by elected representatives, registered political parties and others for the purposes of “democratic engagement”. We have tabled further related amendments for consideration today, including adding a fuller definition of what constitutes “democratic engagement activities” to help the reader understand that term wherever it appears in the legislation.
The amendments provide for former MPs to continue to process personal data following a successful recall petition, to enable them to complete urgent casework or hand over casework to a successor, as they do following the Dissolution of Parliament. For consistency, related amendments are made to the definitions used in provisions relating to direct marketing for the purposes of democratic engagement.
Finally, hon. Members may be aware that the Data Protection Act 2018 currently permits registered political parties to process sensitive political opinions data without consent for the purposes of their political activities. The exemption does not however currently apply to elected representatives, candidates, recall petitioners and permitted participants in referendums. The amendment addresses that anomaly and allows those individuals to benefit from the same exemption as registered political parties.
Is the Minister prepared to look at how the proposals in the Bill and the amendments align with relevant legislation passed in the Scottish Government? A number of framework Bills to govern the operation of potential future referendums on a variety of subjects have been passed, particularly the Referendums (Scotland) Act 2020. It is important that there is alignment with the definitions used in the Bill, such as that for “a permitted participant”. Will he commit to looking at that and, if necessary, make changes to the Bill at a later stage in its progress, in discussion with the Scottish Government?
I am happy to look at that, as the hon. Gentleman suggests. I hope the changes we are making to the Bill will provide greater legal certainty for MPs and others who undertake the processing of personal data for the purposes of democratic engagement.
The Bill starts and ends with reducing burdens on businesses and, above all, on small businesses, which account for over 99% of UK firms. In the future, organisations will need to keep records of their processing activities only when those activities are likely to result in a high risk to individuals. Some organisations have queried whether that means they will have to keep records in relation to all their activities if only some of their processing activities are high risk. That is not the Government’s intention. To maximise the benefits to business and other organisations, the amendments make it absolutely clear that organisations have to keep records only in relation to their high-risk processing activities.
The Online Safety Act 2023 took crucial steps to shield our children, and it is also important that we support grieving families who are seeking answers after tragic events where a child has taken their own life, by removing obstacles to accessing social media information that could be relevant to the coroner’s investigations.
We welcome such measures, but is the Minister aware of the case of Breck Bednar, who was groomed and then murdered? His family is campaigning not just for new clause 35 but for measures that go further. In that case, the coroner would have wanted access to Breck’s online life but, as it currently stands, new clause 35 does not provide what the family needs without a change to widen the scope of the amendment to the Online Safety Act. Will the Minister look at that? I think it will just require a tweak in some of the wording.
I understand the concerns of the hon. Lady. We want to do all that we can to support the bereaved parents of children who have lost their lives. As it stands, the amendment will require Ofcom, following notification from a coroner, to issue information notices to specified providers of online services, requiring them to hold data they may have relating to a deceased child’s use of online services, in circumstances where the coroner suspects the child has taken their own life, which could later be required by a coroner as relevant to an inquest.
We will continue to work with bereaved families and Members of the other place who have raised concerns. During the passage of the Online Safety Act, my noble colleague Lord Parkinson of Whitley Bay made it clear that we are aware of the importance of data preservation to bereaved parents, coroners and others involved in investigations. It is very important that we get this right. I hear what the hon. Lady says and give her an assurance that we will continue to work across Government, with the Ministry of Justice and others, in ensuring that we do so.
The hon. Member for Rhondda made reference to proposed new schedule 1, relating to improving our ability to identify and tackle fraud in the welfare system. I am grateful for the support of the Minister for Disabled People, Health and Work, my hon. Friend Tom Pursglove. In 2022-23, the Department for Work and Pensions overpaid £8.3 billion in fraud and error. A major area of loss is the under-declaration of financial assets, which we cannot currently tackle through existing powers. Given the need to address the scale of fraud and error in the welfare system, we need to modernise and strengthen the legal framework, to allow the Department for Work and Pensions to keep pace with change and stand up to future fraud challenges.
As I indicated earlier, the fraud plan, published in 2022, contains a provision outlining the DWP’s intention to bring forward new powers that would boost access to data held by third parties. The amendment will enable the DWP to access data held by third parties at scale where the information signals potential fraud or error. That will allow the DWP to detect fraud and error more proactively and protect taxpayers’ money from falling into the hands of fraudsters.
My reading of the proposed new schedule is that it gives the Department the power to look into the bank accounts of people claiming the state pension. Am I right about that?
The purpose of the proposed new schedule is narrowly focused. It will ensure that where benefit claimants may also have considerable financial assets, that is flagged with the DWP for further examination, but it does not allow people to go through the contents of people’s bank accounts. It is an alarm system where financial institutions that hold accounts of benefit claimants can match those against financial assets, so where it appears fraud might be taking place, they can refer that to the Department.
But it does include the state pension, doesn’t it?
I am surprised that the Opposition regard this as something to question. Obviously, they are entitled to seek further information, but I would hope that they share the wish to identify where fraud is taking place and take action against it. This is about claimants of benefits, including universal credit—
The state pension will not currently be an area of focus for the use of these powers.
The House of Commons Library makes it absolutely clear that the Bill, if taken forward in the way that the Government are proposing at the moment, does allow the Government to look at people in receipt of state pensions. That is the case, is it not?
I can tell the hon. Gentleman that it is not the case that the DWP intends to focus on the state pension—and that is confirmed by my hon. Friend the Member for Corby. This is specifically about ensuring that means-related benefit claimants are eligible for the benefits for which they are currently claiming. In doing that, the identification and the avoidance of fraud will save the taxpayer a considerable amount of money.
I think everybody in the House understands the importance of getting this right. We all want to stop fraud in the state system. That being said, this is the only time that I am aware of where the state seeks the right to put people under surveillance without prior suspicion, and therefore such a power has to be restricted very carefully indeed. As we are not going to have time to debate this properly today, is my right hon. Friend open to having further discussion on this issue when the Bill goes to the Lords, so that we can seek further restrictions? I do not mean to undermine the effectiveness of the action; I just want to make it more targeted.
I am very grateful to my right hon. Friend for his contribution, and I share his principled concern that the powers of the state should be limited to those that are absolutely necessary. Those who are in receipt of benefits funded by the taxpayer have an obligation to meet the terms of those benefits, and this provision is one way of ensuring that they do so. My hon. Friend the Member for Corby has already said that he would be very happy to discuss this matter with my right hon. Friend further, and I am happy to do the same if that is helpful to him.
All I can say to the right hon. Gentleman is that the Government have made it clear that there is no intention to focus on claimants of the state pension. That is an undertaking that has been given. I am sure that Ministers from the DWP would be happy to give further evidence to the right hon. Gentleman, who may well wish to look at this further in his Committee.
Finally, I wish to touch on the framework around smart data, which is contained in part 3 of the Bill. The smart data powers will extend the Government’s ability to introduce smart data schemes, building on the success of open banking, which is the UK’s most developed data sharing scheme, with more than 7 million active users. The amendments will support the Government’s ability to meet their commitment, first, to provide open banking with a long-term regulatory framework, and, secondly, to establish an open data scheme for road fuel prices. It will also more generally strengthen the toolkit available to Government to deliver future smart data schemes.
The amendments ensure that the range of data and activities essential to smart data schemes are better captured and more accurately defined. That includes types of financial data and payment activities that are integral to open banking. The amendments, as I say, are complicated and technical and therefore I will not go into further detail.
I will give way to my hon. Friend as I know that he has taken a particular interest, and is very knowledgeable, in this area.
The Minister is very kind. I just wanted to pick up on his last point about smart data. He is right to say that the provisions are incredibly important and potentially extremely valuable to the economy. Can he just clarify a couple of points? I want to be clear on Government new clause 27 about interface bodies. Does that apply to the kinds of new data standards that will be required under smart data? If it does, can he please clarify how he will make sure that we do not end up with multiple different standards for each sector of our economy? It is absolutely in everybody’s interests that the standards are interoperable and, to the greatest possible extent, common between sectors so that they can talk to each other?
I do have a note on interface bodies, which I am happy to include for the benefit of my hon. Friend. However, he will be aware that this is a technical and complicated area. If he wants to pursue a further discussion, I would of course be happy to oblige. I can tell him that the amendments will ensure that smart data schemes can replicate and build on the open banking model by allowing the Government to require interface bodies to be set up by members of the scheme. Interface bodies will play a similar role to that of the open banking implementation entity, developing common standards on arrangements for data sharing. Learning from the lessons and successes of the open banking regime, regulations will be able to specify the responsibilities and requirements for interface bodies and ensure appropriate accountability to regulators. I hope that that goes some way to addressing the point that he makes, but I would be happy to discuss it further with him in due course.
I believe these amendments will generally improve the functioning of the Bill and address some specific concerns that I have identified. On that basis, I commend them to the House.
As I am feeling generous, I shall start with the nice bits where we agree with the Government. First, we completely agree with the changes to the Information Commissioner’s Office, strengthening the ICO’s enforcement powers, restructuring the ICO and providing a clearer framework of objectives. As the Minister knows, we have always been keen to strengthen the independence of the ICO and we were concerned that the Government were taking new interventionist powers—that is quite a theme in this Bill—in clause 33, so we welcome Government amendment 45, which achieves a much better balance between democratic oversight and ICO independence, so we thank the Minister for that.
Labour also welcomes part 2 of the Bill, as amended in Committee, establishing a digital verification framework. My concern, however, is that the Government have underestimated the sheer technicality of such an endeavour, hence the last-minute requirement for tens of Government amendments to this part of the Bill, which I note the Minister keeps on referring to as being very technical and therefore best to be debated in another place at another time with officials present. Under Government amendment 52, for example, different rules will be established for different digital verification services, and I am not quite sure whether that will stand the test of the House of Lords.
We warmly welcome and support part 3 of the Bill, which has just been referred to by John Penrose and the Minister, and its provisions on smart data. Indeed, we and many industry specialists have been urging the Government to go much faster in this particular area. The potential for introducing smart data schemes is vast, empowering consumers to make financial decisions that better suit them, enabling innovation and delivering better products and services. Most notably, that has already happened in relation to financial services. Many people will not know that that is what they are using when they use a software that is accessing several different bank accounts, but that is what they are doing.
In the autumn statement, the Government pledged to kickstart a smart data big bang. One area where smart data has been most effective is in open finance—it is right that we expand these provisions into new areas to have a greater social impact—but, to quote the Financial Conduct Authority, it should be implemented there
“in a proportionate phased manner, ideally driven by consideration of credible consumer propositions and use-cases.”
Furthermore, the FCA does not think that a big bang approach to open finance is feasible or desirable. Nevertheless, many of the Government amendments to the suite of smart data provisions are technical, and indicate a move in the right direction. In particular, we hope that, with smart data enabling greater access by consumers to information about green options and net zero, we will be able to help the whole of the UK to move towards net zero.
I want to say a few words on part 4, on cookies and nuisance calls. We share a lot of the Government’s intentions on tackling those issues and the births and deaths register. As a former registrar, I would like to see tombstoning—the process of fraudulently adopting for oneself the name of a child who has died—brought to an end. That practice is enabled partly because the deaths register does not actually register the death of an individual named on the births register, which I hope will at some point be possible.
Despite the Government’s having sat on the Bill for almost 18 months, with extensive consultations, drafts, amendments and carry-over motions, there are still big practical holes in these measures that need to be addressed. Labour supports the Government’s ambitions to tackle nuisance calls, which are a blight on people’s lives—we all know that. However, I fear that clause 89, which establishes a duty to notify the ICO of unlawful direct marketing, will make little or no difference without the addition of Labour amendments 7 and 8, which would implement those obligations on electronic communications companies when the guidance from the ICO on their practical application has been clearly established. As the Bill stands, that is little more than wishful thinking.
Unfortunately, the story is the same on tackling cookies. We have a bunch of half-baked measures that simply do not deliver as the public will expect them to and the Government would like them to. We all support reducing cookie fatigue; I am sure that every hon. Member happily clicks “Accept all” whenever cookies comes up—[Interruption.] Well, some Members are much more assiduous than I am in that regard. But the wise Members of the House know perfectly well that the problem is that it undermines the whole purpose of cookies. We all support tackling it because clicking a new cookie banner every time we load a web page is a waste of everybody’s time and is deeply annoying.
However, the Government’s proposed regulation 6B gives the Secretary of State a blank cheque to make provisions as they see fit, without proper parliamentary scrutiny. That is why we are unhappy with it and have tabled amendment 6, which would remove those powers from the Bill as they are simply not ready to enter the statute book. Yet again I make the point that the Bill repeatedly and regularly gives new powers to the Secretary of State. Sure, they would be implemented by secondary legislation—but as we all know, secondary legislation is unamendable and therefore subject to much less scrutiny. These are areas in which the state is taking significant powers over the public and private individuals.
Let me deal with some of the Labour party’s amendments. First, I take subject access requests. The Government have repeatedly been in the wrong place on those, I am afraid, ever since the introduction of the first iteration of the DPDI Bill under Nadine Dorries, when they tried to charge people for access to their own data. Fortunately, that has now gone the way of Nadine Dorries. [Interruption.] I note that the Minister smiled at that point. We still have concerns about the Government’s plans to change the thresholds for refusing subject access requests from “manifestly unfounded or excessive” to “vexatious or excessive”. The Equality and Human Rights Commission, Reset, the TUC and Which? have all outlined their opposition to the change, which threatens to hollow out what the Government themselves admit is a “critical transparency mechanism”.
We have tabled two simple amendments. Amendment 2 would establish an obligation on any data controller refusing a subject access request to provide evidence of why a request has been considered vexatious or excessive. Organisations should not be allowed to just declare that a request is vexatious or excessive and so ascribe a motive to the data subject in order to refuse to provide their data, perhaps simply because of the inconvenience to the organisation.
The Government will try to tell me that safeguards are in place and that the data subject can make appropriate complaints to the organisation and the ICO if they believe that their request has been wrongly refused. But if we take the provisions set out in clause 9 to extend the time limits on subject access requests, add the advantage for companies of dither and delay when considering procedural complaints, and then add the additional burden on a data subject of having to seek out the ICO and produce evidence and an explanation of their request as well as the alleged misapplication of the vexatious or excessive standard, we see that people could easily be waiting years and years before having the right to access their own data. I cannot believe that, in the end, that is in the interests of good government or that it is really what the Government want.
Despite public opposition to the measures, the Government are also now going further by introducing at this stage amendments that further water down subject access request protections. Government new clauses 7 and 9, which the Minister did not refer to—in fact, he only mentioned, I think, a bare tenth of the amendments he wants us to agree this afternoon—limit a data subject’s entitlement to their own data to the controller’s ability to conduct a “reasonable and proportionate” search. But what is reasonable and proportionate? Who determines what has been a reasonable and proportionate search? The new clauses drive a coach and horses through the rights of people to access their own data and to know who is doing what with their information. That is why Labour does not support the changes.
I come to one of the most important issues for us: high-risk processing, which, as the term suggests, is of most concern when it comes to the rights of individuals. I was pleased but perplexed to see that the Government tabled amendments to new clause 30 that added further clarity about the changed provisions to record keeping for the purposes of high-risk processing. I was pleased because it is right that safeguards should be in place when data processing is deemed to be of high risk, but I was perplexed because the Government do not define high-risk processing in the Bill—in fact, they have removed the existing standard for high-risk processing from existing GDPR, thereby leaving a legislative lacuna for the ICO to fill in. That should not be up to the ICO. I know that the ICO himself thinks that it should not be up to him, but a matter for primary legislation.
Our amendment 1 retains a statutory definition of high-risk processing as recommended by the ICO in his response to the Bill, published in May. He said:
“the detail in Article 35 (3) was a helpful and clear legislative backstop.”
That is why he supports what we are suggesting. Our amendment 4 would also clarify those individual rights even further, by again providing the necessary definition of what constitutes high risk, within the new provisions concerning the responsibilities of senior responsible individuals for data processing set out in clause 15.
I turn to automated decision making, which has the potential to deliver increasingly personalised and efficient services, to increase productivity, and to reduce administrative hurdles. While most of the world is making it harder to make decisions exclusively using ADM, clause 12 in the Bill extends the potential for automated decision making in the UK. Yet countless research projects have shown that automated decision making and machine decision making are not as impartial or blind as they sound. Algorithms can harbour and enhance inbuilt prejudices and injustices. Of course we cannot bury our heads in the sand and pretend that the technology will not be implemented or that we can legislate it out of use; we should be smart about ADM and try to unlock its potential while mitigating its potential dangers. Where people’s livelihoods are at risk or where decisions are going to have a significant impact, it is essential that extra protections are in place allowing individuals to contest decisions and secure human review as a fundamental backstop.
Our amendment 5 strikes a better balance by extending the safeguarding provisions to include significant decisions that are based both partly and solely on automated processing; I am very hopeful that the Government will accept our amendment. That means greater safeguards for anybody subject to an automated decision-making process, however that decision is made. It cannot just be a matter of “the computer says no.”
I think the Minister is slightly surprised that we are concerned about democratic engagement, but I will explain. The Bill introduces several changes to electoral practices under the guise of what the Government call “democratic engagement”, most notably through clauses 86 and 87. The former means that any political party or elected representative could engage in direct marketing relying on a soft opt-in procedure, while clause 87 allows the Secretary of State to make any future exemptions and changes to direct marketing rules for the very unspecified purposes of “democratic engagement”.
The Ada Lovelace Institute and the Internet Advertising Bureau have raised concerns about that, and in Committee Labour asked the Minister what the Government had in mind. He rather gave the game away when he wrote to my hon. Friend Stephanie Peacock, to whom I pay tribute for the way she took the Bill through the Committee:
“A future government may want to encourage democratic engagement in the run up to an election by temporarily ‘switching off’ some of the direct marketing rules.”
Switching off the rules ahead of an election—does anyone else smell a rat?
The Government ask us to trust them, but when they change the rules on voting, refuse automatic registration of voters and dramatically increase the amount that they can spend on a general election, all to benefit their own party interest, forgive me if I worry that they are trying to slip yet another change through just before an election that will enable the Tories to mine people’s information for votes. That is why I am doubly suspicious of clauses 86 and 87. The first seems to make legal a practice that I suspect several Conservative MPs are already engaged in: using data acquired as an MP for the wholly different purpose of seeking re-election as a candidate. The second is a major power grab by the Secretary of State, enabling them to change the direct marketing rules for elections with the bare minimum of scrutiny.
Clause 86 should be rewritten to remove the soft opt-in in provisions for political parties and elected representatives, and clause 87 should be scrapped. The changes were not supported by the majority of respondents to the Government’s initial consultation, who wanted the Privacy and Electronic Communications (EC Directive) Regulations 2003 rules to be upheld, and they will not be supported by Labour today. In addressing Government amendment 256, the Minister offered a supposed explanation of what “democratic engagement” means, but it was basically literally anything that anybody could do in a political party or as an elected representative. I do not think that he clarified it; if anything, he just extended it.
I will refer briefly to amendment 45, tabled by Robin Millar, who was in his place a moment ago—[Interruption.] Ah, he has moved. Of course interoperability of data in the health service between all the different parts of the United Kingdom is devoutly to be wished for. In fact, it would be quite nice if GP surgeries were able to have full interoperability between one another. I was told the other day that we have 3.1 million residents in Wales, but something like 9 million patient records, which suggests that something is not quite right. There is a similar number, I think, for England, Wales and Northern Ireland, so of course we need to get to a place of greater interoperability.
I am nervous about the amendment, simply because the Welsh Government have not been consulted. I do not know about the Scottish Government or others. I do not want to stir the devolution pot in a way that is unhelpful, so we will abstain on the amendment. The hon. Member is looking pregnant with something; I do not know whether he intends to intervene.
indicated dissent.
He does not—great.
Finally, new schedule 1 would grant the Secretary of State the power to require banks or other financial institutions to provide the bank account data—unspecified—of any recipient of benefits to identify
“cases which merit further consideration to establish whether relevant benefits are being paid or have been paid in accordance with the enactments and rules of law relating to those benefits.”
It is a very broad and, I would argue, poorly delineated power. My understanding from the Commons Library, although I note that the Minister was unable to answer the question properly, is that it includes the bank accounts of anyone in the UK in receipt, or having been in receipt, of state pension, universal credit, working tax credit, child tax credit, child benefit, pension credit, jobseeker’s allowance or personal independence payment.
The Minister says that the Government do not intend to go down some of those routes at the moment, but why, in that case, are they seeking that power? They could have come to us with a much more tightly written piece of legislation, and we would have been able to help them draft it properly. The proposed new schedule would mean that millions of bank accounts could be trawled without the Department for Work and Pensions, as Mr Davis referred to, even suspecting anything untoward before it asked for the information. The 19-page new schedule, which was tabled on the last day for consideration, would grant powers to the Government without our having any opportunity to scrutinise it line by line, assess its implications or hear evidence from expert witnesses.
We should of course be tackling fraud. The Government have completely lost control of fraud in recent years, with benefit fraud and error skyrocketing to £8.3 billion in the last financial year. The Minister seemed to think that it was a good thing that he could cite that figure. The year before, it was even higher—a record £8.7 billion. On the Conservative party’s watch, the percentage of benefit expenditure lost to fraud has more than trebled since Labour was last in power.
Let me be absolutely clear: Labour will pursue the fraudsters, the conmen and the claimants who try to take money from the public purse fraudulently or illegally. That includes those who have defrauded the taxpayer over personal protective equipment contracts, or have not declared their full income to His Majesty’s Revenue and Customs. My constituents in the Rhondda know that defrauding the taxpayer is one of the worst forms of theft. It is theft from all of us. It undermines confidence in the system that so many rely on. It angers people when they abide by the rules and they see others swinging the lead and getting away with it.
I back 100% any attempt to tackle fraud in the system, and we will work with the Government to get the legislation right, but this is not the way to do it, because it is not proper scrutiny. The Minister with responsibility for this matter, the Minister for Disabled People, Health and Work, who is present in the Chamber, is not even speaking in the debate. The Government are asking us to take a lot on trust, as we saw from the questions put earlier to the Minister for Data and Digital Infrastructure, so I have some more questions for him that I hope he will be able to answer.
As I understand it, the Government did a test project on this in 2017—all of six years ago—so what on earth have they been doing all this while? When was the new schedule first drafted, and why did the Minister not mention it in the discussions that he and I had two weeks ago? How many bank accounts does it potentially apply to? The Government already have powers to seek bank details where they suspect fraud, so precisely how will the new power be used? I have been told that the Government will not use the power until 2027. Is that right? If so, how on earth did they come to the figure of a £600 million saving—that was the figure that they gave yesterday, but I note that the Minister said £500 million earlier—in the first five years?
What will the cost be to the banks and financial institutions? What kind of information will the Government seek? Will it include details of where people have shopped, banked or travelled, or what they have spent their money on? The Government say that they will introduce a set of criteria specifying the power. When will that be introduced, how wide in scope will it be, what assessments will accompany it, and will it be subject to parliamentary scrutiny?
There is clearly significant potential to use data to identify fraud and error. That is something that Labour is determined to do, but it is vital that new measures are used fairly and proportionately. The Department for Work and Pensions says that its ability to test for unfair impacts across protected characteristics is limited, and the National Audit Office has also warned that machine learning risks bias towards certain vulnerable people or groups with protected characteristics. Without proper safeguards in place, the changes could have significant adverse effects on the most vulnerable people in society.
On behalf of the whole Labour party, I reiterate the offer that I made to the Government yesterday. We need to get this right. We will work with Ministers to get it right, and I very much hope that we can organise meetings after today, if the Bill passes, to ensure that the debates in the Lords are well informed and that we get to a much better understanding of what the Government intend and how we can get this right. If we get it wrong, we will undermine trust in the whole data system and in Government.
Broadly speaking, Labour supports the changes in the Bill that give greater clarity and flexibility to researchers, tech platforms and public service providers, with common-sense changes to data protection where it is overly rigid, but the Government do not need to water down essential protections for data subjects to do that. Our amendments set out clearly where we diverge from the Government and how Labour would do things differently.
By maintaining subject access request protections, establishing a definition of high-risk processing on the face of the Bill, and defending the public from automated decision making that encroaches too significantly on people’s lives, a Bill with Labour’s amendments would unlock the new potential for data that improves public services, protects workers from data power imbalances and delivers cutting-edge scientific research, while also building trust for consumers and citizens. That is the data protection regime the UK needs and that is the protection a Labour Government would have delivered.
Before I speak to my new clause, I want to address one or two of the things that the Opposition spokesman, Sir Chris Bryant, just raised. By not accepting his motion to recommit the Bill to a Committee, we have in effect delegated large parts of the work on this important Bill to the House of Lords. I say directly to the Whip on the Treasury Bench that, when the Bill comes back to the Commons in ping-pong, I recommend that the Whips Office allows considerable time for us to debate the changes that the Lords makes. At the end of the day, this House is responsible to our constituents and these issues will have a direct impact on them, so we ought to have a strong say over what is done with respect to this Bill.
New clause 43 in my name is entitled “Right to use non-digital verification services”. Digitisation has had tremendous benefits for society. Administrative tasks that once took weeks or even years can now be done in seconds, thanks to technology, but that technology has come with considerable risks as well as problems of access. The internet is an equaliser in many ways; I can access websites and services in East Yorkshire in the same way that we do here. I can send and receive money, contact friends and family, organise families, do work, and do all sorts of other things that we could not once do.
However, the reality is more nuanced. Some people lack the technological literacy or simply the hardware to get online and make the most of what is out there—think of elderly people, the homeless and those living on the breadline. As with many things, those groups risk being left behind by the onward march of technology through no fault of their own. Indeed, some people do not want to go fully online. Many people who are perfectly au fait with the latest gadgets are none the less deeply concerned about the security of their data, and who can blame them?
My bank account has been accessed from Israel in the past. My online emails have been broken into during political battles of one sort or another. These things are risky. I hope nobody in the Chamber has forgotten the Edward Snowden revelations about the National Security Agency and GCHQ, which revealed a vast network of covert surveillance and data gathering by Government agencies from ordinary online activity, and the sharing of private information without consent. More recently, we have heard how Government agencies monitored people’s social media posts during the pandemic, and data trading by private companies is an enormous and lucrative industry.
What is more, as time passes and the rise of artificial intelligence takes hold, the ability to make use of central databases is becoming formidable. It is beyond imagination, so people are properly cautious about what data they share and how they share it. For some people—this is where the issue is directly relevant to this Bill—that caution will mean avoiding the use of digital identity verification, and for others that digital verification is simply inaccessible. The Bill therefore creates two serious problems by its underlying assumptions.
Already it is becoming extremely difficult for people to live anything approaching a normal life if they are not fully wired into the online network. If they cannot even verify who they are without that access, what are they supposed to do? That is why I want to create a right to offline verification and, in effect, offline identification. We saw earlier this year what can happen when someone is excluded from basic services, with the planned closure of Nigel Farage’s bank account. That case was not related to identification, but it made clear how much of an impact such exclusion can have on someone’s life. Those who cannot or do not wish to verify their identity digitally could end up in the same position as Farage and many others who have seen their access to banking restricted for unfair reasons.
The rise of online banking, although a great convenience for many, must not mean certain others being left out. We are talking about fairly fundamental rights here. Those people who, by inclination or otherwise, find it preferable or easier to stick to old-fashioned ways must not be excluded from society. My amendment would require that all services requiring identity verification offer a non-digital alternative, ensuring that everyone, regardless of who they are, will have the same access.
That non-digital alternative could take a number of forms. It could simply mean working with the Post Office to allow people to verify their identity in person, or having people post in copies of their existing identity documents, passports, driving licences and the like. The specific route is not the most important thing; what matters is that people have a choice and are not coerced into providing the data through digital means, whether their reason is concern about their privacy or something else.
Some may worry about what that means for digital-only services such as some of the so-called challenger banks, but there is nothing to stop such services remaining online and simply outsourcing the non-digital alternative for verification to a trusted third party with physical capacity. It is only right that those banks, like everyone else, offer services to everyone, regardless of how they want to prove who they are. It may well be—in fact I think it is quite likely—that a series of organisations such as solicitors, banks and other institutions go into the business of providing physical rather than online verification.
Some 20 years ago, in the face of opposition in this place and in the country at large, the Blair Government abandoned identity cards. The reason the cards were opposed was the central control of a single piece of data about individuals. It was not about the card, but about the central control of data. That problem still applies today and people should still worry about it.
This Bill marks another step into the rapidly advancing new world of technology. It is crucial that we get this right now. If we make presumptions in this Bill that lead to people having to depend on online identification, we will create problems down the road that we have not foreseen. I say to the Minister on the Front Bench that I will not press my new clause to a vote this time, but I hope the Government will look properly at creating that right during the Bill’s passage through the Lords. It seems to me a perfectly sensible and intelligent thing for the Government to undertake.
The last point I want to make relates to the issues that the Minister for Disabled People, Health and Work, my hon. Friend Tom Pursglove, raised. To be fair to him, he raised them with me before they came to the House, and I agree with him that something like what he is proposing is necessary, but it needs to be really severely constrained. There are already commercial methods for doing some of the things he wants to do that are less intrusive than what the Government have proposed. Again, I hope we can talk to him in the interim between the Bill clearing this House and its going to the Lords. I am sure that the Opposition have got the same aims here: to get an outcome that is fair to ordinary people but protects the taxpayer from the massive frauds that the Minister is trying to stop.
It is difficult to know where to start. The Minister described this as a Brexit opportunities Bill. Of course, Brexit was supposed to be about this place taking back control. It was to be the triumph of parliamentary sovereignty over faceless Brussels bureaucrats, the end of red tape and regulations, and the beginning of a glorious new era of freedom unencumbered by all those complicated European Union rules and requirements that did silly things like keeping people safe and protecting their human rights.
Yet here we are with 200 pages of new rules and regulations and a further 160 pages of amendments. This time last week, the amendment paper was 10 pages long; today it is 15 times that and there is barely any time for any kind of proper scrutiny. Is this what Brexit was for: to hand the Government yet more sweeping powers to regulate and legislate without any meaningful oversight in this place? To create additional burdens on businesses and public services, just for the sake of being different from the European Union? The answer to those questions is probably yes.
I will speak briefly to the SNP amendments, but I will also consider some of the most concerning Government propositions being shoehorned in at the last minute in the hope that no one will notice. How else are we supposed to treat Government new schedule 1? The Minister is trying to present it as benign, or even helpful, as if it had been the Government’s intention all along to grant the DWP powers to go snooping around in people’s bank accounts, but if it has been so long in coming, as he said, why is it being added to the Bill only now? Why was it not in the original draft, or even brought to Committee, where there could at least have been detailed scrutiny or the opportunity to table further amendments?
Of course there should be action to tackle benefit fraud—we all agree on that—but the DWP already has powers, under section 109B of the Social Security Administration Act 1992, to issue a notice to banks to share bank account information provided that they have reasonable grounds to believe that an identified, particular person has committed, or intends to commit, a benefit offence. In other words, where there is suspicion of fraud, the DWP can undertake checks on a claimant’s account. Incidentally, there should also be action to tackle tax evasion and tax fraud. The Government evidently do not require from the Bill any new powers in that area, so we can only assume that they are satisfied that they have all the powers they need and that everything possible is being done to ensure that everybody pays the tax that they owe.
The powers in new schedule 1 go much further than the powers that the DWP already has. By their own admission, the Government will allow the DWP to carry out—proactively, regularly, at scale and on a speculative basis—checks on the bank accounts and finances of claimants. The new schedule provides little in the way of safeguards or reassurances for people who may be subject to such checks. The Secretary of State said that
“only a minimum amount of data will be accessed and only in instances which show a potential risk of fraud and error”.
In that case, why is the power needed at all, given that the Government already have the power to investigate where there is suspicion of fraud? And how can only “a minimum amount” of data be accessed when the Government say in the same breath that they want to be able to carry out those checks proactively and at scale.
My hon. Friend probably shares my concern that we are moving into a new era in which the bank account details of people claiming with the DWP must be shared as a matter of course. That is the only reason I can see for such sweeping amendments, which will impact on so many people.
There is a huge risk. It is clear that the Government’s starting point is very often to avoid giving people the social security and welfare support that they might need to live a dignified life. We know that the approach in Scotland is incredibly different.
That is the thing: as with so much of this Bill, there is a good chance that minority groups or people with protected characteristics will find themselves most at risk of those checks and of coming under the proactive suspicion of the DWP. As we said when moving the committal motion, we have not had time to seek properly to interrogate that point. In his attempts to answer interventions, the Minister kind of demonstrated why scrutiny has been so inadequate. At the same time, the Government’s own Back Benchers, including Mr Davis, Mr Fysh and others, are tabling quite thoughtful amendments—that is never a great sign for a Government. The Government should not be afraid of the kinds of safeguards and protections that they are proposing.
The SNP amendments look to remove the most dangerous and damaging aspects of the Bill—or, at the very least, to amend them slightly. Our new clause 44 and amendment 229 would have the effect of transferring the powers of the Surveillance Camera Commissioner to the Investigatory Powers Commissioner. That should not be all that controversial. Professor William Webster, a director of the Centre for Research into Information, Surveillance and Privacy, has warned that the Bill, as it stands, does not provide adequate mechanisms for the governance and oversight of surveillance cameras. The amendment would ensure that oversight is retained, the use of CCTV continues to be regulated, and public confidence in such technologies is strengthened, not eroded. CCTV is becoming more pervasive in the modern world—not least with the rise of video doorbells and similar devices that people can use in their own personal circumstances—so it is concerning that the Government are seeking to weaken rather than strengthen protections in that area.
The SNP’s amendment 222 would leave out clause 8, and our amendment 223 would leave out clause 10, removing the Government’s attempts to crack down on subject access requests. The effect of those clauses might, in the Government’s mind, remove red tape from businesses and other data-controlling organisations, but it would do so at the cost of individuals’ access to their own personal data. That is typified by the creation of a new and worryingly vague criterion of “vexatious or excessive” as grounds to refuse a subject access request. Although that might make life easier for data controllers, it will ultimately place restrictions on data subjects’ ability to access what is, we must remember, their data. There have been attempts—not just throughout Committee stage, but even today from the Opposition—to clarify exactly the thresholds for “vexatious and excessive” requests. The Government have been unable to answer, so those clauses should not be allowed to stand.
Amendment 224 also seeks to leave out clause 12, expressing the concerns of many stakeholders about the expansion in scope of automated decision making, alongside an erosion of existing protections against automated decision making. The Ada Lovelace Institute states that:
“Against an already-poor landscape of redress and accountability in cases of AI harms, the Bill’s changes will further erode the safeguards provided by underlying regulation.”
There is already significant and public concern about AI and its increasingly pervasive impact.
Clause 12 fails to offer adequate protections against automated decision making. An individual may grant consent for the processing of their data—indeed, they might have no choice but to do so—but that does not mean that they will fully understand or appreciates how that data will be processed or, importantly, how decisions will be made. At the very least, the Government should accept our amendment 225, which would require the controller to inform the data subject when an automated decision has been taken in relation to the data subject. I suspect, however, that that is unlikely—just as it is unlikely that the Government will accept Labour amendments 2 and 5, which we are happy to support—so I hope the House will have a chance to express its view on clause 12 as a whole later on.
The SNP’s amendments 226, 227 and 228 would have the effect of removing clauses 26, 27 and 28 respectively. Those clauses give the Home Secretary significant new powers to authorise the police to access personal data, and a power to issue a “national security” certificate telling the police that they do not need to comply with many important data protection laws and rules that they would otherwise have to obey, which would essentially give police immunity should they use personal data in a way that would otherwise be illegal—and they would no longer need to respond to requests under the Freedom of Information Act 2000. We have heard no explanation from the Government for why they think that the police should be allowed to break the law and operate under a cover of darkness.
The Bill will also expand what counts as an “intelligence service” for the purposes of data protection law. Again, that would be at the Home Secretary’s discretion, with a power to issue a designation notice allowing law enforcement bodies to take advantage of the more relaxed rules in the Data Protection Act 2018—otherwise designed for the intelligence agencies—whenever they are collaborating with the security services. The Government might argue that that creates a simplified legal framework, but in reality it will hand massive amounts of people’s personal information to the police, including the private communications of people in the UK and information about their health histories, political beliefs, religious beliefs and private lives.
Neither the amended approach to national security certificates nor the new designation notice regime would be reviewable by the courts, and given that there is no duty to report to Parliament, Parliament might never find out how and when the powers have been used. If the Home Secretary said that the police needed to use those increased powers in relation to national security, his word would be final. That includes the power to handle sensitive data in ways that would otherwise, under current legislation, be criminal.
The Home Secretary is responsible for both approving and reviewing designation notices. Only a person who is directly affected by such a notice will be able to challenge it, yet the Home Secretary would have the power to keep the notice secret, meaning that those affected would not even know about it and could not possibly challenge it. Those are expansive broadenings not just of the powers of the secretary of state, but of the police and security services. The Government have not offered any meaningful reassurance about how those powers will be applied or what oversight will exist, which is why our amendments propose scrapping those clauses entirely.
There remain other concerns about many aspects of the Bill. The British Medical Association and the National AIDS Trust have both raised questions about patients’ and workers’ right to privacy. The BMA calls the Bill
“a departure from the existing high standards of data protection for health data”.
We welcome the amendments to that area, particularly amendment 11, tabled by Kate Osborne, which we will be happy to support should it be selected for a vote.
I am afraid that I have to echo the concerns expressed by the Labour Front-Bench spokesman, Sir Chris Bryant, about new clause 45, which was tabled by Robin Millar. That clause perhaps has laudable aims, but it is the view of the Scottish National party that it is not for this place to legislate in that way, certainly not without consultation and ideally not without consent from the devolved authorities. We look forward to hearing the hon. Member for Aberconwy make his case, but I do not think we are in a position to support his new clause at this time.
The theme of an erosion of public confidence in data handling and the use of artificial intelligence comes through in many of the stakeholder responses to the Bill. That is precisely the opposite of what the Government say they set out to do. The claims of massive savings from reduced red tape also do not stand up to scrutiny: the Government’s own impact assessment says that companies will save just £82 a year on average as a result of the reforms that the Bill introduces.
We echo some of the official Opposition’s concerns about the Bill’s democratic engagement clauses. It is important for parties, candidates and elected Members to have clarity about their position in relation to the handling of personal data, but that should not be at the expense of the rights of voters to have their personal data duly protected. As I said to the Minister in an intervention, I hope he will look at the definition of “permitted participant” in clause 88(1) and schedule 1, taking account of legislation that has been passed by the Scottish Parliament, and expand it from having the same meaning as in the Political Parties, Elections and Referendums Act 2000 to include the definitions in the Referendums (Scotland) Act 2020.
On the whole, there is far too much in the Bill, and far too little time to interrogate it all properly. Removing some of the most pernicious clauses or making amendments here and there would fundamentally do little to reduce the many risks that the Bill presents to individuals’ rights to privacy and to have their data protected from prying eyes—in Government or elsewhere—and the costs and pressures on businesses and third-sector organisations trying to comply with the regime. The Government have tabled significant new powers at the last minute through new clauses and schedules that, by definition, cannot have had the scrutiny they deserve. As such, although in principle we can support sensible amendments from both sides of the House, we will oppose many of the Government’s new clauses and schedules, and—especially given that the House has decided not to recommit the Bill for further scrutiny—I expect we will also oppose it on Third Reading.
It is a pleasure to follow the hon. Members who have spoken in this very important debate. I declare an interest: I am the chair of the all-party parliamentary group on digital identity, so I have a particular interest in the ramifications of data as it relates to identity, but also in wider concepts—some of which we have heard about today—such as artificial intelligence and how our data might be used in the future.
I share quite a lot of the concerns that we have heard from both sides of the House. There is an awful lot more work to be done on the detail of the Bill, thinking about its implications for individuals and businesses; how our systems work and how our public services interact with them; and how our security and police forces interact with our data. I hope that noble Members of the other place will think very hard about those things, and I hope my right hon. Friend the Minister will meet me to discuss some of the detail of the Bill and any useful new clauses or amendments that the Government might introduce in the other place. I completely agree that we do not have much time today to go through all the detail, with a substantial number of new clauses having been added in just the past few days.
I will speak specifically to some of the amendments that stand in my name. Essentially, they are in two groupings: one group deals with the operations of the trust framework for the digital verification service, which I will come back to, and the other general area is the Henry VIII-style powers that the Bill gives to Ministers. Those powers fundamentally alter the balance that has been in place since I was elected as a Member of Parliament in terms of how individuals and their data relate to the state.
On artificial intelligence, we are at a moment in human evolution where the decisions that we make—that scientists, researchers and companies make about how they use data—are absolutely fundamental to the operation of so many areas of our lives. We need to be incredibly careful about what we do to regulate AI and think about how it operates. I am concerned that we have large tech companies whose business model for decades has been nothing other than to use people’s data to create products for their own benefit and that of their shareholders. During the passage of the Online Safety Act 2023, we debated very fully in this House what the implications of the algorithms they develop might be for our children’s health, for example.
I completely agree with the Government that we should be looking for ways to stamp out fraud, and should think about how harms of various kinds are addressed. However, we need to be mindful of the big risk that fears and beliefs that are not necessarily true about different potential harms might lead us to regulate, or to guide the operations of companies and others, in such a way that we create real problems. We are talking about very capable artificial intelligence systems, and also about artificial intelligence systems that claim to be very capable but are inherently flawed. The big tech companies are almost all championing and sponsoring large language models for artificial intelligence systems that are trained on data. Those companies will lobby Ministers all the time, saying, “We want you to enable us to get more and more of people’s data,” because that data is of business value to them.
Given the Henry VIII powers that exist in the Bill, there is a clear and present danger that future Ministers— I would not cast aspersions on the current, eminent occupant of the Front Bench, who is a Wykehamist to boot—may be tempted or persuaded in the wrong direction by the very powerful data-generated interests of those big tech firms. As such, my amendments 278 and 279 are designed to remove from the Bill what the Government are proposing: effectively, that Ministers will have the power to totally recategorise what kinds of data can legitimately be shared with third parties of one kind or another. As I mentioned, that fundamentally changes the balance between individuals and the state.
Through amendment 280 and new schedule 3, I propose that when Ministers implement the trust framework within the digital verification service, that framework should be based on principles that have been accepted for the eight years since I was elected—in particular, those used by the Government in establishing the framework around its Verify online identity service for public services. That framework should be used in the context of the Bill to think about what decision-makers should be taking into account. It is a system of principles that has been through consultation and has been broadly accepted. It is something that the ICO accepts and champions, and it would be entirely right and not at all a divergence from our current system to put those principles in place.
What I would say about the legitimate interest recognition extension—the Henry VIII power—is that there are already indications in the Bill about what will be recategorised. It gives an idea of just how broad the categorisations could be, and therefore how potentially dangerous it will be if that process is not followed or is not correctly framed—for example, in relation to direct marketing. Direct marketing can mean all sorts of things, but it is essentially any type of direct advertising in any mode using personal data to target advertising, and I think it is really dangerous to take such a broad approach to it.
Before companies share data or use data, they should have to think about what the balance is between a legitimate interest and the data rights, privacy rights and all the other rights that people may have in relation to their data. We do not want to give them a loophole or a way out of having to think about that. I am very pro-innovation and pro-efficiency, but I do not believe it is inefficient for companies and users or holders of data to have to make those basic balancing judgments. It is no skin off their nose at all. This should be something we uphold because these interests are vital to our human condition. The last thing we want is an artificial intelligence model—a large language model—making decisions about us, serving us with things based on our personal data and even leaking that personal data.
I highlight that only yesterday or the day before, a new academic report was produced showing that some of the large language models were leaking personal data on which they had been trained, even though the companies say that that is impossible. The researchers had managed to get around the alignment guardrails that these AI companies said they had in place, so we cannot necessarily believe what the big tech companies say the behaviour of these things is going to be. At the end of the day, large language models, which are just about statistics and correlations, cannot tell us why they have done something or anything about the chain of causality behind such a situation, and they inherently get things wrong. Anyone making claims that they are reliable or can be relied on to handle personal data is, I think, completely wrong. I hope that noble Lords and Ladies will think carefully about that matter and re-table amendments similar to mine.
New clause 27 and the following new clauses that the Government have tabled on interface bodies show the extent to which these new systems—and decisions about new systems—and how they interface with different public services and other bodies are totally extensible within the framework of the Bill, without further regard to minorities or to law, except in so far as there may be a case for judicial review by an individual or a company. That really is the only safeguard that there will be under these Henry VIII clauses. The interface body provisions talk about authorised parties being able to share data. We have heard how the cookie system is very bad at the moment at effectively reflecting what individuals’ true preferences might or might not be about their personal data. It is worth highlighting the thoughtful comments we heard earlier about ways in which people can make more of a real-time decision about particular issues that may be relevant to them, but about which they may not have thought at all when they authorised such a decision in a dark or non-thinking moment, often some time before.
I want to say a little more about the operations of the digital verification services system. My amendments 242 to 250 deal with the way in which those operations occur. We should think about whether it is correct that the Minister should in effect just be able to make up whatever the fee system might be. I think that is a problem, and it is something that members of the industries engaged in digital ID, for example, have raised with me. There are some issues about how people or companies may be deregistered from the verification system and the trust mark that will supposedly be put in place by this new Government registration process. That could actually be very serious for an individual, and if they are suddenly said not to be trusted, it could be of massive import to them. There should be some process for thinking about and consulting on how such deregistration decisions are made, what avenues for challenge there may be and so on. I hope those in the other place will think very hard about those things, too.
I know that Ministers have thought about DVS as a voluntary system, rather than something absolutely required in law for everybody handling data. However, we all know that systems that are set up to establish trust become very difficult for someone who wants to run a business or to do things, because if they do not have the trust mark, that will become a real issue. It is also a very simple step from such a system to having a fully regulated body. Even if it is not ostensibly a fully regulated body in law, there would be a chilling effect for those who do not have the trust mark, so I think that is really important to think about properly.
The final amendment of mine that I want to speak to is amendment 281 on zero-knowledge proofs. Many people in the country will not know what they are, and I know about them only because I have been engaged in thinking about digital systems, digital assets, blockchains and all the technical aspects of that for some time. In essence, they are a way that digital systems can share data status—in other words, knowing what someone’s data status is—with each other, third parties and so on, without any risk that that data would be transmitted or seen by anybody else. It is of particular use in relation to privacy and the rights to privacy that we have talked about before.
As currently drafted, the Bill does not differentiate the processing of data in a way that does not expose the data or the status of the data relative to the holders of data from processes that do so. It would be highly valuable if such decentralised systems—zero-knowledge systems—of proof of particular data status were specifically excluded from the legislation, so that it is very clear that they will not fall under potential regulation or the potential chilling effect. The side benefit is that we would also avoid the inevitable centralisation that would otherwise occur of particular big data holders or big data operators that can afford to be registered and do all such things.
I finish by urging the Government to think hard about this stuff. It might seem troublesome, and they might want to forge ahead and do innovative things and all the rest of it, but this is such a serious moment in our history as a species. The way that data is handled is now fundamental to basic human rights and, I would increasingly argue, to the human condition. People such as the likes of Sam Altman and so on in the US are openly talking about AI integration with humans and the acceleration of AI. A big debate is going on between those who want to accelerate things and those who want to decelerate them. It will be accelerated, because we cannot stop researchers and scientists doing things, but if we put the wrong frameworks in place, and allow the wrong data to be shareable in the wrong way, that could have huge consequences for us.
I say to those in the other place as well as to those on the Front Benches that we have not been able to go through this in detail, but we should think about it incredibly hard. It might seem an esoteric and arcane matter, but it is not. People might not currently be interested in the ins and out of how AI and data work, but in future you can bet your bottom dollar that AI and data will be interested in them. I urge the Government to work with us to get this right.
I have now to announce the result of today’s deferred Division on the Draft Strikes (Minimum Service Levels: NHS Ambulance Services and the NHS Patient Transport Service) Regulations 2023. The Ayes were 297 and the Noes were 166, so the Ayes have it.
[The Division list is published at the end of today’s debates.]
I rise to speak specifically to Government new clause 34 and connected Government amendments which, as we have been reminded, give Ministers power to inspect the bank accounts of anyone claiming a social security benefit. I think it has been confirmed that that includes child benefit and the state pension, as well as universal credit and all the others. Extremely wide powers are being given to Ministers.
The Minister told us that the measure is expected to save some half a billion pounds over the next five years. I was pleased that the Minister for Disabled People, Health and Work was present at the start of the debate, although he is not now in his place and the Department for Work and Pensions is not hearing the concerns expressed about this measure. The Minister for Data and Digital Infrastructure told us that the Minister for Disabled People, Health and Work will not be not speaking in the debate, so we will not hear what the DWP thinks about these concerns.
We have also been told—I had not seen this assurance—that these powers will not be used for a few years. If that is correct, I am completely mystified by why this is being done in such a way. If we had a few years to get these powers in place, why did the Government not wait until there was some appropriate draft legislation that could be properly scrutinised, rather than bringing such measures forward now with zero Commons scrutiny and no opportunity for that to occur? There will no doubt be scrutiny in the other place, but surely a measure of this kind ought to undergo scrutiny in this House.
I chair the Work and Pensions Committee and we have received substantial concerns about this measure, including from Citizens Advice. The Child Poverty Action Group said that
“it shouldn’t be that people have fewer rights, including to privacy, than everyone else in the UK simply because they are on benefits.”
I think that sums up what a lot of people feel, although it appears to be the position that the Government are now taking. It is surprising that the Conservative party is bringing forward such a major expansion of state powers to pry into the affairs of private citizens, and particularly doing so in such a way that we are not able to scrutinise what it is planning. As we have been reminded, the state has long had powers where there were grounds for suspecting that benefit fraud had been committed. The proposal in the Bill is for surveillance where there is absolutely no suspicion at all, which is a substantial expansion of the state’s powers to intrude.
Annabel Denham, deputy comment editor at The Daily Telegraph warned in The Spectator of such a measure handing
“authorities the power to snoop on people’s bank accounts.”
I suspect that the views expressed there are more likely to find support on the Conservative Benches than on the Labour Benches, so I am increasingly puzzled by why the Government think this is an appropriate way to act. I wonder whether the fact that there have been such warnings prompted Ministers into rushing through the measure in this deeply unsatisfactory way, without an opportunity for proper scrutiny, because they thought that if there had been parliamentary scrutiny there would be substantial opposition from the Conservative Benches as well as from the Labour Benches. It is difficult to understand otherwise why it is being done in this way.
As we have been reminded, new clause 34 will give the Government the right to inspect the bank account of anyone who claims a state pension, which is all of us. It will give the Government the right to look into the bank account of every single one of us at some point during our lives, without suspecting that we have ever done anything wrong, and without telling us that they are doing it. The Minister said earlier that the powers of the state should be limited to those absolutely necessary, and I have always understood that to be a principle of the Conservative party. Yet on the power in the new clause to look into the bank account of everybody claiming a state pension, he was unable to give us any reason why the Government should do such a thing, or why they would ever need to look into the bank accounts of people—everybody—claiming a state pension. What on earth would the Government need to do that for? The entitlement to the state pension is not based on income, savings or anything like that, so why would the Government ever wish to do that?
If we cannot think of a reason why the Government would want to do that, why are they now taking the power to enable them to do so? I think that all of us would agree, whatever party we are in, that the powers of the state should be limited to those absolutely necessary. The power in the new clause is definitely not absolutely necessary. Indeed, no one has been able to come up with any reason for why it would ever be used.
There is something called a production order. If somebody was under investigation for benefit fraud, an application could be made before a court for the production of bank accounts. If it was a matter of suspected fraud, there is already a mechanism available.
Yes, there is a clear and long-established right in law for the DWP to look into people’s bank accounts if there is a suspicion of fraud. This power is giving the Department the ability to look into the bank accounts of people where there is no suspicion at all. All of us at some point in our lives claim a social security benefit, and we are giving the Government the power to look into our bank accounts with this measure.
The Minister rightly mentioned that the idea first appeared in a DWP paper in May last year. That spoke of the need to balance this power against people’s right to privacy and to ensure that the new power was appropriate, was no more than necessary and had the right checks in place. Those proposals, having been mooted in May of last year, should have been published. We should have been able to see what exactly the proposals were. There should then have been an opportunity for discussion. They should have been consulted on, and there was plenty of time between last May and now to do all that.
Instead, the first we saw of this measure was last week, and there has been no consultation at all since that initial mooting of the idea in May last year. If the Minister can give any explanation for why that dreadful course of behaviour and procedure has been followed, we would all be interested. It seems to me incapable of being defended.
The amendment gives the Government extremely broad powers, with no checks in place, and it has been done in a way that minimises parliamentary scrutiny of what is proposed. I find it very hard to see how that can possibly be defended. No doubt the Minister will tell us that at some point there will be some document setting out checks and balances and so on, but that needs to be part of this scrutiny. It should not be that the Government take it all away to come back in a few months’ time to tell us how they will constrain the use of this power.
Finally, it occurs to me that the power being introduced could be used to establish benefit eligibility for people who do not currently claim benefits. We know, for example, that a large number of people do not claim pension credit, but are eligible for it. A lot of the information about whether they are entitled to pension credit is already held in the public sector, and in local councils in particular. If it were possible to check whether people had less than the threshold savings level, that could help in establishing eligibility for pension credit automatically. Can the Minister tell us whether that is intended with this proposal?
I rise to speak to new clause 1 in my name and that of other colleagues. Earlier this year, I met with members of Leicestershire Police Federation, who raised concerns about elements of the Data Protection Act 2018 that were imposing unnecessary and burdensome redaction obligations on police forces. I thank the national Police Federation for its tireless campaigning on this issue, particularly Ben Hudson of Suffolk police, and I thank my hon. Friend Peter Aldous for all he has done in this area. I thank them for much of the information I will share today.
As I explained in Committee, part 3 of the 2018 Act implemented the law enforcement directive and made provision for data processing by competent authorities, including police forces and the Crown Prosecution Service, for law enforcement purposes. Paragraph (4) of the enforcement directive emphasised that the
“free flow of personal data between competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences…should be facilitated while ensuring a high level of protection of personal data.”
However, part 3 of the 2018 Act contains no provision at all to facilitate the free flow of personal data between the police and the CPS. Instead, it imposes burdensome obligations on the police, requiring them to redact personal data from information transferred to the CPS. Those obligations are only delaying and obstructing the expeditious progress of the criminal justice system and were not even mandated by the law enforcement directive.
The problem has arisen due to chapter 2 of part 3 of the 2018 Act, which sets out six data protection principles that apply to data processing by competent authorities for law enforcement purposes. Section 35(1) states:
“The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.”
Section 35(2) states:
“The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
The Police Federation has said that it is unlikely that section 35(2)(a) will apply in this context. It has also said that in the case of 35(2)(b), the test of whether the processing is “necessary” is exacting, requiring a competent authority to apply its mind to the proportionality of processing specific items of personal data for the particular law enforcement purpose in question.
Under sections 35(3) to 35(5), where the processing is “sensitive processing”, an even more rigorous test applies, requiring among other things that the processing is
“strictly necessary for the law enforcement purpose” in question. Section 37 states:
“The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.”
For the purposes of the 2018 Act, the Crown Prosecution Service and each police force are separate competent authorities and separate data controllers. Therefore, as set out in section 34(3), the CPS and each police force must comply with the data protection principles. A transfer of information by a police force to the CPS amounts to the processing of personal data.
The tests of “necessary” and “strictly necessary” under the first and third data protection principles require a competent authority to identify and consider each and every item of personal data contained within the information that it is intended to process and to consider whether it is necessary for that item of personal data to be processed in the manner intended. The impact of this is that when preparing a case file for a charging decision from the CPS, the police must spend huge amounts of time and resources analysing information that has been gathered by investigating officers in order to identify every item of personal data. They then have to decide whether it is necessary or, in many cases strictly necessary, for the CPS to consider each item of personal data when making its charging decision, and to redact every item of personal data that does not meet that test.
The National Police Chiefs’ Council and the CPS have produced detailed guidance on this redaction process. It emphasises that the 2018 Act is a legal requirement and that the police and the CPS do not have any special relationship that negates the need to redact and protect personal information. The combination of the requirements of the guidance and of the Act represent a huge amount of administrative work for police officers, resulting in hours of preparing appropriate redactions. Furthermore, such work is inevitably carried out by relatively junior officers who have no particular expertise in data protection, and much of it may never be used by the CPS if the matter is not charged or if the defendant pleads guilty before trial. Nationally, about 25% of cases that are submitted to the CPS are not charged. A significant proportion of that time and money could be saved if the redaction of personal data by the police occurred after, rather than before, a charging decision has been made by the CPS.
The burden that this is placing on police forces was highlighted in the 2022 “Annual Review of Disclosure” by the Attorney General’s Office, which heard evidence from police that
“redaction of material for disclosure is placing a significant pressure on resources”.
It also found that one police force had invested £1 million in a disclosure specialist team solely to deal with redaction. In its report on policing priorities, the Home Affairs Committee stated:
“The National Police Chiefs’ Council and the College of Policing said this ‘labour-intensive’ process ‘ties up police resources for a protected period of time’, meaning investigations take longer, and possibly adds to the likelihood of victims withdrawing their support for a case. The College noted that the problem has become worse as digital devices such as phones and laptops have developed ever greater storage capacity, meaning there is more data for the police to process and redact. Disparities in digital capabilities across the 43 local forces also exacerbate the problem.”
The report went on to say:
“Lengthy and inefficient redaction processes and protracted investigations are neither effective nor fair on either victims or suspects. The handling of case files needs to comply with data protection laws. However, ensuring that the requirements are proportionate and that forces have the digital capacity to meet such requirements efficiently is an urgent issue that needs addressing. More needs to be done to pilot solutions and get the balance right.”
Furthermore, the Police Federation and the National Police Chiefs’ Council estimate that the cost nationally of the redaction exercise is over £5.6 million per annum. There is no disputing that there is a clear issue here, and I welcome that this has been acknowledged by Ministers I have been engaging with, including the Minister for Crime, Policing and Fire, my right hon. Friend Chris Philp; the former Home Secretary, my right hon. and learned Friend Suella Braverman; and the Minister for Data and Digital Infrastructure, Sir John Whittingdale. Only last week, the latter emphasised to me the Government’s support for reform.
Indeed, the autumn statement last week highlighted the Government’s commitment to boosting public sector productivity by running an ambitious public sector productivity programme with all Departments to reimagine the way public services are delivered. The focus of that will be on
“reducing the amount of time our key frontline workers, including police, doctors, and nurses, spend on administrative tasks”.
That is to ensure that they can spend more time delivering for the public. Arguably, the current process of data redaction is the biggest unnecessary administrative task keeping police officers away from the frontline, so reform needs to be implemented urgently.
My new clause lays out a blueprint for that reform and would insert a proposed new section into the 2018 Act to exempt the police service and the CPS from complying with the first data protection principle—except in so far as that principle requires processing to be fair—or with the third data protection principle when preparing a case file for submission to the CPS for a charging decision, thereby facilitating the free flow of personal data between the police and the CPS. If the CPS decided to charge, the case file would be returned to the police to carry out the redaction exercise before there was any risk of the file being disclosed to any person or body other than the CPS. In the 25% of cases in which the CPS decides not to charge, the unredacted file would simply be deleted by the CPS.
My new clause would have no obvious disadvantages, as the security of the personal data would not be compromised and the necessary redactions would still be undertaken once a charging decision had been made. Furthermore, providing material unredacted to the CPS pre-charge would not impact the timeliness of the process in any way, as the police would still be providing the same material to the CPS as they would have done previously, just unredacted.
I know from my conversations with Ministers that there are a few questions from a number of sources about whether legislative change is the best way to tackle the issues surrounding redaction. To that, the Police Federation has said that
“the hope is that the CPS will set out, within their charging advice, what material they intend to rely upon and, therefore, only the required material will have to be redacted by the police. This would be done in line with the maximum time of service set out within the ‘Better case management handbook Jan 23’, which states that service is required no less than five days before the hearing. So we must accept that there may be a slight delay in the CPS being able to serve their case on the defence at the point of charge. But the time in which it will take police forces to apply for a charging decision to the CPS will be far quicker without the need for redact. Thus, stopping defendants being on bail or under ‘released under investigation’ status for as long as they currently are and victims of crime waiting less time for charging decisions.”
In addition, the Police Federation has highlighted that while auto-redaction software will help to mitigate the current issues, it will not recover all policing capacity in respect of redaction. Officers will still need to review the item to consider what auto-redaction parameters need applying, otherwise police could risk ending up with mass over-redaction, and having to check to ensure nothing has been missed. The real benefit for auto-redaction software will come post-charge, especially if the CPS states exactly what material it intends to use or disclose.
I also appreciate that the Government feel they cannot support my amendment because of three technical legal points, and I would like to summarise the Police Federation’s response to this, based on advice from its leading counsel who are experienced in the field of data protection and privacy.
The Government’s first objection is that there are provisions in the 2018 Act, other than the first and third data protection principles, that
“in effect require the material concerned to be reviewed and redacted”.
The two examples given by the Home Office were the sixth data protection principle and section 44. The sixth data protection principle—data security—does not require case files to be redacted. The same standard of
“appropriate technical or organisational measures” is required whether case files are redacted before or after the CPS has made a charging decision. The Police Federation’s leading counsel has pointed out that section 44(4) of the Act already contains potentially relevant restrictions on a data subject’s rights. Those restrictions during an investigation would be consistent with an amendment providing for the police to redact any given case file only after the CPS has decided to charge.
On the Home Office’s second objection, that a broader amendment
“may be problematic for the ICO and international stakeholders”,
the legal experts have highlighted that the proposed new clause seeks only to determine the respective responsibilities of the police and the CPS in the processing involved in preparing and submitting a case file to the CPS for a charging decision. It would not remove any substantive protection or the obligation to review and redact the personal data in case file material. It simply provides for such review and redaction by the police after—rather than before—a charging decision has been made. The law enforcement directive, on which the relevant part of the 2018 Act was based, would have permitted that when the Act was passed, and I am told there is no legal reason why it cannot be introduced now.
On the Home Office’s third objection, that other privacy laws might require the police to review and redact case files even if the 2018 Act were amended in the manner suggested by the Police Federation, the legal experts have pointed out that data protection legislation does not generally seek to regulate other privacy-protecting laws. The impact of the Act on journalism is a good example, as the journalism exemption in part 5 of schedule 2 does not seek to regulate the common-law tort of misuse of private information. Data protection legislation should be appropriately calibrated in a particular area even if other legal rules may also have a role in that area. At present, the data protection obligations give rise to the problem. The legal experts believe that it is mere speculation whether other legal rules might give rise to a similar problem if those obligations were amended.
It is crucial that we do everything possible to ease the administrative burden on police officers, to free up thousands of policing hours and get police back on to the frontline, supporting communities and tackling crime. My new clause would go a long way to achieving that, by facilitating the free flow of personal data between the police and the CPS, which would speed up the criminal justice process and reduce the burden on the taxpayer—a stated aim of the Government. How disheartening it must be for a police officer to take time and patience redacting data only to find that the case does not go forward, as occurs in 25% of cases. Common sense must prevail.
I rise to speak to the six amendments that I have tabled to the Bill. I am grateful to Mr Speaker for selecting amendment 11, which I will press to a vote. It is an extremely important amendment that I hope will unite Members across the House, and I thank Patrick Grady for confirming his party’s support for it.
I add mine and that of the Labour party, too.
I thank my hon. Friend for that.
I have been contacted by many people and organisations about issues with the Bill. The British Medical Association and the National AIDS Trust have serious concerns, which I share, about the sharing of healthcare data and the failure to consider the negative impact of losing public trust in how the healthcare system manages data.
The Bill is an opportunity to adapt the UK’s data laws to strengthen accountability and data processing, but it currently fails to do so. It provides multiple Henry VIII powers that will enable future Secretaries of State to avoid parliamentary scrutiny and write their own rules. It undermines the independence of the Information Commissioner’s Office in a way that provides less protection to individuals and gives more power to the Government to restrict and interfere with the role of the commissioner.
The Government’s last-minute amendments to their own Bill, to change the rules on direct marketing in elections and give themselves extensive access to the bank accounts of benefit claimants, risk alienating people even further. I hope the House tells Ministers that it is entirely improper—in fact, it is completely unacceptable—for the Government to make those amendments, which require full parliamentary scrutiny, at this late stage.
We know people already do not trust the Government with NHS health data. The Bill must not erode public trust even more. We have seen concerns about data with GP surgeries and the recent decision to award Palantir the contract for the NHS’s federated data platform. A 2019 YouGov survey showed that only 30% of people trust the Government to use data about them ethically. I imagine that figure is much lower now. How do the Government plan to establish trust with the millions of people on pension credit, state pension, universal credit, child benefit and others whose bank accounts—millions of bank accounts—they will be able to access under the Bill? As my hon. Friend Sir Chris Bryant and others have asked, legislative powers already exist where benefit fraud is suspected, so why is the amendment necessary?
My amendment 11 seeks to ensure that special category data, such as that relating to a person’s health, is adequately protected in workplace settings. As the Bill is currently worded, it could allow employers to share an employee’s personal data within their organisation without a justifiable reason. The health data of all workers will be at risk if the amendment falls. We must ensure that employees’ personal data, including health data, is adequately protected in workplace settings and not shared with individuals who do not need to process it.
The National AIDS Trust is concerned that the Bill’s current wording could mean that people’s HIV status can be shared without their consent in the workplace, using the justification that it is “necessary for administrative purposes”. That could put people living with HIV at risk of harassment and discrimination in the workplace. The sharing of individuals’ HIV status can lead to people living with HIV experiencing further discrimination and increase their risk of harassment or even violence.
I am concerned about the removal of checks on the police processing of an individual’s personal data. We must have such checks. The House has heard of previous incidents involving people living with HIV whose HIV status was shared without their consent by police officers, both internally within their police station and in the wider communities they serve. Ensuring that police officers must justify why they have accessed an individual’s personal data is vital for evidence in cases of police misconduct, including where a person’s HIV status is shared inappropriately by the police or when not relevant to an investigation into criminal activity.
The Bill is not robust enough on the transfer of data internationally. We need to ensure that there is a mandated annual review of the data protection test for each country so that the data protection regime is secure, and that people’s personal data, such as their LGBTQ+ identity or HIV status, will not be shared inappropriately. LGBTQ+ identities are criminalised in many countries, and the transfer of personal data to those countries could put an individual, their partner or their family members at real risk of harm.
I have tabled six amendments, which would clarify what an “administrative purpose” is when organisations process employees’ personal data; retain the duty on police forces to justify why they have accessed an individual’s personal data; ensure that third countries’ data protection tests are reviewed annually; and ensure that the Secretary of State seeks the views of the Information Commissioner when assessing other countries’ suitability for the international transfer of data. I urge all Members to vote for amendment 11, and I urge the Government and the other place to take on board all the points raised in today’s debate and in amendments 12 to 16 in my name.
I rise to speak to new clause 2, which, given its low number, everyone will realise I tabled pretty early in the Bill’s passage. It addresses the smart data clauses that sit as a block in the middle of the Bill.
It is wonderful to see the degree of cross-party support for the smart data measures. The shadow Minister’s remarks show that the Labour Front Bench have drunk deeply from the Kool-Aid, in the same way as the rest of us. It is vital that the measures move forward as fast and as safely as possible, because they have huge potential for our economy and our GDP growth. As the Minister rightly said, they seek to build on the undoubted world-leading success of our existing position in open banking.
My new clause is fairly straightforward, and I hope that the Minister will elaborate in his closing remarks on the two further measures that it seeks, which I and a number of other people urged the Secretary of State to take in a letter back in July. To underline the breadth of support for the measures, the letter was signed by the chief data and analytics officer of the NatWest Group, leading figures in the Financial Data and Technology Association, the co-founder and chief executive officer of Ozone API, the director general of the Payments Association, the founder and chief executive of Icebreaker One—who is, incidentally, now also chair of the Smart Data Council—the founder of Open Banking Excellence, and the CEO of the Investing and Saving Alliance. I am making not only a cross-party point, but a point that has widespread support among the very organisations involved in smart data, and particularly the open banking success that we all seek to replicate.
If we are to replicate our success in open banking across other parts of our economy, we need two things to be true. First, we must make sure that all data standards applied in other sectors are interoperable with the data standards that already exist in open banking. The point is that data standards will be different in each sector, because each sector’s data is held in different ways, in different places and by different people, under different foundational legal powers, but they must all converge on a set of standards that means that health data can safely and securely talk to, say, energy data or banking data.
Following on from my earlier intervention, when the Minister was talking about Government new clause 27, if we are to have data standards that allow different bits of data to be exchanged safely and securely, it is essential that we do not end up with siloed standards that do not interoperate and that cannot talk to each other, between the different sectors. Otherwise, we will completely fail to leverage our existing lead in open banking, and we will effectively have to reinvent the wheel from scratch every time we open up a new sector.
I hope that, by the time the Minister responds to the various points raised in this debate, inspiration will have struck and he will be able to confirm that, although we might have different data standards, it is the Government’s intention that those standards will all be interoperable so that we avoid the problem of balkanisation, if I can put it that way. I hope he will be able to provide us with a strong reassurance in that direction.
The second point encapsulated in new clause 2 deals with the following situation. Let us suppose that I am an app company that is currently successful in open banking. I have a piece of middleware in the open banking ecosystem, but I fancy being able to take what I have done successfully—it is world-leading in open banking—and roll it out to other sectors of the economy. I might want to produce a health, energy or other app to profit—or to provide services—from the Government’s plans to roll out smart data across the rest of the economy. I therefore need to know which sectors are going to be done and in what order. Otherwise, as I walk into the office on Monday morning, needing to go up to my development team, I do not know whether I will be telling them to do the energy development, the water development or the open smart data development for online retail first.
All I need, therefore, is a Gantt chart or a timetable—we can call it what we will; I just need something that tells me which sectors, in what order and by what dates, so that I can make sure that my app is ready on those launch dates in order to be able to profit from this. So I was delighted to see the Government’s autumn statement of a week or 10 days ago, in paragraph 4.28 of the Green Book, talking about, as those on the Labour Front Bench have mentioned,
“a Smart Data Big Bang” covering “seven sectors”. That is wonderful—absolutely super—but I ask, “Which seven sectors, and when?” If the Minister is able to clarify that, or at the very least say when the Government are going to publish the timetable naming the sectors and the dates on which each sector will be ready, he will be doing international investors in our country and our existing successful, world-leading organisations—
I agree with the hon. Gentleman on this, but quite a lot of steps need to be taken here. For instance, we might need to mandate standards on smart meters in order to be able to take advantage of these measures. We have not been given any kind of plans so far—unless he has seen something.
I wish I had seen something, because then I would be able to pull my amendment or inform the House. I have not seen something, and I think such a plan is essential, not just for Members in the Chamber this afternoon, but for all those investors, business leaders and app developers. That would allow them to work out the critical path, whatever the minimum viable products might be and everything else that is going to be necessary, and by what date, for the sectors they are aiming for. So the hon. Gentleman is absolutely right in what he says, and it is vital that if the Minister cannot come up with the timetable this afternoon, he can at least come up with a timetable for the timetable, so that we all know when the thing will be available and the rest of the open banking industry can work out how it is going to become an “open everything” industry and in what order, and by what time.
So this is fairly straightforward. There are promising signs, both in the autumn statement and in the Government’s new clause 27, but further details need to be tied down before they can be genuinely useful. I am assuming, hoping and praying that the Minister will be able to provide some of those reassurances and details when he makes his closing remarks, and I will therefore be able to count this as a probing amendment and push it no further. I am devoutly hoping that he will be able to make that an easier moment for me when he gets to his feet.
I apologise to right hon. and hon. Members for any confusion that my movements around the Chamber may have created earlier, Mr Deputy Speaker.
New clause 45 is about the comparability and interoperability of health data across the UK. I say to Sir Chris Bryant, the Opposition spokesman, that I have never been called pregnant before—that is a new description—but I will return to his point shortly in these brief remarks. There are three important reasons worth stating why data comparability is important. The first is that it empowers patients. The publication of standardised outcomes gives patients the ability to make informed choices about their treatment and where they may choose to live. Secondly, it strengthens care through better professional decision making. It allows administrators to manage resources and scientists to make interpretations of the data they receive. Thirdly, comparable data strengthens devolution, administration and policy making in the health sector. Transparent and comparable data is essential for that and ensures that we, as politicians, are accountable to voters for the quality of services in our area.
We could have an academic and philosophical discussion about this, but what brings me to table new clause 45 is the state of healthcare in north Wales. We have a health board that has been in special measures for the best part of eight years, and I have to wonder if that would be the case if the scrutiny of it were greater. One of the intentions of devolution was to foster best practice, but in order for that to happen we need comparability, which has not proved to be the case in the health sector.
For example, NHS Scotland does not publish standard referral to treatment times. Where it does, it does not provide averages and percentiles, but rather the proportion of cases meeting Scotland-only targets. In Wales, RTTs are broadly defined as the time spent waiting between a referral for a procedure and getting that procedure. In England, only consultant-led pathways are reported, but in Wales some non-consultant-led pathways are included, such as direct access diagnostics and allied health professional therapies, such as physiotherapy and osteopathy, which inevitably impact waiting times.
On cancer waiting times, England and Scotland have a target of a test within six weeks. However, there are different numbers of tests—eight north and 15 south of the border—and different measures for when the period ends—until the last test is completed in England or until the report is written up in Scotland. Those who understand health matters will make better sense of what those differences mean, but I simply make the observation that there are differences.
In Wales, the way we deal with cancer waiting times is different. Wales starts its 62-day treatment target from the date the first suspicion is raised by any health provider, whereas in England the 62-day target is from the date a specialist receives an urgent GP referral. Furthermore, in Wales routine referrals reprioritised as “urgent, with suspicion of cancer” are considered to be starting a new clock.
What can be done about this and why does it require legislation? New clause 45 may seem familiar to hon. Members because it was first brought forward as an amendment to the Health and Care Bill in 2022. It was withdrawn with the specific intention of giving the Government the time to develop a collaborative framework for sharing data with the devolved Administrations. I pay tribute to all four Governments, the Office for National Statistics and officials for their work since then.
Notwithstanding that work, on
“You are entirely right that statistics is a devolved responsibility and therefore the data that are collected for administrative purposes in different parts of the United Kingdom differ. We have found it very difficult recently to collect comparable data for different administrations across the UK on the health service, for example.”
On working more closely with the devolved Administrations’ own statistical authorities, he said:
“We have been working very hard to try to get comparable data. Comparable data are possible in some areas but not in others. Trying to get cancer outcomes—” as I have just referred to—
“is very difficult because they are collected in different ways… While statistics is devolved, I do not have the ability to ensure that all data are collected in a way that is comparable. We work really hard to make comparable data as best as possible, but at the moment I have to be honest that not all data can be compared.”
Mr Deputy Speaker, new clause 45 was brought forward as a constructive proposal. I believe that it is good for the patients, good for the professionals who work on their healthcare, and good for our own accountability. I do not think that this House would be divided on grounds of compassion or common sense. I thank all those Members who have supported my new clause and urge the Government to legislate on this matter. Today was an opportunity for me to discuss the issues involved, but I shall not be moving my new clause.
With the leave of the House, I call the Minister to wind up the debate.
I thank all hon. Members who have contributed to the debate. I believe that these matters are important, if sometimes very complicated and technical. My hon. Friend Mr Fysh was absolutely right to stress how fundamentally important they are, and they will become more so.
I also thank the shadow Minister for identifying the areas where we are in agreement. We had a good Committee stage with his colleague, Stephanie Peacock, where we agreed on the overall objectives of the Bill. It is welcome that the shadow Minister has supported us, particularly on the amendment that we moved this afternoon on the powers of the Information Commissioner’s Office, the provisions relating to digital verification services, and smart data. There were, however, some areas on which we will not agree.
Let me begin by addressing the main amendments that the hon. Gentleman has moved. Amendment 1 relates to high-risk processing. It is the case that one of the main aims of the Bill is to remove some of the UK GDPR’s unnecessary compliance burdens. That is why organisations will be required to designate only senior responsible individuals to carry out risk assessments and keep records of processing when their activities pose high risks to individuals. The amendments that the hon. Gentleman is proposing would reintroduce a prescriptive list of high-risk processing activities drawn from article 35 of the UK GDPR. We find that some of the language in article 35 is unclear and confusing, which is partly why we removed it in the first place. We think organisations should have the ability to make a judgment of risk based on the specific nature, scale and context of their own processing activities. We do not need to provide prescriptive examples of high-risk processing in the legislation, because any list could quickly become out of date. Instead, to help data controllers, clause 18 of the Bill requires the ICO to produce a document with examples of what the commissioner considers to be high-risk processing.
But the Minister has already indicated that, basically, he will come forward with exactly the same list as is in the legislation that the Government are amending. All that is happening is that, in the Bill, the Information Commissioner will be doing what the Government or the House could be doing, and this is the one area where the Government disagree with the Information Commissioner.
As I say, the Government do not believe that it is necessary to have a prescriptive list in the Bill. We feel that it is better that individuals make a judgment based on their assessment of the risk, with the guidance of the Information Commissioner.
Moving to the shadow Minister’s second amendment, the Government agree that controllers should not be able to refuse a request without proper thought or consideration. That is why the existing responsibilities of controllers to facilitate requests from data subjects as the default has not changed and why the new article 12A also ensures that the burden of proof for a request meeting the vexatious or excessive threshold remains with the controller. The Government believe that is sufficient, and stipulating that evidence must be provided each time a request is refused may not be appropriate in all circumstances and would likely bring further burdens for controllers. On that basis, we oppose that amendment.
On amendment 5, the safeguards set out in reformed article 22 of the UK GDPR ensure that individuals are able to seek human intervention when significant decisions about them are taken solely through automated means with no meaningful human involvement.
Partly automated decisions already involve meaningful human involvement, so there is no need to extend the safeguards in article 22 to all forms of automated decision making. In such instances, other data protection requirements continue to apply and offer relevant protections to data subjects, as set out in the broader UK data protection regime. Those protections include lawfulness, fairness, transparency and accountability.
Amendment 218, which the hon. Member for Rhondda tabled along with amendments 219 and 220, gives us the opportunity to debate the democratic engagement provisions in the Bill. Amendments 218 and 219 would remove clauses 87 and 88, which give the Secretary of State a power to make exceptions to the privacy and electronic communications regulations direct marketing provisions on communications sent for the purposes of democratic engagement.
We have no immediate plans to use the regulation powers, but it is conceivable that future Governments might want to treat communications sent for the purposes of democratic engagement differently from those for commercial marketing. We would lose the option to do that if the regulation-making powers were removed. Before laying any regulations under the clause, the Secretary of State would need to consult the Information Commissioner and have specific regard to the effect that further exceptions could have.
I turn to the measure relating to the powers of the Department for Work and Pensions, raised by Sir Stephen Timms, who is Chair of the Work and Pensions Committee, and Patrick Grady, who speaks for the Scottish National party. We believe that this targeted and limited measure will enable us to identify fraudulent benefit claims and, as a result, will save the taxpayer a significant amount of money.
On the specific point of whether the powers should be targeted on individual benefits rather than more generally, I should say that at the moment fraud and error in state pensions, for instance, is near zero. The Government intend to target the benefits power where there is clear evidence of fraudulent activity. We are including all benefits to make sure that state pensions stay that way.
My understanding was that the level of fraud among state pension claims was indeed extremely small. The Minister said earlier that the Government should take powers only where they are absolutely necessary; I think he is now saying that they are not necessary in the case of people claiming a state pension. Is he confident that that bit of this power—to look into the bank account of anybody claiming a state pension—is absolutely necessary?
What I am saying is that the Government’s intention is to use the power only when there is clear evidence or suggestion that fraud is taking place on a significant scale. The Government simply want to retain the option to amend that should future evidence emerge; that is why the issue has been left open.
The trouble is that this is not about amending. The Government describe the relevant benefits in part 5 of proposed new schedule 3B, within new schedule 1, which is clear that pensions are included. The Minister has effectively said at the Dispatch Box that the Government do not need to tackle fraud in relation to pensions; perhaps it would be a good idea for us to all sit down and have a meeting to work out a more sensible set of measures to tackle fraud where it is necessary, rather than giving unending powers to the Government.
I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future. But I am happy to take the hon. Gentleman up on his request on behalf of my hon. Friend the Minister for Disabled People, Health and Work, with whom he has already engaged. I am sure that the right hon. Member for East Ham will want to examine the issue further in the Work and Pensions Committee, which he chairs. It will undoubtedly also be subject to further discussions in the other place. We are certainly open to further discussion.
The right hon. Member for East Ham also raised the question of commencement. I can tell him that the test and learn phase will begin in 2025, with a steady roll-out to full-scale delivery by 2030. I am sure that he will want to examine these matters further.
The amendment tabled by my right hon. Friend Mr Davis focuses on digital exclusion. The Bill provides for the use of secure and inclusive digital identities across the economy. It does not force businesses or individuals to use them. Individual choice is integral to our approach. As the Bill makes clear, digital verification services can be provided only at the request of the individual. Where people want to use a digital verification service, the Government are committed to ensuring that available products and services are secure and privacy-focused. That is to be achieved through the high standards set out in the trust framework.
The trust framework also outlines how services can improve inclusion, and requires services to publish an annual inclusion monitoring report. There are businesses that operate only in the digital sphere, such as some online banks and energy companies, as I think has been acknowledged. We feel that to oblige them to offer manual document checking would place obligations on businesses that go beyond the Government’s commitment to do only what is necessary to enable the digital market to grow.
On amendment 224 from the Scottish National party, solely automated decision making that produces legal or similarly significant effects on individuals was not entirely prohibited previously under the UK’s data protection legal framework. The rules governing article 22 are confusing and complex, so clause 12 clarifies and simplifies the rules related to solely automated decision making, and will reduce barriers to responsible data use, help to drive innovation, and maintain high standards of data protection. The reforms do not water down any of the protections to data subjects offered under the broader UK data protection regime—that is, UK GDPR and the Data Protection Act 2018.
On the other amendment tabled by the SNP, amendment 229, effective independent oversight of surveillance camera systems is crucial to public trust. The oversight framework is complex and confusing for the police and public because of substantial duplication between the surveillance camera commissioner functions and the code, which covers police and local authorities in England and Wales only, and the ICO and data protection legislation. The Bill addresses that, following public consultation, through abolishing the surveillance camera commissioner and code.
The amendment tabled by the hon. Member for Glasgow North would negate that by retaining the code and transferring the surveillance camera commissioner functions to the investigatory powers commissioner. It would also blur the lines between overt and covert surveillance, which the investigatory powers commissioner oversees. Those two types of surveillance have distinct legislation and oversight, mainly because covert surveillance is generally considered to be significantly more intrusive.
On amendment 222, it is important to be clear that the ability to refuse or charge a reasonable fee for a request already exists, and clause 8 does not place new restrictions on reasonable requests from data subjects. The Government believe that it is proportionate to allow controllers to refuse or charge a reasonable fee for vexatious or excessive requests, and a clearer provision enables controllers to focus time and resources on responding to reasonable requests instead.
Amendments 278 and 279, tabled by my hon. Friend the Member for Yeovil, would remove the new lawful ground of recognised legitimate interests, which the Bill will add to article 6 of UK GDPR. Amendment 230 accepts that there is merit in retaining the recognised legitimate interests list, but would make any additions to it subject to a super-affirmative parliamentary procedure. It is true that the Bill removes the need for non-public-sector organisations to do a detailed legitimate interests assessment in relation to a small number of processing activities. Those include activities relating for example to the safeguarding of children, crime prevention and responding to emergencies. We heard from stakeholders that the need to do an assessment and the fear of getting it wrong could sometimes delay or deter those important processing activities from taking place. Future Governments would not be able to add new activities to the list lightly; clause 5 of the Bill already makes it clear that the Secretary of State must carefully consider the rights and interests of people, and in particular the special protection needed for children, before adding anything new to the list. Any new regulations would also need to be approved via the affirmative resolution procedure.
My hon. Friend the Member for Yeovil has tabled a large number of other amendments, which are complicated in nature. I have written to him in some detail setting out the Government’s response to each of those, but if he wishes to pursue further any of the points contained therein I would be very happy to have further discussions with him.
I would like to comment on the amendments by several of my colleagues that I wish I was in a position to be able to support. In particular, my hon. Friend Jane Hunt has been assiduous in pursuing her point both in the Bill Committee and in this debate. The problem she identifies is without question a very real one, and she set out in some detail how it is massively increasing the burden on the police, which clearly we would wish to reduce wherever possible.
I have had meetings with Home Office Ministers, as my hon. Friend has, and they absolutely identify that problem and share her wish. While we welcome her intent, the problem is that we do not think that her amendment as drafted would achieve her aims of removing the burden of redaction. To do so would require the amendment and exception of more principles than those identified in the amendment. Indeed, it would require the amendment of more laws than just the Data Protection Act 2018.
The Government are absolutely committed to reducing the burden on the police, but it is obviously important that, if we do so, we do it right, and that the solution works comprehensively. We are therefore actively working on ways to better address the issue, including through improved process, new technology, guidance and legislation. I am very happy to continue to work with her on achieving the aim that we all share and so too, I know, are colleagues in the Home Office.
With respect to the amendments tabled by my hon. Friend John Penrose, as I indicated, we absolutely share his enthusiasm for smart data and ensuring that the powers within the Bill are implemented in a timely manner, with interoperability at their core. While I agree that we can only fully realise the benefits of smart data schemes if they enable interoperability, different sectors will have different levels of existing digital infrastructure and capability. Thus, we could inadvertently hinder the success of future schemes if we mandated the use of one universal set of standards based, for instance, on those used in open banking.
The Government will ensure that interoperability is central to the development of smart data schemes. To support our thinking, we are working with industry and regulators in the Smart Data Council to identify the technical infrastructure that needs to be replicated. With regard to the timeline—or even the timeline for a timeline—that my hon. Friend asked for, I recognise that it is important to build investor, industry and consumer confidence by outlining the Government’s planned timeline.
My hon. Friend is right to highlight the Chancellor’s comments in the autumn statement, where we set out plans to kick-start the smart data big bang, and our ambition for using those powers across seven sectors. At this stage I am afraid I am not able to accept his amendment, but it is our intention to set out those plans in more detail in the coming months. I know the Under-Secretary of State for Business and Trade, my hon. Friend Kevin Hollinrake and I will be happy to work with him to do so.
The aim of the amendment tabled by Kate Osborne was to clarify that, when special category data of employees such as health data is transferred between members of a group of undertakings for internal administrative purposes on grounds of legitimate interests, the conditions and safeguards outlined in schedule 1 of the Data Protection Act should apply to that processing. The Government agree with the sentiment of her amendment, but consider that it is unnecessary. The current legal framework already requires controllers to identify an exemption under article 9 of the UK GDPR if they are processing special category data. Those exemptions are supplemented by the conditions and safeguards outlined in schedule 1. Under those provisions, employers can process special category data where processing is necessary to comply with obligations under employment law. We do not therefore consider the amendment necessary.
Finally, I turn to new clause 45, tabled by my hon. Friend Robin Millar. The Government are absolutely committed to improving the availability of comparable UK-wide data. He, too, has been assiduous in promoting that cause, and we are very happy to work with him. We are extremely supportive of the principle underlying his amendment. He is right to point out that people have the right to know the extent of Labour’s failings with the NHS in Wales, as he pointed out, and his new clause sends an important message on our commitment to better data. I can commit to working at pace with him and the UK Statistics Authority to look at ways in which we may be able to implement the intentions of his amendment and bring forward legislative changes following those discussions.
On that basis, I commend the Government amendments to the House.
Question put and agreed to.
New clause 6 accordingly read a Second time, and added to the Bill.
For the benefit of all Members, we are before the knife, so we will have to go through a sequence of procedures. It would help me, the Clerk and the Minister if we had a degree of silence. This will take a little time, and we need to be able to concentrate.