With this it will be convenient to discuss the following:
Amendment 100, in clause 30, page 29, line 33, leave out “had regard to” and insert “complied with”.
This amendment provides stronger compliance with the code of practice on the disclosure of information.
Amendment 99, in clause 32, page 30, line 13, at end insert—
‘(1A) In determining whether to make regulations under section 29, 30 or 31 the appropriate national authority must ensure that—
(a) the sharing of information authorised by the regulations is minimised to what is strictly necessary,
(b) the conduct authorised by the regulations to achieve the “specified objective” is proportionate to what is sought to be achieved by that conduct,
(c) a Privacy Impact Assessment compliant with the relevant code of practice of the Information Commissioner’s Office has taken place and been made publicly available,
(d) the proposed measures have been subject to public consultation for a minimum of 12 weeks, and responses have been given conscientious consideration.
(1B) As soon as is reasonably practicable after the end of three years beginning with the day on which the regulations come into force, the relevant Minister must review its operation for the purposes of deciding whether these should be amended or repealed.
(1C) Before carrying out the review the relevant Minister must publish the criteria by reference to which that determination will be made.
(1D) In carrying out the review the relevant Minister must consult—
(a) the Information Commissioner, and
(b) open the review to public consultation for a minimum of 12 weeks, and demonstrate that responses have been given conscientious consideration.”
This amendment seeks to reduce the risk of successful legal challenges. Challenges are often made on grounds of privacy and this would amend that to increase privacy safeguards.
Amendment 96, in clause 32, page 30, line 33, at end insert—
‘(3A) A particular person identified in personal information disclosed under sections 29, 30 or 31 is able to request to a specified person under subsection 29(1) that the personal information is modified and corrected if necessary.”
Amendment 95, in clause 32, page 30, line 34, leave out
“(including a body corporate)”
“, a group of persons, a private company or a publicly traded company irrespective of their size and revenue, but”.
Amendment 105, in clause 35, page 32, line 31, leave out “have regard to” and insert “comply with”.
I am very grateful to my hon. Friend the Member for Cardiff West for giving me some much-needed time off. I do not wish to disappoint the Minister by not being as brief as we were earlier, but I am not sorry, because part 5 really does require some further scrutiny. I think the Government know that it was not ready for Committee, not least because they have tabled several dozen amendments to it, but also because the codes of practice were not in good enough shape last week, according to the Information Commissioner, but were published just a few days later—some civil servants were clearly working overtime in the intervening period.
Clause 29 allows specified persons to share data for a specified objective. All national authorities will be enabled to lay regulations through secondary legislation for exactly what those data-sharing arrangements will be and what they will be for. In doing so, this clause lays out that they will be required to ensure the secure handling of information and to have regard to the codes of practice. Our amendments seek to strengthen this and to ensure that anyone involved in the sharing of data under these new powers is in full compliance with the codes of practice that were published last week.
I want to be very clear here: the Opposition do not oppose the Government’s sharing data among themselves to improve policy making and public services, but we must get this absolutely right and we are still a long way away from that, given the state of the current proposals. This is a key point: the public support the sharing of data to better enable the Government to provide services and to better enable the public to make use of those services, but public trust is fragile and has been rocked in recent years by varying degrees of incompetence in managing those data. Before Government Members point out that previous Labour Administrations were just as guilty, I should say that I fully accept that. This is not a political but rather an administrative point, which is why such proposals need to proceed with the utmost caution.
The Information Commissioner produced a very instructive report on this very point, which is extremely important to this part of the Bill, because it demonstrates the circumstances in which the public are happy for their data to be shared. The commonly recurring themes of what the public want regarding data could not be clearer: they want control over their data; they want to know what organisations are doing with those data; and they want to understand the different purposes and benefits of sharing their data. In that context, 63% of people agreed that they had lost control over the way in which their data are being used. This demonstrates that if there is to be sharing of data, which we support, there must be very clearly defined safeguards based on consent and transparency.
This part of the Bill gives considerable powers to Government to share data, but there are essentially no safeguards built in to ensure privacy, data protection, proportionality and a whole host of other principles that should sit alongside data sharing. It is vital that these reforms go ahead and we are completely in favour of effective data sharing across Government to achieve public sector efficiencies, value for money, improved public sector services, take-up of benefits for the most vulnerable, such as the warm home discount or free school meals, and, most importantly, an improved experience for those who use public services.
The Minister for Digital and Culture claimed in an evidence session that the safeguards are in the Bill, but that is simply not the case. I would be grateful if the Parliamentary Secretary, Cabinet Office outlined what safeguards he thinks there are. As I, a relatively amateur observer, as well as those who are much more expert in the matter, read it, the safeguards are to be added at a later date, written up by the Government and consulted on with people whom the Government deem fit to consult. Furthermore, there is absolutely nothing the public sector does that is not covered by the clause. I would be grateful, therefore, if the Minister gave us a single example that—I quote from the clause—for the purposes of
“the improvement of the well-being of individuals or households”, or of improving
“the contribution made by them to society”, would not deliver.
The codes that were published last week gave examples of objectives that would fall foul of those criteria, including those that are punitive. It is useful to see the examples, but it is of concern that the Bill does not explicitly exclude a punitive objective. The codes also include examples of objectives that are too general rather than too specific, and it would help if the Minister said exactly where the line about what is too specific is drawn. Improving levels of safety in a neighbourhood is given as an example of an objective that is too general, but would reducing the number of burglaries in a neighbourhood, for example, be specific enough?
The Government have stated that the proposed powers are to support:
“The delivery of better targeted and more efficient public services to citizens; The detection and prevention of fraud against the public sector and citizens to manage debt more effectively; and better research and official statistics to inform better decision-making.”
Of course, no one could disagree with any of that and the majority of respondents and, in fact, all the witnesses we saw two weeks ago, agreed with the purpose of the proposals. However, as the Government’s summary of responses to their consultation, “Better use of Data in Government” stated:
“The majority of responses were supportive of the proposals and the need to ensure appropriate safeguards, accountability and transparency are in place to build trust with citizens on the usage of their data.”
Crucially for the purposes of the debate, several respondents favoured such measures being in primary legislation as opposed to codes of practice.
Not only are the objectives not limited in the Bill, but the bodies that can share or receive data are not particularly limited. Subsection (3) states:
“A person specified in regulations under subsection (2) must be—
(a) a public authority, or
(b) a person providing services to a public authority.”
The Government’s consultation set out that they intend to proceed with proposals to enable non-public sector organisations that fulfil a public function on behalf of a public authority to be in scope of the powers. They said, in response to their consultation:
“We will strictly define the circumstances and purposes under which data sharing will be allowed, together with controls to protect the data within the Code of Practice. We will set out in the Code of Practice the need to identify any conflicts of interest that a non-public authority may have and factor that information in the decision-making”.
It seems pretty comforting that the Government will strictly define the circumstances and clearly identify conflicts of interest. It is right that they do that, given that the majority of the respondents supported the proposals,
“as long as appropriate strict controls are in place to safeguard citizen data against misuse.”
Again, I quote from the Government’s consultation.
It is good to see the shadow Minister back in her place. She is making an excellent start to this section of the debate, pulling out many of the key issues. I am afraid that the ministerial team might not like the scrutiny that the process is supposed to provide—and essentially does. The point about transparency is critical and there is a confidential submission that points out that transparency does not prevent people from doing anything; it simply requires them to be accountable for what they do. We have recently seen the case of HMRC outsourcing to Concentrix the ability to collect tax credits. Data from another source were used, and we all know the damage that can be done when that is not done well.
I am grateful for that intervention. I am very aware of the Concentrix case and will come on to it shortly.
On the inclusion of non-public sector authorities and the Government’s intention to strictly define the circumstances and purposes under which data sharing with such organisations will be allowed, their statement of intent was clear. However, only one paragraph in the 101-page draft code mentions non-public sector organisations. That paragraph says that an assessment should be made of any conflicts of interest that the non-public authority may have but it does not give any examples of what those conflicts of interest might look like, so perhaps the Minister will elaborate on that when he responds. It states that a data-sharing agreement should identify whether any unintended risks are involved in disclosing data to the organisation—the risk regarding Concentrix was just highlighted—but the code of practice does not list any examples or set out how specified persons might go about ascertaining those. It also states that non-public authorities can only participate in a data-sharing agreement once their sponsoring public authority has assessed their systems and procedures to be appropriate for the secure handling of data, but it does not give any sense of what conditions they will be measured against or how officials should assess them.
That is not the kind of reassurance that was provided in the Government’s consultation response. Given that these are draft codes, I hope the Minister will take what I have said away and improve them, not least because of the recent scandal relating to the US multinational company, Concentrix, which was contracted by HMRC to investigate tax credit error and fraud. Concentrix sent letters to individuals—mostly working single mothers across the country receiving tax credits—in what was essentially a large-scale phishing exercise. Not only did it get things catastrophically wrong by cancelling benefits that it should not have cancelled and leaving working mothers destitute over many weeks and months in some cases, but it performed serious data breaches in sending multiple letters to the wrong individuals and disclosing personal information.
We have made it very clear that the Bill could have done with considerably more work before it was brought before the House. I understand that the civil servant who wrote part 5 has now left, or is on the verge of leaving, the employ of the civil service, so there is even more reason for us to work cross party and with expert organisations on improving the proposals.
As I have said, public trust in Government handling of data is not strong. Unfortunately, the public have not been given any reason to put their concerns to rest. The recent National Audit Office report, “Protecting information across government”, revealed the prevalence of weak controls on the protection and management of personal information in Government. Any continuation of the existing poor information management identified by the NAO, or the further weakening of cyber-security and data protection implied by part 5, is likely to have negative economic and social impacts.
As the Information Commissioner’s Office commented:
“It is important that any provisions that may increase data sharing inspire confidence in those who will be affected. Our research shows that the public are concerned about who their data is shared with and reflects concerns that they have lost control over how their information is used. Even apparently well-meaning sharing of data such as GP patient records for research purposes can arouse strong opinions.”
This is an important time to strengthen cyber-security and the minimisation and protection of data, which is why it is so important to get this part of the Bill right. A huge prize is on offer, but this has the potential of going the way of the care.data scandal. Frankly, it is astonishing that neither Ministers nor civil servants have learnt their lessons from that very regrettable episode, because there was absolutely nothing wrong with the principle of care.data either; it attempted to achieve exactly the kind of aims as the Bill’s reforms.
The idea was to create a database of medical records showing how individuals have been cared for across the GP and hospital sectors. Researchers believed that the information would be vital in helping them to develop new treatments as well as assessing the performance of NHS services. The records would be pseudo-anonymised, meaning that the identifiable data would be taken out. Indeed, they would just contain the patient’s age range, gender and the area they lived in. However, researchers could apply for the safeguards to be lifted in exceptional circumstances, such as during an epidemic. That would have needed the Health Secretary’s permission.
The concept had the backing of almost the entire medical community, many charities and some of the most influential patient groups. The UK’s leading doctors told us how access to so many NHS records would help them to understand the causes of disease, quickly spot the side effects of new drugs and detect outbreaks of infectious diseases.
The problem with care.data was that the advantages and the principles upon which the data would be shared were simply not communicated by the Government or by NHS England, and so it attracted the criticism of bodies as disparate as the British Medical Association, the privacy campaign group Big Brother Watch and the Association of Medical Research Charities. Such was the botched handling of the publicity surrounding care.data that, by April 2014, the launch was aborted. However, it emerged the following June that nearly 1 million people who had opted out of the database were still having their confidential medical data shared with third parties, because the Health and Social Care Information Centre had not processed their requests.
A review by the National Data Guardian, Dame Fiona Caldicott, found that care.data had caused the NHS to lose the trust of patients, and recommended a rethink. That prompted the then Life Sciences Minister, George Freeman, to announce that the scheme was being scrapped altogether, even though £7.5 million had already been spent on constructing a database, printing leaflets, setting up a patient information helpline and researching public attitudes to data sharing.
The Caldicott review established a set of Caldicott principles, with the primary one being that the public as well as the professionals should be involved in data-sharing arrangements. Dame Fiona Caldicott proposed a simple model that gives people the option to opt out of any of their information being used for purposes beyond care. She said:
“We made it slightly more complicated by saying it was worth putting to the public the choice of having two separate groups of information to opt out of – [those being] research and information used for running the health service. If you put all of the possible uses of data currently in the system together and asked people to opt in or out of that, it’s actually asking them to make a choice about a very big collection of information. [People] may want to have the possibility of saying, ‘Yes, I’d like my data to be used for the possibility of research, but I don’t want it to be used for running the health service’.”
She also made it very clear that the benefits of data sharing and what it means need to be communicated clearly to the public, as there is a lot of confusion around how the data are shared.
Absolutely nothing has changed since that disaster and the subsequent review, so it is concerning not to see those basic principles included in the Bill. I am interested to hear the Minister’s response to those principles laid out by the National Data Guardian. The public need to be able to trust organisations that handle their data and they need to retain control over those data. Both those things are essential to build confidence and encourage participation in the digital economy. The principles have been debated over the past several years at the European level, and we should be told here and now—today—whether the Government intend to implement the EU’s General Data Protection Regulation. If they are, why is the Bill not compliant with it?
The new EU GDPR and the law enforcement directive were adopted in May and will take effect from May 2018. The GDPR includes stronger provisions on: processing only the minimum data needed; consent; requirements on clear privacy notices; explicit requirements for data protection by design and by default; and on carrying out data protection impact assessments.
Although the Government’s arrangements for exiting the European Union have yet to be decided, it seems likely that the GDPR will take effect before the UK leaves, so the Government will have to introduce national level derogations prior to its implementation. If that is the case, there will have to be a thorough consideration of the impact of the new legal framework on all aspects of the Bill affecting data sharing, including implementation arrangements. Indeed, as the Information Commissioner said when giving evidence to the Committee two weeks ago:
“There may be some challenges between the provisions and the GDPR… There would be a need to carefully review the provisions of this Bill against the GDPR to ensure that individuals could have the right to be forgotten, for example, so that they could ask for the deletion of certain types of data, as long as that was not integral to a service.”––[Official Report, Digital Economy Public Bill Committee,
The GDPR states that data are lawfully processed only if consent has been given by the individual, which is completely lacking in this section of the Bill. It also gives data subjects the right to withdraw consent at any time:
“It shall be as easy to withdraw as to give consent.”
Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased or no longer used for processing.
Part 5 makes little mention of security or privacy, or how such data sharing will comply with obligations around informed consent and the ability to revoke consent. It is not explained, for example, how it will be possible for a citizen to revoke consent if data have been copied and passed on to third parties, particularly if it was done without their knowledge. Once digital data are held by third parties and no longer under the control of their original owner, it will be difficult to know who has a copy and equally difficult for a citizen to revoke consent to the access and use of such data.
In fact, the Bill makes no mention of consent at all, and the codes are clearly not designed to support a consent-based model. If that is not the case, we would be grateful if the Minister confirmed on exactly what principles the codes were designed and what principles should always be adhered to, in his opinion, when sharing data. In the consultation, the Government said that the following principles should apply:
“no building of new, large, and permanent databases, or collecting more data on citizens; no indiscriminate sharing of data within Government; no amending or weakening of the Data Protection Act; and safeguards that apply to a public authority’s data (such as HMRC) apply to the data once it is disclosed to another public authority (i.e. restrictions on further disclosure and sanctions for unlawful disclosure).”
If the Government hold those principles so dear, why were they not included in the Bill? Where are the principles for transparency, security, necessity, data minimisation and proportionality?
Further issues with the lack of safeguards in primary legislation include the fact that privacy must only be considered; it is not a right. There is no reference anywhere to the role of data protection officers, who are critical for public bodies; that is surely an oversight given the requirements on data protection officers in the general data protection regulation. There is also no mention at all of transparency, which is particularly conspicuous by its absence. The Bill completely lacks any requirement for transparency about what data flows already exist and what new ones will be established. Care.data was only an exception insofar as it hit the public domain first.
We will table a new clause later in the Bill that will make transparency mandatory in a public register of data sharing agreements. Full transparency helps build trust in the process, so the details do not matter. If there is no transparency, there can be no trust in the process. Transparency must be absolutely central to the process, alongside privacy and security. We would argue that it is the most important principle on which the proposals should be built.
The Government seemed to agree during the public consultation and design of their proposals, but I am afraid that we simply do not trust the Government’s current data practices, if the concerns raised by ex-Government employees tasked with improving those practices are anything to go by. Last summer, the Government Digital Service experienced a mass walkout over the Cabinet Office’s failure to get to grips with Government digitisation. We heard from the former head of that service during an evidence session about his deep concerns about the proposals. Those concerns were expressed by an individual whose job it was to promote data sharing around Government to improve public service delivery.
We want the Government to produce a register on data sharing arrangements. We are pleased to see audits mentioned in the codes of practice, but I do not believe that they would actually be possible, based on the current practices that abound across Government. A named day question was asked of the Cabinet Office last week about whether it had an audit of the data sharing arrangements across Government. Although the deadline for the answer to that question was yesterday, we have yet to hear whether the Government even know who is sharing what across Government, how they are doing it, why they are doing it and how the data are being secured and protected—never mind what ISDN lines run to each Department, enabling other agencies, other organisations and perhaps even other Governments to look up data held by Government.
We will come back to those points during later debates, but I hope that the Minister can assure us, in relation to clause 29, that he is getting a grip on the issue, particularly given the significant new powers that the clause imparts to the Government. The Government consultation said:
“Transparency was a key recurring theme raised by citizens and representatives from across the range of sectors. The view expressed was that trust could be built by ensuring that citizens could understand what data was being accessed, how it was being used and for what purposes.”
However, the public have not yet even seen the draft codes of practice, as they have not been made available on the parliamentary or Government websites. It puts the more than two-year consultation process to shame that we cannot even invite debate from the public on this vital part of the Bill. Ministers claim that the legislation resulted from the open policy-making process, but we heard from several witnesses that that was not actually the case. Many were surprised, to say the least, by the proposals published in the Bill, as they bore no relation to the discussions or proposals put before them as part of that process. One organisation’s written evidence is incredibly damning. It states:
“The Cabinet Office misled everyone involved, wasted a vast amount of time and goodwill, and went ahead with doing what they were going to do anyway. At the very last minute, they vastly expanded the scope of the work, with the only material provided in non-aural form being the presentation title and the department of the civil servant presenting. The process ignored the hard problems, and did whatever the Cabinet Office wished to do in the first place.”
Order. May I gently assist the hon. Lady by saying that I am not sure she has referred to her amendments much yet? She is making an excellent clause stand part speech. This will certainly now be the clause stand part debate, but it might help the Committee if she came on to her amendments as soon as possible.
Of course. Thank you very much, Mr Streeter.
Our amendments would ensure that the codes of practice, which have been vastly improved over the past week, are statutory. It is important that the principles and safeguards outlined so far are included and are statutory. That is what I have been alluding to so far in my speech. It seems pointless for civil servants to have put all this work into the codes for them merely to be regarded, rather than statutorily complied with. The codes must be improved further, and we hope that Ministers and officials will work with the industry and organisations to do just that, but we want to see them referenced properly in the legislation and properly complied with. Anything less means that the powers enabled in the clause dwarf any safeguards or checks included in the codes.
Amendment 99, in my name and that of my hon. Friend the Member for Cardiff West, would help to build trust in the Government’s data-sharing provisions—trust that has been rocked over a number of years. That trust is absolutely essential if this extension of the Government’s data-sharing powers is to be effective. It is worth noting again that the draft regulations allow a significant extension of data-sharing powers with a significant number of Departments. That extension is rightly set within defined and strict criteria, but some of the definitions contained within those criteria are at best vague.
Subsection (8) of clause 29 allows for the sharing of data if it is of defined “benefit” to the individual or households. Subsection (9) allows for the sharing of data if it
“has as its purpose the improvement of the well-being of individuals or households.”
While the extension is ostensibly for tightly defined reasons, those reasons are in fact so broad that they could refer to anything at all.
We again come back to the point about public trust. The public want to know why their data are being shared and that it is strictly necessary. Amendment 99 would help build that trust by ensuring that, under clauses 29, 30 and 31,
“the sharing of information authorised by the regulations is minimised to what is strictly necessary…the conduct authorised by the regulations to achieve the “specified objective” is proportionate…” and that
“a Privacy Impact Assessment…has taken place”.
The amendment would require the Minister to establish a review that consults the Information Commissioner and the public on the effectiveness of the measures. The amendment would require the Minister, after a three-year period, to review the operation of these provisions to decide whether they should be amended or repealed.
A similar measure is included in the Bill in the provisions relating to data sharing for the purposes of the collection of public debt, so it is puzzling that it is not included in this part, too, as these provisions are so much broader and just as risky, if not riskier. Individuals are right to be anxious about their sensitive data being shared. The amendment would allow for the public to be reassured that their data are being handled within the strictest confines.
Amendment 96 would give individuals a right to access and correct their own data. Empowering citizens to have access to and control over their own personal data and how they are used would clearly help improve data quality. Citizens could see, correct and maintain their own records. Data need to work for people and society. Citizens need to be actively engaged in how their data are secured, accessed and used. Again, that needs to be put on the face of the Bill.
Part 5 does not make clear how proposals to data share comply with the Government policy of citizens’ data being under their own control, as set out in paragraph 3 of the UK Government’s technology code of practice. Indeed, the proposals appear to weaken citizens’ control over their personal data in order for public bodies and other organisations to share their data. Weakening controls on the protection of their data is likely to undermine trust in the Government and make citizens less willing to share their data, challenging the move towards digital government and eroding the data insights needed to better inform policy making and related statistical analysis. That type of organisation-centred, rather than citizen-centred, approach characterised the failure of the top-down imposition of care.data in the NHS. That is why we tabled these amendments.
It is an honour to serve under your chairmanship, Mr Streeter, and to be standing here making my Committee debut. The hon. Member for Sheffield, Heeley is obviously new to the business as well, and I hope to follow her example. She has been gracious and proportionate in holding the Government to account. I hope we can have a full and frank exchange—hopefully, a rapid one—as we move through part 5.
The Government share information every day. Like every organisation, we rely on information to deliver the support and services that everybody relies on. These proposals will not do anything radical. They are simple measures designed to provide legal clarity in uncontroversial areas. The hon. Lady said that the Bill’s objectives are too broad, but I am afraid I disagree. We have made available draft regulations that set out three clear objectives, which are constrained and meet the criteria. I believe it is possible to strike a balance between the regulations and the evidence to set out specific objectives on identifying individuals and households that have multiple disadvantages, improving fuel poverty schemes and helping citizens retune their televisions when the broadcasting frequency is changed in a couple of years’ time.
The hon. Lady mentioned some specific examples. I want to turn to the fuel poverty schemes. When we look at those several years down the line, I genuinely believe that we will be proud to have sat here and legislated in a Committee that introduced data-sharing measures that enable, for instance, a significant number of vulnerable people to benefit from the warm home discount scheme. At the moment, about 15% of warm home discount scheme recipients are classed as fuel poor, according to the Government’s definition. By utilising Government-held data on property characteristics to benefit the recipients, we estimate that that figure could be at least tripled. That could mean that an additional 750,000 fuel poor households receive a £140 rebate off their electricity bill each year.
We know that some vulnerable households miss out on the warm home discount because they need to apply and they either do not know the scheme exists or, for one reason or another, are unable to complete an application. Our proposed changes could result in the majority of the 2.1 million recipients receiving the rebate automatically. It will come straight off their energy bills without the need to apply. That is simply an extension of the data-sharing measures that already exist in the Pensions Act 2014 for pension credit. It is evolution, not revolution.
That example clearly sets out how we will require data to be shared among Government organisations and for there to be a flag to suppliers of eligible customers. In that instance, we will require the suppliers to use data only to support customers. Each objective will require a business case setting out the purpose and participants, which will be approved by Ministers and subject to parliamentary scrutiny.
I note that we are debating clause 29 stand part as well as the amendments, so after talking generally about part 5, let me move on to the clause. I believe that these powers do not erode citizens’ privacy rights. They will operate within the existing data protection framework. The new powers explicitly provide that information cannot be disclosed if it contravenes the Data Protection Act 1998 or part 1 of the Regulation of Investigatory Powers Act 2000. Further, they are carefully constrained to allow information to be shared only for specified purposes and in accordance with the 1998 Act’s privacy principles.
The new codes of practice, which the hon. Lady mentioned—I have been assured that they are on the parliamentary website—have been developed to provide guidance to officials in sharing information under the new powers in respect to public service delivery, fraud and debt, civil registration, research and statistics. The codes are consistent with the Information Commissioner’s data sharing code of practice. Transparency and fairness are at the heart of the guidance. Privacy impact assessments will need to be published, and privacy notices issued, to ensure that citizens’ data are held transparently. I was delighted that the Information Commissioner wrote to the Committee on
“Transparency is key to building people’s trust and confidence in the government’s use of their data. I am pleased to see that further safeguards such as references in some of the codes to the mandatory implementation and publication of privacy impact assessments (PIAs), and reference to my privacy notices code of practice, have been highlighted in the Bill’s codes of practice.”
The Information Commissioner also said that she wanted the privacy impact notices to be included in the Bill, and the codes to be explicitly subordinate to her code on data-sharing practices. Will the Minister confirm that those codes are indeed subordinate? Will he also explain why the codes are not included in the Bill if they are so central to the process?
I will come to the second point later. On the Information Commissioner’s desire to include privacy impact assessments, it is clear to me from her letter that she is now content with the situation as it stands:
“I am content that the codes all now reference and better align with the guidance on sharing personal data set out in our statutory code and include effective safeguards to protect people’s information.”
The Information Commissioner was referring to the codes being improved since she gave evidence to the Committee. Later in that letter, which I think the Minister has in his hand, she goes on to say that she stands by the other evidence, both the oral evidence that she gave the Committee and her written evidence, which included her view that privacy impact notices should be in the Bill.
The Information Commissioner also mentions that, on privacy impact assessments and with reference to her privacy notices code of practice:
“This will build in transparency at two levels:—”
in the current situation—
“greater accountability through the publication of PIAs and timely and clear information for individuals so they can understand what is going to happen to their data.”
The Government remain committed to working with the Information Commissioner’s Office. When it came to the evidence sessions, I was aware of the fact that we had a long process discussion around the codes of practice and when their publication dates were due. It was very important for me, as a Minister, to ensure that we had the confidence of the ICO going forward and that we could publish those draft codes. We will continue those conversations.
When looking at putting the codes or privacy impact assessments in the Bill, it comes back to the key point of being able to continue that conversation when it comes to a transformational technology that we may not even know exists at the moment and that may radically change our ability to look at how we data share. At the moment we are looking at specified portals through which we will data share for the benefit of the most vulnerable in society, but there may be a new technology that allows the Government to expand our scope. If that new technology comes into being and we write the codes and privacy impact assessments into the Bill, we will have the chilling effect of ossifying the practice; it will impact on our ability to adapt and to be able to look at new technology, to move fast and to realise the opportunities that we may have to data share for the benefit of the most vulnerable in society.
I completely agree that we should not tie ourselves down in the Bill, particularly to technology. It came through loud and clear from the evidence sessions that part 5 seems to tie us to a very outdated approach to data sharing. It does not talk about data access; we heard that an awful lot in the evidence sessions. The Bill goes against the Minister’s own guidance on that. We should look not at bulk sharing, which takes us back to when we had filing cabinets or were sending across spreadsheets and databases on USB sticks, but at using application programming interfaces and canonical datasets, on which the Cabinet Office is leading the way. I would appreciate it if the Minister commented on that.
The hon. Lady highlights the argument I am trying to make, which is that the data-sharing measures in the Bill are proportionate, constrained and there to ensure that we can bring public confidence with us, which she mentioned. That is why we have highlighted specific portals through which we will be able to share Government information across Departments. In future, there will be secondary legislation powers to review and expand that, but there will be a whole process for which we need scrutiny.
That is why the Bill is so important: by highlighting how we can help those most in need and how, when it comes to data and consent, some people are in circumstances, by virtue of being in deprived communities or particularly vulnerable, of not knowing that they can benefit from their data being shared. It is the Government’s responsibility to act in this particular area to ensure that data are shared for the benefit of the most vulnerable. That is why the Bill is designed as it is. We have the secondary regulations in place, limited as they are at the moment, going through impact assessments and everything that we need to ensure that we have a proportionate response to sharing data.
I fully appreciate what the hon. Lady said but I hope that she will accept that the Government have pulled out all the stops to ensure that we can take public confidence with us. That is why, for instance, under clause 33, new criminal sanctions have been developed to protect information shared under the new powers in respect of public service delivery, fraud, debt and research, so those convicted of offences could face a maximum penalty of up to two years’ imprisonment for illegal data sharing, a heavy fine or both.
No statutory restrictions that currently exist on sharing of data, such as in the Adoption and Children Act 2002, will be affected by these data measures. When it comes to audits, which the hon. Lady mentioned, data-sharing agreements entered into under the power will set out a governance structure of how audits will take place. This structure will oversee the arrangement and what participating bodies are required to do under data sharing. The Information Commissioner’s Office also has a general power to conduct audits, including compulsory audits of Departments and organisations to check that they are complying with the law in relation to the handling of personal information. All bodies are required to comply with the ICO’s request for assistance so that it can determine whether data have been processed lawfully in data-sharing arrangements. The ICO can pursue criminal proceedings where necessary.
Will the Minister confirm that every Department that undergoes a data-sharing arrangement will complete a full audit of all data-sharing arrangements in that Department? Will that be available under the Freedom of Information Act?
On the individual point of audit, I will have to write to the hon. Lady. I will further consider her amendments and speak about them when we discuss three-year reviews. I want to ensure that bodies sharing information under the public service delivery power, for instance, strictly observe and follow codes of practice. Although I welcome the intention of the amendments, I think they are unnecessary. The Bill sets out the key conditions for disclosing and using information, including what can be shared by whom and for what purposes. We followed the common approach taken by the Government to set out details of how data are shared in the code of practice.
I want to return to the hon. Lady’s question of whether we use “have regard to” or “comply with”. The wording, “have regard to” already follows common practice in legislation, as illustrated in section 25 of the Immigration Act 2016 and section 77 of the Children and Families Act 2014. As the power covers a range of public authorities and devolved territories we want the flexibility that I mentioned about how the powers are to be operated, so that we can learn what works and adapt the code as necessary. To put it into the Bill, as I mentioned, would hamper that ability to adapt for future purposes. If bodies fail to adhere to the code, the Minister will make regulations that remove their ability to share information under that power, as is indicated, indeed, in part 11 of the code of practice, which states:
“Government departments will expect public authorities wishing to participate in a data sharing arrangement to agree to adhere to the code before data is shared. Failure to have regard to the Code may result in your public authority or organisation being removed from the relevant regulations and losing the ability to disclose, receive and use information under the powers”.
Amendment 106 requires the Minister to run a public consultation for a minimum of 12 weeks before issuing or reissuing a code of practice. The code of practice is essentially a technical document that sets out procedures and best practice with guidance produced by the ICO and Her Majesty’s Government. Clause 35 requires the Minister to consult the Information Commissioner and other persons, as the Minister thinks appropriate. I think that that strikes a good balance. Indeed, as I mentioned, we have been working closely with the ICO to ensure that there is confidence in the codes and the Information Commissioner states:
“I am pleased to report that significant progress has been made since my evidence session and I am content that my main concerns about the codes have now been addressed”.
I think it is very important to put that on record.
I welcome the Minister to his place. He comes across, to me, as rather bullish now, despite the damning evidence we heard over a very condensed couple of days. Does he think that he has cracked it now, that these codes of practice are all fit for purpose and that we should be sufficiently reassured?
The codes of practice remain in draft form and obviously we are in Committee having a discussion around the nature of what is in the codes of practice. We had criticisms last week of, “Where are the codes of practice?” We were still in the process of a conversation about the codes of practice with the Information Commissioner’s Office to ensure that the Information Commissioner was content. If she is content with the codes of practice as they currently stand, I am not one to go against the ICO. I am not saying that that is a form of complacency, although maybe the hon. Gentleman is, but I trust the ICO’s decision and am confident in its ability to deliver on the codes as they currently stand.
I thank the Minister for that mildly reassuring answer that the codes of practice are a work in progress. We welcome that, but in the spirit of helping improve them, I hope that he will consider some of the feedback from Big Brother Watch, which I thought gave the Committee excellent advice. Although Big Brother Watch recognises that the draft codes published by the UK Statistics Authority on research and statistics are detailed and comprehensive, it says that the draft codes published by the Cabinet Office and the Home Office are the polar opposite, offering very little detail or clarity.
The codes are quite extensive in terms of being able to provide the material information that is there. They have gone through an extensive process. Although we had evidence from certain critical witnesses drawn by Opposition Members, there was also significant support for data-sharing measures and the ability to have flexibility through the codes.
As for considering how to go forward, the codes are now published—the hon. Gentleman can read them for himself—and the ICO is now content with the codes. That is a great position from which the Government intend to move forward. In terms of whether the codes are comprehensive, it is set out that the Government have a duty to consult the ICO and territorial Ministers. That is important, and we are following a process and a journey over which the Bill has been developed for a number of years. We are content that we are on track.
I welcome the intention of amendment 99 that only the minimum and necessary information is shared under the power to achieve the objective. The principles are set out in the Data Protection Act 1998. The public service delivery power will need to operate in compliance with the 1998 Act. The principle of data minimisation is also strongly embedded in the code of practice, to which specified persons who use the power must have regard.
In addition, the public service delivery power is intended to act as a more conventional gateway to allow public authorities to share information without the need for central oversight by Whitehall. It is important to reflect on that. Rather than having the dead hand of Whitehall overlooking a measure that should allow for local flexibility and local freedom, we expect a large number of local authorities to use the power to deliver their troubled families programmes. A central monitoring power could impose significant resourcing burdens, which we felt were unnecessary given the intended positive outcomes for citizens. On that basis, we feel that the amendment is unnecessary.
Amendment 95 intends to modify the definition of “personal information”. The definition in the Bill is consistent with section 39 of the Statistics and Registration Service Act 2007, which relates to the confidentiality of personal information. It has been drafted with that consistency in mind. The amendment proposes a definition that includes a vague group of persons. We believe it unsuitable because of its vagueness, and it risks causing confusion.
Amendment 96 requires that data subjects be allowed to request and correct as necessary personal information relating to them that is disclosed under the public service delivery powers. The amendment is unnecessary because the data subject already has those rights under the Data Protection Act 1998. In addition, the impact of such an amendment on public authorities would be significant. An assessment would need to be made of how many requests could be made to public authorities, and of the resulting resourcing requirements in terms of staff and any supporting technical infrastructure. Work would also need to be carried out to ensure that we can verify the identity of individuals requesting access to data and assess the risk of corrections and modifications to data held being made for the purposes of committing fraud.
I understand the intention of the amendments, and I hope that the hon. Member for Sheffield, Heeley will understand that the Government believe that progress has been made, as well as provision for ensuring that the sharing of data is proportionate. The regard for individuals’ privacy is central to the Bill and is set out in the code of practice, and the Government have put in place measures to work with the ICO and other civil society groups on that. I urge her to withdraw the amendment.
I want to make a small point about part 5, chapter 1, clause 29. There is one small glaring omission that the Government ought to look at and which has been raised by my local authorities. In Hyndburn, we have what the Minister will understand as a two-tier authority. We have a district council and a shire council as opposed to, in metropolitan areas, a unitary council. The Minister is probably wondering where this is going: when light is thrown on an example, some of the problems begin to be seen.
My shire authority wanted to increase the uptake of free school meals but a lot of the data on constituents in the borough of Rossendale and the borough of Hyndburn, which I represent, are held by the local district authority. That includes data on council tax benefit, housing benefit and numerous other small interventions carried out by the district council. A unitary council does not have that problem. It can share data and resolve such problems. It can identify people and send out public information to potential recipients—beneficiaries—of free school meals, who trigger the pupil premium.
I will give an example of how that problem is inflated. We currently have free school meals for everyone aged between four and seven, so parents see no reason to come forward and register their children for the meals, which then does not trigger the pupil premium. In a unitary authority, relevant information in other council departments would be readily available, but in my two-tier authority, the chief executive of Lancashire county council says to me, “We want to increase the uptake of free school meals, particularly for four to seven-year-olds, because we want to trigger the pupil premium, but we can’t find potential recipients. We have some data on people who may use some of our services and may be entitled and some people who we could disseminate public information to, but there is a whole tranche of people we can’t see—we are blind to them, they are just not on our radar. There is no scope for us to see who they are.” That is because, of course, it is Hyndburn borough council and Rossendale borough council that have an interface with those people—they come into their offices regarding a plethora of issues—and those people may well benefit from free school meals. In this case, however, they will not benefit if their children are aged between four and seven so, again, they are not likely to see the connection.
My upper-tier authority, Lancashire county council, cannot access the relevant information that my local authority, Hyndburn borough council, has, but a unitary authority does not face that issue. That is not fair or reasonable. It is not conducive to public policy. It is not reaching the target audiences that the Government themselves want to reach. This Government brought in the pupil premium and they want to push that policy, yet the absence of data sharing between upper and lower-tier authorities prevents Government policy from being pursued and creates an unfair situation.
So I left my chief executive’s office at Lancashire county council and travelled the distance to meet the chief executive of my local district council, who fully understood the problem, and we were able, in some way, to get that public information out to the relevant people. There was no direct contact, however, and those issues are problematic when they should not be. I believe that the Government should look at the clause, and look at that inequity. It is not right. It is not good for the delivery of public policy. Clearly, it creates barriers to reaching some people while others can be reached. The Government ought to come back with something that exempts local authorities, because without a shadow of a doubt there should be parity between unitary authorities and two-tier shire and upper county council districts.
I hope the Government come back and create that level playing field—that parity of opportunity—for the Government to be able to pursue their own policies through local government mechanisms without this barrier impinging on those very same Government policies, which are probably not reaching the people they ought to reach because of this inequity and this element that is missing from the Bill.
I ask the Minister to take a deep look at this issue, to create parity and to bring forward something that will bring my two local authorities together and not create a barrier between the two, and certainly not create this iniquitous situation whereby unitary authorities are able to deliver these public services but my two chief executives cannot deliver them to the very people who ought to be receiving them.
To respond to the hon. Gentleman on his specific point, we will update the lists of bodies able to share information of the public service delivery power, and the PSD power allows for new objectives to be added by regulations if they meet the conditions specified in primary legislation. So the issue of the pupil premium, which he mentioned, may be one of the many worthy purposes for which new objectives could be created.
I would like also to draw the hon. Gentleman’s attention to the disclosure of information in the draft regulations, which I hope will reassure him. Paragraphs 21 and 22 of schedule 1 to the Bill refer to the organisations that will be sharing data, or that will be permitted to do so once they have applied to do so, including the county councils of England, the district councils in England and even the council of the Isles of Scilly. We recognise that there is that local government fracture that he mentioned and we hope that when it comes to data-sharing measures we will be able to heal that.
It was disappointing not to hear the Minister mention the General Data Protection Regulation and explain why this legislation has not been written in compliance with it, or my points about non-public sector authorities. I hope that he can return to those issues later in his remarks.
On the point about the Information Commissioner, in her evidence she supported statutory codes of practice. She also recommended that Parliament should review all aspects of data-sharing, and not just the clauses relating to fraud, after an appropriate time, which is what informed our amendment.
As our amendment says, we would also like the codes to make it clear that good cyber-security practice should not be about data sharing and that it should be about leaving the data with their original owner. I hope that the Minister will return to those issues when he comments on later stages of the Bill.
With that in mind, I beg to ask leave to withdraw the amendment.