Lord Mitchell
Main Page: Lord Mitchell (Labour - Life peer)Department Debates - View all Lord Mitchell's debates with the Home Office
Data Protection Bill [HL]
Lord Mitchell ExcerptsTuesday 10th October 2017
(6 years, 6 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts
Lord Mitchell (Non-Afl)
My Lords, the Data Protection Act was introduced in 1998. In those days, Facebook, Google and Uber did not exist, Amazon was barely four years old, Apple was tottering under the imminent threat of bankruptcy, search engines were rudimentary, as was the internet itself, and it would be another nine years until the iPhone would be launched. It was, indeed, a very different world. While I welcome the Bill, it remains a fact that when it becomes an Act next year it will be 20 years since its predecessor was enacted. Information and digital technology are growing exponentially. No other industry in the history of the world has even come close to this rate of growth. Legislation needs to match and anticipate the speed of these developments. Certainly, we cannot wait until 2037 for the next Data Protection Act.
Today I am going to raise three issues, which I would like the Minister to respond to. They all centre on the dominant and predatory behaviour of the American big tech giants. I will give your Lordships a striking example of such behaviour from one of them: Apple. In an ideal world, I would like every Member here who has an iPhone to take it out and turn it on, but that probably contravenes the Standing Orders of your Lordships’ House. So I will do the next best thing: I will set out five iPhone directions and, in the cool of the evening, when noble Lords have Hansard in front of them, they can replicate what I am now going to demonstrate.
Click on Settings, then Privacy, then Location Services. Then scroll all the way down until you see System Services, and then scroll halfway down and click on something called Significant Locations. If you are a little behind the times and do not have iOS 11, it is called Frequent Locations. You will probably be asked for a password. Then you will see History and a list of locations. Click on any one of them. Your Lordships will be staggered by what is revealed: every single location that you have visited in the past month—when you arrived, when you left, how long you stayed—all this very private and confidential information is starkly displayed. Who gave Apple permission to store this information about me on my iPhone? It is the default setting, but Apple never asked me. It will argue, of course, that it is private information and it has no access to it—maybe. If you think about it, the opportunities for snooping on people very close to you are endless and dangerous. Now the latest iPhone, the iPhone 8, has facial recognition. It does not take much imagination to work out how somebody could get access to a close member of your family and find out where they have been for the past month, without their permission to do it.
I think it was the noble Baroness, Lady Kidron, who spoke about Apple and its terms and conditions. She said that they were longer than “Hamlet”. I read that the iTunes terms and conditions were longer than “Macbeth”. Well, “Macbeth” or “Hamlet”, whatever it is, it is an awful lot of words. Of course, you have no opportunity to change those terms and conditions. You either agree or disagree. If you disagree, you cannot use the phone. So what choice do you have?
I see this as typical big tech behaviour. These companies run the world according to their rules, not ours. I have long campaigned against the cavalier approach of big tech companies in all aspects of business and personal life. These include Facebook, Amazon, Microsoft, Google and, of course, Apple. I was going to make some quip about the west-coast climate and the breezes of the west coast, but I guess with the news of the past two days that is probably not a good thing to be doing. Big tech companies have become mega-libertarians, positioning themselves above Governments and other regulators. They say they are good citizens and abide by the law. They have corporate mantras which say, “Do no evil”, but they stash away hundreds of billions of stateless, untaxed dollars. They promote end-to-end encryption. They are disingenuous when foreign Governments try to influence democratic elections. Perhaps they do no evil, but neither are they the model citizens they say they are.
So full marks to EU Commissioner Margrethe Vestager for bringing Apple, Google and Amazon to task, and full marks to President Macron for his efforts to set up an EU-wide equalisation tax to ensure that corporation tax is based on revenue, not creative accounting. I know that this is a DCMS Bill and international taxation is outside the Minister’s brief, but I have heard the Prime Minister criticise these tax dodges by big tech so I ask him or his colleagues in the Treasury: will the Government support the French President in this campaign?
I now turn to another area which is giving me great concern, which is digital health and health information in general. One of the great treasures we have in this country concerns our population’s health records. The NHS has been in existence since 1948 and in those 70 years the data of tens of millions of patients have been amassed. They are called longitudinal data, and they are a treasure trove. Such data can be instrumental in developing drugs and advanced medical treatment. Few other countries have aggregated such comprehensive health data. It puts us in pole position. However, in 2016 Royal Free London NHS Foundation Trust sold its rights to its data to a company called DeepMind, a subsidiary of—yes, noble Lords have guessed it—Google. The records of 1.6 million people were handed over. In June this year, Taunton and Somerset NHS Foundation Trust signed a similar deal with DeepMind. The data are being used to create a healthcare app called Streams, an alert, diagnosis and detection system for acute kidney injury, and who can object to that? However, patients have not consented to their personal data being used in this way.
Ms Elizabeth Denham, the Information Commissioner, has said that the Royal Free should have been more transparent and that DeepMind failed to comply with the existing Data Protection Act, but the issue is much graver than not complying with the Act. I do not know this for sure, but if I had to bet on who negotiated the better deal, Google or the Royal Free, I know where my money would be. DeepMind will make a fortune. I put this to the Minister: does he agree that NHS patient data are a massive national asset that should be protected? Does he agree that this mass of patient data should not be sold outright in an uncontrolled form to third parties? I know the NHS is strapped for cash, but there are many better ways of maximising returns. One way would be for NHS records to be anonymised and then licensed rather than sold outright, as is common with much intellectual property. I also believe that the NHS should have equity participation in the profits generated by the application of this information. After all, to use the vernacular of venture capital, it, too, has skin in the game.
As today’s debate has shown, there are fundamental questions that need to be answered. I have posed three. First, what protection will we have to stop companies such as Apple storing private data without our express permission? Secondly, will the UK support the French President in his quest for an equalisation tax aimed at big tech? Finally, how can we protect key strategic data, such as digital health, from being acquired without our permission by the likes of Google?
Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Lord Mitchell
Main Page: Lord Mitchell (Labour - Life peer)Department Debates - View all Lord Mitchell's debates with the Department for Digital, Culture, Media & Sport
Data Protection Bill [HL]
Lord Mitchell ExcerptsWednesday 10th January 2018
(6 years, 3 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Lord Mitchell
“(j) maintain a register of publicly controlled personal data of national significance;(k) prepare a code of practice which contains practical guidance in relation to personal data of national significance.(2) For the purposes of sub-sub-paragraphs (j) and (k) of paragraph (1), personal data controlled by public bodies is data of national significance if, in the opinion of the Commissioner, —(a) the data furthers collective economic, social or environmental well-being,(b) the data has the potential to further collective economic, social or environmental well-being in future, and(c) financial benefit may be derived from processing the data or the development of associated software.”
Lord Mitchell (CB)
My Lords, I will also speak to Amendment 108. The points I am addressing were glossed over in Committee, and I now wish to expand on this important issue.
Data is the new oil. This has been said many times in your Lordships’ House, but as each day passes it becomes more true. Without stretching the analogy too far, in our country big data is about to become the 21st-century equivalent of North Sea oil. Because big data has such value, it will come as no surprise to see big tech companies swarming all over it. They have to because it is their lifeline. Many of our public bodies, particularly the NHS, are custodians of massive amounts of data, which big tech is eager to get its hands on. But we as legislators who act for the public good also have a responsibility to ensure that the public are protected and that, simply put, our treasure is not taken from us without clear authority or appropriate recompense. The data the public bodies hold belongs to us all. It is ours—our communal property—and we must tread carefully.
I will make one point as strongly as I can. I am a product of the data revolution; I have been professionally involved in the digital industry for over 50 years. For 40 of those I was an IT serial entrepreneur. This industry has been good to me; I fully understand that the tech sector needs light regulation. I know that at its best the digital revolution is a force for good but, equally, I know the dangers it poses, so I am trying to be cautious in what I propose. We stand at a crossroads. Computing power has reached astronomical capabilities, software is increasingly complex and artificial intelligence is now making dramatic inroads. Plus, we see the exponential availability of digital data. All these have contributed to the creation and brilliance of algorithms. The one thing we know for certain is that these exciting developments will keep on growing at exponential rates. In medicine, for example, new tools are being developed that are already enhancing diagnostic and treatment capabilities that could benefit all manner of healthcare, in particular our ageing population.
I welcome these developments, as I am sure we all do, many of which have come from our own private sector, and we should rejoice at this example of British expertise. However, at the same time we need to strike a balance between the ambitions of 21st century businesses and the responsibility of government to steward assets and resources of national significance so that the proceeds of technological developments benefit us all. My two amendments seek to codify how valuable, publicly controlled personal data is shared with big tech companies, and to ensure that financial returns, combined with wider social, economic and environmental benefits, are optimised.
I can best demonstrate the scale of this issue if I refer to the NHS. Ever since its formation in 1948—maybe they were kept even before that—the NHS has kept records of tens of millions of patients, literally from cradle to grave. These records are either in written form, or increasingly in digital format, but the magnitude of the collected data is huge. Very few countries can match the length and depth of the health records that the NHS is trusted to retain on behalf of the general public. Such data is called longitudinal data and, when it is bundled together, has great commercial value.
At Second Reading I gave the example of a company called DeepMind, which is a British subsidiary of Google. I visited DeepMind, which is an impressive organisation based here in London. It has purchased access to millions of anonymised data records from institutions such as the Royal Free and Moorfields Eye Hospital. It does not buy this data outright—it does not have to. It simply buys access. Such access enables it and companies like it to use very powerful computers and very sophisticated software to process millions of records with the help of artificial intelligence and machine learning.
This synthesising of data using AI capabilities is designed to produce algorithms, and it is these algorithms that become the product that companies such as DeepMind are able to monetise. They do this by selling the algorithms and their consulting services to the likes of pharmaceutical companies and healthcare providers and even back to the NHS itself. It is a global business and very profitable. At the Royal Free, these algorithms are being used to detect the early onset of kidney disease. At Moorfields Eye Hospital, also here in London, spectacular advances have occurred in similarly detecting potential optical problems.
This is data processing used for the benefit and enhancement of all mankind and we should welcome it. However, I am concerned that this precious and unique data is being offered to big tech companies by our public bodies in the absence of clear and consistent guidelines and without asking how best to obtain value for money in the broadest sense of the term.
Having dealt with big tech companies for most of my life, I know that they are staffed with exceptionally clever people and are no slouches at driving hard bargains. Unlike our NHS, they are not consumed with the day-to-day preoccupation of trying to balance their current budgets; with hundreds of billions of dollars in the bank, they can afford to play the long game, and it is easy to see who holds the aces in any negotiation. Put simply, I wish to protect our public bodies and ensure that we do not give away our inheritance. That is why we need to codify how we will obtain value for money from the sharing of data of national significance with the private sector.
My proposal is not just for the NHS and it is not just for now. All public bodies need protection and guidelines today and well into the future. That is why I have introduced my amendments. In Amendment 107B I seek, first, to require the Information Commissioner to maintain a register of publicly controlled personal data of national significance and, secondly, to prepare a code of practice containing practical guidance in relation to personal data of national significance. These are defined in subsection (2). In Amendment 108 I have set out the requirements of the code on personal data of national significance.
Lord Clement-Jones
My Lords, I want briefly to express sympathy with the noble Lord, Lord Mitchell. I share many of his concerns but essentially I think that we should look on the most optimistic side. I hope that he is also really describing the opportunities that can be made available with this kind of data, provided that it is accessible in the way described. I know that the noble Lord takes considerable inspiration from Future Care Capital’s report on intelligence-sharing unleashing the potential of health and care data in the UK to transform outcomes. I thought that it was very good and well considered.
The noble Lord has put down a very important marker today but my one caveat is that I am not sure that there is yet a settled view about how to deal with this kind of data. In Committee we talked about data trusts. In her AI review, Dame Wendy Hall also talked about data trusts. I know that we need to head in a direction that gives us much more assurance about the use of the data in the way that the noble Lord, Lord Mitchell, has described, but I am not sure we have quite reached a consensus around these things to come to the decision that this is the best possible model.
Lord Ashton of Hyde
My Lords, I am grateful to the noble Lord, Lord Mitchell, for taking the time to come and see me to explain these amendments. We had an interesting conversation and I learned a lot—although clearly I did not convince him that they should not be put forward. I am grateful also to the noble Lords, Lord Clement-Jones and Lord Stevenson, who said, I think, that there may be more work to do on this—I agree—and that possibly this is not the right time to discuss these issues because they are broader than the amendment. Notwithstanding that, I completely understand the issues that the noble Lord, Lord Mitchell, has raised, and they are certainly worth thinking about.
These amendments seek to ensure that public authorities—for example, the NHS—are, with the help of the Information Commissioner, fully cognisant of the value of the data that they hold when entering into appropriate data-sharing agreements with third parties. Amendment 107B would also require the Information Commissioner to keep a register of this data of “national significance”. I can see the concerns of the noble Lord, Lord Mitchell. It would seem right that when public authorities are sharing data with third parties, those agreements are entered into with a full understanding of the value of that data. We all agree that we do not want the public sector disadvantaged, but I am not sure that the public sector is being disadvantaged. Before any amendment could be agreed, we would need to establish that there really was a problem.
Opening up public data improves transparency, builds trust and fosters innovation. Making data easily available means that it will be easier for people to make decisions and suggestions about government policies based on detailed information. There are many examples of public transport and mapping apps that make people’s lives easier that are powered by open data. The innovation that this fosters builds world-beating technologies and skills that form the cornerstone of the tech sector in the UK. While protecting the value in our data is important, it cannot be done with a blunt tool, as we need equally to continue our efforts to open up and make best use of government-held data.
In respect of health data, efforts are afoot to find this balance. For example, Sir John Bell proposed in the Life Sciences: Industrial Strategy, published in August last year, that a working group be established to explore a new health technology assessment and commercial framework that would capture the value in algorithms generated using NHS data. This type of body would be more suitable to explore these questions than a code of practice issued by the Information Commissioner, as the noble Lord proposes.
I agree that it is absolutely right that public sector bodies should be aware of the value of the data that they hold. However, value can be extracted in many ways, not solely through monetary means. For example, sharing health data with companies who analyse that data may lead to a deeper understanding of diseases and potentially even to new cures—that is true value. The Information Commissioner could not advise on this.
That sharing, of course, raises ethical issues as well as financial ones and we will debate later the future role and status of the new centre for data ethics and innovation, as the noble Lord, Lord Stevenson, mentioned. This body is under development and I am sure that this House would want to contribute to its development, not least the noble Lord, Lord Clement-Jones, and his Select Committee on Artificial Intelligence.
For those reasons, I am not sure that a code is the right answer. Having heard some of the factors that need to be considered, I hope the noble Lord will not press his amendment.
Perhaps I may offer some further reassurance. If in the future it emerged that a code was the right solution, the Bill allows, at Clause 124, for the Secretary of State to require the Information Commissioner to prepare appropriate codes. If it proves better that the Government should provide guidance, the Secretary of State could offer his own code.
There are technical questions about the wording of the noble Lord’s amendment. I will not go into them at the moment because the issues of principle are more important. However, for the reasons I have given that the code may not be the correct thing at the moment, I invite him to withdraw his amendment.
Lord Mitchell
My Lords, I thank all noble Lords for their contributions to this short debate. I also thank the Minister for agreeing to see me prior to the Recess and for his comments today. However, this is an issue of precision—and we need precision on the statute book. All that has been suggested to me, which is that it can be found elsewhere or will be looked at in the future, does not give the definitive answer we require. That is why I would like to test the opinion of the House.
Lord Mitchell
“Code on personal data of national significance
The Commissioner must prepare a code of practice which contains—(a) best practice guidance in relation to information sharing agreements between publicly funded data controllers and third parties;(b) guidance in relation to the calculation of value for money where publicly funded data controllers enter into information sharing agreements with third parties;(c) guidance about securing financial benefits from the sharing of such personal data with third parties for the purposes of processing or developing associated software, and(d) such other guidance as the Commissioner considers appropriate to promote best practice in the sharing and processing of personal data of national significance.”