Disclosure of information to reduce debt owed to the public sector

Digital Economy Bill – in a Public Bill Committee at 12:00 pm on 27th October 2016.

Alert me about debates like this

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy) 12:00 pm, 27th October 2016

I beg to move amendment 190, in clause 40, page 39, line 21, leave out “have regard, in particular, to” and insert “must comply with”.

With this it will be convenient to discuss the following: amendment 191, in clause 44, page 42, line 8,  leave out “have regard to” and insert “comply with”.

Amendment 192, in clause 52, page 49, line 8, leave out “have regard to” and insert “comply with”.

Amendment 193, in clause 60, page 55, line 20, leave out “have regard to” and insert “comply with”.

Amendment 194, in clause 67, page 66, line 15, leave out “have regard to” and insert “comply with”.

Amendment 198, in clause 82, page 80, line 18, at end insert

“and only after the codes of practice required under sections 35, 44, 52 and 60 have been approved by a resolution of each House of Parliament.”

New clause 35—Public register of data disclosures—

‘(1) No disclosure by a public authority under Part 5 shall be lawful unless detailed by an entry in a public register.

(2) Any entry made in a public register under subsection (1) shall be disclosed to another person only for the purposes set out in this Part.

(3) Each entry in the register must contain, or include information on—

(a) the uniform resource locator of the entry,

(b) the purpose of the disclosure,

(c) the specific data to be disclosed,

(d) the data controllers and data processors involved in the sharing of the data,

(e) any exchange of letters between the data controllers on the disclosure,

(f) any other information deemed relevant.

(4) In this section, “uniform resource locator” means a standardised naming convention for entries made in a public register.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

These are further amendments tabled by my hon. Friend the Member for Cardiff West and me to make the codes of practice, on which officials have obviously worked so hard and which were developed in consultation with the Information Commissioner, legally binding. With your permission, Mr Stringer, I will come to specific issues about the data-sharing measures and fraud during debate on clause stand part.

I appreciate what the Minister said about sanctions being enforced on those authorities that do not have regard to the code of practice, but it says on the front page of the code:

“The contents of this Code are not legally binding”; it merely

“recommends good practice to follow when exercising the powers set out in the Bill.”

That is not really a strong enough message to send to officials and all those involved in data-sharing arrangements. I would be interested to hear examples from the Minister of when it would be considered reasonable not to follow the code, as I assume that that is why he does not want to build it into primary legislation. I know that he will tell me that his real reason is that he wants to future-proof the codes. That is all well and good, but the Bill is already outdated. One witness wrote to us in evidence:

“Part 5 seems to imply an approach to ‘data sharing’ modelled on the era of filing cabinets and photocopiers when—quite literally—the only way to make data available to others was to send them a duplicate physical copy. Modern technology has already rendered the need for such literal ‘data sharing’ obsolete: data can now be used without copying it to others and without compromising security and privacy.”

Furthermore, data sharing is not defined, either legally or technically, in the Bill or in the codes of practice. Does data sharing mean data duplication—copying and distribution—or does it mean data access, or alternatives such as attribute exchange or claim confirmation? These are all quite different things, with their own very distinct risk profiles, and in the absence of any definition, the term “data sharing” is ambiguous at best and potentially damaging in terms of citizens’ trust, cyber-security and data protection. Let me give an example: there is a significant difference between, and different security risk associated with, distributing personal information to third parties, granting them controlled and audited one-time access for the purpose of a specific transaction, or simply confirming that a person is in debt or is or is not eligible for a particular benefit, without revealing any of their detailed personal data.

What is more, there is no reference in the clause to identity and how officials, citizens, or organisations, or even devices and sensors, will be able to prove who they are and their entitlement to access specific personal data. Without this, it is impossible to share data securely, since it will not be possible to know with whom data are being shared and whether they are an appropriate person or organisation to have access to those data. Security audits, of who has accessed which data, when and why, require a trusted identity framework to ensure that details of who has been granted access to data are accurately recorded. Presumably, it will also be mandatory to implement good practice security measures, such as protecting monitoring, preventing in real time inappropriate attempts at data access, and flagging such attempts, to enable immediate mitigating action to be taken.

As I said on Tuesday, all these details are moot, as are the codes of practice and indeed the Information Commissioner Office’s excellent code of practice, if the existence and detail of data sharing is not known about to be challenged; hence the need for a register, as set out in new clause 35. That is why we have tabled our amendments and we would like the Minister to give serious consideration to the inclusion of these important principles and safeguards in the Bill. We are not talking about detailed regulations, we are certainly not talking about holding back technological advances, and we are not talking about the “dead hand of Whitehall”, as the Minister said on Tuesday. We are talking about vital principles that should be in primary legislation, alongside any new powers to share information. The most important of those principles is transparency, which is exactly what new clause 35 speaks to. It would require public authorities to enter in a public register all data disclosures across Government.

The Minister did not know the detail of the audits that are mentioned in the codes of practice. We really need more detail on those audits, as it may well satisfy us in our request for this register. Will all data-sharing agreements be kept in a single place in each Department, updated as data are shared and disclosed across Government, with Government agencies and with non-public sector organisations? Will these additional agencies keep similar audits and—crucially—will those audits be publicly available? Also, will the audits include the purpose of the disclosure, the specific data to be disclosed, how the data were transferred, how the data are stored and for how long, how the data are deleted at the end of that time frame, what data controllers and processors are involved in the sharing of that data, and any other restrictions on the use of further disclosure of that data?

If we have, in a single place, data-sharing amendments, as this amendment would establish, the public can see and trust how their data are being used and for what purpose. They can understand why they are getting a letter from Concentrix about Her Majesty’s Revenue and Customs, or why they have been targeted for a warm home scheme, and—crucially—they can correct or add to any information on themselves that is wrongly held.

Photo of Drew Hendry Drew Hendry Shadow SNP Westminster Group Leader (Transport)

Does the hon. Lady agree that, if there is an opportunity to access a proactive notification service that indicates to the member of public that their data are being used and for what purpose, that should be included in any future consideration of this matter?

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

I completely agree, and I believe that the gov.uk Notify service would be an excellent means by which to go about that. I hope that the Minister will consider it.

Photo of Graham Jones Graham Jones Labour, Hyndburn

My hon. Friend is making a valid point, which I referenced in my point about getting on the bus and the destination. She is suggesting that individuals have rights to own their information; there is a register that they could accept. This is the journey that we have to make. It is about empowering the individual. My hon. Friend is making a powerful point. I am pleased that the Opposition are making this point, because it needs to be made. The future will be about individual ownership of information. I hope that my hon. Friend prosecutes the argument as well as she can.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

The point is vital and it is the point that was made earlier in our proceedings. Unless we get this right at this stage, it will become a scandal that the Government will then have to deal with and it will hold back progress on sharing data, as we saw with the care.data scandal. We do not want to see the Government embroiled in another scandal like that and we hope that they heed our warnings in order to avoid one in the future.

The objective behind the register is that it could be considered an amnesty for all existing data-sharing projects, with the disclosure assisting understanding of the problem and improving public trust. Let us not kid ourselves that the Bill covers the only data sharing that happens across Government. In a recent interview with Computer Weekly, the new director of the Government Digital Service, Kevin Cunnington, said:

“The real work is going on in”

places such as “Leeds and Manchester”—I would disagree with him on that point for a start, because we are not fans of Leeds in Sheffield—

“as well as London. We need to be part of that. The example I use is where DWP now runs a whole set of disability benefits. It would be incredibly helpful if DWP had selected and consensual access to some of”—

those people’s—

“medical data. Right now, NHS Digital and DWP are having that conversation in Leeds and we’re not in the conversation. Why wouldn’t GDS be in a conversation like that? If we’re going to be, we’ve got to be in Leeds—we can’t do that from here.”

We know that that conversation is happening between the DWP and the NHS—despite assurances that sharing of health and social care information is not happening across Government—only because a random official mentioned it in a random interview, so I ask this question again: does the Minister have an audit of data-sharing agreements and arrangements across Government, or is it the case, as I fear it is, that not only do the public not know which data are shared across Government, for what purpose and how they are stored, but Ministers do not know either?

Photo of Calum Kerr Calum Kerr Shadow SNP Westminster Group Leader (Environment and Rural Affairs), Shadow SNP Westminster Group Leader (Digital)

The hon. Lady is making an excellent point. What this cuts back to is the underlying theme of transparency. Rather than the Government acting in a paternal way—“We’ll do what is best for the citizens”—they should be transparent and make it clear to citizens why and where data are being used.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

That is exactly the kind of attitude that underpins these elements of the Bill: “Trust us. We’ll sort it out. Give us your data. No problem. We’re going to share them freely and fairly.” The Government may well do. The problem is that the public do not have that trust in them. As I said on Tuesday, this is not a party political point. The previous Labour Government were not up to scratch in handling data either. This is not a party political attack at all. It is a genuine attempt to get these proposals in the best shape possible, to aid Government digitisation and deliver efficient public services.

Just as the Government give taxpayers a summary of how their tax money has been spent so they should give citizens information on how they have used data on them. If there is transparency through a register, there can be an informed conversation about whether a data disclosure will solve the problems that it claims to. There has been data sharing to prevent fraud for decades and a complete absence of audited and accurate results from that work. Arguing that current data sharing has not prevented fraud and so there should be more data sharing equates to doing the same thing over and again and expecting a different result.

The amendment is vital to restore and build on public trust in the Government handling of data. It is not in my nature to call on my constituents to trust this Government, but if they enacted the amendment, I absolutely would. I would be able to tell my constituents in good faith that they were right to trust their data to this or any future Government, because they and the data community could see exactly how and why their data were being used and exert some control over it. If the Government do not heed this lesson now, I am afraid that they will learn the hard way when things go the way of care.data or worse, as they inevitably will.

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office) 12:15 pm, 27th October 2016

I thank the hon. Lady for her speech, and I appreciate the caution with which she approaches the subject. We have been determined that our definition of data sharing should be in the ICO’s code of practice, and we have adopted that definition in our own draft code. We will comply with ICO’s best practice, which of course means keeping careful records of all data-sharing agreements. We already keep registers of data sharing by Department, and they are FOI-able. We need to take public confidence with us. We will not allow data to be shared with a public authority that does not have appropriate systems in place.

To reassure those whom the hon. Lady seeks to assure that their data can be shared without any compromise to individual security, I will take a journey through the data sharing code of practice. When we come to establish some of the fraud elements, it will be an incremental process. Debt and fraud data-sharing pilots will be set up, and the UK Government are establishing a review group to oversee UK-wide and England-only data sharing under the fraud and debt powers. The review will be responsible for collating the evidence that will inform the Minister’s review of the operations powers as required under the Bill after three years. Devolved Administrations will establish their own Government structure for the oversight of data-sharing arrangements within their respective devolved territories.

Following that, a request to initiate a pilot under the debt and fraud powers must be sent to the appropriate review groups in the territory, accompanied by a business case. The business case must detail its operational period, the nature of the fraud and debt recovery being addressed, the purpose of the data share and how its effectiveness will be measured. Absolutely rock-solid requirements need to be put in place. For instance, the public service delivery debt and fraud powers require a number of documents to be produced as part of the case for a pilot.

Those documents will be a business case for the data-sharing arrangement, which can be collated by all the organisations involved; data-sharing agreements; and a security plan. Furthermore, as part of any formal data-sharing agreements with public authorities that grant access to information, security plans should include storage arrangements to ensure that information is stored in a robust, proportionate and rigorously tested manner and assurances that only people who have a genuine business need—

Photo of Graham Jones Graham Jones Labour, Hyndburn

The Minister is making an argument to which I would extend my previous comments. He is arguing that there will be security because we will have a data repository—it will inevitably be a single data repository—with secure firewalls around it. However, the architectural principle for which he is arguing is that all data will be kept in one place. From a security perspective, that is the most dangerous way to store data. To return to why Estonia leads the world, there is a distribution—

Order. That is an intervention. I am quite happy if the hon. Gentleman wants to catch my eye, but interventions should be short. I have been very lenient with that one.

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office)

To return to the security angle, we must have assurances that only people with a genuine business need to see the personal information involved in a data-sharing arrangement will have access to it; confirmation of who will notify in the event of any security breach; and procedures in place to investigate the cause of any security breach. Paragraph 104 of the code suggests:

“You should ensure that data no longer required is destroyed promptly and rendered irrecoverable. The same will apply to data derived or produced from the original data, except where section 33 of the DPA applies (in relation to data processed for research purposes).”

At all times, we want to ensure that public confidence is taken forward with the pilots. They will be put in place only once all the boxes have been ticked. Paragraph 108 of the code states:

“You should make it easy for citizens to access data sharing arrangements and provide information so that the general public can understand what information is being shared and for what purposes. You should communicate key findings or the benefits to citizens derived from data sharing arrangements to the general public to support a better public dialogue on the use of public data.”

Security is not discretionary. Amendment 190 would not reinforce that requirement. It is not a question of compliance with systems in place. Instead, there must be adequate systems in place and Ministers must have regard to those systems to ensure they meet the essential security specifications that the Government demand.

Amendments 191 to 194 concern the codes of practice and present a similar discussion to the one we had about using “have regard to” or “compliance to”. The powers cover a range of public authorities in devolved areas, and we want to ensure flexibility in how powers will be operated, so that we can learn from what works and adapt the code as necessary. If bodies fail to adhere to the code, the Minister will make regulations to remove their ability to share information under the power as set out in paragraph 11 of the code of practice.

As I mentioned, the requirement to have regard to the code of practice does not mean that officials have discretion to disregard the code at will. They will be expected to follow the code or they will lose their ability to share data. There could be exceptional reasons why it is reasonable to depart from the requirements of the code. To fix a rigid straitjacket creates a system of bureaucracy where officials must follow processes that run contrary to logic. This is standard drafting language adopted for the above reasons in the Immigration Act 2016, the Children and Families Act 2014 and the Protection of Freedoms Act 2012, to name a few recent pieces of legislation.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

It is welcome to hear how detailed and extensive these audits will be. If they are subject to the Freedom of Information Act 2000, will the Minister consider proactively publishing them anyway, so that we can be assured that they are all kept in one place and that data sharing happens only in accordance with data-sharing arrangements that are in the public domain?

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office)

When we set up new data-sharing arrangements, we must remember that the ICO and the devolved Administrations must be consulted and that the powers must go before Parliament again. We will have further scrutiny when considering the regulations under the affirmative procedure for secondary legislation.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

Given that the arrangements have to go through all the obstacles that the Minister has just outlined, I do not understand why not then include them in a central register, so that they are all in one place. We could then be confident that not just those cases in the Bill but all data sharing across the Government is made public and people can have confidence in how and why their data are being used and shared.

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office)

The hon. Lady refers to new clause 35, so I would now like to address that and take her points on board. This is about informing the public about what information is being shared by public authorities and for what reason.

The Bill’s provisions already include a number of commitments to transparency and proportionality, which I have already discussed in disclosing information by public authorities. There is a consistent requirement to uphold the Data Protection Act, including its privacy principles that govern the secure, fair and transparent processing of information.

We require the publishing of privacy impact assessments and privacy notices as set out in paragraph 82 of the code of practice. The research power requires the UK Statistics Authority, as the accrediting body, to maintain and publish a register of all persons and organisations it has accredited, and they can be removed under clause 61(5), which mandates that a withdrawal of accreditation will take place if there has been a failure to have regard to the code of practice.

The requirements of the new clause would inevitably create a new set of administrative burdens, which in turn would carry significant cost implications. It is not clear how the uniform resource locator referred to would be agreed upon, or what assessment has been made of the administrative changes that may be required across the public sector. The requirement might have an unintended consequence. For example, it is possible that including information on the specific data to be disclosed would raise difficult questions about whether the public register would interfere with the duty of confidentiality or breach the provisions of the Data Protection Act. Some of the new powers—in particular, the research provisions—would involve the sharing of non-identifying information, so it is not clear how citizens would understand from a register which datasets contain information relating to them or any particular group of reasons.

The key purpose of the new powers is to simplify the legal landscape to enable public authorities to do their job more effectively and deliver better outcomes for the citizen. The new clause, however well intentioned—I respect the hon. Lady’s point—risks working against that purpose and I therefore invite her to withdraw it.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

The Opposition drafted the amendments and I accept that they may not be perfect, but the principle behind the idea of a data register is impossible to argue with. If the Minister claims that these audits will be done thoroughly and that they will be subject to the Freedom of Information Act anyway, I see no reason why they should not be proactively published, so that the public and Opposition Members can have full confidence that everything in the codes of practice, which are not statutory, is being properly adhered to.

Photo of Chris Matheson Chris Matheson Labour, City of Chester

Does my hon. Friend concur that a proactive publication might be a lot more cost-effective than chasing after hundreds or, indeed, thousands of FOI requests?

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

Absolutely. This is where the Government often miss a trick: the interrelationship between FOI and open data could drive significant efficiencies across the Government and provide citizens and the data community with valuable data, including data that are valuable to the digital economy. I appreciate that our amendment might not be perfectly drafted, but I hope that the Minister will give serious consideration to the proactive publication of these audits and of all data-sharing arrangements across the Government.

Photo of Drew Hendry Drew Hendry Shadow SNP Westminster Group Leader (Transport)

There are existing mechanisms across Europe whereby information can be given to the public proactively. Does the hon. Lady agree that the public should not have to go through the process of making an FOI request—they should not have to go through all that hassle—to get the information that pertains to them and their lives?

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

Exactly. The data belong to them; that is exactly right. They should not have to jump over legalistic hurdles to find out how and why the Government are using data that should belong to them, and the Bill completely turns the view that they should not have to do so on its head. I take the Minister’s point about the amendment not being properly drafted. We will go away and redraft it and we will absolutely return to this issue on Report. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

As I have already set out, the Opposition broadly support the objectives outlined in the clause, but, as we have said on several occasions, those objectives must be set within strict safeguards to enable the better management of services.

Indeed, the open data policy process, which has been referenced several times, was a practical and commendable way in which to establish key principles for data to be handled, and to seek the views of industry experts. It is just a shame that it was completely ignored.

Polls show that the public consistently approve of the better use of data across Departments to help to improve customer service; nobody could really dispute that. However, our concerns are not related to the broader principle but to the practicality of these measures.

As we heard in the evidence we received, if these new powers are used appropriately in the management of debt, they could help put a stop to aggressive, unco-ordinated approaches from Government agencies to debt. There is little doubt that debt collection for central Government Departments leaves a lot to be desired. Vulnerable citizens facing multiple hardships are being pursued in a way that is to the detriment of the overall policy of reducing debt.

Citizens Advice said in its evidence to the Committee that there has been a big growth in demand for help with debt, as policies such as the bedroom tax and complex tax credit arrangements are pushing people, through no fault of their own, into debt. The Government’s haphazard approach often compounds matters and creates perverse outcomes, whereby thousands of individuals who are claiming exactly what they should be claiming are targeted in profiling exercises, which amount to nothing short of a mass Government-sponsored phishing exercise. Such an exercise has no place in necessary Government efforts to reduce error.

Shocking research by the charity StepChange has found that these aggressive debt collection methods have resulted in Government Departments having the dubious accolade of being second, behind bailiffs and ahead of mobile phone companies, in the list of those organisations that are considered most likely to treat debtors unfairly.

Again, there is little doubt that the Government’s move to help Departments to better share necessary information on debt could help reduce the unco-ordinated approach that currently harms debtors. However, there are two problems. First, as we have heard, the Government’s debt collection process is flawed and suffers from a lack of trust; and, secondly, the clause will furnish the Government with an extension of their power in matching data, yet this year alone the Government have demonstrated an abysmal failure to match their powers to their responsibility to the users of their services. That leaves public trust hanging by a thread.

The Minister mentioned Concentrix earlier—an outsourcer I am particularly obsessed with, and an example of how data matching can go wrong and how the safeguards surrounding the match can be completely ineffective. The Government used credit reference data and data from the electoral roll to target tax credit claimants for error and fraud. Individuals were accused of cohabiting, and their benefits were withdrawn as a result. One 19-year-old girl was accused of failing to declare that she had a 74-year-old partner, even though the man was dead. One of my constituents had her tax credits stopped while she was in a coma, and another young woman went without her benefits because Concentrix assumed that living in a Joseph Rowntree Housing Trust property meant she was shacked up with a 19th-century philanthropist.

I noticed earlier this week that HMRC is up for Civil Service World’s Analysis and Use of Evidence award. If HMRC is the best the civil service currently has to offer in the use of data, we should be seriously concerned about giving it any more powers. As well as failing the hard-working vulnerable people HMRC is supposed to serve, that contract failed on an incredible scale. Concentrix breached its performance standards on more than 120 occasions in less than a year, 90% of mandatory reconsiderations were found to be successful, thousands of people had their tax credits arbitrarily withdrawn, causing severe financial hardship, and letters containing the details of individuals’ claims and why they need to prove they are entitled to tax credits were addressed to the wrong people. Those breaches of data security demonstrate the high stakes involved for the Government with these data-sharing powers.

Although HMRC has done the right thing in announcing that it will not renew that contract, we need to investigate how that happened in the first place and ensure it never happens again. The Government cannot repeatedly get this wrong when chasing error and fraud in the tax credit system and the other areas that these clauses address. There is absolutely nothing to prevent them from employing another private sector contractor, tasking it with relentlessly chasing down cash and enabling it to match data from across central Government Departments with publicly available information and build a picture of individuals and who to target.

Subsection (3)(a) seems to allow for such profiling, which could have a range of unintended and severe consequences. It gives the authority the power to take action not only to collect debt but to identify it. That important distinction extends the power of the Crown. If hon. Members think that is a hypothetical concern, they should take a look at the contract between Concentrix and HMRC, which is not a unique contract in the public sector. Under the section entitled “data analytics and matching requirements”, it says,

“The authority requires that the contractor, as part of the error and fraud compliance service, provide and apply a data matching and analytics solution to enhance the Authority’s own risk and profiling capability”.

The Minister said that the codes will be updated if the GDPR is followed in May 2018, but the Bill will be statutorily non-compliant with the GDPR, which explicitly bans the use of data for profiling.

The contract with Concentrix clearly failed, and the firm was not fit to conduct checks of that kind, but that raises chilling questions about the further extension of data-sharing powers and what can be legally provided to private companies to pursue people legitimately claiming housing benefit, child tax credits or any other benefit. The codes of practice and the legislation are very clear that personal information should be used only for the purpose for which it was disclosed, but if that purpose is so broad a power, that gives no comfort to those of us who think that their sensitive data could be used to target them.

The draft regulations provide that the Home Office, the Lord Chancellor, the Justice Department and other Crown authorities can share information for the purpose of tackling error and fraud. It would help if the Government assured us that the data will be shared only when debt has already been identified to speed up the process. The Government should rule out the type of profiling conducted by Concentrix, which led to the targeting of individuals based on erroneous data. If the power is extended to give companies such as Concentrix access to data from not only HMRC but other Government Departments and local authorities, they could build up such a picture.

However, it is clearly not only private sector outsourcing that is of concern—the public sector has shown itself to have serious flaws in the management of personal information and in debt collection. In recent years, cuts to departmental budgets and staff numbers and increasing demands from citizens for online public services have changed the way Government collect, store and manage information. The many drivers for that change include successive IT and digital strategies since 2010. We need to ensure that the Government as a whole improve their data-sharing practices. That is why we will come back to our amendment, which would make reporting a data breach to the Information Commissioner mandatory if it has met a number of conditions. We simply cannot have personal data being breached and the Information Commissioner and the individual not being informed if it is serious.

We are broadly in favour of the power set out in the clause, but we have serious concerns about its use, even within the bounds of the purpose for which it is disclosed. We are concerned that the power will be used to identify debt, as the Bill clearly states, and we would be grateful for reassurance from the Minister.

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office)

Good debt management is a key part of achieving the Government’s fiscal policy objectives. Clause 40 provides a permissive power that will enable information to be shared for the purposes of identifying, collecting, or taking administrative or legal action as a result of debt owed to the Government. With more than £24 billion of debt owed to the Government, the problem is clearly significant.

Public authorities need to work together more intelligently to ensure that more efficient management of debt occurs. We believe that the new power will assist in achieving that. By enabling the efficient sharing of information to allow appropriate bodies to draw on a wider source of relevant data, informed decisions can be made about a customer’s circumstances and their ability to pay. Sharing information across organisational boundaries will help the Government to understand the scale of the issues individuals are facing, and where vulnerable customers are identified, they can be given appropriate support and advice.

Citizens Advice stated:

“This new power is an opportunity to advance the fairness and professionalisation agenda in government debt collection…Sharing data between debt collecting departments will create improved opportunities for better treatment of people in vulnerable situations, and must be matched with fairer and more effective dispute resolution processes.”

The Government agree with that and have worked with non-fee paying debt advice agencies to develop fairness principles to accompany the power, which are included in annex A of the code of practice.

It is important to dwell on the principles that organisations will adhere to, which state:

“Pilots operating under the new data sharing power should aim to use relevant data to help to differentiate between: A customer who cannot pay their debt because of vulnerability or hardship…; A customer who is in a position to pay their debts but who may need additional support; and A customer who has the means to pay their debt, but chooses not to pay - so public authorities, and private bodies acting on their behalf, can assess which interventions could best be used to recover the debt”,

and that:

“Pilots must be conscious of the impact debt collection practices have on vulnerable customers and customers in hardship”.

The principles go on to cover:

“Using relevant sources of data and information to make informed decisions about a customer's individual circumstances and their ability to pay.”

That process could include:

“An assessment of income versus expenditure to create a tailored and affordable repayment plan based on in work and out of work considerations, including the ability to take irregular income into account; and consideration of the need for breathing space to seek advice, or forbearance, in cases of vulnerability and hardship…Where a vulnerable customer is identified, they should be given appropriate support and advice, which may include signposting to non-fee paying debt advice agencies.”

Photo of Louise Haigh Louise Haigh Shadow Minister (Culture, Media and Sport) (Digital Economy)

I would be grateful if the Minister confirmed that those pilots and the powers enabled in the Bill will apply only to individuals already identified as being in debt, and that they will not seek to profile individuals who may or may not be in debt.

Photo of Chris Skidmore Chris Skidmore Parliamentary Under-Secretary (Cabinet Office)

Yes, I can confirm that. Moving forward, I reassure the Committee that we will continue to work closely with Citizens Advice and StepChange to look at fairness in Government debt management processes. Only HMRC and DWP have full reciprocal debt data-sharing gateways in place, under the Welfare Reform Act 2012. This power will help level the playing field for specified public authorities by providing a straightforward power to share data for clearly outlined purposes. Current data-sharing arrangements are time-consuming and complex to set up, and significantly limit the ability of public authorities to share debt data. This power will help facilitate better cross-Government collaboration that will help drive innovation to improve debt management. The clause will provide a clear power for specified public authorities to share data for those purposes, and will remove the existing complications and ambiguities over what can and cannot be shared and by whom.

Photo of Chris Matheson Chris Matheson Labour, City of Chester

The Minister may have just clarified the point I was seeking to tease out of him. The problems that my hon. Friend the Member for Sheffield, Heeley described show that, far from helping people with debt, the agencies acting on behalf of the Government have created debt that did not exist previously by misusing Government data. The Minister may have just assured us that that will not be the case. If the Minister is really concerned about reducing Government debt, perhaps the Government should have not chopped in half the number of HMRC tax inspectors and instead gone after the people who owe the Government tax.

Question put and agreed to.

Clause 40 accordingly ordered to stand part of the Bill.

Clause 41