My Lords, it is a great pleasure to follow the right reverend Prelate, who has touched on one of the points that have attracted most attention since the Bill was published and began to generate comment. I also hope that the committee of the noble Lord, Lord Jay, might be able to give us some kind of report and assessment on GDPR because, while I think the Bill is important in its own right, it is quite awkward to discuss it in the absence of a very important part of the regulations that will apply in this country or any assessment of the linkages or potential disparities that may exist between the two. I beg that the committee might consider this a priority.
I think the House will agree that this is an important use of legislation, and its scope is—necessarily, I think—very large. There is no real activity in society these days that does not generate data that is processed in some way. Because of the scale of data creation—the figures are extraordinary—usage continues to grow exponentially and personal data is extremely bound up in all that. All of us are affected by the data world. It is increasingly obvious that the functioning of the economy and of public services depends on the availability, accuracy and security of data. It is also key to wealth creation. It has become very clear in the series of strategies that the Government are producing at the moment that data lies absolutely at the heart of the way in which this country will be able to make its way forward and remain a prosperous society, and therefore that we have to get the regulation of data right. It is the basis on which we will advance general knowledge and welfare in society.
The Government have produced a Bill that enables us to tackle detail, and it is the detail on which this House will focus in later stages. It is impossible in a discussion of this kind to do justice to all the angles. I shall in later stages want to focus on the cyber and national security elements, but today I shall focus on what I regard as a potential opportunity, provided we get the regulatory framework right. That is research, which has not featured much so far in our deliberations.
The abundance of datasets that society simply has not had before opens up to us the possibility of types of research which can lead us to enormous discovery and greater beneficial activity and welfare. For instance, it will enable medicine to be put on an essentially personalised rather than generic basis, and the UK should have a huge advantage in the longitudinal data that the NHS possesses, which no other country can rival. It ought to be something where we can make a real pitch for both advancing welfare and increasing wisdom, knowledge and wealth in our society. Obviously, that depends on the use of data being proper and the regulation of it not getting in the way, which is not a theoretical issue. Existing legislation, which largely comes from the EU, combined with the way in which the precautionary principle has sometimes been applied, means that some kinds of trials in some fields in this country have now become so difficult to conduct within the EU that companies engaging in them have decamped elsewhere—often to the United States—to the intellectual and commercial impoverishment of Europe. That is a practical illustration of how important it is to get the balance between trying to regulate against abuse and the opportunities that you should leave open.
As the UK leaves the EU, it will be essential—I use the word “essential”—for the UK to be able to demonstrate adequacy. I hope the Government will assure us on that point and produce the necessary regulatory framework to enable it to happen. Some very big issues here have already been mentioned and I will not repeat them. Adequacy does not mean that the UK should simply cut and paste all EU legal provisions where reliance on national law and derogations are real options in front of us. There are some where we should be availing themselves of them. Nor do we need to make privacy safeguards—which are very important—so demanding that they become self-defeating, standing in the way of benefiting patients, in the case of medicine, and the community more generally.
The Government have made it clear that they want the Bill to support research, which is extraordinarily welcome. I hope that when she replies, the Minister will be able to say something about how the Government will approach the changes that will be needed to deal with research issues in the UK. The Bill classes universities as public bodies, and universities lie at the core of the research community. It is fair enough for universities to be classed as public bodies—that is what they are—but the legislation then denies them the right to invoke public interest, or even legitimate interest, as a basis for their research, and thus obliges them to seek explicit consent when using data at every stage of processing. This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary. You can get a situation in which unexpected and unplanned-for research is available and could yield real dividends. That is especially true of interventional research. If, as a result of wanting to take it to a further stage, the data processing demands that there should be another round of explicit consent, you get into a situation whereby universities—unlike some of the public bodies in government, which do not have to follow this procedure—have to go round again to all those who offered their personal data in the first place. Seeking the consent of holders of the data anew may simply not be possible, especially in long-term research projects. People move house or become incapable; they also die.
Even if those problems can be overcome—and I think they are real—there is a question of proportionality. Why make consent so onerous that it makes research too difficult in practice and too costly to engage in? There needs to be greater proportionality on this issue and greater alignment between the various bodies that use data in this way, and there needs to be some alternative to consent as the basis for engaging in some kinds of research. Numerous government mechanisms are available, not least ethics committees, which are a key component of modern research and could provide the necessary safeguards against abuse. I recognise that there need to be safeguards, but I suggest that we should use some imagination in how they could be brought about.
In this country, we are very rich in research conducted by voluntary, not-for-profit and charitable bodies. They often supplement what the public sector and universities are unable or unwilling to do, but they do not find a place in this legislation, which posits that all research of value is conducted by “professional bodies”—a definition that excludes many organisations doing valuable work under the terms of the existing law. That law is to be tightened up, which may create difficulties. I am associated with one such organisation, and I want to give a tiny illustration of the problems that arise as a result of being outside the field of professional bodies.
I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. The number of people with those afflictions is so tiny in any given population that you have to go across the globe to connect useful datasets, which means in turn that you come up against some of the provisions that govern transnational transmission of data. However, the rarity of such individual disorders also makes every patient’s data precious to other affected individuals, because it is potentially a very tight community. No other organisation is dealing with that affliction in that way, and Unique can give support and advice to otherwise lonely parents and their equally isolated medics, who turn to Unique for information about alike cases. There is a network there.
By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work. In Unique, it is not uncommon for parents who have not been in touch for a long time suddenly to turn to it with a request for help. Try telling families, many of whom are not in the UK but are in third countries, who are coping with the daily stress of caring for a disabled child or adult, that they must be sure to keep up online with the stringent requirements of UK data legislation and that failing to do so will mean that they run the severe risk of no longer being able to get the kind of individualised attention and support that they seek from the very organisations set up to help them. The problem is that the law will lay down the need for the regular reconsultation and re-consent of individuals in very precise ways, and that such individuals might not reply, not understanding the potential hazards involved in failing to do so. One might say that data anonymisation might solve the problem. It solves some problems, but it creates new ones in an organisation set up for certain purposes where the idea is that one fellow sufferer can help another. So piling difficulties on small organisations—there are other difficulties that I have not even mentioned—might lead ultimately to an unwanted outcome, which will be a reduction in effectiveness.
I am not pleading for essential provisions on privacy to be disregarded. That would not be a sensible plea. However, I suggest that we are still in the foothills of the data-driven world and, while it is right to demand rigorous standards and strict enforcement, that is not the same as passing narrow and inflexible legislation that will have unwanted and unnecessary side-effects. The research base of this country needs a wider base for lawful consent and this legislation should recognise that not all valuable research fits into normal categories. I would like the Government to think about the possibility that they should allow for the creation of governance and accountability regimes that will fit special circumstances—and I am sure that we will come across others as we go through this legislation. The existence of the Information Commissioner should not result just in enforcing the law effectively and well; it should provide an opportunity for creativity under her auspices and the ability to create variations on governance regimes where they are needed.