Data Protection and Digital Information Bill
Lord Anderson of Ipswich ExcerptsWednesday 24th April 2024
(1 week, 4 days ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-VII Seventh marshalled list for Grand Committee - (23 Apr 2024)
Baroness Sherlock (Lab)
My Lords, in moving Amendment 225, I will speak to the other amendments in this group. They cover two issues: first, the code of practice, which features in Part 2 of new Schedule 3B, inserted by the Bill into the Social Security Administration Act 1992. Paragraph 6(1) of new Schedule 3B says:
“The Secretary of State may issue a code of practice in connection with account information notices”.
Amendment 225 would change “may” to “must”. Paragraph 6(2) mentions some matters that a code “may” include and Amendment 226 would change that “may” to “must”.
Amendment 227 would ensure that a code of practice includes the criteria to be used by the Secretary of State in determining whether to issue account information notices—I will come back to criteria shortly. Amendment 230 would require the Government to consult on the draft code of conduct with consultees including the Social Security Advisory Committee and organisations that would have to comply with account information notices. Amendment 231 would require the code of practice and any revisions to it to be approved by both Houses of Parliament. The Secretary of State would still be able to withdraw a code of practice, but the ability to issue notices would lapse if no code were in force. Amendments 228, 229 and 232 are consequential.
The other matter covered in this group is how the Government report to Parliament on these notices. Amendment 233 amends new Schedule 3B to provide for annual reporting to Parliament on the use of account information notices. As well as requiring the provision of statistics around the use of such notices during the previous financial year, the amendment would compel the Secretary of State to outline his or her views on the proportionality and effectiveness of notices. I hope that the need for these amendments is self-evident. Ministers are proposing to take new powers of astonishing breadth, which will involve the ability to search the bank accounts of tens of millions of our citizens, most of whom will have done nothing wrong. There is still very little detail about how these powers could be, or will be, used.
I will address two particular sets of issues. The first is criteria. Paragraph 2 of new Schedule 3B explains that banks have to return information about matching accounts. As well as specifying the identity of the account holders, they have to meet certain risk criteria. The Bill, the Explanatory Memorandum and briefings always talk in terms of examples of those criteria, usually around capital limits or time abroad. But my understanding, which may be wrong—I invite the Minister to correct me if I am—is that the criteria could be anything related to eligibility for the benefits in question.
For example, the eligibility for some benefits includes being a single parent. Paragraph 2(2)(a) of new Schedule 3B says that an account information notice
“may require information relating to a person who holds a matching account even if the person does not claim a relevant benefit”.
On our last day in Committee, we established that that directly related to appointees, but that made me wonder whether it could apply to anybody else. For example, we also established that a notice could cover a joint account where one of the holders is the person to whom the benefit is paid and the other is not. Would this power allow DWP to ask banks to search for any accounts linked to any single parent and to examine those accounts for evidence that they and the other holder of a joint account might be living together? Would these powers allow DWP to devise any criteria designed to identify whether a claimant was living with another adult? To be clear, I am not asking whether it intends to do that or whether it knows how to do that. I am just asking whether it would be permissible. Is this a category of thing that it could do under the powers in the Bill?
Related to that, could DWP issue notices to a bank other than that into which the benefit is paid? Again, we have heard that the intention is to go only to the bank into which the benefit is paid, but I want to know specifically: does this Bill gives DWP the power to do that or would it need additional primary legislation to do it?
Secondly, the Bill does not say that notices can be given only to banks. It says that they can be given only to a “person of prescribed description”. The Information Commissioner said:
“I have been unable to identify where such persons are prescribed and the provision itself is silent on the matter”.
It is therefore unclear which organisations will be in scope of the power or how this will be determined. Can the Minister tell us any more about who will be covered and how that will be determined? Who could be subject to a notice? A bank or a building society could be, clearly, but could a credit union, a Christmas club savings scheme or any other financial body?
Paragraph 58 of the impact assessment on this part of the Bill says:
“This measure is drafted broadly to ensure it is future-proofed against future changes and innovation, particularly in the financial services sector, i.e. in Fintech and Crypto, and enable DWP to apply this measure to non-financial organisations in future if it is deemed appropriate and proportionate”.
Can the Minister give the Committee an example of a non-financial organisation that could be appropriate? Specifically, could this apply to, for example, phone companies? Given the open-ended nature of the powers being taken, one way for Ministers to give reassurance to both the Committee and the wider public would be to ensure that DWP is constrained by a clear and transparent code of practice over which Parliament has oversight and that it reports to Parliament on the way it is using these powers. If the Minister does not like the approach in this amendment, perhaps he could offer the Committee other forms of assurance in this area. I beg to move.
Lord Anderson of Ipswich (CB)
My Lords, I apologise to the Committee that duties elsewhere in the House prevented me from attending the last two debates on Monday and so from speaking to the amendments that I had tabled and signed. However, I have read the Official Report with care.
I cannot pretend to be a data protection nerd, or even a social security nerd, like some speakers in those debates, but I hope that I pass muster as a surveillance nerd, having written for the Home Secretary two of the reports that informed the Investigatory Powers Act 2016 and, more recently, a report that informed the Investigatory Powers (Amendment) Bill, which I see is to be given Royal Assent tomorrow.
I support all the amendments in the name of the noble Baroness, Lady Sherlock, in this group. Of course there must be a code of practice. Of course it must be consulted on and scrutinised. I would add that that of course we could not contemplate passing this schedule into law until we have seen and studied it. An annual report of the sort that accompanies the reasonable suspicion power to issue financial institution notices, exercised by HMRC under Schedule 36 to the Finance Act 2008, would also be useful. For example, it is from the last of those reports, dated January 2024, that I learned that these reasonable suspicion tax information powers were now being used to obtain location data—something that it had previously been said would not be done.
Dan Squires, one of the authors of the legal opinion that I know was referred to on Monday, is not only a King’s Counsel but a deputy High Court judge and a genuine expert in this area. He and his junior, Aidan Wills, point in that opinion to the personal nature of some of the data that could be harvested under the proposed power and advise that Schedule 11 does not come close to the safeguards required for compliance with Article 8. They refer in particular to the striking lack of clarity about the grounds on which and the circumstances in which the proposed power can be used, as well as to the absence of both independent authorisation and independent oversight. They point out that, although saving up to £600 million over five years is a very important objective, it weighs no more heavily—indeed, probably less heavily—than the normal justifications for obtaining information in bulk: protecting national security and the prevention and detection of serious crime. Their opinion is well referenced, persuasive and consistent with the view on proportionality expressed by both the Information Commissioner and the Constitution Committee, on which I sit.
On Monday, the Minister referred to the power in Schedule 23 to the Finance Act 2011 to obtain certain data items from particular classes of data holder—for example, employers and land agents. So I had a look at that schedule and the data-gathering regulations under its paragraph 1. The power would appear to apply only to certain tightly defined items, such as payments made by the employer or arising from use of land. There would appear to be a noticeable contrast with location data, personal spending habits and so on, which fall within the scope of the powers in this schedule, as they are written in the Bill. Both HMRC and the Home Office operate under powers tightly defined in legislation. Assurances that those powers will be used in a restrained way, as Justice has commented in its useful briefing on the Bill, simply do not cut it. I am afraid that the law requires the DWP to be subject to the same constraints.
I am concerned: concerned that this important new power was not subject to detailed consultation or even to scrutiny by a Commons Bill Committee, where useful evidence could have been heard; concerned that it could even have been contemplated that so vague a power might be in the Bill and not accompanied by a code of practice; concerned about the absence of an independent approval and oversight mechanism, equivalent to the Office for Communications Data Authorisations and the Investigatory Powers Commissioner’s Office; and concerned that, if we do not get this potentially valuable power right from the start, it will immediately be subject to legal challenges, which will swiftly render it unusable.
If, as I believe, Schedule 11 is currently unfit for purpose, is there time to rescue it? I have a couple of practical suggestions. First, I saw the investigatory powers unit from the Home Office when it happened to be in the House yesterday, and I wondered if there might be utility in it comparing notes with the Bill team about these types of powers and their attendant safeguards.
Secondly, I hope the Government appreciate the significance—at least to us nerds in the Committee—of the legal analysis of Dan Squires KC and Aidan Wills. If we are to be told that it is mistaken, which would certainly be unusual, I for one would like to see that backed up by an opinion from a lawyer of equivalent stature, whether at the GLD or independent counsel, explaining precisely and persuasively why Mr Squires and Mr Wills are wrong. Otherwise, and without significant change of the type identified in the opinion, I am afraid I am not inclined to give this schedule the benefit of the doubt.
I signed up to the stand part notice of the noble Baroness, Lady Kidron, thinking it would at least be a platform to think about what amendments to the schedule might be needed. The more I read the schedule and the more I hear about it, the more I am driven to the conclusion that, if we do not see substantial change, opposing the schedule may be the way that we have to go at the next stage.
Lord Davies of Brixton (Lab)
In the two previous groups, I raised pension credit, and it is notable that the noble Viscount the Minister has not responded on that point. As such, my automatic assumption is that he believes that the implementation of these powers will deter people from seeking pension credit, which is contrary to the Government’s declared policy to encourage people. I mention that in passing, given this opportunity.
My other moan is about the impact assessment; there is none. I do not like the impact assessment that we have. It is a totally impenetrable and meaningless document, which is clearly there just as a matter of form rather than as a serious attempt to try to inform participants in these debates about what is in the Bill and what impact it will have on people and organisations.
My specific points are broadly in line with the points raised by UK Finance, the overall organisation for financial organisations, including banks and insurance companies, which continues to have serious concerns about these provisions. I think we should listen carefully to what it says. In particular, if we are going to have these powers then, in line with the amendments tabled by my noble friend Lady Sherlock, we have to make sure that they are introduced in an effective way that appreciates the vulnerabilities of customers.
The Parliamentary Under-Secretary of State, Department for Work and Pensions (Viscount Younger of Leckie) (Con)
My Lords, this has been a somewhat shorter debate than we have been used to, bearing in mind Monday’s experience. As with the first two groups debated then, many contributions have been made today and I will of course aim to answer as many questions as I can. I should say that, on this group, the Committee is primarily focusing on the amendments brought forward by the noble Baroness, Lady Sherlock, and I will certainly do my very best to answer her questions.
From the debate that we have had on this measure, I believe that there is agreement in the Committee that we must do more to clamp down on benefit fraud. That is surely something on which we can agree. In 2022-23, £8.3 billion was overpaid due to fraud and error in the benefit system. We must tackle fraud and error and ensure that benefits are paid to those genuinely entitled to the help. These powers are key to ensuring that we can do this.
I will start by answering a question raised by the noble Lord, Lord Anderson—I welcome him to the Committee for the first time today. He described himself as a “surveillance nerd”, but perhaps I can entreat him to rename himself a “data-gathering nerd”. As I said on Monday, this is not a surveillance power and suggesting that it is simply causes unnecessary worry. This is a power that enables better data gathering; it is not a surveillance or investigation power.
The third-party data measure does not allow the DWP to see how claimants spend their money, nor does it give the DWP access to millions of people’s bank accounts, as has been inaccurately presented. When the DWP examines the data that it receives from third parties, this data may suggest that there is fraud or error and require a further review. This will be done through our normal, regular, business-as-usual processes to determine whether incorrect payments are indeed being made. This approach is not new. As alluded to in this debate, through the Finance Act 2011, Parliament has already determined that this type of power is proportionate and appropriate, as HMRC already owns similar powers regarding banking institutions and third parties in relation to all taxpayers.
I listened very carefully to the noble Lord and will, however, take back his points and refer again to our own legal team. I think the point was made about the legality of all this. It is a very important point that he has made with all his experience, and I will take it back and reflect on it.
Lord Anderson of Ipswich (CB)
I take the Minister’s point and I will settle for the appellation “investigatory powers nerd”; I am quite happy with that. Does the Minister agree with me, however, that the legal difficulty —we see this with the other bulk powers already in our law—is that Article 8 of the European convention locks in not when a human eye gets stuck into the detail, but as soon as a machine harvests the data in bulk? Most of that data relates to people in respect of whom there could be no possible suspicion. Satisfying the requirements of necessity and proportionality must be done even at that stage. I understand that that is awkward and I am sure a lot of people would prefer that it was otherwise, but that is, as I understand it, the law. That renders the distinction that the Minister seeks to draw between data gathering and surveillance perhaps slightly difficult to maintain.
Viscount Younger of Leckie (Con)
If I may just answer that question from the noble Lord, Lord Anderson; I think it is important to take one question at a time.
I have every sympathy with what the noble Lord has said. As I mentioned on Monday, points could easily raised about that—I think it may have been the noble Baroness, Lady Kidron, who raised points about computers and their robustness. This is the very point that we agree with. It is incredibly important and we have started already to draw up a proper code of practice to work with the banks on how this will actually work. We need continued time to work these issues through. I also made the point on Monday that, at the end of the day, a human being will be there—must be there—to determine where we go from there.
Lord Anderson of Ipswich (CB)
In relation to the code of practice, which I am glad the Minister mentioned, we have just seen the Investigatory Powers (Amendment) Bill through this place. It makes some relatively minor changes to the powers of the intelligence agencies to harvest data in bulk and, to ensure the orderly passage of that Bill through both Houses of Parliament, the key excerpts of the draft code of practice were made available before Committee in either House to enable it to be properly scrutinised. We seem to have left it terribly late in the day still to be talking about a draft code of practice on this Bill, which we have not even seen. Can the Minister assure us that before we come to Report, that code of practice will be available in draft?
Viscount Younger of Leckie (Con)
Indeed, I was going to come on to that later in my remarks, particularly to address the points raised by the noble Baroness, Lady Sherlock. We need the necessary time to continue to develop this code of practice, and that is particularly important in respect of this measure. The answer is no, I cannot guarantee to have the code of practice ready by Report. Indeed, I am saying that it will be ready sometime in the summer. It is important to make that point but also a further one, which is that there are many instances, as the noble Lord will know, when a code of practice is finalised and brought forward after the primary legislation is brought through, and this is one of those cases. That is not abnormal but normal. The noble Lord may not like it but there is considerable precedent for that to happen.
Viscount Younger of Leckie (Con)
I appreciate the tone of the noble Lord and, if there is anything that comes from behind me before I conclude my remarks, to be helpful, I will certainly do that.
Our debates on this measure have covered many issues. This group, as mentioned earlier, focuses primarily on the operational delivery of the power, so it would be quite good to move on. Just before I do, for the benefit of the noble Lord, Lord Anderson, in terms of the late introduction—his words—of this measure, as mentioned on Monday the DWP published a fraud plan in May 2022, where it outlined a number of new powers that it would seek to secure when parliamentary time allowed. In the parliamentary time available, DWP has prioritised our key third-party data-gathering measure, which will help it to tackle one of the largest causes of fraud and error in the welfare system. That is a short version of what I said on Monday, but I hope that it might be helpful.
Before I turn to the amendments, it might be helpful to set out how the legislation will frame the delivery of this measure. When we issue a request for data to a third party or, as it is set out, an account information notice or AIN, which is in the Bill, we can only ask it to provide data where it may help the DWP to establish whether benefits have been properly paid in accordance with the rules relating to those benefits. As mentioned earlier, this is defined clearly at paragraph 1(2) of the new schedule. This is where the data that DWP receives may signal—to use the word raised by the noble Lord, Lord Clement-Jones—potential fraud and error. The noble Lord asked for further clarification on that point. To be clear, a signal of fraud and error is where the rules of benefit eligibility appear not to be met. For example, this might be where a claimant has more capital than the benefit rules allow. As I made clear on Monday, all benefits and payments have rules that determine eligibility, which Parliament has agreed are the right rules in its consideration of other social security legislation. To issue an AIN, we must also have designated a third party in affirmative regulations, which need to be passed by both Houses.
As has been covered, we can also only request data from third parties where there is this relationship, which I will not repeat again and which I think the Committee will be familiar with. Our intention is to designate banks and financial institutions as the first third parties that we can approach, enabling us to request information on accounts only held in the UK. Just to clarify that point, we will not be able to request information on overseas accounts.
On the question raised by the noble Baroness, Lady Sherlock, on examples of non-financial organisations that the power could appropriately be used on, we will bring forward regulations to specify the data holders in scope. I hope that this is helpful. In the first instance, this will be, as mentioned, banks and financial institutions. The power also has potential use cases with other third parties, such as housing or childcare providers, but, just to reassure the Committee, this would be subject to further parliamentary approval.
Lord Anderson of Ipswich (CB)
I am grateful to the Minister—I am just trying to catch up. On the point that he made about regulations, I imagine that the power to prescribe the descriptions of persons to whom an account information notice may be sent comes under paragraph 1(1) of the schedule. I think that that is what he was saying. In paragraph 2, on the content of the account information notices, there is a reference to
“other specified information relating to the holders of those accounts, and … such further information in connection with those accounts as may be specified”.
Does that simply mean anything specified in the account information notice or is there a power to make regulations that will limit the types of information that can be specified in an AIN?
Viscount Younger of Leckie (Con)
Again, I hope that I might have covered this earlier. If I read the noble Lord’s question correctly, the definitions will need to be debated by both Houses. I have made clear what we are bringing in at the moment for banks and financial institutions, but this will need to be looked at by both Houses in future. I hope that that is clear.
Lord Anderson of Ipswich (CB)
I apologise; I did not make myself clear. I think that we are on entirely the same wavelength on the persons to whom an information notice can be given; the Minister has reassured us that they will be specified in regulations and considered by both Houses. My question relates to the content of an account information notice under paragraph 2 and the very broad references to “other specified information”, “such further information” and so on. I did not read that as a regulation-making power. I rather assume that the discretion over the choice of information that is specified remains entirely at large. If the Minister is saying that there will be regulations that will specify the information that an AIN can include, hence mitigating the breadth of paragraph 2, I would be glad if he could make that clear.
Viscount Younger of Leckie (Con)
My understanding —with his experience, I am sure that the noble Lord will be ahead of me on this—is that this is defined. We define it pretty clearly in paragraph 1(2). In the interests of time, I will reflect on what he has asked and will be absolutely sure to add this to the letter that I pledged to write on Monday—it is getting bigger by the moment, as I fully expected.
Viscount Younger of Leckie (Con)
I can reassure the noble Lord that that is the case, yes.
Lord Anderson of Ipswich (CB)
I do not know whether I can help. I agree with the noble Baroness: I do not think it is very clear from paragraph 1(1) that there is a regulation-making power. However, if you look at paragraph 5 of the new schedule, there is a reference there to regulations under paragraph 1(1) as well as two other paragraphs of the schedule. That is the rather tortuous route by which I came to the conclusion that the Minister is quite right.
Viscount Younger of Leckie (Con)
I reassure noble Lords that is correct—it is paragraph 1(1). It may be rather complex, but it is in there, just to reassure all noble Lords.
Data Protection and Digital Information Bill
Lord Anderson of Ipswich ExcerptsMonday 15th April 2024
(2 weeks, 6 days ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-IV(a) Amendment for Grand Committee (Supplementary to the Fourth Marshalled List) - (15 Apr 2024)
Lord Clement-Jones (LD)
That was a very good conclusion to the response from the noble Lord, Lord Bethell—urging a Minister to lean in. I have not heard that expression used in the House before, but it is excellent because, faced with a Home Office Minister, I am sure that is the kind of behaviour that we can expect imminently.
Last time we debated issues relating to national security and data protection, the noble Lord, Lord Ashton, was the responsible Minister and I had the support of the noble Lord, Lord Paddick. Now I have the Minister all to myself on Amendments 135A to 135E and the stand part notices on Clauses 28 to 30. These Benches believe that, as drafted, these clauses fall foul of the UK’s obligations under the ECHR, because they give the Home Secretary too broad a discretion and do not create sufficient safeguards to prevent their misuse.
Under the case law of the European Court of Human Rights, laws that give unfettered or overly broad discretion to the Government to interfere with privacy will violate the convention, because the laws must be sufficiently specific to prevent abuses of power. This means they must make sure that, any time they interfere with the privacy of people in the UK, they obey the law, have a goal that is legitimate in a democratic society and do only what is truly necessary to achieving that goal. The court has repeatedly stressed that this is what the rule of law means; it is an essential principle of democracy.
Despite multiple requests from MPs, and from Rights and Security International in particular, the Government have also failed to explain why they believe that these clauses are necessary to safeguard national security. So far, they have explained only why these new powers would be “helpful” or would ensure “greater efficiency”. Those justifications do not meet the standard that the ECHR requires when the Government want to interfere with our privacy. They are not entitled to do just anything that they find helpful.
Under Clause 28(7), the Home Secretary would be able to issue a national security certificate to tell the police that they do not need to comply with many important data protection laws and rules that they would otherwise have to obey. For instance, a national security certificate would give the police immunity when they commit crimes by using personal data illegally. It would also exempt them from certain provisions of the Freedom of Information Act 2000. The Bill would expand what counts as an intelligence service for the purposes of data protection law—again, at the Home Secretary’s wish. Clause 29 would allow the Home Secretary to issue a designation notice, allowing law enforcement bodies to take advantage of the more relaxed rules in the Data Protection Act 2018, otherwise designed for the intelligence agencies whenever they collaborate with the security services.
Both the amended approach to national security certificates and the new designation notice regime would be unaccountable. The courts would not be able to review what the Government are doing and Parliament might therefore never find out. National security certificates are unchallengeable before the courts, meaning that the police and the Home Secretary would be unaccountable if they abused those powers. If the Home Secretary says that the police need to use these increased—and, in our view, unnecessary—powers in relation to national security, his word will be final. This includes the power to commit crimes.
As regards designation notices, the Home Secretary is responsible for approving and reviewing their use. Only a person who is directly affected by a designation notice will be able to challenge it, yet the Home Secretary would have the power to keep the notice secret, in which case how could anybody know that the police had been snooping on their lives under this law?
Clauses 28 to 30 could, in our view, further violate the UK’s obligations under the Human Rights Act 1998 and the European Convention on Human Rights because they remove the courts’ role in reviewing how the Government use their surveillance power. The European Court of Human Rights has ruled in the past that large aspects of the law previously governing the UK’s surveillance powers were unlawful because they gave the Government too much discretion and lacked important safeguards to prevent misuse. Clauses 28 to 30 could be challenged on similar grounds, and the court has shown that it is willing to rule on these issues. These weaknesses in the law could also harm important relationships that the UK has with the EU as regards data adequacy, a subject that we will no doubt discuss in further depth later this week.
The Government argue that the clauses create a simplified legal framework that would improve the efficiency of police operations when working with the intelligence services. This is far from meeting the necessity standard under the ECHR.
The Government have frequently used the Fishmongers’ Hall and Manchester Arena attacks to support the idea that Clauses 28 to 30 are desirable. However, a difference in data protection regimes was not the issue in either case; instead, the problem centred around failures in offender management, along with a lack of communication between the intelligence services and local police. The Government have not explained how Clauses 28 to 30 would have prevented either incident or why they think these clauses are necessary to prevent whatever forms of violence the Government regard as most likely to occur in the future. The Government have had sufficient opportunity to date to explain the rationale for these clauses, yet they have so far failed to do so. For these reasons, we are of the view that Clauses 28 to 30 should not stand part of the Bill.
However, it is also worth putting down amendments to try to tease out additional aspects of these clauses, so Amendments 135A and 135D would put proportionality back in. It is not clear why the word “proportionality” has been taken out of the existing legislation. Similarly, Amendment 135B attempts to put back in the principles that should underpin decisions. Those are the most troubling changes, since they seem to allow for departure from basic data protection principles. These were the principles that the Government, during the passage of the Data Protection Act 2018, assured Parliament would always be secure. The noble Lord, Lord Ashton of Hyde, said:
“People will always have the right to ensure that the data held about them is fair and accurate, and consistent with the data protection principles”.—[Official Report, 10/10/17; col. 126.]
Thirdly, on the introduction of oversight by a judicial commissioner for Clause 28 certificates, now seems a good time to do that. During the passage of the Data Protection Act through Parliament, there was much debate over the Part 2 national security exemption for general processing in Section 26 and the national security certificates in Section 27. We expressed concern then but, sadly, the judicial commissioner role was not included. This is a timely moment to suggest that again.
Finally, on increasing the oversight of the Information Commissioner under Amendment 135E, I hope that this will be an opportunity for the Minister, despite the fact that I would prefer to see Clauses 28 to 30 not form part of the Bill, to explain in greater detail why they are constructed in the way they are and why the Home Office believes that it needs to amend the legislation in the way it proposes. I beg to move.
Lord Anderson of Ipswich (CB)
My Lords, I come to this topic rather late and without the star quality in this area that has today been attributed to the noble Lord, Lord Kirkhope. I acknowledge both the work of Justice in helping me to understand what Clause 28 does and the work of the noble Lord, Lord Clement-Jones, in formulating the probing amendments in this group. I echo his questions on Clause 28. I will focus on a few specific matters.
First, what is the difference between the existing formulation for restricting data protection rights “when necessary and proportionate” to protect national security and the new formulation,
“when required to safeguard national security”?
What is the purpose of that change? Does “required” mean the same as “necessary” or something different? Do the restrictions not need to be proportionate any more? If so, why? Could we have a practical example of what the change is likely to mean in practice?
Secondly, why is it necessary to expand the number of rights and obligations from which competent law enforcement authorities can be exempted for reasons of national security? I can understand why it may for national security reasons be necessary to restrict a person’s right to be informed, right of access to data or right to be notified of a data breach, as under the existing law, but Clause 28 would allow the disapplication of some very basic principles of data protection law—including, as I understand it, the right to have your data processed only for a specified, explicit and legitimate purpose, as well as the right to have decisions made about you not use solely automated methods.
Thirdly, as the noble Lord, Lord Clement-Jones, asked, why is it necessary to remove the powers of the Information Commissioner to investigate, to enter and inspect, and, where necessary, to issue notices? I appreciate that certificates will remain appealable to the Upper Tribunal by the person directly affected, applying judicial review principles, but that is surely not a substitute for review by the skilled and experienced ICO. Apart from anything else, the subject is unlikely even to know that they have been affected by the provisions, given that a certificate would exempt law enforcement from having to provide information to them. That is precisely why the oversight of a commissioner in the national security area is so important.
As for Clauses 29 and 30, I am as keen as anybody to improve the capabilities for the joint processing of data by the police and intelligence agencies. That was a major theme of the learning points from the London and Manchester attacks of 2017, which I helped to formulate in that year and on which I reported publicly in 2019. A joint processing regime certainly sounds like a good idea in principle but I would be grateful if the Minister could confirm which law enforcement competent authorities will be subject to this new regime. Are they limited to Counter Terrorism Policing and the National Crime Agency?
Lord Anderson of Ipswich (CB)
The Minister left us on a tantalising note. He was unable to say whether the law enforcement organisations affected by these clauses will be limited to Counter Terrorism Policing and the NCA or whether they will include others as well. I am rather at a loss to think who else might be included. Do we really have to wait for the affirmative regulations before we can be told about that? It seems pretty important. As the Minister knows well, there are quite a few precedents—following some recent ones—for extending to those bodies some of the privileges and powers that attach to the intelligence agencies. I suspect that a number of noble Lords might be quite alarmed if they felt that those powers or privileges were being extended more widely—certainly without knowing, or at least having some idea, in advance to whom they might be extended.
While I am on my feet and causing mischief for the Minister, may I return to the rather lawyerly question that I put to him? I do not think I had an answer about the formulation in new Section 78A, which talks about an exemption applying
“if exemption from the provision is required for the purposes of safeguarding national security”.
What does “required” mean? Does it simply mean the same as “necessary”—in which case, why not stick with that? Or does it mean something else? Does it mean that someone has required or requested it? It could be a pretty significant difference and this is a pretty significant ambiguity in the Bill. If the Minister is not willing to explain it now, perhaps he will feel able to write to us to explain exactly what is meant by replacing the well-worn phrase “necessary and proportionate” with “required”.
Lord Sharpe of Epsom (Con)
I thank the noble Lord for that. It is a lawyerly question and, as he knows, I am not a lawyer. With respect, I will endeavour to write and clarify on that point, as well as on his other good point about the sorts of authorities that we are talking about.
Advanced Artificial Intelligence
Lord Anderson of Ipswich Excerpts(9 months, 2 weeks ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Anderson of Ipswich (CB)
My Lords, machine learning models, most famously AlphaFold, have a well-known role in the discovery of useful drugs. Drugs need to be safe, so open-source toxicity datasets are used to screen new molecules and discard those which are predicted to be toxic—a justly celebrated benefit of artificial intelligence.
On a darker note, suppose that a bad actor wishes to create a new nerve agent. They could take an open-source generative model and set it to work with the same toxicity dataset but with the instruction to seek out, rather than avoid, molecular structures predicted to be toxic. There will be false positives and the molecule, once identified, would still have to be synthesised, but it is now feasible to find multiple previously unknown chemical warfare agents with little more than a computer and an internet connection—as shown in a recent paper published after some agonising, and as footnoted in last month’s thought-provoking Blair/Hague report.
Crimes, as well as threats to national security, can be facilitated by AI techniques. Take high-value spear phishing, historically a labour-intensive enterprise. The diffusion of efficient and scalable AI systems will allow more actors to carry out such attacks, at a higher rate and volume, on targets who can be researched by data extraction attacks or scraping social media and can be more cunningly deceived with the help of speech synthesis systems and fake images. Similar disinformation techniques will no doubt be used by others to diminish our capacity to know what is real, and thus to threaten our democracy.
Democracy is not a suicide pact; accordingly, those who protect us from serious crime and threats to our security must themselves be able to use AI, subject to legal constraints founded on civil liberties and set by Parliament. My independent review of the Investigatory Powers Act, concentrating particularly on the work of the UK’s intelligence community, UKIC, was presented to the Prime Minister in April and quietly published last month. As part of this most timely debate, which I congratulate my noble friend Lord Ravensdale on securing, I will summarise three of its conclusions.
First, as one would hope, UKIC makes use of AI. It underlies existing capabilities such as cyber defence against malicious actors and the child abuse image database. UKIC has for many years employed machine learning automation techniques such as image-to-text conversion, language translation, audio processing and the use of classifiers to pick information of interest out of huge datasets. Models can be trained on labelled content to detect imagery of national security concern, such as weapons, allowing the work of human analysts to be focused on the most promising images. Other techniques of significant potential value include speech to text and speaker identification.
Secondly, UKIC itself, and those entrusted with its oversight, are alert to the ethical dilemmas. IPCO’s Technology Advisory Panel—a body recommended in my bulk powers review of 2016 and ably led by the computer scientist Professor Dame Muffy Calder—is there to guide the senior judicial commissioners who, quite rightly, have the final say on the issue of warrants. The CETaS research report published in May, Privacy Intrusion and National Security in the Age of AI, sets out the factors that could determine the intrusiveness of automated analytic methods. Over the coming years, the focus on how bulk data is acquired and retained may further evolve, under the influence of bulk analytics and AI, towards a focus on how it is used. Perhaps the Information Commissioner’s Office, which already oversees the NCA’s use of bulk datasets, will have a role.
Thirdly, in a world where everybody is using open-source datasets to train large language models, UKIC is uniquely constrained by Part 7 of the Investigatory Powers Act 2016. I found that these constraints—designed with different uses in mind, and comparable to the safeguards on far more intrusive powers such as the bulk interception of communications—impinge in certain important contexts on UKIC’s agility, on its co-operation with commercial partners, on its ability to recruit and retain data scientists, and, ultimately, on its effectiveness. My conclusion was that a lighter-touch regime should be applied, with the consent of a judicial commissioner, to certain categories of dataset in respect of which there is a low or no expectation of privacy. That would require a Bill to amend the IPA. I do not always welcome Home Office Bills, but I hope this one will come sooner rather than later.