Online Safety Bill
Baroness Neville-Jones ExcerptsMonday 17th July 2023
(9 months, 2 weeks ago)
Lords ChamberRead Full debate Online Safety Act 2023 View all Online Safety Act 2023 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts Amendment Paper: HL Bill 151-V Fifth marshalled list for Report - (17 Jul 2023)
Baroness Neville-Jones (Con)
My Lords, I just want to reinforce what my noble friend Lord Bethell said about the amendments to which I have also put my name: Amendments 237ZA, 266AA and 272E. I was originally of the view that it was enough to give Ofcom the powers to enforce its own rulings. I have been persuaded that, pace my noble friend Lord Grade, the powers that have been given to Ofcom represent such a huge expansion that the likelihood of the regulator doing anything other than those things which it is obliged to do is rather remote. So I come to the conclusion that an obligation is the right way to put these things. I also agree with what has been said about the need to ensure that subsequent action is taken, in relation to a regulated service if it does not follow what Ofcom has set out.
I will also say a word about researchers. They are a resource that already exists. Indeed, there has been quite a lot of pushing, not least by me, on using this resource, first, to update the powers of the Computer Misuse Act, but also to enlarge our understanding of and ability to have information about the operation of online services. So this is a welcome move on the part of the Government, that they see the value of researchers in this context.
My noble friend Lord Moylan made a good point that the terms under which this function is exercised have to have regard to privacy as well as to transparency of operations. This is probably one of the reasons why we have not seen movement on this issue in the Computer Misuse Act and its updating, because it is intrinsically quite a difficult issue. But I believe that it has to be tackled, and I hope very much that the Government will not delay in bringing forward the necessary legislation that will ensure both that researchers are protected in the exercise of this function, which has been one of the issues, and that they are enabled to do something worth while. So I believe the Minister when he says that the Government may need to bring forward extra legislation on this; it is almost certainly the case. I hope very much that there will not be a great gap, so that we do not see this part of the proposals not coming into effect.
Lord Knight of Weymouth (Lab)
My Lords, we have had an important debate on a range of amendments to the Bill. There are some very important and good ones, to which I would say: “Better late than never”. I probably would not say that to Amendment 247A; I would maybe say “better never”, but we will come on to that. It is interesting that some of this has come to light following the debate on and scrutiny of the Digital Markets, Competition and Consumers Bill in another place. That might reinforce the need for post-legislative review of how this Bill, the competition Bill and the data Bill are working together in practice. Maybe we will need another Joint Committee, which will please the noble Lord, Lord Clement-Jones, no end.
There are many government amendments. The terms of service and takedown policy ones have been signed by my noble friend Lord Stevenson, and we support them. There are amendments on requiring information on algorithms in transparency reports; requiring search to put into transparency reports; how policies on illegal content and content that is harmful for children were arrived at; information about search algorithms; and physical access in an audit to view the operations of algorithms and other systems. Like the noble Baroness, Lady Kidron, I very much welcome, in this section anyway, that focus on systems, algorithms and process rather than solely on content.
However, Amendment 247A is problematic in respect of the trigger words, as the noble Lord, Lord Allan, referred to, of remote access and requiring a demonstration gathering real-time data. That raises a number of, as he said, non-trivial questions. I shall relay what some service providers have been saying to me. The Bill already provides Ofcom with equivalent powers under Schedule 12—such as rights of entry and inspection and extensive auditing powers—that could require them to operate any equipment or algorithms to produce information for Ofcom and/or allow Ofcom to observe the functioning of the regulated service. Crucially, safeguards are built into the provisions in Schedule 12 to ensure that Ofcom exercises them only in circumstances where the service provider is thought to be in breach of its duties and/or under a warrant, which has to have judicial approval, yet there appear to be no equivalent safeguards in relation to this power. I wonder whether, as it has come relatively late, that is an oversight that the Minister might want to address at Third Reading.
The policy intent, as I understand it, is to give Ofcom remote access to algorithms to ensure that service providers located out of the jurisdiction are not out of scope of Ofcom’s powers. Could that have been achieved by small drafting amendments to Schedule 12? In that case, the whole set of safeguards that we are concerned about would be in place because, so to speak, they would be in the right place. As drafted, the amendment appears to be an extension of Ofcom’s information-gathering powers that can be exercised as a first step against a service provider or access facility without any evidence that the service is in breach of its obligations or that any kind of enforcement action is necessary, which would be disproportionate and oppressive.
Given the weight of industry concern about the proportionality of these powers and their late addition, I urge the Minister to look at the addition of further safeguards around the use of these powers in the Bill and further clarification on the scope of the amendment as a power of escalation, including that it should be exercised as a measure of last resort, and only in circumstances where a service provider has not complied with its duty under the Bill or where the service provider has refused to comply with a prior information notice.
Amendment 247B is welcome because it gives the Minister the opportunity to tell us now that he wants to reflect on all this before Third Reading, work with us and, if necessary, come back with a tightening of the language and a resolution of these issues. I know his motivation is not to cause a problem late on in the Bill but he has a problem, and if he could reflect on it and come back at Third Reading then that would be helpful.
I welcome the amendments tabled by the noble Lord, Lord Bethell, on researcher access. This is another area where he has gone to great efforts to engage across the House with concerned parties, and we are grateful to him for doing so. Independent research is vital for us to understand how this new regime that we are creating is working. As he says, it is a UK strength, and we should play to that strength and not let it slip away inadvertently. We will not get the regime right first time, and we should not trust the platforms to tell us. We need access to independent researchers, and the amendments strike a good balance.
We look forward to the Minister deploying his listening ear, particularly to what the noble Baroness, Lady Harding, had to say on backstop powers. When he said in his opening speech that he would reflect, is he keeping open the option of reflecting and coming back at Third Reading, or is he reflecting only on the possibility of coming back in other legislation?
The noble Baroness, Lady Fraser, raised an important issue for the UK regulator, ensuring that it is listening to potential differences in public opinion in the four nations of our union and, similarly, analysing transparency reports. As she says, this is not about reserved matters but about respecting the individual nations and listening to their different voices. It may well be written into the work of Ofcom by design but we cannot assume that. We look forward to the Minister’s response, including on the questions from my noble friend on the consent process for the devolved Administrations to add offences to the regime.
Product Security and Telecommunications Infrastructure Bill
Baroness Neville-Jones ExcerptsTuesday 21st June 2022
(1 year, 10 months ago)
Lords ChamberRead Full debate Product Security and Telecommunications Infrastructure Act 2022 View all Product Security and Telecommunications Infrastructure Act 2022 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 16-I(a) Amendment for Committee (Supplementary to the Marshalled List) - (20 Jun 2022)
Lord Arbuthnot of Edrom (Con)
My Lords, Amendment 16 proposes a statutory defence for ethical hackers. I am grateful to the noble Lord, Lord Clement-Jones, and to the CyberUp campaign, for their help. Again, I declare my interests as chairman of the Information Assurance Advisory Council, chairman of the Thales UK advisory panel and chairman of Electricity Resilience Limited.
The Computer Misuse Act 1990 criminalised unauthorised access to computer systems. The methods used by cybercriminals and cybersecurity professionals are often identical, which is one of the things that makes the drafting of this amendment rather problematic. Usually, criminals do not have permission for what they do, and cybersecurity professionals do, but I am told by the CyberUp campaign that there are occasions on which that permission is difficult or impossible for a cybersecurity professional to get.
At Second Reading, I cited the case of Rob Dyke, who has been through a legal tussle with the Apperta Foundation, which has since been in touch with me to put its side of the story. It is clear that it feels strongly that it was right to pursue Mr Dyke until he gave undertakings that allowed it to drop its litigation. I do not know the rights and wrongs of that, but the Apperta Foundation supports the principles put forward by CyberUp for a legal defence for offences under the Computer Misuse Act.
In any event, the Government are carrying out a review into the 1990 Act. CyberUp’s submission to it sets out that many in the cybersecurity profession do not know whether what they are doing is legal. This is because legislation in 1990 came in before much of what now happens with computers had been thought of—so it inevitably created ambiguities. In the 1990 Act, no consideration was given—I remember because I was there—to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.
This is why there needs to be certainty for cybersecurity researchers; they need to be able to do things for the public good. We cannot rely on the National Cyber Security Centre for everything, because even the Government cannot keep up with the speed of technological development, as has been mentioned. The CyberUp campaign recognises that legislation also cannot keep up with the speed of change, so it has helped with drafting this amendment not with a view to seeing it enacted—my noble friend will resist it for a number of good reasons—but with a view to eliciting from the Government a statement about how they are getting on with this aspect of the review of the Computer Misuse Act.
One suggestion that the CyberUp campaign makes is that
“legislation to mandate the courts to ‘have regard to’ Home Office or Department for Digital, Culture, Media and Sport … guidance on applying a statutory defence that would, ideally, be based on the framework”
of principles. This includes, first, the prospective benefits of the Act outweighing the prospective harms; secondly, reasonable steps being undertaken to minimise the “risks of causing harm”; thirdly, the actor demonstrably acting “in good faith”; and fourthly, the actor being “able to demonstrate … competence”. Here we may come back to the standards/principle discussion that we had on the first group.
So I expect my noble friend to reject this amendment, but I should be grateful if he could say where the Government’s thinking on the matter is.
Baroness Neville-Jones (Con)
My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.
The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.
Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.
Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.
If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.
The Earl of Erroll (CB)
My Lords, very quickly, I remember well during the passage of the Computer Misuse Act and the Police and Justice Act 2006 trying to tidy up language about hacking tools and so on. It became very complicated and no one could quite work out how to do it, because the same thing could be used by baddies to do one thing and by good people to help maintain systems, et cetera. In the end, I think it went into the Act and they just said, “Well, we won’t prosecute the good guys”. Everyone felt that was a little inadequate. I do not know quite what we are going to do about it but it needs to be looked at. Therefore, this is a good start and I would welcome some discussion around it, because we need something in law to protect the good people as well as to catch the criminals.
Data Protection Bill [HL]
Baroness Neville-Jones Excerpts(5 years, 11 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
My Lords, this group of amendments covers issues that will be familiar to many noble Lords, as it primarily addresses concerns and issues raised in this House last autumn. The Government have remained committed to listening and to improving the Bill. I owe thanks to many noble Lords who brought these issues to our attention.
Commons Amendment 155 would help businesses and other organisations ensure that their boardrooms and senior management levels are truly representative of the workforces they manage and the communities they serve. In November 2016, Sir John Parker published a report which showed that while 14% of the population identified as black, Asian or minority ethnic, only 1.5% of directors in FTSE 100 boardrooms are UK citizens from a minority background. More than half of the FTSE 100 boards are exclusively white. While significant progress has been made in recent years to improve the gender balance in the boardrooms of such companies, the severe underrepresentation of people from minority backgrounds needs to be addressed.
Sir John’s report included a series of recommendations to improve racial and ethnic diversity in the boardroom. He encouraged companies to make better use of executive search firms to identify potential candidates and invite them to be interviewed for managerial vacancies. This amendment would therefore add a new processing condition to Schedule 1 to allow organisations to process personal data about potential candidates’ racial or ethnic origin in identifying suitable candidates for potential managerial positions.
Previously when we discussed the Bill in this House, Thomson Reuters provided a very helpful briefing note setting out how it compiles reports on persons suspected of terrorism, bribery, money laundering, modern slavery and other illegal activities. It then shares this information with the banks to help them avoid engaging with such people and allow them to comply with their regulatory obligations and other internationally recognised guidelines. In response to support for the proposal on all sides, the Government committed to work with Thomson Reuters to bring forward amendments at a later stage of the Bill’s passage. Commons Amendment 158 is the culmination of this work.
I am also pleased to introduce Commons Amendment 160, which would provide for processing by patient support groups, a concern well put by my noble friend Lady Neville-Jones. She spoke movingly on behalf of the patient support group Unique, which manages a register of patients suffering from very rare and sometimes life-limiting chromosomal disorders. Amendment 160 would add a new processing condition to Schedule 1 to provide Unique and groups like it with the legal certainty required for their vital work to continue. I am most grateful to her for her advocacy.
Commons Amendments 162 and 163 relate to data processing for safeguarding purposes. These amendments respond to one tabled on the same issue by the noble Lord, Lord Stevenson, on Report in December. In response to that amendment, I made it clear that the Government were sympathetic to the points raised. These amendments would ensure that sensitive data could be processed without consent in certain circumstances for legitimate safeguarding activities which are in the substantial public interest. The unfortunate reality is that there still exists a great deal of uncertainty under current law about which personal data can be processed for safeguarding purposes. This has resulted, for example, in some organisations withholding information from the police and other law enforcement agencies for fear of breaching data protection law. With these amendments, the Government intend to address this uncertainty by providing relevant organisations with a specific processing condition for processing the most sensitive personal data for safeguarding purposes.
Similarly, a number of other amendments in this group would extend necessary exemptions to certain regulators to ensure that data subjects cannot use data protection laws to undermine their regulatory work. Commons Amendment 178 would provide the Comptroller and Auditor-General of the United Kingdom, and his counterpart in each of the devolved nations, with an exemption from certain provisions of the GDPR where these would be likely to prejudice his statutory functions. Likewise, Amendment 179 would provide an exemption for the Bank of England from the listed GDPR provisions where these could inhibit its ability to exercise its functions. Amendment 183 would provide an exemption for the Scottish Information Commissioner, who regulates freedom of information rather than data protection. Amendment 185 would protect the work of the Financial Conduct Authority and the Prudential Regulation Authority. Amendment 186 would extend the exemptions in Schedule 2 to the Charity Commission’s functions under the Charities Acts of 1992, 2006 and 2011.
The remaining amendments in this group would address more technical issues, ensuring consistency across the Bill. I beg to move.
Baroness Neville-Jones (Con)
My Lords, I thank my noble friend the Minister for the Government having carried these provisions in the Commons. More importantly, the patient support groups for which I spoke are very gratified because they regard these amendments as absolutely vital to their ability to carry on their important work. If I might say so, it is a very satisfactory outcome.
Lord Pannick
My Lords, I welcome Commons Amendment 188 on the confidentiality of legal advice. As the Minister knows, a concern has been raised, long after the 11th hour, about the position of arbitrators. The concern is that the Bill addresses the data protection obligations of judges and lawyers but does not address the data protection position of arbitrators. Arbitration is of course an important legal service, in which this country leads and provides services to the world. All I can do at this stage is to ask the Minister and the Bill team whether they will reflect on this concern, which has been raised not just with me but with him. If he thinks that there is any basis for concern, will he consider using the very extensive powers conferred under the Bill to bring forward regulations to address the issue?
Data Protection Bill [HL]
Baroness Neville-Jones ExcerptsMonday 11th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
“Processing by patient support groups
(1) This condition is met if the processing—(a) is necessary for the purpose in accordance with the conditions listed in sub-paragraph (2), and(b) is necessary for reasons of substantial public interest.(2) The processing is carried out— (a) in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not for profit body with a patient support aim, and(b) on condition that—(i) the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and(ii) the personal data is not disclosed outside that body without the consent of the data subjects.”
Baroness Neville-Jones (Con)
My Lords, I introduced the same amendment in Committee and do not intend to repeat what I said then. I am glad to say that, since I put down that amendment, there has been a very helpful meeting between DCMS officials, the Genetic Alliance UK and Unique. I very much hope that that meeting will form the basis of a solution on which we can build for Third Reading. I thank my noble friend the Minister for his personal contribution to the progress that we have made.
My understanding is that at that meeting it was accepted that an amendment would have to be brought forward to ensure the legality of the work of patient support groups. My understanding also is that the Government would prefer to do this by their own amendment, and I am certainly very happy to accept that. I also hope that it will be possible to agree such an amendment before Third Reading.
My noble friend has said that he is concerned about defining the scope of the amendment. I certainly accept that that is a legitimate issue. The family of patient support groups is quite large, but I accept that it is right to prevent any amendment becoming a loophole for evasion of the Bill’s provisions. I am conscious of that issue. However, the purpose of the amendment is not controversial and I am happy to look to finding words and drafting that will both safeguard the points that we want to make and provide the right scope for the amendment. It would be highly desirable to be able to deal with this matter in our House.
I hope and trust that my noble friend will be able to confirm that he shares my understanding of the point that we have now reached and that he will be able to give me an assurance at least of best endeavours to present a government amendment at Third Reading. I might say that Genetic Alliance and other patient support groups stand ready to help in any way that they can to meet this deadline.
Lord Clement-Jones
My Lords, I will speak briefly to support the noble Baroness, Lady Neville-Jones, in her amendment. Clearly, this is of great importance to patient groups. I very much hope that the Minister will carry on the good work and come back at Third Reading with something substantive for the benefit of patient organisations that collect vital health information from their members, so that they will not be required to destroy or anonymise data. Without amendment, the Data Protection Bill has the potential to seriously damage the work of these patient support groups and hinder the work of certain public agencies, too, such as Public Health England and NICE—so I very much support the noble Baroness.
Lord Patel
Before the Minister sits down, I thank him and his team immensely for taking on board the concerns that I and others expressed about the interventional medical research that the government amendments will now allow. It cannot be overstated: this will now allow important research, including clinical trials, to be undertaken that will advance medical research in the United Kingdom, making it an attractive place to do such research. I thank him immensely; I am most grateful.
Baroness Neville-Jones
My Lords, I am extraordinarily grateful to noble Lords who have spoken in support of my amendment, and for the comprehension that the Minister has shown for the work of the patient support groups. They will have greatly appreciated hearing how much the Government support what they do.
I very much hope that we can work on an amendment that will both meet the Government’s concerns and effectively cover the work of those organisations, which, as I think the Minister understands, work in difficult circumstances. They stand ready to participate with the Government in getting language that will both cover their concerns and ensure that we do not open the door to those for whom it is not intended. On that basis, I beg leave to withdraw the amendment.
Data Protection Bill [HL]
Baroness Neville-Jones Excerpts(6 years, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Griffiths of Burry Port (Lab)
My Lords, it falls to me to speak to a sequence of amendments from Amendment 35 to Amendment 68. Whereas we have had complicated issues before us in previous discussions on the Bill, most of these are probing and of a much simpler substance. I will proceed with them as best I may.
Amendment 35 is to paragraph 5(1), which states that a condition for substantial public interest is met only when the processing is carried out by the controller, who has,
“an appropriate policy document in place”.
The amendment we propose seems sensible and simple, which is that the policy document should be,
“made available to the data subject without charge”.
We repeat that in Amendment 68 to Part 4 of Schedule 1, where there is discussion of an “appropriate” document.
Amendment 37 probes the protected characteristics of the Equality Act. Whereas in the Bill just a few are mentioned, our amendment asks why all those included in the Equality Act are not in that list. In the amendment we can see the proposed extra categories that would be placed there to complete that list. Once again it seems sensible, having started on that track, to complete that process.
We come next to preventing or detecting unlawful acts. Amendment 38 asks about “a serious” test. We have had conversations with Reuters and a number of amendments are consequent on some of the observations we made in that conversation. Thus with Amendment 39 we would ask the information commissioning officer to clarify that processing must be carried out without the consent of a data subject where,
“a data subject is unlikely to give consent”,
for example to frustrate prevention or detection, where it would involve disproportionate effort to achieve consent or where the nature of the processing means that withdrawal of consent would prejudice prevention or detection of unlawful acts. That probes the extent to which these matters might apply.
Amendment 40 is again a probing amendment on the question of dishonesty, under the heading:
“Protecting the public against dishonesty”.
Perhaps we need to work out how better to define dishonesty. We all know what telling a lie is, but in the days of fake news we can perhaps have different or varying views on this. Perhaps it needs to be tied down a bit more closely.
Amendment 41 refers to protecting members of the public. It is unclear in the schedule whether this extends to protecting businesses from doing business with other businesses that would cause them severe reputational harm because, for example, they engage in modern slavery, bribery or whatever. It might be good to frame the law so it is clear that it involves businesses and members of the public. To skip an amendment for the moment, that ties in with Amendment 44. Paragraph 12 does not expressly allow screening by private companies for the purpose of checking against non-UK terrorist financing or money-laundering laws. Nor does it allow screening to be undertaken to comply with widely recognised guidelines such as those promulgated by the Financial Action Task Force, in which the United Kingdom Government participate. It seems sensible to include that screening in the Bill. The amendment seeks to achieve that.
Amendment 43 is to paragraph 12, which says that the condition of expressing a public interest is met,
“if the processing is necessary for the purposes of making a disclosure in good faith”,
under sections of the Terrorism Act and the Proceeds of Crime Act. Again, it would be nice to tie some of that down with further clarification. That might help us all. Amendment 45 asks about counselling.
That is the rather interesting daisy chain of amendments it falls to me to present. Since this is, for me, a maiden speech on a piece of legislation, nobody would expect it to be contentious, disputational or controversial. In that sense, I offer it for the consideration of the Committee.
Baroness Neville-Jones (Con)
My Lords, I will speak to Amendment 45A in my name. I am advised my Amendment 64 is not in the right place, so I direct the Committee’s attention to Amendment 45A.
Last Monday there was considerable focus in our discussions on the vital need to ensure that legitimate research—especially medical research in the public interest based on the personal data of patients—was not impeded by the terms of this legislation by requiring re-consents that might well be unobtainable. The noble Lord, Lord Patel, spelled out the arguments with great cogency and I do not need to repeat them.
My amendment seeks to ensure that another category of medical activity is not prevented from continuing to give help. I refer to patient support groups. At Second Reading I spoke about Unique, a not-for-profit charity that enables research into, and offers support to, sufferers of rare chromosome disorders and their families. These disorders can and often do result in severe and even profound lifelong disability for which there is no cure.
Since I spoke, many other patient support organisations have been in touch with the same concerns. They support my amendment. They include Genetic Alliance, which comprises 190 organisations giving support to individuals with rare or incurable conditions, such as the Down’s Syndrome Association; the MPS Society, which supports individuals suffering from mucopolysaccharide disease; Alström Syndrome UK; Prader-Willi Syndrome Association; the MND Association for motor neurone disease; Action Duchenne, which supports those suffering from muscular dystrophy; Save Babies Through Screening Foundation, which focuses on infants with Krabbe disease; the Lily Foundation, which supports those with mitochondrial disease; the PCD Family Support Group, for primary ciliary dyskinesia; UKPIPS, Primary Immune-deficiency Patient Support; SMA Support for spinal muscular atrophy; Vasculitis UK; and Annabelle’s Challenge.
All these groups support the amendment I tabled. I could go on; there are others. I have listed them because I do not want it thought that there is in my amendment any suggestion of special pleading for a very small number of organisations. On the contrary, patient support groups are numerous and do unsung but irreplaceable work among individuals and families for whom life can be very hard.
What is the problem with the Bill? Schedule 1 lists a number of circumstances in which the special category of sensitive personal data can be processed without explicit consent for reasons of public interest. But patient support groups do not fall into the categories of organisations that can avail them themselves of this exemption, nor do the purposes for which they collect personal data qualify. This means that the Bill will oblige patient support groups which collect health information from their members either to re-contact everyone from their database to get renewed explicit consent, or to destroy or anonymise any data not re-consented.
On the face of it, this may seem perfectly reasonable, but it takes no account of the real-life situation of the individuals and their families which the patient support groups help. I explained at Second Reading how in reality carers, who may be the other side of the world, may not respond to communications but then, possibly years later, communicate to ask for help or get in touch to help each other. It is certainly wasteful and gratuitously harmful to require such data to be destroyed when it is the very basis on which these groups can offer relevant support. In the case of Unique, experience suggests that up to 50% of existing data would need to be destroyed, having been accumulated over 30 years, and thus lost for current and future research and sufferers. I am sure this cannot be the intended outcome of the Bill.
Anonymisation, which in some circumstances might be an acceptable answer, does not provide a solution in the case of support groups. Matching disease types enables support groups to give informed prognoses to the families of sufferers and to their clinicians, who individually may not have met such a rare condition before. They help with practical advice and put sufferers and their families in touch with each other, thus improving their prospects and relieving distress and loneliness. But to do this, they need access to names and addresses and special-category data of their members, because anonymous data are of absolutely no use in this context.
Medical research would also be the loser as the Bill stands. To take one example, the MND Association, the motor neurone support group, has more than 3,000 blood samples in its collection, cell lines and accompanying clinical information. This database has been and is used in a variety of research projects to look at potential causative genes. Samples will also be used to screen potential drugs. To all this, the personal data of the individuals concerned is essential and it is not guaranteed that they will always be capable of being re-contacted.
In this context, perhaps I may quote from a statement by Public Health England in support of the work of patient support groups:
“We are clear that patient registries, particularly for individuals with less common conditions, are one of the most valuable sources for the care, research and support of patients and their families. In many cases they are the only source of information on some disorders. Some collections stretch back many years. This historical record is essential for longitudinal studies and long term follow up … These searches can only be performed on well curated, identifiable data as people change their names and locations”.
Public Health England goes on to say that the question is about the adequacy of the consent obtained in the first place and whether it meets the enhanced rights of data subjects under the GDPR. Absolutely—there is no argument that the consent at the outset needs to be of a good standard so that subsequent use of personal data can be validly based on it.
My amendment would confine the special provision that I am proposing to members of organisations for specific purposes which I would hope we could all agree lie in the public interest. It would not open the floodgates to a collection of streams of unconsented personal data for undefined purposes. I therefore hope that the Government can agree to my amendment.
Data Protection Bill [HL]
Baroness Neville-Jones ExcerptsTuesday 10th October 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts
Baroness Neville-Jones (Con)
My Lords, it is a great pleasure to follow the right reverend Prelate, who has touched on one of the points that have attracted most attention since the Bill was published and began to generate comment. I also hope that the committee of the noble Lord, Lord Jay, might be able to give us some kind of report and assessment on GDPR because, while I think the Bill is important in its own right, it is quite awkward to discuss it in the absence of a very important part of the regulations that will apply in this country or any assessment of the linkages or potential disparities that may exist between the two. I beg that the committee might consider this a priority.
I think the House will agree that this is an important use of legislation, and its scope is—necessarily, I think—very large. There is no real activity in society these days that does not generate data that is processed in some way. Because of the scale of data creation—the figures are extraordinary—usage continues to grow exponentially and personal data is extremely bound up in all that. All of us are affected by the data world. It is increasingly obvious that the functioning of the economy and of public services depends on the availability, accuracy and security of data. It is also key to wealth creation. It has become very clear in the series of strategies that the Government are producing at the moment that data lies absolutely at the heart of the way in which this country will be able to make its way forward and remain a prosperous society, and therefore that we have to get the regulation of data right. It is the basis on which we will advance general knowledge and welfare in society.
The Government have produced a Bill that enables us to tackle detail, and it is the detail on which this House will focus in later stages. It is impossible in a discussion of this kind to do justice to all the angles. I shall in later stages want to focus on the cyber and national security elements, but today I shall focus on what I regard as a potential opportunity, provided we get the regulatory framework right. That is research, which has not featured much so far in our deliberations.
The abundance of datasets that society simply has not had before opens up to us the possibility of types of research which can lead us to enormous discovery and greater beneficial activity and welfare. For instance, it will enable medicine to be put on an essentially personalised rather than generic basis, and the UK should have a huge advantage in the longitudinal data that the NHS possesses, which no other country can rival. It ought to be something where we can make a real pitch for both advancing welfare and increasing wisdom, knowledge and wealth in our society. Obviously, that depends on the use of data being proper and the regulation of it not getting in the way, which is not a theoretical issue. Existing legislation, which comes largely from the EU, combined with the way in which the precautionary principle has sometimes been applied, means that some kinds of trials in some fields in this country have now become so difficult to conduct within the EU that companies engaging in them have decamped elsewhere—often to the United States—to the intellectual and commercial impoverishment of Europe. That is a practical illustration of how important it is to get the balance between trying to regulate against abuse and the opportunities that you should leave open.
As the UK leaves the EU, it will be essential—I use the word “essential”—for the UK to be able to demonstrate adequacy. I hope the Government will assure us on that point and produce the necessary regulatory framework to enable it to happen. Some very big issues here have already been mentioned and I will not repeat them. Adequacy does not mean that the UK should simply cut and paste all EU legal provisions where reliance on national law and derogations are real options in front of us. There are some where we should be availing themselves of them. Nor do we need to make privacy safeguards—which are very important—so demanding that they become self-defeating, standing in the way of benefiting patients, in the case of medicine, and the community more generally.
The Government have made it clear that they want the Bill to support research, which is extraordinarily welcome. I hope that when she replies, the Minister will be able to say something about how the Government will approach the changes that will be needed to deal with research issues in the UK. The Bill classes universities as public bodies, and universities lie at the core of the research community. It is fair enough for universities to be classed as public bodies—that is what they are—but the legislation then denies them the right to invoke public interest, or even legitimate interest, as a basis for their research, and thus obliges them to seek explicit consent when using data at every stage of processing. This becomes very onerous if you are doing a long study. That may on the face of it seem reasonable but, in practice, it can do real harm. The whole point of research is that often at the outset it cannot be 100% certain where it may lead or whether further processing or trials may be necessary. You can get a situation in which unexpected and unplanned-for research is available and could yield real dividends. That is especially true of interventional research. If, as a result of wanting to take it to a further stage, the data processing demands that there should be another round of explicit consent, you get into a situation whereby universities—unlike some of the public bodies in government, which do not have to follow this procedure—have to go round again to all those who offered their personal data in the first place. Seeking the consent of holders of the data anew may simply not be possible, especially in long-term research projects. People move house or become incapable; they also die.
Even if those problems can be overcome—and I think they are real—there is a question of proportionality. Why make consent so onerous that it makes research too difficult in practice and too costly to engage in? There needs to be greater proportionality on this issue and greater alignment between the various bodies that use data in this way, and there needs to be some alternative to consent as the basis for engaging in some kinds of research. Numerous government mechanisms are available, not least ethics committees, which are a key component of modern research and could provide the necessary safeguards against abuse. I recognise that there need to be safeguards, but I suggest that we should use some imagination in how they could be brought about.
In this country, we are very rich in research conducted by voluntary, not-for-profit and charitable bodies. They often supplement what the public sector and universities are unable or unwilling to do, but they do not find a place in this legislation, which posits that all research of value is conducted by “professional bodies”—a definition that excludes many organisations doing valuable work under the terms of the existing law. That law is to be tightened up, which may create difficulties. I am associated with one such organisation, and I want to give a tiny illustration of the problems that arise as a result of being outside the field of professional bodies.
I am involved with an organisation called Unique, which deals with rare genetic disorders, whereby datasets to be useful have to be gathered globally. The number of people with those afflictions is so tiny in any given population that you have to go across the globe to connect useful datasets, which means in turn that you come up against some of the provisions that govern transnational transmission of data. However, the rarity of such individual disorders also makes every patient’s data precious to other affected individuals, because it is potentially a very tight community. No other organisation is dealing with that affliction in that way, and Unique can give support and advice to otherwise lonely parents and their equally isolated medics, who turn to Unique for information about alike cases. There is a network there.
By insisting on onerous consent regimes, we are in danger of disabling such organisations from continuing their pioneering work. In Unique, it is not uncommon for parents who have not been in touch for a long time suddenly to turn to it with a request for help. Try telling families, many of whom are not in the UK but are in third countries, who are coping with the daily stress of caring for a disabled child or adult, that they must be sure to keep up online with the stringent requirements of UK data legislation and that failing to do so will mean that they run the severe risk of no longer being able to get the kind of individualised attention and support that they seek from the very organisations set up to help them. The problem is that the law will lay down the need for the regular reconsultation and re-consent of individuals in very precise ways, and that such individuals might not reply, not understanding the potential hazards involved in failing to do so. One might say that data anonymisation might solve the problem. It solves some problems, but it creates new ones in an organisation set up for certain purposes where the idea is that one fellow sufferer can help another. So piling difficulties on small organisations—there are other difficulties that I have not even mentioned—might lead ultimately to an unwanted outcome, which will be a reduction in effectiveness.
I am not pleading for essential provisions on privacy to be disregarded. That would not be a sensible plea. However, I suggest that we are still in the foothills of the data-driven world and, while it is right to demand rigorous standards and strict enforcement, that is not the same as passing narrow and inflexible legislation that will have unwanted and unnecessary side-effects. The research base of this country needs a wider base for lawful consent and this legislation should recognise that not all valuable research fits into normal categories. I would like the Government to think about the possibility that they should allow for the creation of governance and accountability regimes that will fit special circumstances—and I am sure that we will come across others as we go through this legislation. The existence of the Information Commissioner should not result just in enforcing the law effectively and well; it should provide an opportunity for creativity under her auspices and the ability to create variations on governance regimes where they are needed.