Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lord Sikka
Main Page: Lord Sikka (Labour - Life peer)Department Debates - View all Lord Sikka's debates with the Department for Science, Innovation & Technology
Data Protection and Digital Information Bill
Lord Sikka ExcerptsTuesday 19th December 2023
(5 months, 2 weeks ago)
Lords ChamberRead Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: Consideration of Bill Amendments as at 29 November 2023 - large print - (29 Nov 2023)
Lord Sikka (Lab)
My Lords, I join others in welcoming the noble Lord, Lord de Clifford, to this House. I look forward to hearing him in future debates.
This Bill is a large Bill, written in an utterly arcane language which normal people will struggle to understand and follow. Hopefully, the Government will try to write Bills in a better way, otherwise it is hard for people to understand the laws and follow them. I have grave misgivings about some parts of this Bill and I will touch on a couple of these issues, which have already been identified by a number of noble Lords.
George Orwell’s iconic novel Nineteen Eighty-Four, published in 1949, raised the spectre of Big Brother. That nightmare has now been brought to reality by a Conservative Government supposedly rolling back the state. The Government have already undermined the people’s right to protest and to withdraw labour. Now comes snooping and 24/7 surveillance of the bank, building society and other accounts of the sick, disabled, poor, elderly and unfortunate, all without a court order. Over 22.4 million people would be targeted by that surveillance, but the account holders will not be told anything about the frequency and depth of this organised snooping.
In true Orwellian doublespeak, the Government claim that the Bill will
“allow the country to realise new post-Brexit freedoms”.
They link the surveillance to, and are stirring up, people’s fears about benefit fraud, while there is absolutely no surveillance of those receiving public subsidies, those mis-selling financial products, those accused of PPE fraud or even a former Chancellor who abused the tax system. Numerous court judgments have condemned the big accounting firms for selling illegal tax-dodge schemes and robbing the public purse, but despite those judgments no major accounting firm has, under this Government, ever been investigated, fined or prosecuted. None of the accounts of those partners or firms is under surveillance. The Bill is part of a class war: it targets only low-income and middle-income people, while big beasts get government contracts.
Currently, the Department for Work and Pensions can request details of bank accounts and transactions on a case-by-case basis on suspicion of fraudulent activity, but Clause 128 and Schedule 11 give the Government unrestrained powers to snoop. The Government say that the Bill
“would allow regular checks to be carried out on the bank accounts held by benefit claimants to spot increases in their savings which push them over the benefit eligibility threshold, or when people spend more time overseas than the benefit rules allow for. This will help identify fraud”
and
“take action more quickly”.
How prevalent is the benefit fraud that the Government wish to tackle? The Government estimate that, in 2023, they lost £8.3 billion to welfare fraud and errors, 80% of which is attributed to fraud. A government statement issued on 23 November said that, as a result of mass surveillance, benefit fraud would save the public purse
“£600 million over the next five years”.
On 29 November, in a debate in the other place, the Minister mentioned the figure of £500 million and, despite a number of challenges, did not correct that estimate. The Government are hoping that mass snooping will generate savings of £100 million to £120 million a year, but we do not have a breakdown of this saving and do not know how they have arrived at that number. I hope that the number is more reliable than the Government’s estimates of the HS2 costs. To put this into context, the Government are spending nearly £1,200 billion this year and they are introducing snooping to save about £100 million a year.
The snooping of bank accounts suggests that the Government are looking for unusual cash-flow patterns. What that means is that, if anyone gives a lump sum to a loved one for Christmas, a birthday, a holiday or home repairs, and it passes through their bank account, the Government could seize on that as evidence of excess resources and reduce or stop their benefits. Suppose that a poor person pawns some household items for a few pounds and temporarily boosts his or her bank balance. Would that person now be labelled a fraudster and lose benefits? The Government have not looked at the details of what would happen.
Many retirees have a joint bank account with another member of the family or with a friend. Under the Government’s crazy plans, the third party would also be put under surveillance because they happen to have a joint account. Can the Minister explain why people not receiving any social security benefits are to be snooped upon, because they would be caught in this trap?
How will the snoopers distinguish temporary and easily explainable boosts in bank balances from others? My background is that I am an accountant and I have investigated things over the years; I helped the Work and Pensions Committee investigate the collapses of BHS and Carillion. So I hope that the Minister can enlighten me on how all this will be done.
I hope that the Minister can also clarify the scope of the Bill as it applies to recipients of the state pension. The Government have classified it as a benefit, so can the Minister explain why? After all, the amount one gets is determined by the number of years of national insurance contributions. So why is it actually a benefit? The Minister in the other place said:
“I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future”.—[Official Report, Commons, 29/11/23; col. 912.]
Why do the Government want to snoop on the bank accounts of OAPs when there is hardly any fraud? Do they have some sinister plan to treat the state pension as a means-tested benefit? Perhaps the Minister could confirm or deny that. If he wishes to deny it, can he explain why the Government are targeting retirees? What have they done?
In this House, we have more than our fair share of senior citizens who receive a state pension, and their bank accounts would also be under surveillance. How long before a Government abuse that information to blackmail Members of this House and erode possibilities of scrutinising the Government of the day? It is opening us all up to blackmail, now or in the future.
In the past, the Government assured us that health data would not be sold—but then sold it to corporations, as we heard earlier. How can we trust the Government not to do the same with data collected via snooping on bank accounts? What will they be selling?
The mass surveillance is not subject to any court order. Concerned citizens will not be told, as their right to know will be further eroded by Clause 9. It is for the courts, not Ministers, to decide whether requests for data are vexatious or excessive. Can the Minister provide us with some data on how many requests for information are received by departments each year and what proportion have been declared to be vexatious and excessive by the courts? The Government cannot just say that they are vexatious—I would rather trust the courts.
Clause 9 obstructs government accountability and further erodes the Nolan principles. As a personal example, I fought a five and a half-year battle against the Treasury to learn about the closure of the Bank of Credit and Commerce International in 1991. It was the biggest banking fraud of the 20th century, which has yet to be investigated. I asked the Treasury for some information and was totally fobbed off. I went to the Information Commissioner, who sided with the Treasury. So I went to the courts to get some information, with the possibility that the judges might declare my attempts to learn the truth vexatious and might even impose legal costs on me. Fortunately, that did not happen—I won the case and the Treasury had to release some documents to me.
The information showed that the Conservative Government were covering up money laundering, frauds, the secret funding of al-Qaeda, Saudi intelligence, arms smugglers, murderers and others. The information given to me has never been put on public record by this Government. Can you imagine what will happen now if quests to learn something about banking fraud are simply labelled vexatious and excessive? How will we hold the Government to account? The Bill makes it harder to shine some light on the secret state and I urge the Government to rethink Clause 9.
Finally, I urge the Minister to answer the questions I have raised, so that we can have a better Bill.
Viscount Camrose (Con)
My Lords, I sincerely thank all of today’s speakers for their powerful and learned contributions to a fascinating and productive debate. I very much welcome the engagement in this legislation that has been shown from across the House and such a clear setting out, at this early stage, of the important issues and caveats.
As I said, the Bill reflects the extensive process of consultation that the Government have undertaken, with almost 3,000 responses to the document Data: A New Direction, and the support it enjoys from both the ICO and industry groups. The debate in which we have engaged is a demonstration of noble Lords’ desire to ensure that our data protection regime evolves and works more effectively, while maintaining the highest standards of data protection for all.
I will respond to as many of the questions and points raised as I can. I hope noble Lords will forgive me if, in the interests of time and clarity, I do not name every noble Lord who spoke to every issue. A number of noble Lords expressed the wish that the Government remain open to any and all conversations. Should I inadvertently fail to address any problem satisfactorily, I affirm that I am very willing to engage with all noble Lords throughout the Bill’s passage, recognising its importance and, as the noble Lord, Lord Bassam, said, the opportunity it presents to do great good.
Many noble Lords raised concerns that the Bill does not go far enough to protect personal data rights. This is certainly not our intent. The fundamental data protection principles set out in the UK GDPR—as my noble friend Lord Kirkhope pointed out, they include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability—remain at the heart of the UK’s data protection regime. Certain kinds of data, such as health data, remain special categories to which extra protections rightly apply. Changes such as requiring a senior responsible individual, rather than a data protection officer, mean that organisations still need to be accountable for how they process personal data but will have more flexibility about how they manage the data protection risks within their organisations.
On other specific points raised on the data protection framework, I agree that the right of access is key to ensuring transparency in data processing. The proposals do not restrict the right of access for reasonable requests for information and keep reasonable requests free of charge. On the creation of the new recognised legitimate interests lawful grounds, evidence from our consultation indicated that some organisations worried about getting the balancing test wrong, while others said that the need to document the outcome of their assessment could slow down important processing activities.
To promote responsible data sharing in relation to a limited number of public interest tasks, the Bill acknowledges the importance of these activities, which include safeguarding, crime prevention and national security, responding to emergencies and democratic engagement, but data controllers should not be required to do a case-by-case balancing test.
On cookies, the Bill will allow the Secretary of State to remove the need for data controllers to seek consent for other purposes in future, when the appropriate technologies to do so are readily available. The aim is to offer the user a clear, meaningful choice that can be made once and respected throughout their use of the internet. However, before any such powers are used, we will consult further to make sure that people are more effectively enabled to use different technology to set their online preferences.
On democratic engagement, extending the exemption allows a limited number of individuals, such as elected representatives and referendum campaigners, to process political opinions data without consent where this is necessary for their political activities. In a healthy democracy, it is not just registered political parties that may need to process political opinions data, and these amendments reflect that reality. This amendment does not remove existing rights. If people do not want their data processed for these purposes, they can ask the controller to stop doing so at any time. Before laying any regulations under this clause, the Government would need to consult the Information Commissioner and other interested parties, as well as gaining parliamentary approval.
I turn now to concerns raised by many about the independence of the regulator, the Information Commissioner. The ICO remains an independent regulator, accountable to Parliament, not the Government, in its delivery of data protection regulation. The Bill ensures it has the powers it needs to remain the guardian of people’s personal data. It can and does produce guidance on what it deems necessary. The Government welcome this and will work closely with it ahead of and throughout the implementation of this legislation.
New powers will also help to ensure that the Information Commissioner is able to access the evidence he needs to inform investigations and has the time needed to discover and respond to representations. This will result in more informed investigations and better outcomes. The commissioner will be able to require individuals to attend interviews only if he suspects that an organisation has failed to comply with or has committed an offence under data protection legislation. This power is based on existing comparable powers for the Financial Conduct Authority and the Competition and Markets Authority. A person is not required to answer a question if it would breach legal professional privilege or reveal evidence of an offence.
As the noble Lord, Lord Clement-Jones, pointed out, EU adequacy was mentioned by almost everybody, and concerns were raised that the Bill would impact our adequacy agreement with the EU. The Government believe that our reforms are compatible with maintaining our data adequacy decisions from the EU. While the Bill removes the more prescriptive elements of the GDPR, the UK will maintain its high standards of data protection and continue to have one of the closest regimes to the EU in the world after our reform. The test for EU adequacy set out by the Court of Justice of the European Union in the cases relating to UK adequacy decisions requires essential equivalence to the level of protection under the GDPR. It does not require a third country to have exactly the same rules as the EU in order to be considered inadequate. Indeed, 14 countries have EU adequacy, including Japan, New Zealand and Canada. All of these nations pursue independent and often more divergent approaches to data protection.
Regarding our national security practices, in 2020 and 2021, the European Commission carried out a thorough assessment of the UK’s legislation and regulatory framework for personal data, including access by public authorities for national security purposes. It assessed that the UK provides an adequate level of data protection. We maintain an ongoing dialogue with the EU and have a positive, constructive relationship. We will continue to engage regularly with the EU to ensure our reforms are understood.
A great many noble Lords rightly commented on AI regulation, or the lack of it, in the Bill. Existing data protection legislation—the UK GDPR and the Data Protection Act 2018—regulate the development of AI systems and other technologies to the extent that there is personal data involved. This means that the ICO will continue to play an important role in applying the AI principles as they relate to matters of privacy and data protection. The Government’s view is that it would not be effective to regulate the use of AI in this context solely through the lens of data protection.
Article 22 of the UK GDPR is currently the primary piece of UK law setting out the requirements related to automated decision-making, and this Bill sets out the rights that data subjects have to be informed about significant decisions that are taken about them through solely automated means, to seek human review of those decisions and to have them corrected. This type of activity is, of course, increasingly AI-driven, and so it is important to align these reforms with the UK’s wider approach to AI governance that has been published in the White Paper developed by the Office for Artificial Intelligence. This includes ensuring terms such as “meaningful human involvement” remain up to date and relevant, and the Bill includes regulation-making powers to that effect. The White Paper on the regulation of AI commits to a principles-based approach that supports innovation, and we are considering how the framework will apply to the various actors in the AI development and deployment life cycle, with a particular focus on foundation models. We are analysing the views we heard during the White Paper consultation. We will publish a response imminently, and we do not want to get ahead of that process at this point.
I turn to the protection of children. Once again, I thank noble Lords across the House for their powerful comments on the importance of protecting children’s data, including in particular the noble Baroness, Lady Kidron. On the very serious issue of data preservation orders, the Government continue to make it clear—both in public, at the Dispatch Box, and in private discussions—that we are firmly on the side of the bereaved parents. We consider that we have acted in good faith, and we all want the same outcomes for these families struck by tragedy. We are focused on ensuring that no parent is put through the same ordeal as these families in the future.
I recognise the need to give families the answers they require and to ensure there is no gap in the law. Giving families the answers they need remains the Government’s motivation for the amendment in the other place; it is the reason we will ensure that the amendment is comprehensive and is viewed as such by the families. I reassure the House that the Government have heard and understand the concerns raised on this issue, and that is why the Secretary of State, along with Justice Ministers, will work with noble Lords ahead of Committee and carefully listen to their arguments on potential amendments.
I also hear the concerns of the right reverend Prelate the Bishop of St Albans, the noble Lord, Lord Vaux, and the noble Baroness, Lady Young, on surveillance, police powers and police access to data. Abolishing the Surveillance Camera Commissioner will not reduce data protection. The role overlaps with other oversight bodies, which is inefficient and confusing for police and the public. The Bill addresses the duplication, which means that the ICO will continue to regulate data processing across all sectors, including policing. The aim is to improve effective independent oversight, which is key to public confidence. Simplification through consolidation improves consistency and guidance on oversight, makes the most of the available expertise, improves organisational resilience, and ends confusing and inefficient duplication.
The Government also have a responsibility to safeguard national security. The reports into events such as the Manchester Arena and Fishmongers’ Hall terrorist incidents have clearly noted that better joined-up working between the intelligence services and law enforcement supports that responsibility. This is why the Bill creates the power for designation notices to be issued, enabling joint controllerships between the intelligence services and law enforcement. The Secretary of State must consider the processing contained in the notice to be required for the purpose of safeguarding national security to grant it. This mirrors the high threshold for interference with the right to privacy under Article 8 of the Human Rights Act, which requires that such interference be in accordance with the law and necessary in a democratic society.
Concerns were raised by, among others, the noble Baronesses, Lady Young and Lady Bennett, and the noble Lords, Lord Sikka and Lord Bassam, on the proportionality of the measure helping the Government to tackle both fraud and error. Despite taking positive steps to reduce these losses, the DWP remains reliant on powers derived from legislation that is in part over 20 years old. The DWP published the fraud plan in May 2022. It set out clearly a number of new powers that it would seek to secure when parliamentary time allowed. Tackling fraud and error in the DWP is a priority for the Government but parliamentary time is tight. In the time available, the DWP has prioritised our key third-party data-gathering measure which will help to tackle one of the largest causes of fraud and error in the welfare system. We remain committed to delivering all the legislation outlined in the DWP’s fraud plan when parliamentary time allows.
To develop and test these new proposals, the DWP has been working closely with the industry, which recognises the importance of modernising and strengthening these powers to enable us to better detect fraud and error in the benefit system. This includes collaboration on the practical design, implementation and delivery of this measure, including establishing a working group with banks and the financial industry. The DWP has also regularly engaged with UK finance as well as individual banks, building societies and fintechs during the development of this measure, and continues to do so. It is of course important that where personal data is involved there are appropriate checks and balances. Organisations have a right to appeal against the requirement to comply with a data notice issued by the DWP.
Through our appeal process, the Government would first seek to resolve all disputes by DWP internal review. If this failed, the appeal would be referred to the First-tier Tax Tribunal, as currently is used in similar circumstances by HMRC. The third-party data-gathering powers that the DWP is taking are only broad to the extent that this ensures that they can be future-proofed. This is because the nature of fraud has changed significantly in recent years and continues to change significantly. The current powers that the DWP has are not sufficient to tackle the new kinds of fraud that we are now seeing in the welfare system. We are including all benefits to ensure that benefits such as state pension retain low rates of fraud. The DWP will of course want to focus this measure on addressing areas with a significant fraud or error challenge. The DWP has set out in its fraud plan how it plans to focus the new powers, which in the first instance will be on fraud in universal credit.
I thank noble Lords, particularly the noble Lord, Lord Vaux, for the attention paid to the department’s impact assessment, which sets out the details of this measure and all the others in the Bill. As he notes, it is substantive and thorough and was found to be such by the Regulatory Policy Committee, which gave it a green rating.
I hope that I have responded to most of the points raised by noble Lords today. I look forward to continuing to discuss these and other items raised.
Lord Sikka (Lab)
I would like some clarification. The Minister in the other place said:
“I agree, to the extent that levels of fraud in state pensions being currently nearly zero, the power is not needed in that case. However, the Government wish to retain an option should the position change in the future”.—[Official Report, Commons, 29/11/23; col. 912.]
Can the noble Viscount explain why the Government still want to focus on recipients of state pension given that there is virtually no fraud? That is about 12.6 million people, so why?
Viscount Camrose (Con)
Although proportionately fraud in the state pension is very low, it is still there. That will not be the initial focus, but the purpose is to future-proof the legislation rather than to have to keep coming back to your Lordships’ House.
Let me once again thank all noble Lords for their contributions and engagement. I look forward to further and more detailed debates on these matters and more besides in Committee. I recognise that there are strong views and it is a wide-ranging Bill, so there will be a lot of meat in our sandwich.
I congratulate the noble Lord, Lord de Clifford, on his perfectly judged maiden speech. I thoroughly enjoyed his description of his background and his valuable contributions on the Bill, and I welcome him to this House.
Finally, on a lighter note, I take this opportunity to wish all noble Lords—both those who have spoken in this debate and others—a very happy Christmas and a productive new year, during which I very much look forward to working with them on the Bill.
Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lord Sikka
Main Page: Lord Sikka (Labour - Life peer)Department Debates - View all Lord Sikka's debates with the Department for Science, Innovation & Technology
Data Protection and Digital Information Bill
Lord Sikka ExcerptsMonday 25th March 2024
(2 months, 1 week ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-III Third marshalled list for Grand Committee - (25 Mar 2024)
Baroness Jones of Whitchurch (Lab)
My Lords, in moving Amendment 24, I will speak also to Amendment 26. I welcome the amendments in the name of the noble Lord, Lord Clement-Jones.
Together, these amendments go to the heart of questioning why the Government have found it necessary to change the grounds for the refusal of a subject access request from “manifestly unfounded” to “vexatious or excessive”. At the moment, Article 15 of the UK GDPR gives data subjects a right of access to find out what personal information an organisation hold on them, how it is using it and whether it is sharing it. This right of access is key to transparency and often underpins people’s ability to exercise other data rights and human rights; for example, it impacts on an individual’s right to privacy in Article 8 of the ECHR and their right to non-discrimination in Article 40 of the same.
The Equality and Human Rights Commission has raised specific concerns about these proposals, arguing that subject access requests
“are a vital mechanism for data subjects to exercise their fundamental rights to privacy and freedom from discrimination”.
It argues that these rights will be even more vital as AI systems are rolled out, using personal information
“in ways that may be less than transparent to data subjects”.
So we must be suspicious as to why these changes are being made and whether they are likely to reduce the legitimate opportunities for data subjects to access their personal information.
This comes back to the mantra of the noble Lord, Lord Clement-Jones, regarding a number of the clauses we have dealt with and, I am sure, ones we have yet to deal with: why are these changes necessary? That is the question we pose as well. Is it simply to give greater clarity, as the Minister in the Commons claimed; or is it to lighten the burden on business—the so-called Brexit dividend—which would result in fewer applications being processed by data controllers? Perhaps the Minister could clarify whether data subject rights will be weakened by these changes.
In the Commons, the Minister, John Whittingdale, also argued that some data search requests are dispro-portionate when the information is of low importance or low relevance to the data subject. However, who has the right to make that decision? How is a data controller in a position to judge how important the information is to an individual? Can the Minister clarify whether the data controller would have the right to ask the data subject their reasons for requesting the information? This is not permitted under the current regime.
A number of stakeholders have argued that the new wording is too subjective and is open to abuse by data controllers who find responding to such requests, by their very nature, vexatious or excessive. For a busy data operator, any extra work could be seen as excessive. Although the Information Commissioner has said that he is clear how these words should be applied, he has also said that they are open to numerous interpretations. Therefore, there is a rather urgent need for the Information Commissioner to provide clear statutory guidance on the application of the terms, so that only truly disruptive requests can be rejected. Perhaps the Minister can clarify whether this is the intention.
In the meantime, our Amendment 24 aims to remove the easy get-out clause for refusing a request by making it clear that the resources available to the controller should not, by itself, be a reason for rejecting an application for information. There is an inevitable cost involved in processing requests, and we need to ensure that it does not become the standard excuse for denying data subjects their rights. Our Amendment 26 would require the data controller to produce evidence of why a request is considered vexatious or excessive if it is being denied. It should not be possible to assert this as a reason without providing the data subject with a clear and justifiable explanation. Amendment 25, from the noble Lord, Lord Clement-Jones, has a similar intent.
We remain concerned about the changes and the impact they will have on established data and human rights. As a number of stakeholders have argued, access to personal data and its uses underpins so many other rights that can be enforced by law. We should not give these rights away easily or without proper justification. I look forward to hearing what the Minister has to say, but without further clarification in the Bill, I doubt whether our concerns will be assuaged. I beg to move.
Lord Sikka (Lab)
My Lords, I will say a little bit about my intention to delete this clause altogether. Clause 9 significantly changes the data and privacy landscape, and for the worse. The Constitution Committee’s report on the Bill, published on 25 January, noted:
“Clause 9 amends Article 12 of the UK GDPR to broaden the basis for refusal”—
not for enhancing, but for refusal—
“of a data access request by providing more leeway to ‘data controllers’”.
In the world we live in, there is a huge imbalance of power between corporations, governments, public bodies and individuals. People must have a right to know what information is held about them, and how and when it is used. It is vital in order to check abuses and hold powerful elites to account.
The request for information can, at the moment, be wholly or partly denied, depending on the circumstances. It can be refused if it is considered to be manifestly unfounded or manifestly excessive. These phrases, “manifestly unfounded” and “manifestly excessive”, are fairly well understood. There is already a lot of case law on that. Clause 9, however, lowers the threshold for refusing information from “manifestly unfounded or excessive” to “vexatious or excessive”.
Lord Clement-Jones (LD)
If that is the case and this is a dilution, is this where the Government think they will get the savings identified in the impact assessment? It was alleged in the Public Bill Committee that this is where a lot of the savings would come from—we all have rather different views. My first information was that every SME might save about £80 a year then, suddenly, the Secretary of State started talking about £10 billion of benefit from the Bill. Clarification of that would be extremely helpful. There seems to be a dichotomy between the noble Lord, Lord Bassam, saying that this is a way to reduce the burdens on business and the Minister saying that it is all about confident refusal and confidence. He has used that word twice, which is worrying.
Lord Sikka (Lab)
I apologise for intervening, but the Minister referred to resources. By that, he means the resources for the controller but, as I said earlier, there is no consideration of what the social cost may be. If this Bill had already become law, how would the victims of the Post Office scandal have been able to secure any information? Under this Bill, the threshold for providing information will be much lower than it is under the current legislation. Can the Minister say something about how the controllers will take social cost into account or how the Government have taken that into account?
Viscount Camrose (Con)
First, on the point made by the noble Lord, Lord Bassam, it is not to be argumentative—I am sure that there is much discussion to be had—but the intention is absolutely not to lower the standard for a well-intended request.
Sadly, a number of requests that are not well intended are made, with purposes of cynicism and an aim to disrupt. I can give a few examples. For instance, some requests are deliberately made with minimal time between them. Some are made to circumvent the process of legal disclosure in a trial. Some are made for other reasons designed to disrupt an organisation. The intent of using “vexatious” is not in any way to reduce well-founded, or even partially well-founded, attempts to secure information; it is to reduce less desirable, more cynical attempts to work in this way.
Viscount Camrose (Con)
Which I will be delighted to answer. With this interesting exchange, I have lost in my mind the specific questions that the noble Lord, Lord Sikka, asked but I am coming on to some of his other ones; if I do not give satisfactory answers, no doubt he will intervene and ask again.
I appreciate the further comments made by the noble Lord, Lord Sikka, about the Freedom of Information Act. I hope he will be relieved to know that this Bill does nothing to amend that Act. On his accounting questions, he will be aware that most SARs are made by private individuals to private companies. The Government are therefore not involved in that process and do not collect the kind of information that he described.
Following the DPDI Bill, the Government will work with the ICO to update guidance on subject access requests. Guidance plays an important role in clarifying what a controller should consider when relying on the new “vexatious or excessive” provision. The Government are also exploring whether a code of practice on subject access requests can best address the needs of controllers and data subjects.
On whether Clause 12 should stand part of the Bill, Clause 12 is only putting on a statutory footing what has already been established—
Lord Sikka (Lab)
My apologies. The Minister just said that the Government do not collect the data. Therefore, what is the basis for changing the threshold? No data, no reasonable case.
Viscount Camrose (Con)
The Government do not collect details of private interactions between those raising SARs and the companies they raise them with. The business case is based on extensive consultation—
Lord Sikka (Lab)
I hope that the Government have some data about government departments and the public bodies over which they have influence. Can he provide us with a glimpse of how many requests are received, how many are rejected at the outset, how many go to the commissioners, what the cost is and how the cost is computed? At the moment, it sounds like the Government want to lower the threshold without any justification.
Viscount Camrose (Con)
As I say, I do not accept that the threshold is being lowered. On the other hand, I will undertake to find out what information can be reasonably provided. Again, as I said, the independent regulatory committee gave the business case set out a green rating; that is a high standard and gives credibility to the business case calculations, which I will share.
The reforms keep reasonable requests free of charge and instead seek to ensure that controllers can refuse or charge a reasonable fee for requests that are “vexatious or excessive”, which can consume a significant amount of time and resources. However, the scope of the current provision is unclear and, as I said, there are a variety of circumstances where controllers would benefit from being able confidently to refuse or charge the fee.
Lord Sikka (Lab)
The Minister used the phrase “reasonable fee”. Can he provide some clues on that, especially for the people who may request information? We have around 17.8 million individuals living on less than £12,570. So, from what perspective is the fee reasonable and how is it determined?
Viscount Camrose (Con)
“Reasonable” would be set out in the guidance to be created by the ICO but it would need to reflect the costs and affordability. The right of access remains of paramount importance in the data protection framework.
Lastly, as I said before on EU data adequacy, the Government maintain an ongoing dialogue with the EU and believe that our reforms are compatible with maintaining our data adequacy decisions.
For the reasons I have set out, I am not able to accept these amendments. I hope that noble Lords will therefore agree to withdraw or not press them.
Data Protection and Digital Information Bill Debate
Full Debate: Read Full DebateDepartment: Department for Work and Pensions
Lord Sikka
Main Page: Lord Sikka (Labour - Life peer)Department Debates - View all Lord Sikka's debates with the Department for Work and Pensions
Data Protection and Digital Information Bill
Lord Sikka ExcerptsMonday 22nd April 2024
(1 month, 1 week ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-VI Sixth marshalled list for Grand Committee - (18 Apr 2024)
Baroness Chakrabarti (Lab)
What I am advocating to the Committee is that, in terms of our approach in this country to everyone in either category—or to people who are sometimes in both categories because they are, for example, entitled to some universal benefits but none the less must pay tax on their earnings, inheritance or whatever—the appropriate approach is a targeted approach beginning with at least some reasonable suspicion that a person’s financial matters are a cause for concern. Once there is reasonable suspicion—not even hard proof—because of their activities, that should be the trigger for an intrusion into their affairs. We have had that approach to privacy in this country for a very long time; it is the approach that, broadly speaking, is entrenched in Article 8 of the convention. Even if one does not like human rights conventions, it is none the less a tradition that people in this country—not just lawyers—have long understood.
Further, and in reference to the remarks attributed to the noble Lord, Lord Anderson of Ipswich—who is not in his place, which is the reason why I am also risking being sensible—it is absolutely flabbergasting that there are greater checks and balances for investigating matters of national security than for investigating what could be minor benefit fraud. An example is the allegation that the person giving a Christmas present to their pensioner relative or their relative who is not able to work should trigger a response in the algorithm that this is somebody who should no longer be worthy of the benefit or who, worse still, should face criminality or even potential incarceration.
I cannot say how horrified I am that the Government should have proceeded with a measure of this kind even as we still learn about the extent of the injustice perpetrated on the postmasters. After what we are just beginning to understand about the postmasters, I cannot understand why the Government would allow this kind of discriminatory intrusion to be turbocharged by AI and inflict the potential for the same type of injustice—not just for a limited cohort of people who were unfortunate enough to be serving their communities by working as postmasters—on millions of people in the United Kingdom.
This is what Committee on a Bill is for. I will therefore calm myself in the knowledge and belief—and certainly the hope—that, in his response, the Minister will at least offer to meet with Members of the Committee who have put their names to the clause stand part notice from the noble Baroness, Lady Kidron, and with campaigners and experts to hear a little about the detail of the concerns and to compare this provision with the other provisions, as the noble Baroness, Lady Buscombe, suggested in relation to national security, or indeed for tax fraud. Nobody is suggesting that fraud should be perpetrated with impunity, but we must learn from the mistakes of injustices already perpetrated. They are perpetrated because of blanket trust in the authorities and AI and a lack of checks and balances. There were plenty of humans in the loop at the Post Office, but that is not enough. This is a sweeping power that will lead only to intrusion, discrimination and the worst kind of injustice. In the meantime, before that moment even comes, millions of people will live in fear.
Lord Sikka (Lab)
My Lords, I will address, first, the exclusion of Clause 128 and, secondly, Amendment 219 in my name.
I spoke at Second Reading to oppose Clause 128. I was a little too late to put my name to the clause stand part notice in the names of the noble Baronesses, Lady Kidron and Lady Chakrabarti, and the noble Lords, Lord Clement-Jones and Lord Anderson. I would therefore like to address a few things relating to that before I move on.
This clause creates two kinds of citizen: those who are entitled to financial privacy and others who are not entitled to any privacy, just because they happen to be poor, old, sick, disabled, infirm and unfortunate. Hopefully, the Minister can explain the rationale for creating this form of discrimination. This discrimination will particularly affect women, because a lot of women receive social security benefits, and people of colour, who are generally paid poorly and often have to rely upon universal credit and other benefits to make ends meet. Hopefully the Minister will also be able to tell us how this squares with the levelling-up agenda. Certainly this clause does not really provide any fairness at all.
I have received lots of emails and letters and met individuals who are very concerned, as earlier speakers articulated, that they will be made homeless because their landlords will not want their bank accounts to be put under surveillance. What assessment have the Government made of the impact that this clause may have on future homelessness?
Lord Sikka (Lab)
I would be convinced about the Government’s intentions, and would not press this amendment at the next stage, if the Minister can name just one big accounting firm which since 2010, as a result of a court judgment that said it was selling unlawful tax avoidance schemes, has been investigated, fined or prosecuted. If he can give me such an example then I will be convinced that the Government are seriously tackling tax fraud and its enablers.
Viscount Younger of Leckie (Con)
The noble Lord has set me quite a challenge at the Dispatch Box. It is out of scope of today’s session but, having said that, I will reflect on his question afterwards.
I am aware that time is marching on. My noble friend Lord Kamall asked about burdens on banks. We believe that the burdens on banks will be relatively low.
The noble Baroness, Lady Sherlock, made a number of points; I may have to write to her to expand on what I am about to say. Removing the requirement for third parties to provide legible copies of information means that DWP could receive the information but there is a risk that the information is not usable; that is my answer to her points. This could limit the data that DWP receives and prevent us utilising the power in full, which could in turn impact the savings due to be realised from this important measure.
I turn to the final amendments in this group, which were raised by the noble Baroness. They would place requirements on the Secretary of State to issue statements in the House and consult on the code of practice. We will talk more about the code of practice later on in this debate, and I have already made clear my firm opinions on it: we will take it forward and are already working on it. There will be a consultation that will, of course, allow anybody with an interest in this to give their views.
I turn to the number of statements that must be made in the House regarding the practical use of the measures before powers can commence, such as the role that artificial intelligence will play or assurances on any outsourcing of subsequent investigations. This is an important point to make and was raised by other Peers. I want to make it clear that this measure will be rolled out carefully and slowly through a “test and learn” approach from 2025, in conjunction with key third parties. To make these statements in the House would pre-empt the crucial “test and learn” period. I say again that discussions with the third parties are deep and detailed and we are already making progress; this point was made by the noble Lord, Lord Clement-Jones, on the link with banks and third parties.
Importantly, I assure the noble Baroness, Lady Sherlock, that we will not make any automated decisions off the back of this power; this was also raised by the noble Baroness, Lady Kidron. The final decision must and will always involve a human being—a human agent in these cases—and any signals of potential fraud or error will be looked at comprehensively. I am grateful for the remarks of my noble friend Lady Buscombe on this matter.
I know that I have not answered a number of questions. Perhaps I can do so in our debate on another group; otherwise, I certainly wish to answer them fully in a letter. I hope that I have explained clearly, from our perspective, why this power is so important; why it is the right power to take; and how we have carefully designed it, and continue to design it, with the key safeguards in mind. I strongly value the input from all those who have contributed today but I remain unconvinced that the proposed amendments are necessary and strengthen the power beyond the clear safeguards I have set out. With that, I hope that the noble Baroness will not press her opposition to Clause 128.
Viscount Younger of Leckie (Con)
Absolutely; I am keen to make sure that I answer on that. It may be possible to do so in the next group but, if not, I will certainly do so in the form of a precise letter—added to the larger letter that I suspect is coming the noble Lord’s way.
Lord Sikka (Lab)
A number of pensioner groups are watching these proceedings. I have received some messages. They are asking, “When is the Minister going to answer the questions asked about the operation of the surveillance of recipients of the state pension, especially those who have foreign accounts?” I assume that the Minister will clarify that in any subsequent letter to me.
Viscount Younger of Leckie (Con)
Absolutely; the noble Lord will know that I have not managed to answer all the questions. I have tried to bring in everybody on this important and serious debate. The answers will be forthcoming.
Lord Sikka (Lab)
My Lords, I ask the Minister for clarification. The noble Baroness, Lady Sherlock, asked about the number of individuals; I guess it may be 24 million or 25 million. However, from what the Minister has said, the number of bank accounts subject to surveillance would be far greater than that. For example, I receive a state pension and am also a trustee of a small not-for-profit organisation; from what the Minister said, I would be caught, as would that organisation. Landlords and many others could possibly be added. It seems that the number of bank accounts would be far greater than the number of individuals. When he provides the data, can the Minister estimate how many bank accounts and transactions there might be?
Baroness Bennett of Manor Castle (GP)
I will add to that the issue of overseas bank accounts. I cannot see how the British Government can apply this measure to them. Will this not push people to go to overseas bank accounts? Or will the Government try to pursue them through challenger banks—including multiple accounts from one person who may have one original, normal current account here?
Viscount Younger of Leckie (Con)
I know that I said earlier that child benefit was not included. I will clarify that child benefit is not a benefit for which the DWP is responsible or has any functionality for. This measure will be exercised by the DWP Secretary of State, and we cannot use this power for that benefit.
I was in the middle of answering a question from the noble Baroness, Lady Sherlock.
Viscount Younger of Leckie (Con)
I will finish this answer, if I may. The DWP personal information charter lists banks and financial institutions, and other parties, among the parties with which DWP may share data and from which we may receive data. It also lists checking accuracy and preventing and detecting fraud among the purposes for which we may share or receive information.
A claimant will not be notified if their account details have been returned to DWP by a third party as that could alert fraudsters to the criteria, enabling them to evade detection—I think that is a valid point—but they will be notified if a DWP agent determines that a review is required as a result of the information provided by the third party. That notification will be done through the business-as-usual processes.
Moving on to defining working-age payments in legislation, which relates to the final amendment in this group, Amendment 235, which was tabled by the noble Baroness, Lady Sherlock, it would require the Government to specify in regulations the working-age benefits with which this power could be used. As she demonstrated, there is a wide range of benefits and therefore potential avenues for fraudsters to seek or exploit or for error to creep in. That is why it is important that the power enables the department to respond proactively as new fraud risks emerge.
That said, as the noble Baroness knows, the power will not be exercisable in all the benefits she listed—I took note of her long list—such as child benefit, which we have just mentioned, because the legislation is drafted in such a way that it could reasonably be exercised in relation to benefits for which the Secretary of State is responsible. I reassure the noble Baroness, Lady Sherlock, and the Committee that in the first instance, we plan to use this with universal credit, employment and support allowance—ESA, pension credit and housing benefit. That is the way forward.
There may be a number of questions that I have not addressed, but I hope that I have continued to make the case for why this measure is so important and our aim to tackle fraud and error. I continue to make the case that it is proportionate and that proportionate safeguards are in place. With that, I hope the noble Baroness will agree to withdraw her amendment.