Data Protection and Digital Information Bill
Viscount Camrose ExcerptsWednesday 27th March 2024
(2 years ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-III Third marshalled list for Grand Committee - (25 Mar 2024)
Baroness Jones of Whitchurch (Lab)
My Lords, I thank all noble Lords who have contributed to this debate. We have had a major common theme, which is that any powers exercised by the Secretary of State in Clause 14 should be to enhance, rather than diminish, the protections for a data subject affected by automated decision-making. We have heard some stark and painful examples of the way in which this can go wrong if it is not properly regulated. As noble Lords have said, this seems to be regulation on automated decision-making by the backdoor, but with none of the protections and promises that have been made on this subject.
Our Amendment 59 goes back to our earlier debate about rights at work when automated decision-making is solely or partly in operation. It provides an essential underpinning of the Secretary of State’s powers. The Minister has argued that ADM is a new development and that it would be wrong to be too explicit about the rules that should apply as it becomes more commonplace, but our amendment cuts through those concerns by putting key principles in the Bill. They are timeless principles that should apply regardless of advances in the adoption of these new technologies. They address the many concerns raised by workers and their representatives, about how they might be disfranchised or exploited by machines, and put human contact at the heart of any new processes being developed. I hope that the Minister sees the sense of this amendment, which will provide considerable reassurance for the many people who fear the impact of ADM in their working lives.
I draw attention to my Amendments 58 and 73, which implement the recommendations of the Delegated Powers and Regulatory Reform Committee. In the Bill, the new Articles 22A to 22D enable the Secretary of State to make further provisions about safeguards when automated decision-making is in place. The current wording of new Article 22D makes it clear that regulations can be amended
“by adding or varying safeguards”.
The Delegated Powers Committee quotes the department saying that
“it does not include a power to remove safeguards provided in new Article 22C and therefore cannot be exercised to weaken the protections”
afforded to data subjects. The committee is not convinced that the department is right about this, and we agree with its analysis. Surely “vary” means that the safeguards can move in either direction—to improve or reduce protection.
The committee also flags up concerns that the Bill’s amendments to Sections 49 and 50 of the Data Protection Act make specific provision about the use of automated decision-making in the context of law enforcement processing. In this new clause, there is an equivalent wording, which is that the regulations may add or vary safeguards. Again, we agree with its concerns about the application of these powers to the Secretary of State. It is not enough to say that these powers are subject to the affirmative procedure because, as we know and have discussed, the limits on effective scrutiny of secondary legislation are manifest.
We have therefore tabled Amendments 58 and 73, which make it much clearer that the safeguards cannot be reduced by the Secretary of State. The noble Lord, Lord Clement-Jones, has a number of amendments with a similar intent, which is to ensure that the Secretary of State can add new safeguards but not remove them. I hope the Minister is able to commit to taking on board the recommendations of the Delegated Powers Committee in this respect.
The noble Baroness, Lady Kidron, once again made the powerful point that the Secretary of State’s powers to amend the Data Protection Act should not be used to reduce the hard-won standards and protections for children’s data. As she says, safeguards do not constitute a right, and having regard to the issues is a poor substitute for putting those rights back into the Bill. So I hope the Minister is able to provide some reassurance that the Bill will be amended to put these hard-won rights back into the Bill, where they belong.
I am sorry that the noble Lord, Lord Holmes, is not here. His amendment raises an important point about the need to build in the views of the Information Commissioner, which is a running theme throughout the Bill. He makes the point that we need to ensure, in addition, that a proper consultation of a range of stakeholders goes into the Secretary of State’s deliberations on safeguards. We agree that full consultation should be the hallmark of the powers that the Secretary of State is seeking, and I hope the Minister can commit to taking those amendments on board.
I echo the specific concerns of the noble Lord, Lord Clement-Jones, about the impact assessment and the supposed savings from changing the rules on subject access requests. This is not specifically an issue for today’s debate but, since it has been raised, I would like to know whether he is right that the savings are estimated to be 50% and not 1%, which the Minister suggested when we last debated this. I hope the Minister can clarify this discrepancy on the record, and I look forward to his response.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
I thank the noble Lords, Lord Clement-Jones and Lord Knight, my noble friend Lord Holmes and the noble Baronesses, Lady Jones, Lady Kidron and Lady Bennett—
Viscount Camrose (Con)
I apologise to my noble friend. I cannot be having a senior moment already—we have only just started. I look forward to reading that part in Hansard.
I can reassure noble Lords that data subjects still have the right to object to solely automated decision-making. It is not an absolute right in all circumstances, but I note that it never has been. The approach taken in the Bill complements the UK’s AI regulation framework, and the Government are committed to addressing the risks that AI poses to data protection and wider society. Following the publication of the AI regulation White Paper last year, the Government started taking steps to establish a central AI risk function that brings together policymakers and AI experts with the objective of identifying, assessing and preparing for AI risks. To track identified risks, we have established an initial AI risk register, which is owned by the central AI risk function. The AI risk register lists individual risks associated with AI that could impact the UK, spanning national security, defence, the economy and society, and outlines their likelihood and impact. We have also committed to engaging on and publishing the AI risk register in spring this year.
Lord Clement-Jones (LD)
I am processing what the Minister has just said. He said it complements the AI regulation framework, and then he went on to talk about the central risk function, the AI risk register and what the ICO is up to in terms of guidance, but I did not hear that the loosening of safeguards or rights under Clause 14 and Article 22 of the GDPR was heralded in the White Paper or the consultation. Where does that fit with the Government’s AI regulation strategy? There is a disjunct somewhere.
Viscount Camrose (Con)
I reject the characterisation of Clause 14 or any part of the Bill as loosening the safeguards. It focuses on the outcomes and by being less prescriptive and more adaptive, its goal is to heighten the levels of safety of AI, whether through privacy or anything else. That is the purpose.
On Secretary of State powers in relation to ADM, the reforms will enable the Government to further describe what is and is not to be taken as a significant effect on a data subject and what is and is not to be taken as meaningful human—
Baroness Harding of Winscombe (Con)
I may be tired or just not very smart, but I am not really sure that I understand how being less prescriptive and more adaptive can heighten safeguards. Can my noble friend the Minister elaborate a little more and perhaps give us an example of how that can be the case?
Viscount Camrose (Con)
Certainly. Being prescriptive and applying one-size-fits-all measures for all processes covered by the Bill encourages organisations to follow a process, but focusing on outcomes encourages organisations to take better ownership of the outcomes and pursue the optimal privacy and safety mechanisms for those organisations. That is guidance that came out very strongly in the Data: A New Direction consultation. Indeed, in the debate on a later group we will discuss the use of senior responsible individuals rather than data protection officers, which is a good example of removing prescriptiveness to enhance adherence to the overall framework and enhance safety.
Baroness Kidron (CB)
This seems like a very good moment to ask whether, if the variation is based on outcome and necessity, the Minister agrees that the higher bar of safety for children should be specifically required as an outcome.
Viscount Camrose (Con)
I absolutely agree about the outcome of higher safety for children. We will come to debate whether the mechanism for determining or specifying that outcome is writing that down specifically, as suggested.
Baroness Kidron (CB)
I am sure the Minister knew I was going to stand up to say that, if it is not part of the regulatory instruction, it will not be part of the outcome. The point of regulation is to determine a floor— never a ceiling—below which people cannot go. Therefore, if we wish to safeguard children, we must have that floor as part of the regulatory instruction.
Viscount Camrose (Con)
Indeed. That may well be the case, but how that regulatory instruction is expressed can be done in multiple ways. Let me continue; otherwise, I will run out of time.
Baroness Jones of Whitchurch (Lab)
I am having a senior moment as well. Where are the outcomes written? What are we measuring this against? I like the idea; it sounds great—management terminology—but I presume that it is written somewhere and that we could easily add children’s rights to the outcomes as the noble Baroness suggests. Where are they listed?
Lord Clement-Jones (LD)
I am sorry, but I just do not accept that intervention. This is one of the most important clauses in the whole Bill and we have to spend quite a bit of time teasing it out. The Minister has just electrified us all in what he said about the nature of this clause, what the Government are trying to achieve and how it fits within their strategy, which is even more concerning than previously. I am very sorry, but I really do not believe that this is the right point for the Whip to intervene. I have been in this House for 25 years and have never seen an intervention of that kind.
Viscount Camrose (Con)
Let me make the broad point that there is no single list of outcomes for the whole Bill but, as we go through clause by clause, I hope the philosophy behind it, of being less prescriptive about process and more prescriptive about the results of the process that we desire, should emerge—not just on Clause 14 but as the overall philosophy underlying the Bill. Regulation-making powers can also be used to vary the existing safeguards, add additional safeguards and remove additional safeguards added at a later date.
On the point about having regard, it is important that the law is drafted in a way that allows it to adapt as technology advances. Including prescriptive requirements in the legislation reduces this flexibility and undermines the purpose of this clause and these powers to provide additional legal clarity when it is deemed necessary and appropriate in the light of the fast-moving advances in and adoption of technologies relevant to automated decision-making. I would like to reassure noble Lords that the powers can be used only to vary the existing safeguards, add additional ones and remove them. They cannot remove any of the safeguards written into the legislation.
Amendments 53 to 55 and 69 to 71 concern the Secretary of State powers relating to the terms “significant decisions” and “meaningful human involvement”. These powers enable the Secretary of State to provide a description of decisions that do or do not have a significant effect on data subjects, and describe cases that can be taken to have, or not to have, meaningful human involvement. As technology adoption grows and new technologies emerge, these powers will enable the Government to provide legal clarity, if and when deemed necessary, to ensure that people are protected and have access to safeguards when they matter most. In respect of Amendment 59A, Clause 50 already provides for an overarching requirement for the Secretary of State to consult the ICO and other persons the Secretary of State considers appropriate before making regulations under the UK GDPR, including for the measures within Article 22.
Also, as has been observed—I take the point about the limitations of this, but I would like to make the point anyway—any changes to the regulations are subject to the affirmative procedure and so must be approved by both Houses. As with other provisions of the Bill, the ICO will seek to provide organisations with timely guidance and support to assist them in interpreting and applying the legislation. As such, I would ask the noble Lord, Lord Clement Jones, and my noble friend Lord Holmes—were he here—not to press their amendments.
Amendment 57 in the name of the noble Baroness, Lady Kidron, seeks to ensure that, when exercising regulation-making powers in relation to the safeguards in Article 22 of the UK GDPR, the Secretary of State should uphold the level of protection that children are entitled to in the Data Protection Act 2018. As I have said before, Clause 50 requires the Secretary of State to consult the ICO and other persons he or she considers appropriate. The digital landscape and its technologies evolve rapidly, presenting new challenges in safeguarding children. Regular consultations with the ICO and stakeholders ensure that regulations remain relevant and responsive to emerging risks associated with solely automated decision-making. The ICO has a robust position on the protection of children, as evidenced through its guidance and, in particular, the age-appropriate design code. As such, I ask the noble Baroness not to press her amendment.
Amendments 58, 72 and 73 seek to prevent the Secretary of State varying any of the safeguards mentioned in the reformed clauses. As I assured noble Lords earlier, the powers in this provision can be used only to vary the existing safeguards, add additional safeguards and remove additional safeguards added by regulation in future; there is not a power to remove any of the safeguards.
Baroness Kidron (CB)
I apologise for breaking the Minister’s flow, especially as he had moved on a little, but I have a number of questions. Given the time, perhaps he can write to me to answer them specifically. They are all designed to show the difference between what children now have and what they will have under the Bill.
I have to put on the record that I do not accept what the Minister just said—that, without instruction, the ICO can use its old instruction to uphold the current safety for children—if the Government are taking the instruction out of the Bill and leaving it with the old regulator. I ask the Minister to tell the Committee whether it is envisaged that the ICO will have to rewrite the age-appropriate design code to marry it with the new Bill, rather than it being the reason why it is upheld. I do not think the Government can have it both ways where, on the one hand, the ICO is the keeper of the children, and, on the other, they take out things that allow the ICO to be the keeper of the children in this Bill.
Viscount Camrose (Con)
I absolutely recognise the seriousness and importance of the points made by the noble Baroness. Of course, I would be happy to write to her and meet her, as I would be for any Member in the Committee, to give—I hope—more satisfactory answers on these important points.
As an initial clarification before I write, it is perhaps worth me saying that the ICO has a responsibility to keep guidance up to date but, because it is an independent regulator, it is not for the Government to prescribe this, only to allow it to do so for flexibility. As I say, I will write and set out that important point in more detail.
Amendment 59 relates to workplace rights. I reiterate that the existing data protection legislation and our proposed reforms—
Baroness Jones of Whitchurch (Lab)
Has the Minister moved on from our Amendments 58 and 59? He was talking about varying safeguards. I am not quite sure where he is.
Viscount Camrose (Con)
It is entirely my fault; when I sit down and stand up again, I lose my place.
We would always take the views of the DPRRC very seriously on that. Clearly, the Bill is being designed without the idea in mind of losing or diminishing any of those safeguards; otherwise, it would have simply said in the Bill that we could do that. I understand the concern that, by varying them, there is a risk that they would be diminished. We will continue to find a way to take into account the concerns that the noble Baroness has set out, along with the DPRRC. In the interim, let me perhaps provide some reassurance that that is, of course, not the intention.
Viscount Camrose
Member’s explanatory statement
This amendment of a heading is consequential on the amendment in my name to clause 14, page 28, line 19.
Viscount Camrose
Member’s explanatory statement
This technical amendment adjusts the wording of new section 50B(1) of the Data Protection Act 2018 to refer to “sensitive processing”, rather than “sensitive personal data”, to reflect the terms of section 35(8) of that Act.
Viscount Camrose (Con)
I feel under amazing pressure to get the names right, especially given the number of hours we spend together.
I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Kidron, for tabling Amendments 74 to 78, 144 and 252 in this group. I also extend my thanks to noble Lords who have signed the amendments and spoken so eloquently in this debate.
Amendments 74 to 78 would place a legislative obligation on public authorities and all persons in the exercise of a public function to publish reports under the Algorithmic Transparency Recording Standard—ATRS—or to publish algorithmic impact assessments. These would provide information on algorithmic tools and algorithm-assisted decisions that process personal data in the exercise of a public function or those that have a direct or indirect public effect or directly interact with the general public. I remind noble Lords that the UK’s data protection laws will continue to apply throughout the processing of personal data.
The Government are already taking action to establish the necessary guard-rails for AI, including to promote transparency. In the AI regulation White Paper response, we announced that the use of the ATRS will now become a requirement for all government departments and the broader public sector. The Government are phasing this in as we speak and will check compliance accordingly, as DSIT has been in contact with every department on this issue.
In making this policy, the Government are taking an approach that provides increasing degrees of mandation of the ATRS, with appropriate exemptions, allowing them to monitor compliance and effectiveness. The announcement in the White Paper response has already led to more engagement from across government, and more records are under way. The existing process focuses on the importance of continuous improvement and development. Enshrining the standard into law prematurely, amid exponential technological change, could hinder its adaptability.
More broadly, our AI White Paper outlined a proportionate and adaptable framework for regulating AI. As part of that, we expect AI development and use to be fair, transparent and secure. We set out five key principles for UK regulators to interpret and apply within their remits. This approach reflects the fact that AI systems are not unregulated and need to be compliant with existing regulatory frameworks, including employment, human rights, health and safety and data protection law.
For instance, the UK’s data protection legislation imposes obligations on data controllers, including providers and users of AI systems, to process personal data fairly, lawfully and transparently. Our reforms in this Bill will ensure that, where solely automated decision-making is undertaken—that is, ADM without any meaningful human involvement that has significant effects on data subjects—data subjects will have a right to the relevant safeguards. These safeguards include being provided with information on the ADM that has been carried out and the right to contest those decisions and seek human review, enabling controllers to take suitable measures to correct those that have produced wrongful outcomes.
Lord Clement-Jones (LD)
My Lords, I wonder whether the Minister can comment on this; he can write if he needs to. Is he saying that, in effect, the ATRS is giving the citizen greater rights than are ordinarily available under Article 22? Is that the actual outcome? If, for instance, every government department adopted ATRS, would that, in practice, give citizens a greater degree of what he might put as safeguards but, in this context, he is describing as rights?
Viscount Camrose (Con)
I am very happy to write to the noble Lord, but I do not believe that the existence of an ATRS-generated report in and of itself confers more rights on anybody. Rather, it makes it easier for citizens to understand how their rights are being used, what rights they have, or what data about them is being used by the department concerned. The existence of data does not in and of itself confer new rights on anybody.
Lord Clement-Jones (LD)
I understand that, but if he rewinds the reel he will find that he was talking about the citizen’s right of access, or something of that sort, at that point. Once you know what data is being used, the citizen has certain rights. I do not know whether that follows from the ATRS or he was just describing that at large.
Viscount Camrose (Con)
As I said, I will write. I do not believe that follows axiomatically from the ATRS’s existence.
On Amendment 144, the Government are sympathetic to the idea that the ICO should respond to new and emerging technologies, including the use of children’s data in the development of AI. I assure noble Lords that this area will continue to be a focus of the ICO’s work and that it already has extensive powers to provide additional guidance or make updates to the age-appropriate design code, to ensure that it reflects new developments, and a responsibility to keep it up to date. The ICO has a public task under Article 57(1)(b) of the UK GDPR to
“promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing”.
It is already explicit that:
“Activities addressed specifically to children shall receive specific attention”.
That code already includes a chapter on profiling and provides guidance on fairness and transparency requirements around automated decision-making.
Taking the specific point made by the noble Baroness, Lady Kidron, on the contents of the ICO’s guidance, while I cannot speak to the ICO’s decisions about the drafting of its guidance, I am content to undertake to speak to it about this issue. I note that it is important to be careful to avoid a requirement for the ICO to duplicate work. The creation of an additional children’s code focused on AI could risk fragmenting approaches to children’s protections in the existing AADC—a point made by the noble Baroness and by my noble friend Lady Harding.
Lord Bassam of Brighton (Lab)
I have a question on this. If the Minister is arguing that this should be by way of amendment of the age-related code, would there not be an argument for giving that code some statutory effect?
Baroness Kidron (CB)
On that point, I think that the Minister said—forgive me if I am misquoting him —risk, rules and rights, or some list to that effect. While the intention of what he said was that we have to be careful where children are using it, and the ICO has to make them aware of the risks, the purpose of a code—whether it is part of the AADC or stand-alone—is to put those responsibilities on the designers of service products and so on by default. It is upstream where we need the action, not downstream, where the children are.
Viscount Camrose (Con)
Yes, I entirely agree with that, but I add that we need it upstream and downstream.
For the reasons I have set out, the Government do not believe that it would be appropriate to add these provisions to the Bill at this time without further detailed consultation with the ICO and the other organisations involved in regulating AI in the United Kingdom. Clause 33—
Baroness Kidron (CB)
Can we agree that there will be some discussions with the ICO between now and Report? If those take place, I will not bring this point back on Report unnecessarily.
Viscount Camrose (Con)
Yes, I am happy to commit to that. As I said, we look forward to talking with the noble Baroness and others who take an interest in this important area.
Clause 33 already includes a measure that would allow the Secretary of State to request the ICO to publish a code on any matter that she sees fit, so this is an issue that we could return to in the future, if the evidence supports it, but, as I said, we consider the amendments unnecessary at this time.
Finally, Amendment 252 would place a legislative obligation on the Secretary of State regularly to publish address data maintained by local authorities under open terms—that is, accessible by anyone for any purpose and for free. High-quality, authoritative address data for the UK is currently used by more than 50,000 public and private sector organisations, which demonstrates that current licensing arrangements are not prohibitive. This data is already accessible for a reasonable fee from local authorities and Royal Mail, with prices starting at 1.68p per address or £95 for national coverage.
Baroness Bennett of Manor Castle (GP)
Some 50,000 organisations access that information, but does the Government have any data on it? I am not asking for it now, but maybe the Minister could go away and have a look at this. We have heard that other countries have opened up this data. Are they seeing an increase? That is just a number; it does not tell us how many people are denied access to the data.
Viscount Camrose (Con)
We have some numbers that I will come to, but I am very happy to share deeper analysis of that with all noble Lords.
There is also free access to this data for developers to innovate in the market. The Government also make this data available for free at the point of use to more than 6,000 public sector organisations, as well as postcode, unique identifier and location data available under open terms. The Government explored opening address data in 2016. At that time, it became clear that the Government would have to pay to make this data available openly or to recreate it. That was previously attempted, and the resulting dataset had, I am afraid, critical quality issues. As such, it was determined at that time that the changes would result in significant additional cost to taxpayers and represent low value for money, given the current widespread accessibility of the data. For the reasons I have set out, I hope that the noble Lords will withdraw their amendments.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for his response. There are a number of different elements to this group.
The one bright spot in the White Paper consultation is the ATRS. That was what the initial amendments in this group were designed to give a fair wind to. As the noble Lord, Lord Bassam, said, this is designed to assist in the adoption of the ATRS, and I am grateful for his support on that.
Baroness Jones of Whitchurch (Lab)
My Lords, I thank all noble Lords who have contributed to this very wide-ranging debate. Our amendments cover a lot of common ground, and we are in broad agreement on most issues, so I hope noble Lords will bear with me if I primarily focus on the amendments that I have tabled, although I will come back to other points.
We have given notice of our intention to oppose Clause 16 standing part of the Bill which is similar to Amendment 80 tabled by the noble Lord, Lord Clement-Jones, which probes why the Government have found it necessary to remove the requirement that companies outside the UK should appoint a representative within the UK. The current GDPR rules apply to all those active in the UK market, regardless of whether their organisation is based or located in the UK. The intention is that the representative will ensure UK compliance and act as a primary source of contact for data subjects. Without this clause, data subjects will be forced to deal with overseas data handlers, with all the cultural and language barriers that might ensue. There is no doubt that this will limit their rights to apply UK data standards.
In addition, as my colleagues in the Commons identified, the removal of the provisions in Clause 16 was not included in the Government’s consultation, so stakeholders have not had the chance to register some of the many practical concerns that they feel will arise from this change. There is also little evidence that compliance with Article 27 is an unnecessary barrier to responsible data use by reputable overseas companies. Again, this was a point made by the noble Lord, Lord Clement-Jones. In fact, the international trend is for more countries to add a representative obligation to their data protection laws, so we are becoming outriders on the global stage.
Not only is this an unnecessary change but, compared to other countries, it will send a signal that our data protection rights are being eroded in the UK. Of course, this raises the spectre of the EU revisiting whether our UK adequacy status should be retained. It also has implications for the different rules that might apply north and south of the border in Ireland so, again, if we are moving away from the standard rules applied by other countries, this has wider implications that we need to consider.
For many reasons, I challenge the Government to explain why this change was felt to be necessary. The noble Lord, Lord Clement-Jones, talked about whether the cost was really a factor. It did not seem that there were huge costs, compared to the benefits of maintaining the current system, and I would like to know in more detail why the Government are doing this.
Our Amendments 81 and 90 seek to ensure that there is a definition of “high-risk processing” in the Bill. The current changes in Clauses 17 and 20 have the effect of watering down data controllers’ responsibilities, from carrying out data protection impact assessments to assessing high-risk processing on the basis of whether it was necessary and what risks are posed. But nowhere does it say what constitutes high-risk processing—it is left to individual organisations to make that judgment—and nowhere does it explain what “necessary” means in this context. Is it also expected to be proportionate, as in the existing standards? This lack of clarity has caused some consternation among stakeholders.
The Equality and Human Rights Commission argues that the proposed wording means that
“data controllers are unlikely to go beyond minimum requirements”,
so the wording needs to be more explicit. It also recommends that
“the ICO be required to provide detailed guidance on how ‘the rights and freedoms of individuals’ are to be considered in an Assessment of High Risk Processing”.
More crucially, the ICO has written to Peers, saying that the Bill should contain a list of
“activities that government and Parliament view as high-risk processing, similar to the current list set out at Article 35(3) of the UK GDPR”.
This is what our Amendments 81 and 90 aim to achieve. I hope the Minister can agree to take these points on board and come back with amendments to achieve this.
The ICO also makes the case for future-proofing the way in which high-risk processing is regulated by making a provision in the Bill for the ICO to further designate high-risk processing activities with parliamentary approval. This would go further than the current drafting of Clause 20, which contains powers for the ICO to give examples of high-risk profiling, but only for guidance. Again, I hope that the Minister can agree to take these points on board and come back with suitable amendments.
Our Amendments 99, 100 and 102 specify the need for wider factors in the proposed risk assessment list to ensure that it underpins our equality laws. Again, this was an issue about which stakeholders have raised concerns. The TUC and the Institute for the Future of Work make the point that data protection impact assessments are a crucial basis for consultation with workers and trade unions about the use of technology at work, and this is even more important as the complexities of AI come on stream. The Public Law Project argues that, without rigorous risk and impact analysis, disproportionate and discriminatory processes could be carried out before the harm comes to light.
The Equality and Human Rights Commission argues that data protection impact assessments
“provide a key mechanism for ensuring equality impacts are assessed when public and private sector organisations embed AI systems in their operations”.
It specifically recommends that express references in Article 35(7) of GDPR to “legitimate interests” and
“the rights and freedoms of data subjects”,
as well as the consultation obligations in Article 35(2), should be retained. I hope that the Minister can agree to take these recommendations on board and come back with suitable amendments to ensure that our equalities legislation is protected.
Our Amendments 106 and 108 focus on the particular responsibilities of data controllers to handle health data with specific obligations. This is an issue that we know, from previous debates, is a major cause for concern among the general public, who would be alarmed if they thought that the protections were being weakened.
The BMA has raised concerns that Clauses 20 and 21 will water down our high standards of data governance, which are necessary when organisations are handling health data. As it says,
“Removing the requirement to conduct a thorough assessment of risks posed to health data is likely to lead to a less diligent approach to data protection for individuals”.
It also argues that removing the requirement for organisations to consult the ICO on high-risk processing is,
“a backward step from good governance … when organisations are processing large quantities of sensitive health data.
Our amendments aim to address these concerns by specifying that, with regard to specific cases, such as the handling of health data, prior consultation with the ICO should remain mandatory. I hope that the Minister will see the sense in these amendments and recognise that further action is needed in this Bill to maintain public trust in how health data is managed for individual care and systemwide scientific development.
I realise that we have covered a vast range of issues, but I want to touch briefly on those raised by the noble Baroness, Lady Kidron. She is right that, in particular, applications of risk assessments by public bodies should be maintained, and we agree with her that Article 35’s privacy-by-design requirements should be retained. She once again highlighted the downgrading of children’s rights in this Bill, whether by accident or intent, and we look forward to seeing the exchange of letters with the Minister on this. I hope that we will all be copied in and that the Minister will take on board the widespread view that we should have more engagement on this before Report, because there are so many outstanding issues to be resolved. I look forward to the Minister’s response.
Viscount Camrose (Con)
I thank the noble Baronesses, Lady Kidron and Lady Jones, and the noble Lord, Lord Clement-Jones, for their amendments, and I look forward to receiving the letter from the noble Baroness, Lady Kidron, which I will respond to as quickly as I can. As everybody observed, this is a huge group, and it has been very difficult for everybody to do justice to all the points. I shall do my best, but these are points that go to the heart of the changes we are making. I am very happy to continue engaging on that basis, because we need plenty of time to review them—but, that said, off we go.
The changes the Government are making to the accountability obligations are intended to make the law clearer and less prescriptive. They will enable organisations to focus on areas that pose high risks to people resulting, the Government believe, in improved outcomes. The new provisions on assessments of high-risk processing are less prescriptive about the precise circumstances in which a risk assessment would be required, as we think organisations are best placed to judge whether a particular activity poses a high risk to individuals in the context of the situation.
However, the Government are still committed to high standards of data protection, and there are many similarities between our new risk assessment measures and the previous provisions. When an organisation is carrying out processing activities that are likely to pose a high risk to individuals, it will still be expected to document that processing, assess risks and identify mitigations. As before, no such document would be required where organisations are carrying out low-risk processing activities.
One of the main aims of the Bill is to remove some of the UK GDPR’s unnecessary compliance burdens. That is why organisations will be required to designate senior responsible individuals, keep records of processing and carry out the risk assessments above only when their activities pose high risks to individuals.
Lord Clement-Jones (LD)
The noble Viscount is very interestingly unpacking a risk-based approach to data protection under the Bill. Why are the Government not taking a risk-based approach to their AI regulation? After all, the AI Act approaches it in exactly that way.
Viscount Camrose (Con)
That is a very interesting question, but I am not sure that there is a read-across between the AI Act and our approach here. The fundamental starting point was that, although the provisions of the original GDPR are extremely important, the burdens of compliance were not proportionate to the results. The overall foundation of the DPDI is, while at least maintaining existing levels of protection, to reduce the burdens of demonstrating or complying with that regulation. That is the thrust of it—that is what we are trying to achieve—but noble Lords will have different views about how successful we are being at either of those. It is an attempt to make it easier to be safe and to comply with the regulations of the DPDI and the other Acts that govern data protection. That is where we are coming from and the thrust of what we are trying to achieve.
I note that, as we have previously discussed, children need particular protection when organisations are collecting and processing their personal data.
Baroness Jones of Whitchurch (Lab)
I did not interrupt before because I thought that the Minister would say more about the difference between high-risk and low-risk processing, but he is going on to talk about children. One of my points was about the request from the Information Commissioner—it is very unusual for him to intervene. He said that a list of high-risk processing activities should be set out in the Bill. I do not know whether the Minister was going to address that important point.
Viscount Camrose (Con)
I will briefly address it now. Based on that letter, the Government’s view is to avoid prescription and I believe that the ICO’s view— I cannot speak for it—is generally the same, except for a few examples where prescription needs to be specified in the Bill. I will continue to engage with the ICO on where exactly to draw that line.
Lord Clement-Jones (LD)
My Lords, I can see that there is a difference of opinion, but it is unusual for a regulator to go into print with it. Not only that, but he has set it all out in an annexe. What discussion is taking place directly between the Minister and his team and the ICO? There seems to be quite a gulf between them. This is number 1 among his “areas of ongoing concern”.
Viscount Camrose (Con)
I do not know whether it is usual or unusual for the regulator to engage in this way, but the Bill team engages with the Information Commissioner frequently and regularly, and, needless to say, it will continue to do so on this and other matters.
Children need particular protection when organisations are collecting and processing their personal data, because they may be less aware of the risks involved. If organisations process children’s personal data, they should think about the need to protect them from the outset and design their systems and processes with this in mind.
Before I turn to the substance of what the Bill does with the provisions on high-risk processing, I will deal with the first amendment in this group: Amendment 79. It would require data processors to consider data protection-by-design requirements in the same way that data controllers do, because there is a concern that controllers may not always be able to foresee what processors do with people’s data for services such as AI and cloud computing.
However, under the current legislation, it should not be for the processor to determine the nature or purposes of the processing activity, as it will enter a binding controller-processor agreement or contract to deliver a specific task. Processors also have specific duties under the UK GDPR to keep personal data safe and secure, which should mean that this amendment is not necessary.
I turn to the Clause 16 stand part notice, which seeks to remove Clause 16 from the Bill and reinstate Article 27, and Amendment 80, which seeks to do the same but just in respect of overseas data controllers, not processors. I assure the noble Lord, Lord Clement-Jones, that, even without the Article 27 representative requirement, controllers and processors will still have to maintain contact and co-operation with UK data subjects and the ICO to comply with the UK GDPR provisions. These include Articles 12 to 14, which, taken together, require controllers to provide their contact details in a concise, transparent, intelligible and easily accessible form, using clear and plain language, particularly for any information addressed specifically to a child.
By offering firms a choice on whether to appoint a representative in the UK to help them with UK GDPR compliance and no longer mandating organisations to appoint a representative, we are allowing organisations to decide for themselves the best way to comply with the existing requirements for effective communication and co-operation. Removing the representative requirement will also reduce unnecessary burdens on non-UK controllers and processors while maintaining data subjects’ safeguards and rights. Any costs associated with appointing a representative are a burden on and a barrier to trade. Although the variety of packages made available by representative provider organisations differ, our assessments show that the cost of appointing representatives increases with the size of a firm. Furthermore, there are several jurisdictions that do not have a mandatory or equivalent representative requirement in their data protection law, including other countries in receipt of EU data adequacy decisions.
Lord Clement-Jones (LD)
Nevertheless, does the Minister accept that quite a lot of countries have now begun the process of requiring representatives to be appointed? How does he account for that? Does he accept that what the Government are doing is placing the interests of business over those of data subjects in this context?
Viscount Camrose (Con)
No, I do not accept that at all. I would suggest that we are saying to businesses, “You must provide access to the ICO and data subjects in a way that is usable by all parties, but you must do so in the manner that makes the most sense to you”. That is a good example of going after outcomes but not insisting on any particular process or methodology in a one-size-fits-all way.
Baroness Jones of Whitchurch (Lab)
The Minister mentioned the freedom to choose the best solution. Would it be possible for someone to be told that their contact was someone who spoke a different language to them? Do they have to be able to communicate properly with the data subjects in this country?
Viscount Camrose (Con)
Yes—if the person they were supposed to communicate with did not speak English or was not available during reasonable hours, that would be in violation of the requirement.
I apologise if we briefly revisit some of our earlier discussion here, but Amendment 81 would reintroduce a list of high-risk processing activities drawn from Article 35 of the UK GDPR, with a view to helping data controllers comply with the new requirements around designating a senior responsible individual.
The Government have consulted closely with the ICO throughout the development of all the provisions in the Bill, and we welcome its feedback as it upholds data subjects’ rights. We recognise and respect that the ICO’s view on this issue is different to the Government’s, but the Government feel that adding a prescriptive list to the legislation would not be appropriate for the reasons we have discussed. However, as I say, we will continue to engage with it over the course of the passage of the Bill.
Some of the language in Article 35 of the UK GDPR is unclear and confusing, which is partly why we removed it in the first place. We believe organisations should have the ability to make a judgment of risk based on the specific nature, scale and context of their own processing activities. We do not need to provide prescriptive examples of high-risk processing on the face of legislation because any list could quickly become out of date. Instead, to help data controllers, Clause 20 requires the ICO to produce a document with examples of what the commissioner considers to be high-risk processing activities.
I turn to Clause 17 and Amendment 82. The changes we are making in the Bill will reduce prescription by removing the requirement to appoint a data protection officer in certain circumstances. Instead, public bodies and other organisations carrying out high-risk processing activities will have to designate a senior responsible individual to ensure that data protection risks are managed effectively within their organisations. That person will have flexibility about how they manage data protection risks. They might decide to delegate tasks to independent data protection experts or upskill existing staff members, but they will not be forced to appoint data protection officers if suitable alternatives are available.
The primary rationale for moving to a senior responsible individual model is to embed data protection at the heart of an organisation by ensuring that someone in senior management takes responsibility and accountability for it if the organisation is a public body or is carrying out high-risk processing. If organisations have already appointed data protection officers and want to keep an independent expert to advise them, they will be free to do so, providing that they also designate a senior manager to take overall accountability and provide sufficient support, including resources.
Amendment 83, tabled by the noble Baroness, Lady Kidron, would require the senior responsible individual to specifically consider the risks to children when advising the controller on its responsibilities. As drafted, Clause 17 of the Bill requires the senior responsible individual to perform a number of tasks or, if they cannot do so themselves, to make sure that they are performed by another person. They include monitoring the controller’s compliance with the legislation, advising the controller of its obligations and organising relevant training for employees who carry out the processing of personal data. Where the organisation is processing children’s data, all these requirements will be relevant. The senior responsible individual will need to make sure that any guidance and training reflects the type of data being processed and any specific obligations the controller has in respect of that data. I hope that this goes some way to convincing the noble Baroness not to press her amendment.
Lord Clement-Jones (LD)
The Minister has not really explained the reason for the switch from the DPO to the new system. Is it another one of his “We don’t want a one-size-fits-all approach” arguments? What is the underlying rationale for it? Looking at compliance costs, which the Government seem to be very keen on, we will potentially have a whole new cadre of people who will need to be trained in compliance requirements.
Viscount Camrose (Con)
The data protection officer—I speak as a recovering data protection officer—is tasked with certain specific outcomes but does not necessarily have to be a senior person within the organisation. Indeed, in many cases, they can be an external adviser to the organisation. On the other hand, the senior responsible individual is a senior or board-level representative within the organisation and can take overall accountability for data privacy and data protection for that organisation. Once that accountable person is appointed, he or she can of course appoint a DPO or equivalent role or separate the role among other people as they see fit. That gives everybody the flexibility to meet the needs of privacy as they see fit, but not necessarily in a one-size-fits-all way. That is the philosophical approach.
Lord Clement-Jones (LD)
Does the Minister accept that the SRI will have to cope with having at least a glimmering of an understanding of what will be a rather large Act?
Viscount Camrose (Con)
Yes, the SRI will absolutely have to understand all the organisation’s obligations under this Act and indeed other Acts. As with any senior person in any organisation responsible for compliance, they will need to understand the laws that they are complying with.
Amendment 84, tabled by the noble Lord, Lord Clement-Jones, is about the advice given to senior responsible individuals by the ICO. We believe that the commissioner should have full discretion to enforce data protection in an independent, flexible, risk-based and proportionate manner. The amendment would tie the hands of the regulator and force them to give binding advice and proactive assurance without full knowledge of the facts, undermining their regulatory enforcement role.
Baroness Jones of Whitchurch (Lab)
The Minister has reached his 20 minutes. We nudged him at 15 minutes.
Lord Harlech (Con)
My Lords, just for clarification, because a number of questions were raised, if the Committee feels that it would like to hear more from the Minister, it can. It is for the mood of the Committee to decide.
Baroness Jones of Whitchurch (Lab)
As long as that applies to us on occasion as well.
Viscount Camrose (Con)
I apologise for going over. I will try to be as quick as possible.
I turn now to the amendments on the new provisions on assessments of high-risk processing in Clause 20. Amendments 87, 88, 89, 91, 92, 93, 94, 95, 97, 98 and 101 seek to reinstate requirements in new Article 35 of the UK GDPR on data protection impact assessments, and, in some areas, make them even more onerous for public authorities. Amendment 90 seeks to reintroduce a list of high-risk processing activities drawn from new Article 35, with a view to help data controllers comply with the new requirements on carrying out assessments of high-risk processing.
Amendment 96, tabled by the noble Baroness, Lady Kidron, seeks to amend Clause 20, so that, where an internet service is likely to be accessed by children, the processing is automatically classed as high risk and the controller must do a children’s data protection impact assessment. Of course, I fully understand why the noble Baroness would like those measures to apply automatically to organisations processing children’s data, and particularly to internet services likely to be accessed by children. It is highly likely that many of the internet services that she is most concerned about will be undertaking high-risk activities, and they would therefore need to undertake a risk assessment.
Under the current provisions in Clause 20, organisations will still have to undertake risk assessments where their processing activities are likely to pose high risks to individuals, but they should have the ability to assess the level of risk based on the specific nature, scale and context of their own processing activities. Data controllers do not need to be directed by government or Parliament about every processing activity that will likely require a risk assessment, but the amendments would reintroduce a level of prescriptiveness that we were seeking to remove.
Clause 20 requires the ICO to publish a list of examples of the types of processing activities that it considers would pose high risks for the purposes of these provisions, which will help controllers to determine whether a risk assessment is needed. This will provide organisations with more contemporary and practical help than a fixed list of examples in primary legislation could. The ICO will be required to publish a document with a list of examples that it considers to be high-risk processing activities, and we fully expect the vulnerability age of data subjects to be a feature of that. The commissioner’s current guidance on data protection impact assessments already describes the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or offering internet services directly to children as examples of high-risk processing, although the Government cannot of course tell the ICO what to include in its new guidance.
Similarly, in relation to Amendments 99, 100 and 102 from the noble Baroness, Lady Jones, it should not be necessary for this clause to specifically require organisations to consider risks associated with automated decision-making or obligations under equalities legislation. That is because the existing clause already requires controllers to consider any risks to individuals and to describe
“how the controller proposes to mitigate those risks”.
I am being asked to wrap up and so, in the interests of time, I shall write with my remaining comments. I have no doubt that noble Lords are sick of the sound of my voice by now.
Baroness Kidron (CB)
My Lords, I hope that no noble Lord expects me to pull all that together. However, I will mention a couple of things.
With this group, the Minister finally has said all the reasons why everything will be different and less. Those responsible for writing the Minister’s speeches should be more transparent about the Government’s intention, because “organisations are best placed to determine what is high-risk”—not the ICO, not Parliament, not existing data law. Organisations are also for themselves. They are “best placed to decide on their representation”, whether it is here or there and whether it speaks English or not, and they “get to decide whether they have a DPO or a senior responsible individual”. Those are three quotes from the Minister’s speech. If organisations are in charge of the bar of data protection and the definition of data protection, I do believe that this is a weakening of the data protection regime. He also said that organisations are responsible for the quality of their risk assessment. Those are four places in this group alone.
At the beginning, the noble Baroness, Lady Harding, talked about the trust of consumers and citizens. I do not think that this engenders trust. The architecture is so keen to get rid of ways of accessing rights that some organisations may have to have a DPO and a DPIA—a doubling rather than a reducing of burden. Very early on—it feels a long time ago—a number of noble Lords talked about the granular detail. I tried in my own contribution to show how very different it is in detail. So I ask the Minister to reflect on the assertion that you can take out the detail and have the same outcome. All the burden being removed is on one side of the equation, just as we enter into a world in which AI, which is built on people’s data, is coming in the other direction.
I will of course withdraw my amendment, but I believe that Clauses 20, 18 and the other clauses we just discussed are deregulation measures. That should be made clear from the Dispatch Box, and that is a choice that the House will have to make.
Before I sit down, I do want to recognise one thing, which is that the Minister said that he would work alongside us between now and Report; I thank him for that, and I accept that. I also noted that he said that it was a responsibility to take care of children by default. I agree with him; I would like to see that in the Bill. I beg leave to withdraw my amendment.
Lord Bassam of Brighton (Lab)
As the noble Lord, Lord Clement-Jones, explained, his intention to oppose the question that Clause 19 stands part seeks to retain the status quo. As I read Section 62 of the Data Protection Act 2016, it obliges competent authorities to keep logs of their processing activities, whether they be for collection, alteration, consultation, disclosure, combination or the erasing of personal data. The primary purpose is for self-monitoring purposes, largely linked to disciplinary proceedings, as the noble Lord said, where an officer has become a suspect by virtue of inappropriately accessing PNC-held data.
Clause 19 removes the requirement for a competent authority to record a justification in the logs only when consulting or disclosing personal data. The Explanatory Note to the Bill explains this change as follows:
“It is … technologically challenging for systems to automatically record the justification without manual input”.
That is not a sufficiently strong reason for removing the requirement, not least because the remaining requirements of Section 62 of the Data Protection Act 2018 relating to the logs of consultation and disclosure activity will be retained and include the need to record the date and time and the identity of the person accessing the log. Presumably they will be able to be manually input, so why remove the one piece of data that might, in an investigation of abuse or misuse of the system, be useful in terms of evidence and self-incrimination? I do not understand the logic behind that at all.
I rather think the noble Lord, Lord Clement-Jones, has an important point. He has linked it to those who have been unfortunate enough to be AIDS sufferers, and I am sure that there are other people who have become victims where cases would be brought forward. I am not convinced that the clause should stand part, and we support the noble Lord in seeking its deletion.
Viscount Camrose (Con)
This is a mercifully short group on this occasion. I thank the noble Lord, Lord Clement-Jones, for the amendment, which seeks to remove Clause 19 from the Bill. Section 62 of the Data Protection Act requires law enforcement agencies to record when personal data has been accessed and why. Clause 19 does not remove the need for police to justify their processing; it simply removes the ineffective administrative requirement to record that justification in a log.
The justification entry was intended to help to monitor and detect unlawful access. However, the reality is that anyone accessing data unlawfully is very unlikely to record an honest justification, making this in practice an unreliable means of monitoring misconduct or unlawful processing. Records of when data was accessed and by whom can be automatically captured and will remain, thereby continuing to ensure accountability.
In addition, the National Police Chiefs’ Council’s view is that this change will not hamper any investigations to identify the unlawful processing of data. That is because it is unlikely that an individual accessing data unlawfully would enter an honest justification, so capturing this information is unlikely to be useful in any investigation into misconduct. The requirements to record the time, date and, as far as possible, the identity of the person accessing the data will remain, as will the obligation that there is lawful reason for the access, ensuring that accountability and protection for data subjects is maintained.
Police officers inform us that the current requirement places an unnecessary burden on them as they have to update the log manually. The Government estimate that the clause could save approximately 1.5 million policing hours, representing a saving in the region of £46.5 million per year.
I understand that the amendment relates to representations made by the National AIDS Trust concerning the level of protection for people’s HIV status. As I believe I said on Monday, the Government agree that the protection of people’s HIV status is vital. We have met the National AIDS Trust to discuss the best solutions to the problems it has raised. For these reasons, I hope the noble Lord will not oppose Clause 19 standing part.
Lord Clement-Jones (LD)
I thank the Minister for his response, but he has left us tantalised about the outcome of his meeting. What is the solution that he has suggested? We are none the wiser as a result of his response.
This pudding has been well over-egged by the National Police Chiefs’ Council. Already, only certain senior officers and the data protection leads in police forces have access to this functionality. There will continue to be a legal requirement to record the time and date of access. They are required to follow a College of Policing code of practice. Is the Minister really saying that recording a justification for accessing personal data is such an onerous requirement that £46.5 million in police time will be saved as a result of this? Over what period? That sounds completely disproportionate.
The fact is that the recording of the justification, whether or not it is false and cannot be relied upon as evidence, is rather useful because it is evidence of police misconduct in relation to inappropriately accessing personal data. They are actually saying: “We did it for this purpose”, when it clearly was not. I am not at all surprised that the National AIDS Trust is worried about this. The College of Policing code of practice does not mention logging requirements in detail. It references them just once in relation to automated systems that process data.
I am extremely grateful to the noble Lord, Lord Bassam, for what he had to say. It seems to me that we do not have any confidence on this side of the House that removing this requirement provides enough security that officers will be held to account if they share an individual’s special category data inappropriately. I do not think the Minister has really answered the concerns, but I beg leave to withdraw my objection to the clause standing part.
Baroness Jones of Whitchurch (Lab)
My Lords, I, too, will be relatively brief. I thank the noble Baroness, Lady Kidron, for her amendments, to which I was very pleased to add my name. She raised an important point about the practice of web scrapers, who take data from a variety of sources to construct large language models without the knowledge or permission of web owners and data subjects. This is a huge issue that should have been a much more central focus of the Bill. Like the noble Baroness, I am sorry that the Government did not see fit to use the Bill to bring in some controls on this increasingly prevalent practice, because that would have been a more constructive use of our time than debating the many unnecessary changes that we have been debating so far.
As the noble Baroness said, large language models are built on capturing text, data and images from infinite sources without the permission of the original creator of the material. As she also said, it is making a mockery of our existing data rights. It raises issues around copyright and intellectual property, and around personal information that is provided for one purpose and commandeered by web scrapers for another. That process often happens in the shadows, whereby the owner of the information finds out only much later that their content has been repurposed.
What is worse is that the application of AI means that material provided in good faith can be distorted or corrupted by the bots scraping the internet. The current generation of LLMs are notorious for hallucinations in which good quality research or journalistic copy is misrepresented or misquoted in its new incarnation. There are also numerous examples of bias creeping into the LLM output, which includes personal data. As the noble Baroness rightly said, the casual scraping of children’s images and data is undermining the very essence of our existing data protection legislation.
It is welcome that the Information Commissioner has intervened on this. He argued that LLMs should be compliant with the Data Protection Act and should evidence how they are complying with their legal obligations. This includes individuals being able to exercise their information rights. Currently, we are a long way from that being a reality and a practice. This is about enforcement as much as giving guidance.
I am pleased that the noble Baroness tabled these amendments. They raise important issues about individuals giving prior permission for their data to be used unless there is an easily accessible opt-out mechanism. I would like to know what the Minister thinks about all this. Does he think that the current legislation is sufficient to regulate the rise of LLMs? If it is not, what are the Government doing to address the increasingly widespread concerns about the legitimacy of web scraping? Have the Government considered using the Bill to introduce additional powers to protect against the misuse of personal and creative output?
In the meantime, does the Minister accept the amendments in the name of the noble Baroness, Lady Kidron? As we have said, they are only a small part of a much bigger problem, but they are a helpful initiative to build in some basic protections in the use of personal data. This is a real challenge to the Government to step up to the mark and be seen to address these important issues. I hope the Minister will say that he is happy to work with the noble Baroness and others to take these issues forward. We would be doing a good service to data citizens around the country if we did so.
Viscount Camrose (Con)
I thank the noble Baroness, Lady Kidron, for tabling these amendments. I absolutely recognise their intent. I understand that they are motivated by a concern about invisible types of processing or repurposing of data when it may not be clear to people how their data is being used or how they can exercise their rights in respect of the data.
On the specific points raised by noble Lords about intellectual property rather than personal data, I note that, in their response to the AI White Paper consultation, the Government committed soon to provide a public update on their approach to AI and intellectual property, noting the importance of greater transparency in the use of copyrighted material to train models, as well as labelling and attribution of outputs.
Amendment 103 would amend the risk-assessment provisions in Clause 20 so that any assessment of high-risk processing would always include an assessment of how the data controller would comply with the purpose limitation principle and how any new processing activity would be designed so that people could exercise their rights in respect of the data at the time it was collected and at any subsequent occasion.
I respectfully submit that this amendment is not necessary. The existing provisions in Clause 20, on risk assessments, already require controllers to assess the potential risks their processing activities pose to individuals and to describe how those risks would be mitigated. This would clearly include any risk that the proposed processing activities would not comply with the data protection principles—for example, because they lacked transparency—and would make it impossible for people to exercise their rights.
Similarly, any assessment of risk would need to take account of any risks related to difficulties in complying with the purpose limitation principle—for example, if the organisation had no way of limiting who the data would be shared with as a result of the proposed processing activity.
According to draft ICO guidance on generative AI, the legitimate interests lawful ground under Article 6(1)(f) of the UK GDPR can be a valid lawful ground for training generative AI models on web-scrape data, but only when the model’s developer can ensure that they pass the three-part test—that is, they identify a legitimate interest, demonstrate that the processing is necessary for that purpose and demonstrate that the individual’s interests do not override the interest being pursued by the controller.
Controllers must consider the balancing test particularly carefully when they do not or cannot exercise meaningful control over the use of the model. The draft guidance further notes that it would be very difficult for data controllers to carry out their processing activities in reliance on the legitimate interests lawful ground if those considerations were not taken into account.
Viscount Camrose
“(3) In Schedule 7—(a) Part 1 contains minor and consequential amendments, and(b) Part 2 contains transitional provision.”Member’s explanatory statement
This amendment is consequential on the amendment in my name inserting amendments of section 119A of the Data Protection Act 2018 into Schedule 7 to the Bill.
Viscount Camrose (Con)
My Lords, UK law enforcement authorities processing personal data for law enforcement purposes currently use internationally based companies for data processing services, including cloud storage. The use of international processors is critical for modern organisations and law enforcement is no exception. The use of these international processors enhances law enforcement capabilities and underpins day-to-day functions.
Transfers from a UK law enforcement authority to an international processor are currently permissible under the Data Protection Act 2018. However, there is currently no bespoke mechanism for these transfers in Part 3, which has led to confusion and ambiguity as to how law enforcement authorities should approach the use of such processors. The aim of this amendment is to provide legal certainty to law enforcement authorities in the UK, as well as transparency to the public, so that they can use internationally based processors with confidence.
I have therefore tabled Amendments 110, 117 to 120, 122 to 129 and 131 to provide a clear, bespoke mechanism in Part 3 of the Data Protection Act 2018 for UK law enforcement authorities to use when transferring data to their contracted processors based outside the UK. This will bring Part 3 into line with the UK GDPR while clarifying the current law, and give UK law enforcement authorities greater confidence when making such transfers to their contracted processors for law enforcement purposes.
We have amended Section 73—the general principles for transfer—to include a specific reference to processors, ensuring that international processors can be a recipient of data transfers. In doing so, we have ensured that the safeguards within Chapter 5 that UK law enforcement authorities routinely apply to transfers of data to their international operational equivalents are equally applicable to transfers to processors. We are keeping open all the transfer mechanisms so that data can be transferred on the basis of an applicable adequacy regulation, the appropriate safeguards or potentially the special circumstances.
We have further amended Section 75—the appropriate safeguards provision—to include a power for the ICO to create, specifically for Part 3, an international data transfer agreement, or IDTA, to complement the IDTA which it has already produced to facilitate transfers using Article 46(2)(d) of the UK GDPR.
In respect of transfers to processors, we have disapplied the duty to inform the Information Commissioner about international transfers made subject to appropriate safeguards. As such, a requirement would be out of line with equivalent provisions in the UK GDPR. There is no strong rationale for complying with the provision, given that processors are limited in what they can do with data because of the nature of their contracts and that it would be unlikely to contribute to the effective functioning of the ICO.
Likewise, we have also disapplied the duty to document such transfers and to provide the documentation to the commissioner on request. This is because extending these provisions would duplicate requirements that already exist elsewhere in legislation, including in Section 61, which has extensive recording requirements that enable full accountability to the ICO.
We have also disapplied the majority of Section 78. While it provides a useful function in the context of UK law enforcement authorities transferring to their international operational equivalents, in the law enforcement to international processor context it is not appropriate because processors cannot decide to transfer data onwards on their own volition. They can only do so under instruction from the UK law enforcement authority controller.
Instead, we have retained the general prohibition on any further transfers to processors based in a separate third country by requiring UK law enforcement authority controllers to make it a condition of a transfer to its processor that data is only to be further transferred in line with the terms of the contract with or authorisation given by the controller, and where the further transfer is permitted under Section 73. We have also taken the opportunity to tidy up Section 77 which governs transfers to non-relevant authorities, relevant international organisations or international processors.
In respect of Amendment 121, tabled by the noble Lord, Lord Clement-Jones, on consultation with the Information Commissioner, I reassure the noble Lord that there is a memorandum of understanding between the Home Office and the Information Commissioner regarding international transfers approved by regulations, which sets out the role and responsibilities of the ICO. As part of this, the Home Office consults the Information Commissioner at various stages in the process. The commissioner, in turn, provides independent assurance and advice on the process followed and on the factors taken into consideration.
I understand that this amendment also relates to representations made by the National AIDS Trust. Perhaps the simplest thing is merely to reference my earlier remarks and commitment to engage with the National AIDS Trust ongoing. I beg to move that the government amendments which lead this group stand part of the Bill.
Lord Clement-Jones (LD)
My Lords, very briefly, I thank the Minister for unpacking his amendments with some care, and for giving me the answer to my amendment before I spoke to it—that saves time.
Obviously, we all understand the importance of transfers of personal data between law enforcement authorities, but perhaps the crux of this, and the one question in our mind is, what is—perhaps the Minister could remind us—the process for making sure that the country that we are sending it to is data adequate? Amendment 121 was tabled as a way of probing that. It would be extremely useful if the Minister can answer that. This should apply to transfers between law enforcement authorities just as much as it does for other, more general transfers under Schedule 5. If the Minister can give me the answer, that would be useful, but if he does not have the answer to hand, I am very happy to suspend my curiosity until after Easter.
Viscount Camrose (Con)
I thank the noble Lord, Lord Clement-Jones, for his amendment and his response, and I thank the noble Lord, Lord Bassam. The mechanism for monitoring international transfers was intended to be the subject for the next group in any case, and I would have hoped to give a full answer. I know we are all deeply disappointed that it looks as if we may not get to that group but, if the noble Lord is not willing to wait until we have that debate, I am very happy to write.
Data Protection and Digital Information Bill
Viscount Camrose ExcerptsMonday 25th March 2024
(2 years ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-III Third marshalled list for Grand Committee - (25 Mar 2024)
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
My Lords, I rise to speak to Amendments 11, 12, 13, 14, 15, 16, 17 and 18 and to whether Clauses 5 and 7 should stand part of the Bill. In doing so, I thank the noble Lord, Lord Clement-Jones, and the noble Baronesses, Lady Jones and Lady Kidron, for their amendments. The amendments in the group, as we have heard, relate to Clauses 5 and 7, which make some important changes to Article 6 of the UK GDPR on the lawfulness of processing.
The first amendment in the group, Amendment 11, would create a new lawful ground, under Article 6(1) of UK GDPR, to enable the use of personal data published by public bodies with a person’s consent and to enable processing by public bodies for the benefit of the wider public. The Government do not believe it would be necessary to create additional lawful grounds for processing in these circumstances. The collection and publication of information on public databases, such as the list of company directors published by Companies House, should already be permitted by existing lawful grounds under either Article 6(1)(c), in the case of a legal requirement to publish information, or Article 6(1)(e) in the case of a power.
Personal data published by public bodies can already be processed by other non-public body controllers where their legitimate interests outweigh the rights and interests of data subjects. However, they must comply with their requirements in relation to that personal data, including requirements to process personal data fairly and transparently. I am grateful to the noble Lord, Lord Clement-Jones, for setting out where he thinks the gaps are, but I hope he will accept my reassurances that it should already be possible under the existing legislation and will agree to withdraw the amendment.
On Clause 5, the main objectives introduce a new lawful ground under Article 6(1) of the UK GDPR, known as “recognised legitimate interests”. It also introduces a new annexe to the UK GDPR, in Schedule 1 to the Bill, that sets out an exhaustive list of processing activities that may be undertaken by data controllers under this new lawful ground. If an activity appears on the list, processing may take place without a person’s consent and without balancing the controller’s interests against the rights and interests of the individual: the so-called legitimate interests balancing test.
The activities in the annexe are all of a public interest nature, for example, processing of data where necessary to prevent crime, safeguarding national security, protecting children, responding to emergencies or promoting democratic engagement. They also include situations where a public body requests a non-public body to share personal data with it to help deliver a public task sanctioned by law.
The clause was introduced as a result of stakeholders’ concerns raised in response to the public consultation Data: A New Direction in 2021. Some informed us that they were worried about the legal consequences of getting the balancing test in Article 6(1)(f) wrong. Others said that undertaking the balancing test can lead to delays in some important processing activities taking place.
As noble Lords will be aware, many data controllers have important roles in supporting activities that have a public interest nature. It is vital that data is shared without delay where necessary in areas such as safeguarding, prevention of crime and responding to emergencies. Of course, controllers who share data while relying on this new lawful ground would still have to comply with wider requirements of data protection legislation where relevant, such as data protection principles which ensure that the data is used fairly, lawfully and transparently, and is collected and used for specific purposes.
In addition to creating a new lawful ground of recognised legitimate interests, Clause 5 also clarifies the types of processing activities that may be permitted under the existing legitimate interests lawful ground under Article 6(1)(f) of the UK GDPR. Even if a processing activity does not appear on the new list of recognised legitimate interests, data controllers may still have grounds for processing people’s data without consent if their interests in processing the data are not outweighed by the rights and freedoms that people have in relation to privacy. Clause 5(9) and (10) makes it clear this might be the case in relation to many common commercial activities, such as intragroup transfers.
Baroness Jones of Whitchurch (Lab)
My Lords, may I just revisit that with the Minister? I fear that he is going to move on to another subject. The Delegated Powers Committee said that it thought that the Government had not provided strong enough reasons for needing this power. The public interest list being proposed, which the Minister outlined, is quite broad, so it is hard to imagine the Government wanting something not already listed. I therefore return to what the committee said. Normally, noble Lords like to listen to recommendations from such committees. There is no strong reason for needing that extra power, so, to push back a little on the Minister, why, specifically, is it felt necessary? If it were a public safety interest, or one of the other examples he gave, it seems to me that that would come under the existing list of public interests.
Viscount Camrose (Con)
Indeed. Needless to say, we take the recommendations of the DPRRC very seriously, as they deserve. However, because this is an exhaustive list, and because the technologies and practices around data are likely to evolve very rapidly in ways we are unable currently to predict, it is important to retain as a safety measure the ability to update that list. That is the position the Government are coming from. We will obviously continue to consider the DPRRC’s recommendations, but that has to come with a certain amount of adaptiveness as we go. Any addition to the list would of course be subject to parliamentary debate, via the affirmative resolution procedure, as well as the safeguards listed in the provision itself.
Clause 50 ensures that the ICO and any other interested persons should be consulted before making regulations.
Amendments 15, 16, 17 and 18 would amend the part of Clause 5 that is concerned with the types of activities that might be carried out under the current legitimate interest lawful ground, under Article 6(1)(f). Amendment 15 would prevent direct marketing organisations relying on the legitimate interest lawful ground under Article 6(1)(f) if the personal data being processed related to children. However, the age and vulnerability in general of data subjects is already an important factor for direct marketing organisations when considering whether the processing is justified. The ICO already provides specific guidance for controllers carrying out this balancing test in relation to children’s data. The fact that a data subject is a child, and the age of the child in question, will still be relevant factors to take into account in this process. For these reasons, the Government consider this amendment unnecessary.
Baroness Kidron (CB)
My Lords, am I to take it from that that none of the changes currently in the Bill will expose children on a routine basis to direct marketing?
Viscount Camrose (Con)
As is the case today and will be going forward, direct marketing organisations will be required to perform the balancing test; and as in the ICO guidance today and, no doubt, going forward—
Baroness Kidron (CB)
I am sorry if I am a little confused—I may well be—but the balancing test that is no longer going to be there allows a certain level of processing, which was the subject of the first amendment. The suggestion now is that children will be protected by a balancing test. I would love to know where that balancing test exists.
Viscount Camrose (Con)
The balancing test remains there for legitimate interests, under Article 6(1)(f).
Amendment 16 seeks to prevent organisations that undertake third-party marketing relying on the legitimate interest lawful ground under Article 6(1)(f) of the UK GDPR. As I have set out, organisations can rely on that ground for processing personal data without consent when they are satisfied that they have a legitimate interest to do so and that their commercial interests are not outweighed by the rights and interests of data subjects.
Clause 5(4) inserts in Article 6 new paragraph (9), which provides some illustrative examples of activities that may constitute legitimate interests, including direct marketing activities, but it does not mean that they will necessarily be able to process personal data for that purpose. Organisations will need to assess on a case-by-case basis where the balance of interest lies. If the impact on the individual’s privacy is too great, they will not be able to rely on the legitimate interest lawful ground. I should emphasise that this is not a new concept created by this Bill. Indeed, the provisions inserted by Clause 5(4) are drawn directly from the recitals to the UK GDPR, as incorporated from the EU GDPR.
I recognise that direct marketing can be a sensitive—indeed, disagreeable—issue for some, but direct marketing information can be very important for businesses as well as individuals and can be dealt with in a way that respects people’s privacy. The provisions in this Bill do not change the fact that direct marketing activities must be compliant with the data protection and privacy legislation and continue to respect the data subject’s absolute right to opt out of receiving direct marketing communications.
Amendment 17 would make sure that the processing of employee data for “internal administrative purposes” is subject to heightened safeguards, particularly when it relates to health. I understand that this amendment relates to representations made by the National AIDS Trust concerning the level of protection afforded to employees’ health data. We agree that the protection of people’s HIV status is vital and that it is right that it is subject to extra protection, as is the case for all health data and special category data. We have committed to further engagement and to working with the National AIDS Trust to explore solutions in order to prevent data breaches of people’s HIV status, which we feel is best achieved through non-legislative means given the continued high data protection standards afforded by our existing legislation. As such, I hope that the noble Lord, Lord Clement-Jones, will agree not to press this amendment.
Amendment 18 seeks to allow businesses more confidently to rely on the existing legitimate interest lawful ground for the transmission of personal data within a group of businesses affiliated by contract for internal administrative purposes. In Clause 5, the list of activities in proposed new paragraphs (9) and (10) are intended to be illustrative of the types of activities that may be legitimate interests for the purposes of Article 6(1)(f). They are focused on processing activities that are currently listed in the recitals to the EU GDPR but are simply examples. Many other processing activities may be legitimate interests for the purposes of Article 6(1)(f) of the UK GDPR. It is possible that the transmission of personal data for internal administrative purposes within a group affiliated by contract may constitute a legitimate interest, as may many other commercial activities. It would be for the controller to determine this on a case-by-case basis after carrying out a balancing test to assess the impact on the individual.
Finally, I turn to the clause stand part debate that seeks to remove Clause 7 from the Bill. I am grateful to the noble Lord, Lord Clement-Jones, for this amendment because it allows me to explain why this clause is important to the success of the UK-US data access agreement. As noble Lords will know, that agreement helps the law enforcement agencies in both countries tackle crime. Under the UK GDPR, data controllers can process personal data without consent on public interest grounds if the basis for the processing is set out in domestic law. Clause 7 makes it clear that the processing of personal data can also be carried out on public interest grounds if the basis for the processing is set out in a relevant international treaty such as the UK-US data access agreement.
The agreement permits telecommunications operators in the UK to disclose data about serious crimes with law enforcement agencies in the US, and vice versa. The DAA has been operational since October 2022 and disclosures made by UK organisations under it are already lawful under the UK GDPR. Recent ICO guidance confirms this, but the Government want to remove any doubt in the minds of UK data controllers that disclosures under the DAA are permitted by the UK GDPR. Clause 7 makes it absolutely clear to telecoms operators in the UK that disclosures under the DAA can be made in reliance on the UK GDPR’s public tasks processing grounds; the clause therefore contributes to the continued, effective functioning of the agreement and to keeping the public in both the UK and the US safe.
For these reasons, I hope that the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment.
Lord Clement-Jones (LD)
My first reaction is “Phew”, my Lords. We are all having to keep to time limits now. The Minister did an admirable job within his limit.
I wholeheartedly support what the noble Baronesses, Lady Kidron and Lady Harding, said about Amendments 13 and 15 and what the noble Baroness, Lady Jones, said about her Amendment 12. I do not believe that we have yet got to the bottom of children’s data protection; there is still quite some way to go. It would be really helpful if the Minister could bring together the elements of children’s data about which he is trying to reassure us and write to us saying exactly what needs to be done, particularly in terms of direct marketing directed towards children. That is a real concern.
Lord Clement-Jones (LD)
My Lords, it is a pleasure to follow the noble Baroness, Lady Harding and Lady Bennett, after the excellent introduction to the amendments in this group by the noble Baroness, Lady Jones. The noble Baroness, Lady Harding, used the word “trust”, and this is another example of a potential hidden agenda in the Bill. Again, it is destructive of any public trust in the way their data is curated. This is a particularly egregious example, without, fundamentally, any explanation. Sir John Whittingdale said that a future Government
“may want to encourage democratic engagement in the run up to an election by temporarily ‘switching off’ some of the direct marketing rules”.—[Official Report, Commons, 29/11/2023; col. 885.]
Nothing to see here—all very innocuous; but, as we know, in the past the ICO has been concerned about even the current rules on the use of data by political parties. It seems to me that, without being too Pollyannaish about this, we should be setting an example in the way we use the public’s data for campaigning. The ICO, understandably, is quoted as saying during the public consultation on the Bill that this is
“an area in which there are significant potential risks to people if any future policy is not implemented very carefully”.
That seems an understatement, but that is how regulators talk. It is entirely right to be concerned about these provisions.
Of course, they are hugely problematic, but they are particularly problematic given that it is envisaged that young people aged 14 and older should be able to be targeted by political parties when they cannot even vote, as we have heard. This would appear to contravene one of the basic principles of data protection law: that you should not process more personal data than you need for your purposes. If an individual cannot vote, it is hard to see how targeting them with material relating to an election is a proportionate interference with their privacy rights, particularly when they are a child. The question is, should we be soliciting support from 14 to 17 year-olds during elections when they do not have votes? Why do the rules need changing so that people can be targeted online without having consented? One of the consequences of these changes would be to allow a Government to switch off—the words used by Sir John Whittingdale—direct marketing rules in the run-up to an election, allowing candidates and parties to rely on “soft” opt-in to process data and make other changes without scrutiny.
Exactly as the noble Baroness, Lady Jones, said, respondents to the original consultation on the Bill wanted political communications to be covered by existing rules on direct marketing. Responses were very mixed on the soft opt-in, and there were worries that people might be encouraged to part with more of their personal data. More broadly, why are the Government changing the rules on democratic engagement if they say they will not use these powers? What assessment have they made of the impact of the use of the powers? Why are the powers not being overseen by the Electoral Commission? If anybody is going to have the power to introduce the ability to market directly to voters, it should be the Electoral Commission.
All this smacks of taking advantage of financial asymmetry. We talked about competition asymmetry with big tech when we debated the digital markets Bill; similarly, this seems a rather sneaky way of taking advantage of the financial resources one party might have versus others. It would allow it to do things other parties cannot, because it has granted itself permission to do that. The provisions should not be in the hands of any Secretary of State or governing party; if anything, they should be in entirely independent hands; but, even then, they are undesirable.
Viscount Camrose (Con)
My Lords, I thank the noble Baroness, Lady Jones, for tabling her amendments. Amendment 19 would remove processing which is necessary for the purposes of democratic engagement from the list of recognised legitimate interests. It is essential in a healthy democracy that registered political parties, elected representatives and permitted participants in referendums can engage freely with the electorate without being impeded unnecessarily by data protection legislation.
The provisions in the Bill will mean that these individuals and organisations do not have to carry out legitimate interest assessments or look for a separate legal basis. They will, however, still need to comply with other requirements of data protection legislation, such as the data protection principles and the requirement for processing to be necessary.
On the question posed by the noble Baroness about the term “democratic engagement”, it is intended to cover a wide range of political activities inside and outside election periods. These include but are not limited to democratic representation; communicating with electors and interested parties; surveying and opinion gathering; campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities. This is reflected in the drafting, which incorporates these concepts in the definition of democratic engagement and democratic engagement activities.
The ICO already has guidance on the use of personal data by political parties for campaigning purposes, which the Government anticipate it will update to reflect the changes in the Bill. We will of course work with the ICO to make sure it is familiar with our plans for commencement and that it does not benefit any party over another.
On the point made about the appropriate age for the provisions, in some parts of the UK the voting age is 16 for some elections, and children can join the electoral register as attainers at 14. The age of 14 reflects the variations in voting age across the nation; in some parts of the UK, such as Scotland, a person can register to vote at 14 as an attainer. An attainer is someone who is registered to vote in advance of their being able to do so, to allow them to be on the electoral roll as soon as they turn the required age. Children aged 14 and over are often politically engaged and are approaching voting age. The Government consider it important that political parties and elected representatives can engage freely with this age group—
Lord Bassam of Brighton (Lab)
I am interested in what the Minister says about the age of attainers. Surely it would be possible to remove attainers from those who could be subject to direct marketing. Given how young attainers could be, it would protect them from the unwarranted attentions of campaigning parties and so on. I do not see that as a great difficulty.
Viscount Camrose (Con)
Indeed. It is certainly worth looking at, but I remind noble Lords that such communications have to be necessary, and the test of their being necessary for someone of that age is obviously more stringent.
Lord Bassam of Brighton (Lab)
But what is the test of necessity at that age?
Viscount Camrose (Con)
The processor has to determine whether it is necessary to the desired democratic engagement outcome to communicate with someone at that age. But I take the point: for the vast majority of democratic engagement communications, 14 would be far too young to make that a worthwhile or necessary activity.
Lord Bassam of Brighton (Lab)
As I recall, the ages are on the electoral register.
Viscount Camrose (Con)
I am not aware one way or the other, but I will happily look into that to see what further safeguards we can add so that we are not bombarding people who are too young with this material.
Lord Kamall (Con)
May I make a suggestion to my noble friend the Minister? It might be worth asking the legal people to get the right wording, but if there are different ages at which people can vote in different parts of the United Kingdom, surely it would be easier just to relate it to the age at which they are able to vote in those elections. That would address a lot of the concerns that many noble Lords are expressing here today.
Baroness Harding of Winscombe (Con)
I agree with the noble Baroness, but with one rider. We will keep coming back to the need for children to have a higher level of data protection than adults, and this is but one of many examples we will debate. However, I agree with her underlying point. The reason why I support removing both these clauses is the hubris of believing that you will engage the electorate by bombarding them with things they did not ask to receive.
Viscount Camrose (Con)
A fair number of points were made there. I will look at ages under 16 and see what further steps, in addition to being necessary and proportionate, we can think about to provide some reassurance. Guidance would need to be in effect before any of this is acted on by any of the political parties. I and my fellow Ministers will continue to work with the ICO—
Baroness Kidron (CB)
I am sorry to press the Minister, but does the Bill state that guidance will be in place before this comes into effect?
Viscount Camrose (Con)
I am not sure whether it is written in the Bill. I will check, but the Bill would not function without the existence of the guidance.
Lord Bassam of Brighton (Lab)
I am sorry to drag this out but, on the guidance, can we be assured that the Minister will involve the Electoral Commission? It has a great deal of experience here; in fact, it has opined in the past on votes for younger cohorts of the population. It seems highly relevant to seek out its experience and the benefits of that.
Viscount Camrose (Con)
I would of course be very happy to continue to engage with the Electoral Commission.
We will continue to work with the ICO to make sure that it is familiar with the plans for commencement and that its plans for guidance fit into that. In parts of the UK where the voting age is 18 and the age of attainment is 16, it would be more difficult for candidates and parties to show that it was necessary or proportionate to process the personal data of 14 and 15 year-olds in reliance on the new lawful ground. In this context, creating an arbitrary distinction between children at or approaching voting age and adults may not be appropriate; in particular, many teenagers approaching voting age may be more politically engaged than some adults. These measures will give parties and candidates a clear lawful ground for engaging them in the process. Accepting this amendment would remove the benefits of greater ease of identification of a lawful ground for processing by elected representatives, candidates and registered political parties, which is designed to improve engagement with the electorate. I therefore hope that the noble Baroness, Lady Jones, will withdraw her amendment.
I now come to the clause stand part notice that would remove Clause 114, which gives the Secretary of State a power to make exceptions to the direct marketing rules for communications sent for the purposes of democratic engagement. As Clause 115 defines terms for the purposes of Clause 114, the noble Baroness, Lady Jones, is also seeking for that clause to be removed. Under the current law, many of the rules applying to electronic communications sent for commercial marketing apply to messages sent by registered political parties, elected representatives and others for the purposes of democratic engagement. It is conceivable that, after considering the risks and benefits, a future Government might want to treat communications sent for the purposes of democratic engagement differently from commercial marketing. For example, in areas where voter turnout is particularly low or there is a need to increase engagement with the electoral process, a future Government might decide that the direct marketing rules should be modified. This clause stand part notice would remove that option.
We have incorporated several safeguards that must be met prior to regulations being laid under this clause. They include the Secretary of State having specific regard to the effect the exceptions could have on an individual’s privacy; a requirement to consult the Information Commissioner and other interested parties, as the Secretary of State considers appropriate; and the regulations being subject to parliamentary approval via the affirmative procedure.
For these reasons, I hope that the noble Baroness will agree to withdraw or not press her amendments.
Baroness Jones of Whitchurch (Lab)
My Lords, I am pleased that I have sparked such a lively debate. When I tabled these amendments, it was only me and the noble Lord, Lord Clement-Jones, so I thought, “This could be a bit sad, really”, but it has not been. Actually, it has been an excellent debate and we have identified some really good issues.
As a number of noble Lords said, the expression “democratic engagement” is weasel words: what is not to like about democratic engagement? We all like it. Only when you drill down into the proposals do you realise the traps that could befall us. As noble Lords and the noble Baroness, Lady Bennett, rightly said, we have to see this in the context of some of the other moves the Government are pursuing in trying to skew the electoral rules in their favour. I am not convinced that this is as saintly as the Government are trying to pretend.
The noble Baroness, Lady Harding, is absolutely right: this is about trust. It is about us setting an example. Of all the things we can do on data protection that we have control over, we could at least show the electorate how things could be done, so that they realise that we, as politicians, understand how precious their data is and that we do not want to misuse it.
I hope we have all knocked on doors, and I must say that I have never had a problem engaging with the electorate, and actually they have never had a problem engaging with us. This is not filling a gap that anybody has identified. We are all out there and finding ways of communicating that, by and large, I would say the electorate finds perfectly acceptable. People talk to us, and they get the briefings through the door. That is what they expect an election campaign to be about. They do not expect, as the noble Baroness, Lady Harding, said, to go to see their MP about one thing and then suddenly find that they are being sent information about something completely different or that assumptions are being made about them which were never the intention when they gave the information in the first place. I just feel that there is something slightly seedy about all this. I am sorry that the Minister did not pick up a little more on our concerns about all this.
There are some practical things that I think it was helpful for us to have talked about, such as the Electoral Commission. I do not think that it has been involved up to now. I would like to know in more detail what its views are on all this. It is also important that we come back to the Information Commissioner and check in more detail what his view is on all this. It would be nice to have guidance, but I do not think that that will be enough to satisfy us in terms of how we proceed with these amendments.
The Minister ultimately has not explained why this has been introduced at this late stage. He is talking about this as though conceivably, in the future, a Government might want to adopt these rules. If that is the case, I respectfully say that we should come back at that time with a proper set of proposals that go right through the democratic process that we have here in Parliament, scrutinise it properly and make a decision then, rather than being bounced into something at a very late stage.
I have to say that I am deeply unhappy at what the Minister has said. I will obviously look at Hansard, but I may well want to return to this.
Viscount Camrose
“(c) the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc);”Member's explanatory statement
This technical amendment changes new Article 8A(2)(c) of the UK GDPR so that it refers to processing rather than personal data, reflecting the terms of Articles 9(1) and 10(1).
Viscount Camrose (Con)
My Lords, I rise to speak to a series of minor and technical, yet necessary, government amendments which, overall, improve the functionality of the Bill. I hope the Committee will be content if I address them together. Amendments 20, 42, 61 and 63 are minor technical amendments to references to special category data in Clauses 6 and 14. All are intended to clarify that references to special category data mean references to the scope of Article 9(1) of the UK GDPR. They are simply designed to improve the clarity of the drafting.
I turn now to the series of amendments that clarify how time periods within the data protection legal framework are calculated. For the record, these are Amendments 136, 139, 141, 149, 151, 152, 176, 198, 206 to 208, 212 to 214, 216, 217, 253 and 285. Noble Lords will be aware that the data protection legislation sets a number of time periods or deadlines for certain things to happen, such as responding to subject access requests; in other words, at what day, minute or hour the clock starts and stops ticking in relation to a particular procedure. The Data Protection Act 2018 expressly applies the EU-derived rules on how these time periods should be calculated, except in a few incidences where it is more appropriate for the UK domestic approach to apply, for example time periods related to parliamentary procedures. I shall refer to these EU-derived rules as the time periods regulation.
In response to the Retained EU Law (Revocation and Reform) Act 2023, we are making it clear that the time periods regulation continues to apply to the UK GDPR and other regulations that form part of the UK’s data protection and privacy framework, for example, the Privacy and Electronic Communications (EC Directive) Regulations 2003. By making such express provision, our aim is to ensure consistency and continuity and to provide certainty for organisations, individuals and the regulator. We have also made some minor changes to existing clauses in the Bill to ensure that application of the time periods regulation achieves the correct effect.
Secondly, Amendment 197 clarifies that the requirement to consult before making regulations that introduce smart data schemes may be satisfied by a consultation before the Bill comes into force. The regulations must also be subject to affirmative parliamentary scrutiny to allow Members of both Houses to scrutinise legislation. This will facilitate the rapid implementation of smart data schemes, so that consumers and businesses can start benefiting as soon as possible. The Government are committed to working closely with business and wider stakeholders in the development of smart data.
Furthermore, Clause 96(3) protects data holders from the levy that may be imposed to meet the expenses of persons and bodies performing functions under smart data regulations. This levy cannot be imposed on data holders that do not appear capable of being directly affected by the exercise of those functions.
Amendment 196 extends that protection to authorised persons and third-party recipients on whom the levy may also be imposed. Customers will not have to pay to access their data, only for the innovative services offered by third parties. We expect that smart data schemes will deliver significant time and cost savings for customers.
The Government are committed to balancing the incentives for businesses to innovate and provide smart data services with ensuring that all customers are empowered through their data use and do not face undue financial barriers or digital exclusion. Any regulations providing for payment of the levy or fees will be subject to consultation and to the affirmative resolution procedure in Parliament.
Amendments 283 and 285 to Schedule 15 confer a general incidental power on the information commission. It will have the implied power to do things incidental to or consequential upon the exercise of its functions, for example, to hold land and enter into agreements. This amendment makes those implicit powers explicit for the avoidance of doubt and in line with standard practice. It does not give the commission substantive new powers. I beg to move.
Lord Kamall (Con)
My Lords, I know that these amendments were said to be technical amendments, so I thought I would just accept them, but when I saw the wording of Amendment 283 some alarm bells started ringing. It says:
“The Commission may do anything it thinks appropriate for the purposes of, or in connection with, its functions”.
I know that the Minister said that this is stating what the commission is already able to do, but I am concerned whenever I see those words anywhere. They give a blank cheque to any authority or organisation.
Many noble Lords will know that I have previously spoken about the principal-agent theory in politics, in which certain powers are delegated to an agency or regulator, but what accountability does it have? I worry when I see that it “may do anything … appropriate” to fulfil its tasks. I would like some assurance from the Minister that there is a limit to what the information commission can do and some accountability. At a time when many of us are asking who regulates the regulators and when we are looking at some of the arm’s-length bodies—need I mention the Post Office?—there is some real concern about accountability.
I understand the reason for wanting to clarify or formalise what the Minister believes the information commission is doing already, but I worry about this form of words. I would like some reassurance that it is not wide-ranging and that there is some limit and accountability to future Governments. I have seen this sentiment across the House; people are asking who regulates the regulators and to whom are they accountable.
Lord Bassam of Brighton (Lab)
My Lords, I have been through this large group and, apart from my natural suspicion that there might be something dastardly hidden away in it, I am broadly content, but I have a few questions.
On Amendment 20, can the Minister conform that the new words “further processing” have the same meaning as the reuse of personal data? Can he confirm that Article 5(1)(b) will prohibit this further processing when it is not in line with the original purpose for which the data was collected? How will the data subject know that is the case?
On Amendment 196, to my untutored eye it looks like the regulation-making power is being extended away from the data holder to include authorised persons and third-party recipients. My questions are simple enough: was this an oversight on the part of the original drafters of that clause? Is the amendment an extension of those captured by the effect of the clause? Is it designed to achieve consistency across the Bill? Finally, can I assume that an authorised person or third party would usually be someone acting on behalf of an agent of the data holder?
I presume that Amendments 198, 212 and 213 are needed because of a glitch in the drafting—similarly with Amendment 206. I can see that Amendments 208, 216 and 217 clarify when time periods begin, but why are the Government seeking to disapply time periods in Amendment 253 when surely some consistency is required?
Finally—I am sure the Minister will be happy about this—I am all in favour of flexibility, but Amendment 283 states that the Information Commissioner has the power to do things to facilitate the exercise of his functions. The noble Lord, Lord Kamall, picked up on this. We need to understand what those limits are. On the face of it, one might say that the amendment is sensible, but it seems rather general and broad in its application. As the noble Lord, Lord Kamall, rightly said, we need to see what the limits of accountability are. This is one of those occasions.
Viscount Camrose (Con)
I thank the noble Lords, Lord Kamall and Lord Bassam, for their engagement with this group. On the questions from the noble Lord, Lord Kamall, these are powers that the ICO would already have in common law. As I am given to understand is now best practice, they are put on a statutory footing in the Bill as part of best practice with all Bills. The purpose is to align with best practice. It does not confer substantial new powers but clarifies the powers that the regulator has. I can also confirm that the ICO was and remains accountable to Parliament.
Lord Kamall (Con)
I am sorry to intervene as I know that noble Lords want to move on to other groups, but the Minister said that the ICO remains accountable to Parliament. Will he clarify how it is accountable to Parliament for the record?
Viscount Camrose (Con)
The Information Commissioner is directly accountable to Parliament in that he makes regular appearances in front of Select Committees that scrutinise the regulator’s work, including progress against objectives.
The noble Lord, Lord Bassam, made multiple important and interesting points. I hope he will forgive me if I undertake to write to him about those; there is quite a range of topics to cover. If there are any on which he requires answers right away, he is welcome to intervene.
Lord Bassam of Brighton (Lab)
I want to be helpful to the Minister. I appreciate that these questions are probably irritating but I carefully read through the amendments and aligned them with the Explanatory Notes. I just wanted some clarification to make sure that we are clear on exactly what the Government are trying to do. “Minor and technical” covers a multitude of sins; I know that from my own time as a Minister.
Viscount Camrose (Con)
Indeed. I will make absolutely sure that we provide a full answer. By the way, I sincerely thank the noble Lord for taking the time to go through what is perhaps not the most rewarding of reads but is useful none the less.
Baroness Kidron (CB)
On the question of the ICO being responsible to Parliament, in the then Online Safety Bill and the digital markets Bill we consistently asked for regulators to be directly responsible to Parliament. If that is something the Government believe they are, we would like to see an expression of it.
Viscount Camrose (Con)
I would be happy to provide such an expression. I will be astonished if that is not the subject of a later group of amendments. I have not yet prepared for that group, I am afraid, but yes, that is the intention.
Lord Clement-Jones (LD)
My Lords, it is a pleasure to follow the noble Lord, Lord Sikka. He raised even more questions about Clause 9 than I ever dreamed of. He has illustrated the real issues behind the clause and why it is so important to debate its standing part, because, in our view, it should certainly be removed from the Bill. It would seriously limit people’s ability to access information about how their personal data is collected and used. We are back to the dilution of data subject rights, within which the rights of data subject access are, of course, vital. This includes limiting access to information about automated decision-making processes to which people are subject.
A data subject is someone who can be identified directly or indirectly by personal data, such as a name, an ID number, location data, or information relating to their physical, economic, cultural or social identity. Under existing law, data subjects have a right to request confirmation of whether their personal data is being processed by a controller, to access that personal data and to obtain information about how it is being processed. The noble Lord, Lord Sikka, pointed out that there is ample precedent for how the controller can refuse a request from a data subject only if it is manifestly unfounded or excessive. The meaning of that phrase is well established.
There are three main ways in which Clause 9 limits people’s ability to access information about how their personal data is being collected and used. First, it would lower the threshold for refusing a request from “manifestly unfounded or excessive” to “vexatious or excessive”. This is an inappropriately low threshold, given the nature of a data subject access request—namely, a request by an individual for their own data.
Secondly, Clause 9 would insert a new mandatory list of considerations for deciding whether the request is vexatious or excessive. This includes vague considerations, such as
“the relationship between the person making the request (the ‘sender’) and the person receiving it (the ‘recipient’)”.
The very fact that the recipient holds data relating to the sender means that there is already some form of relationship between them.
Thirdly, the weakening of an individual’s right to obtain information about how their data is being collected, used or shared is particularly troubling given the simultaneous effect of the provisions in Clause 10, which means that data subjects are less likely to be informed about how their data is being used for additional purposes other than those for which it was originally collected, in cases where the additional purposes are for scientific or historical research, archiving in the public interest or statistical purposes. Together, the two clauses mean that an individual is less likely to be proactively told how their data is being used, while it is harder to access information about their data when requested.
In the Public Bill Committee in the House of Commons, the Minister, Sir John Whittingdale, claimed that:
“The new parameters are not intended to be reasons for refusal”,
but rather to give
“greater clarity than there has previously been”.—[Official Report, Commons, Data Protection and Digital Information Bill Committee, 16/5/23; cols. 113-14.]
But it was pointed out by Dr Jeni Tennison of Connected by Data in her oral evidence to the committee that the impact assessment for the Bill indicates that a significant proportion of the savings predicted would come from lighter burdens on organisations dealing with subject access requests as a result of this clause. This suggests that, while the Government claim that this clause is a clarification, it is intended to weaken obligations on controllers and, correspondingly, the rights of data subjects. Is that where the Secretary of State’s £10 billion of benefit from this Bill comes from? On these grounds alone, Clause 9 should be removed from the Bill.
We also oppose the question that Clause 12 stand part of the Bill. Clause 12 provides that, in responding to subject access requests, controllers are required only to undertake a
“reasonable and proportionate search for the personal data and other information”.
This clause also appears designed to weaken the right of subject access and will lead to confusion for organisations about what constitutes a reasonable and proportionate search in a particular circumstance. The right of subject access is central to individuals’ fundamental rights and freedoms, because it is a gateway to exercising other rights, either within the data subject rights regime or in relation to other legal rights, such as the rights to equality and non-discrimination. Again, the lowering of rights compared with the EU creates obvious risks, and this is a continuing theme of data adequacy.
Clause 12 does not provide a definition for reasonable and proportionate searches, but when introducing the amendment, Sir John Whittingdale suggested that a search for information may become unreasonable or disproportionate
“when the information is of low importance or of low relevance to the data subject”.—[Official Report, Commons, 29/11/23; col. 873.]
Those considerations diverge from those provided in the Information Commissioner’s guidance on the rights of access, which states that when determining whether searches may be unreasonable or disproportionate, the data controller must consider the circumstances of the request, any difficulties involved in finding the information and the fundamental nature of the right of access.
We also continue to be concerned about the impact assessment for the Bill and the Government’s claims that the new provisions in relation to subject access requests are for clarification only. Again, Clause 12 appears to have the same impact as Clause 9 in the kinds of savings that the Government seem to imagine will emerge from the lowering of subject access rights. This is a clear dilution of subject access rights, and this clause should also be removed from the Bill.
We always allow for belt and braces and if our urging does not lead to the Minister agreeing to remove Clauses 9 and 12, at the very least we should have the new provisions set out either in Amendment 26, in the name of the noble Baroness, Lady Jones of Whitchurch, or in Amendment 25, which proposes that a data controller who refuses a subject access request must give reasons for their refusal and tell the subject about their right to seek a remedy. That is absolutely the bare minimum, but I would far prefer to see the deletion of Clauses 9 and 12 from the Bill.
Viscount Camrose (Con)
As ever, I thank noble Lords for raising and speaking to these amendments. I start with the stand part notices on Clauses 9 and 36, introduced by the noble Lord, Lord Clement-Jones. Clauses 9 and 36 clarify the new threshold to refuse or charge a reasonable fee for a request that is “vexatious or excessive”. Clause 36 also clarifies that the Information Commissioner may charge a fee for dealing with, or refuse to deal with, a vexatious or excessive request made by any persons and not just data subjects, providing necessary certainty.
Lord Sikka (Lab)
I apologise for intervening, but the Minister referred to resources. By that, he means the resources for the controller but, as I said earlier, there is no consideration of what the social cost may be. If this Bill had already become law, how would the victims of the Post Office scandal have been able to secure any information? Under this Bill, the threshold for providing information will be much lower than it is under the current legislation. Can the Minister say something about how the controllers will take social cost into account or how the Government have taken that into account?
Viscount Camrose (Con)
First, on the point made by the noble Lord, Lord Bassam, it is not to be argumentative—I am sure that there is much discussion to be had—but the intention is absolutely not to lower the standard for a well-intended request.
Sadly, a number of requests that are not well intended are made, with purposes of cynicism and an aim to disrupt. I can give a few examples. For instance, some requests are deliberately made with minimal time between them. Some are made to circumvent the process of legal disclosure in a trial. Some are made for other reasons designed to disrupt an organisation. The intent of using “vexatious” is not in any way to reduce well-founded, or even partially well-founded, attempts to secure information; it is to reduce less desirable, more cynical attempts to work in this way.
Lord Bassam of Brighton (Lab)
But the two terms have a different legal meaning, surely.
Viscount Camrose (Con)
The actual application of the terms will be set out in guidance by the ICO but the intention is to filter out the more disruptive and cynical ones. Designing these words is never an easy thing but there has been considerable consultation on this in order to achieve that intention.
Lord Clement-Jones (LD)
My Lords—sorry; it may be that the Minister was just about to answer my question. I will let him do so.
Viscount Camrose (Con)
I will have to go back to the impact assessment but I would be astonished if that was a significant part of the savings promised. By the way, the £10.6 billion—or whatever it is—in savings was given a green rating by the body that assesses these things; its name eludes me. It is a robust calculation. I will check and write to the noble Lord, but I do not believe that a significant part of that calculation leans on the difference between “vexatious” and “manifestly unfounded”.
Lord Clement-Jones (LD)
It would be very useful to have the Minister respond on that but, of course, as far as the impact assessment is concerned, a lot of this depends on the Government’s own estimates of what this Bill will produce—some of which are somewhat optimistic.
Lord Clement-Jones (LD)
The noble Baroness, Lady Jones, has given me an idea: if an impact assessment has been made, clause by clause, it would be extremely interesting to know just where the Government believe the golden goose is.
Viscount Camrose (Con)
I am not quite sure what is being requested because the impact assessment has been not only made but published.
Viscount Camrose (Con)
I see—so noble Lords would like an analysis of the different components of the impact assessment. It has been green-rated by the independent Regulatory Policy Committee. I have just been informed by the Box that the savings from these reforms to the wording of SARs are valued at less than 1% of the benefit of more than £10 billion that this Bill will bring.
Lord Clement-Jones (LD)
That begs the question of where on earth the rest is coming from.
Viscount Camrose (Con)
Which I will be delighted to answer. With this interesting exchange, I have lost in my mind the specific questions that the noble Lord, Lord Sikka, asked but I am coming on to some of his other ones; if I do not give satisfactory answers, no doubt he will intervene and ask again.
I appreciate the further comments made by the noble Lord, Lord Sikka, about the Freedom of Information Act. I hope he will be relieved to know that this Bill does nothing to amend that Act. On his accounting questions, he will be aware that most SARs are made by private individuals to private companies. The Government are therefore not involved in that process and do not collect the kind of information that he described.
Following the DPDI Bill, the Government will work with the ICO to update guidance on subject access requests. Guidance plays an important role in clarifying what a controller should consider when relying on the new “vexatious or excessive” provision. The Government are also exploring whether a code of practice on subject access requests can best address the needs of controllers and data subjects.
On whether Clause 12 should stand part of the Bill, Clause 12 is only putting on a statutory footing what has already been established—
Lord Sikka (Lab)
My apologies. The Minister just said that the Government do not collect the data. Therefore, what is the basis for changing the threshold? No data, no reasonable case.
Viscount Camrose (Con)
The Government do not collect details of private interactions between those raising SARs and the companies they raise them with. The business case is based on extensive consultation—
Lord Sikka (Lab)
I hope that the Government have some data about government departments and the public bodies over which they have influence. Can he provide us with a glimpse of how many requests are received, how many are rejected at the outset, how many go to the commissioners, what the cost is and how the cost is computed? At the moment, it sounds like the Government want to lower the threshold without any justification.
Viscount Camrose (Con)
As I say, I do not accept that the threshold is being lowered. On the other hand, I will undertake to find out what information can be reasonably provided. Again, as I said, the independent regulatory committee gave the business case set out a green rating; that is a high standard and gives credibility to the business case calculations, which I will share.
The reforms keep reasonable requests free of charge and instead seek to ensure that controllers can refuse or charge a reasonable fee for requests that are “vexatious or excessive”, which can consume a significant amount of time and resources. However, the scope of the current provision is unclear and, as I said, there are a variety of circumstances where controllers would benefit from being able confidently to refuse or charge the fee.
Lord Sikka (Lab)
The Minister used the phrase “reasonable fee”. Can he provide some clues on that, especially for the people who may request information? We have around 17.8 million individuals living on less than £12,570. So, from what perspective is the fee reasonable and how is it determined?
Viscount Camrose (Con)
“Reasonable” would be set out in the guidance to be created by the ICO but it would need to reflect the costs and affordability. The right of access remains of paramount importance in the data protection framework.
Lastly, as I said before on EU data adequacy, the Government maintain an ongoing dialogue with the EU and believe that our reforms are compatible with maintaining our data adequacy decisions.
For the reasons I have set out, I am not able to accept these amendments. I hope that noble Lords will therefore agree to withdraw or not press them.
Baroness Jones of Whitchurch (Lab)
My Lords, I can also be relatively brief. I thank all noble Lords who have spoken and the noble Baroness, Lady Harding, and the noble Lord, Lord Clement-Jones, for their amendments, to many of which I have added my name.
At the heart of this debate is what constitutes a disproportionate or impossibility exemption for providing data to individuals when the data is not collected directly from data subjects. Amendments 29 to 33 provide further clarity on how exemptions on the grounds of disproportionate effort should be interpreted —for example, by taking into account whether there would be a limited impact on individuals, whether they would be caused any distress, what the exemptions were in the first place and whether the information had been made publicly available by a public body. All these provide some helpful context, which I hope the Minister will take on board.
I have also added my name to Amendments 27 and 28 from the noble Baroness, Lady Harding. They address the particular concerns about those using the open electoral register for direct marketing purposes. As the noble Baroness explained, the need for this amendment arises from the legal ruling that companies using the OER must first notify individuals at their postal addresses whenever their data is being used. As has been said, given that individuals already have an opt-out when they register on the electoral roll, it would seem unnecessary and impractical for companies using the register to follow up with individuals each time they want to access their data. These amendments seek to close that loophole and return the arrangements back to the previous incarnation, which seemed to work well.
All the amendments provide useful forms of words but, as the noble Baroness, Lady Harding, said, if the wording is not quite right, we hope that the Minister will help us to craft something that is right and that solves the problem. I hope that he agrees that there is a useful job of work to be done on this and that he provides some guidance on how to go about it.
Viscount Camrose (Con)
I thank my noble friend Lady Harding for moving this important amendment. I also thank the cosignatories—the noble Lords, Lord Clement-Jones and Lord Black, and the noble Baroness, Lady Jones. As per my noble friend’s request, I acknowledge the importance of this measure and the difficulty of judging it quite right. It is a difficult balance and I will do my best to provide some reassurance, but I welcomed hearing the wise words of all those who spoke.
I turn first to the clarifying Amendments 27 and 32. I reassure my noble friend Lady Harding that, in my view, neither is necessary. Clause 11 amends the drafting of the list of cases when the exemption under Article 14(5) applies but the list closes with “or”, which makes it clear that you need to meet only one of the criteria listed in paragraph (5) to be exempt from the transparency requirements.
I turn now to Amendments 28 to 34, which collectively aim to expand the grounds of disproportionate effort to exempt controllers from providing certain information to individuals. The Government support the use of public data sources, such as the OER, which may be helpful for innovation and may have economic benefits. Sometimes, providing this information is simply not possible or is disproportionate. Existing exemptions apply when the data subject already has the information or in cases where personal data has been obtained from someone other than the data subject and it would be impossible to provide the information or disproportionate effort would be required to do so.
We must strike the right balance between supporting the use of these datasets and ensuring transparency for data subjects. We also want to be careful about protecting the integrity of the electoral register, open or closed, to ensure that it is used within the data subject’s reasonable expectations. The exemptions that apply when the data subject already has the information or when there would be a disproportionate effort in providing the information must be assessed on a case-by-case basis, particularly if personal data from public registers is to be combined with other sources of personal data to build a profile for direct marketing.
These amendments may infringe on transparency—a key principle in the data protection framework. The right to receive information about what is happening to your data is important for exercising other rights, such as the right to object. This could be seen as going beyond what individuals might expect to happen to their data.
The Government are not currently convinced that these amendments would be sufficient to prevent negative consequences to data subject rights and confidence in the open electoral register and other public registers, given the combination of data from various sources to build a profile—that was the subject of the tribunal case being referenced. Furthermore, the Government’s view is that there is no need to amend Article 14(6) explicitly to include the “reasonable expectation of the data subjects” as the drafting already includes reference to “appropriate safeguards”. This, in conjunction with the fairness principle, means that data controllers are already required to take this into account when applying the disproportionate effort exemption.
The above notwithstanding, the Government understand that the ICO may explore this question as part of its work on guidance in the future. That seems a better way of addressing this issue in the first instance, ensuring the right balance between the use of the open electoral register and the rights of data subjects. We will continue to work closely with the relevant stakeholders involved and monitor the situation.
Baroness Harding of Winscombe (Con)
I wonder whether I heard my noble friend correctly. He said “may”, “could” and “not currently convinced” several times, but, for the companies concerned, there is a very real, near and present deadline. How is my noble friend the Minister suggesting that deadline should be considered?
Viscount Camrose (Con)
On the first point, I used the words carefully because the Government cannot instruct the ICO specifically on how to act in any of these cases. The question about the May deadline is important. With the best will in the world, none of the provisions in the Bill are likely to be in effect by the time of that deadline in any case. That being the case, I would feel slightly uneasy about advising the ICO on how to act.
Lord Clement-Jones (LD)
My Lords, I am not quite getting from the Minister whether he has an understanding of and sympathy with the case that is being made or whether he is standing on ceremony on its legalities. Is he saying, “No, we think that would be going too far”, or that there is a good case and that guidance or some action by the ICO would be more appropriate? I do not get the feeling that somebody has made a decision about the policy on this. It may be that conversations with the Minister between Committee and Report would be useful, and it may be early days yet until he hears the arguments made in Committee; I do not know, but it would be useful to get an indication from him.
Viscount Camrose (Con)
Yes. I repeat that I very much recognise the seriousness of the case. There is a balance to be drawn here. In my view, the best way to identify the most appropriate balancing point is to continue to work closely with the ICO, because I strongly suspect that, at least at this stage, it may be very difficult to draw a legislative dividing line that balances the conflicting needs. That said, I am happy to continue to engage with noble Lords on this really important issue between Committee and Report, and I commit to doing so.
On the question of whether Clause 11 should stand part of the Bill, Clause 11 extends the existing disproportionate effort exemption to cases where the controller collected the personal data directly from the data subject and intends to carry out further processing for research purposes, subject to the research safeguards outlined in Clause 26. This exemption is important to ensure that life-saving research can continue unimpeded.
Research holds a privileged position in the data protection framework because, by its nature, it is viewed as generally being in the public interest. The framework has various exemptions in place to facilitate and encourage research in the UK. During the consultation, we were informed of various longitudinal studies, such as those into degenerative neurological conditions, where it is impossible or nearly impossible to recontact data subjects. To ensure that this vital research can continue unimpeded, Clause 11 provides a limited exemption that applies only to researchers who are complying with the safeguards set out in Clause 26.
The noble Lord, Lord Clement-Jones, raised concerns that Clause 11 would allow unfair processing. I assure him that this is not the case, as any processing that uses the disproportionate effort exemption in Article 13 must comply with the overarching data protection principles, including lawfulness, fairness and transparency, so that even if data controllers rely on this exemption they should consider other ways to make the processing they undertake as fair and transparent as possible.
Finally, returning to EU data adequacy, the Government recognise its importance and, as I said earlier, are confident that the proposals in Clause 11 are complemented by robust safeguards, which reinforces our view that they are compatible with EU adequacy. For the reasons that I have set out, I am unable to accept these amendments, and I hope that noble Lords will not press them.
Baroness Harding of Winscombe (Con)
My Lords, I am not quite sure that I understand where my noble friend the Minister is on this issue. The noble Lord, Lord Clement-Jones, summed it up well in his recent intervention. I will try to take at face value my noble friend’s assurances that he is happy to continue to engage with us on these issues, but I worry that he sees this as two sides of an issue—I hear from him that there may be some issues and there could be some problems—whereas we on all sides of the Committee have set out a clear black and white problem. I do not think they are the same thing.
I appreciate that the wording might create some unintended consequences, but I have not really understood what my noble friend’s real concerns are, so we will need to come back to this on Report. If anything, this debate has made it even clearer to me that it is worth pushing for clarity on this. I look forward to ongoing discussions with a cross-section of noble Lords, my noble friend and the ICO to see if we can find a way through to resolve the very real issues that we have identified today. With that, and with thanks to all who have spoken in this debate, I beg leave to withdraw my amendment.
Viscount Camrose (Con)
As ever, I thank the noble Baroness, Lady Jones, and the noble Lord, Lord Clement-Jones, for their detailed consideration of Clause 14, and all other noble Lord who spoke so well. I carefully note the references to the DWP’s measure on fraud and error. For now, I reassure noble Lords that a human will always be involved in all decision-making relating to that measure, but I note that this Committee will have a further debate specifically on that measure later.
The Government recognise the importance of solely automated decision-making to the UK’s future success and productivity. These reforms ensure that it can be responsibly implemented, while any such decisions with legal or similarly significant effects have the appropriate safeguards in place, including the rights to request a review and to request one from a human. These reforms clarify and simplify the rules related to solely automated decision-making without watering down any of the protections for data subjects or the fundamental data protection principles. In doing so, they will provide confidence to organisations looking to use these technologies in a responsible way while driving economic growth and innovation.
The Government also recognise that AI presents huge opportunities for the public sector. It is important that AI is used responsibly and transparently in the public sector; we are already taking steps to build trust and transparency. Following a successful pilot, we are making the Algorithmic Transparency Reporting Standard—the ATRS—a requirement for all government departments, with plans to expand this across the broader public sector over time. This will ensure that there is a standardised way for government departments proactively to publish information about how and why they are using algorithms in their decision-making. In addition, the Central Digital and Data Office—the CDDO—has already published guidance on the procurement and use of generative AI for the UK Government and, later this year, DSIT will launch the AI management essentials scheme, setting a minimum good practice standard for companies selling AI products and services.
Lord Clement-Jones (LD)
My Lords, could I just interrupt the Minister? It may be that he can get an answer from the Box to my question. One intriguing aspect is that, as the Minister said, the pledge is to bring the algorithmic recording standard into each government department and there will be an obligation to use that standard. However, what compliance mechanism will there be to ensure that that is happening? Does the accountable Permanent Secretary have a duty to make sure that that is embedded in the department? Who has the responsibility for that?
Viscount Camrose (Con)
That is a fair question. I must confess that I do not know the answer. There will be mechanisms in place, department by department, I imagine, but one would also need to report on it across government. Either it will magically appear in my answer or I will write to the Committee.
The CDDO has already published guidance on the procurement and use of generative AI for the Government. We will consult on introducing this as a mandatory requirement for public sector procurement, using purchasing power to drive responsible innovation in the broader economy.
I turn to the amendments in relation to meaningful involvement. I will first take together Amendments 36 and 37, which aim to clarify that the safeguards mentioned under Clause 14 are applicable to profiling operations. New Article 22A(2) already clearly sets out that, in cases where profiling activity has formed part of the decision-making process, controllers have to consider the extent to which a decision about an individual has been taken by means of profiling when establishing whether human involvement has been meaningful. Clause 14 makes clear that a solely automated significant decision is one without meaningful human involvement and that, in these cases, controllers are required to provide the safeguards in new Article 22C. As such, we do not believe that these amendments are necessary; I therefore ask the noble Baroness, Lady Jones, not to press them.
Turning to Amendment 38, the Government are confident that the existing reference to “data subject” already captures the intent of this amendment. The existing definition of “personal data” makes it clear that a data subject is a person who can be identified, directly or indirectly. As such, we do not believe that this amendment is necessary; I ask the noble Lord, Lord Clement-Jones, whether he would be willing not to press it.
Amendments 38A and 40 seek to clarify that, for human involvement to be considered meaningful, the review must be carried out by a competent person. We feel that these amendments are unnecessary as meaningful human involvement may vary depending on the use case and context. The reformed clause already introduces a power for the Secretary of State to provide legal clarity on what is or is not to be taken as meaningful human involvement. This power is subject to the affirmative procedure in Parliament and allows the provision to be future-proofed in the wake of technological advances. As such, I ask the noble Baronesses, Lady Jones and Lady Bennett, not to press their amendments.
Viscount Camrose (Con)
I am not sure I agree with that characterisation. The ATRS is a relatively new development. It needs time to bed in and needs to be bedded in on an agile basis in order to ensure not only quality but speed of implementation. That said, I ask the noble Lord to withdraw his amendment.
Lord Clement-Jones (LD)
The Minister has taken us through what Clause 14 does and rebutted the need for anything other than “solely”. He has gone through the sensitive data and the special category data aspects, and so on, but is he reiterating his view that this clause is purely for clarification; or is he saying that it allows greater use of automated decision-making, in particular in public services, so that greater efficiencies can be found and therefore it is freeing up the public sector at the expense of the rights of the individual? Where does he sit in all this?
Viscount Camrose (Con)
As I said, the intent of the Government is: yes to more automated data processing to take advantage of emerging technologies, but also yes to maintaining appropriate safeguards. The safeguards in the present system consist—if I may characterise it in a slightly blunt way—of providing quite a lot of uncertainty, so that people do not take the decision to positively embrace the technology in a safe way. By bringing in this clarity, we will see an increase not only in the safety of their applications but in their use, driving up productivity in both the public and private sectors.
Lord Bassam of Brighton (Lab)
My Lords, I said at the outset that I thought this was the beginning of a particular debate, and I was right, looking at the amendments coming along. The theme of the debate was touched on by the noble Baroness, Lady Bennett, when she talked about these amendments, in essence, being about keeping humans in the loop and the need for them to be able to review decisions. Support for that came from the noble Baroness, Lady Kidron, who made some important points. The point the BMA made about risking eroding trust cut to what we have been talking about all afternoon: trust in these processes.
The noble Lord, Lord Clement-Jones, talked about this effectively being the watering down of Article 22A, and the need for some core ethical principles in AI use and for the Government to ensure a right to human review. Clause 14 reverses the presumption of that human reviewing process, other than where solely automated decision-making exists, where it will be more widely allowed, as the Minister argued.
However, I am not satisfied by the responses, and I do not think other Members of your Lordships’ Committee will be either. We need more safeguards. We have moved from one clear position to another, which can be described as watering down or shifting the goalposts; I do not mind which, but that is how it seems to me. Of course, we accept that there are huge opportunities for AI in the delivery of public services, particularly in healthcare and the operation of the welfare system, but we need to ensure that citizens in this country have a higher level of protection than the Bill currently affords them.
At one point I thought the Minister said that a solely automated decision was a rubber-stamped decision. To me, that gave the game away. I will have to read carefully what he said in Hansard¸ but that is how it sounded, and it really gets our alarm bells ringing. I am happy to withdraw my amendment, but we will come back to this subject from time to time and throughout our debates on the rest of the Bill.
Lord Clement-Jones (LD)
My Lords, I will speak to my Amendment 48. By some quirk of fate, I failed to sign up to the amendments that the noble Lord, Lord Bassam, so cogently introduced. I would have signed up if I had realised that I had not, so to speak.
It is a pleasure to follow the noble Baroness, Lady Kidron. She has a track record of being extremely persuasive, so I hope the Minister pays heed in what happens between Committee and Report. I very much hope that there will be some room for manoeuvre and that there is not just permanent push-back, with the Minister saying that everything is about clarifying and us saying that everything is about dilution. There comes a point when we have to find some accommodation on some of these areas.
Amendments 48 and 49 are very similar—I was going to say, “Great minds think alike”, but I am not sure that my brain feels like much of a great mind at the moment. “Partly” or “predominantly” rather than “solely”, if you look at it the other way round, is really the crux of what I think many of us are concerned about. It is easy to avoid the terms of Article 22 just by slipping in some sort of token human involvement. Defining “meaningful” is so difficult in these circumstances. I am concerned that we are opening the door to something that could be avoided. Even then, the terms of the new clause—we will have a clause stand part debate on Wednesday, obviously—put all the onus on the data subject, whereas that was not the case previously under Article 22. The Minister has not really explained why that change has been made.
I conclude by saying that I very much support Amendment 41. This whole suite of amendments is well drafted. The point about the Equality Act is extremely well made. The noble Lord, Lord Holmes, also has a very good amendment here. It seems to me that involving the ICO right in the middle of this will be absolutely crucial—and we are back to public trust again. If nothing else, I would like explicitly to include that under Clause 14 in relation to Article 22 by the time this Bill goes through.
Viscount Camrose (Con)
I thank noble Lords and the noble Baroness for their further detailed consideration of Clause 14.
Let me take first the amendments that deal with restrictions on and safeguards for ADM and degree of ADM. Amendment 41 aims to make clear that solely automated decisions that contravene any part of the Equality Act 2010 are prohibited. We feel that this amendment is unnecessary for two reasons. First, this is already the case under the Equality Act, which is reinforced by the lawfulness principle under the present data protection framework, meaning that controllers are already required to adhere to the Equality Act 2010. Secondly, explicitly stating in the legislation that contravening one type of legislation is prohibited—in this case, the Equality Act 2010—and not referring to other legislation that is also prohibited will lead to an inconsistent approach. As such, we do not believe that this amendment is necessary; I ask the noble Baroness, Lady Jones, to withdraw it.
Amendment 44 seeks to limit the conditions for special category data processing for this type of automated decision-making. Again, we feel that this is not needed given that a set of conditions already provides enhanced levels of protection for the processing of special category data, as set out in Article 9 of the UK GDPR. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. Furthermore, where an organisation seeks to process special category data under solely automated decision-making on the basis that it is necessary for contract, in addition to the Articles 6 and 9 lawful bases, they would also have to demonstrate that the processing was necessary for substantial public interest.
Similarly, Amendment 45 seeks to apply safeguards when processing special category data; however, these are not needed as the safeguards in new Article 22C already apply to all forms of processing, including the processing of special category data, by providing sufficient safeguards for data subjects’ rights, freedoms and legitimate interests. As such, we do not believe that these amendments are necessary; I ask the noble Baroness, Lady Jones, not to press them.
Baroness Kidron (CB)
Can the Minister give me an indication of the level at which that kicks in? For example, say there is a child in a classroom and a decision has been made about their ability in a particular subject. Is it automatic that the parent and the child get some sort of read-out on that? I would be curious to know where the Government feel that possibility starts.
Viscount Camrose (Con)
In that example, where a child was subject to a solely ADM decision, the school would be required to inform the child of the decision and the reasons behind it. The child and their parent would have the right to seek a human review of the decision.
Baroness Kidron (CB)
We may come on to this when we get to edtech but a lot of those decisions are happening automatically right now, without any kind of review. I am curious as to why it is on the school whereas the person actually doing the processing may well be a technology company.
Viscount Camrose (Con)
It may be either the controller or the processor but for any legal or similarly significant decision right now—today—there is a requirement before the Bill comes into effect. That requirement is retained by the Bill.
In line with ICO guidance, children need particular protection when organisations collect and process their personal data because they may be less aware of the risks involved. If organisations process children’s personal data they should think about the need to protect them from the outset and should design their systems and processes with this in mind. This is the case for organisations processing children’s data during solely automated decision-making, just as it is for all processing of children’s data.
Building on this, the Government’s view is that automated decision-making has an important role to play in protecting children online, for example with online content moderation. The current provisions in the Bill will help online service providers understand how they can use these technologies and strike the right balance between enabling the best use of automated decision-making technology while continuing to protect the rights of data subjects, including children. As such, we do not believe that the amendment is necessary; I ask the noble Baroness if she would be willing not to press it.
Amendments 48 and 49 seek to extend the Article 22 provisions to “predominantly” and “partly” automated decision-making. These types of processing already involve meaningful human involvement. In such instances, other data protection requirements, including transparency and fairness, continue to apply and offer relevant protections. As such, we do not believe that these amendments are necessary; I ask the noble Baroness, Lady Jones, and the noble Lord, Lord Clement-Jones, if they would be willing not to press them.
Amendment 50 seeks to ensure that the Article 22C safeguards will apply alongside, rather than instead of, the transparency obligations in the UK GDPR. I assure the noble Baroness, Lady Jones, that the general transparency obligations in Articles 12 to 15 will continue to apply and thus will operate alongside the safeguards in the reformed Article 22. As such, we do not believe that this amendment is necessary; I ask the noble Baroness if she would be willing not to press it.
The changes proposed by Amendment 52A are unnecessary as Clause 50 already provides for an overarching requirement for the Secretary of State to consult the ICO and other persons that the Secretary of State considers appropriate before making regulations under the UK GDPR, including for the measures within Article 22. Also, any changes to the regulations are subject to the affirmative procedure so must be approved by both Houses of Parliament. As with other provisions of the Bill, the ICO will seek to provide organisations with timely guidance and support to assist them in interpreting and applying the legislation. As such, we do not believe that this amendment is necessary and, if he were here, I would ask my noble friend Lord Holmes if he would be willing not to press it.
Amendments 98A and 104A are related to workplace rights. Existing data protection legislation and our proposed reforms provide sufficient safeguards for automated decision making where personal data is being processed, including in workplaces. The UK’s human rights law, and existing employment and equality laws, also ensure that employees are informed and consulted about any workplace developments, which means that surveillance of employees is regulated. As such, we do not believe that these amendments are necessary and I ask the noble Baroness not to move them.
Lord Clement-Jones (LD)
I hear what the Minister said about the workplace algorithmic assessment. However, if the Government believe it is right to have something like an algorithmic recording standard in the public sector, why is it not appropriate to have something equivalent in the private sector?
Viscount Camrose (Con)
I would not say it is not right, but if we want to make the ATRS a standard, we should make it a standard in the public sector first and then allow it to be adopted as a means for all private organisations using ADM and AI to meet the transparency principles that they are required to adopt.
Lord Clement-Jones (LD)
So would the Minister not be averse to it? It is merely so that the public sector is ahead of the game, allowing it to show the way and then there may be a little bit of regulation for the private sector.
Viscount Camrose (Con)
I am not philosophically averse to such regulation. As to implementing it in the immediate future, however, I have my doubts about that possibility.
Lord Bassam of Brighton (Lab)
My Lords, this has been an interesting and challenging session. I hope that we have given the Minister and his team plenty to think about—I am sure we have. A lot of questions remain unanswered, and although the Committee Room is not full this afternoon, I am sure that colleagues reading the debate will be studying the responses that we have received very carefully.
I am grateful to the noble Baroness, Lady Kidron, for her persuasive support. I am also grateful to the noble Lord, Lord Clement-Jones, for his support for our amendments. It is a shame the noble Lord, Lord Holmes, was not here this afternoon, but I am sure we will hear persuasively from him on his amendment later in Committee.
The Minister is to be congratulated for his consistency. I think I heard the phrase “not needed” or “not necessary” pretty constantly this afternoon, but particularly with this group of amendments. He probably topped the lot with his response on the Equality Act on Amendment 41.
I want to go away with my colleagues to study the responses to the amendments very carefully. That being said, however, I am happy to withdraw Amendment 41 at this stage.
Viscount Camrose
Member's explanatory statement
This technical amendment adjusts the wording of new Article 22B(1) of the UK GDPR to reflect the terms of Article 9(1).
Artificial Intelligence (Regulation) Bill [HL]
Viscount Camrose ExcerptsFriday 22nd March 2024
(2 years ago)
Lords ChamberRead Full debate Artificial Intelligence (Regulation) Bill [HL] 2023-24 View all Artificial Intelligence (Regulation) Bill [HL] 2023-24 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
I join my thanks to those of others to my noble friend Lord Holmes for bringing forward this Bill. I thank all noble Lords who have taken part in this absolutely fascinating debate of the highest standard. We have covered a wide range of topics today. I will do my best to respond, hopefully directly, to as many points as possible, given the time available.
The Government recognise the intent of the Bill and the differing views on how we should go about regulating artificial intelligence. For reasons I will now set out, the Government would like to express reservations about my noble friend’s Bill.
First, with the publication of our AI White Paper in March 2023, we set out proposals for a regulatory framework that is proportionate, adaptable and pro-innovation. Rather than designing a new regulatory system from scratch, the White Paper proposed five cross-sectoral principles, which include safety, transparency and fairness, for our existing regulators to apply within their remits. The principles-based approach will enable regulators to keep pace with the rapid technological change of AI.
The strength of this approach is that regulators can act now on AI within their own remits. This common-sense, pragmatic approach has won endorsement from leading voices across civil society, academia and business, as well as many of the companies right at the cutting edge of frontier AI development. Last month we published an update through the Government’s response to the consultation on the AI White Paper. The White Paper response outlines a range of measures to support existing regulators to deliver against the AI regulatory framework. This includes providing further support to regulators to deliver the regulatory framework through a boost of more than £100 million to upskill regulators and help unlock new AI research and innovation.
As part of this, we announced a £10 million package to jump-start regulators’ AI capabilities, preparing and upskilling regulators to address the risks and to harness the opportunities of this defining technology. It also includes publishing new guidance to support the coherent implementation of the principles. To ensure robust implementation of the framework, we will continue our work to establish the central function.
Let me reassure noble Lords that the Government take mitigating AI risks extremely seriously. That is why several aspects of the central function have already been established, such as the central AI risk function, which will shortly be consulting on its cross-economy AI risk register. Let me reassure the noble Lord, Lord Empey, that the AI risk function will maintain a holistic view of risks across the AI ecosystem, including misuse risks, such as where AI capabilities may be leveraged to undermine cybersecurity.
Specifically on criminality, the Government recognise that the use of AI in criminal activity is a very important issue. We are working with a range of stakeholders, including regulators, and a range of legal experts to explore ways in which liability, including criminal liability, is currently allocated through the AI value chain.
In the coming months we will set up a new steering committee, which will support and guide the activities of a formal regulator co-ordination structure within government. We also wrote to key regulators, requesting that they publish their AI plans by 30 April, setting out how they are considering, preparing for and addressing AI risks and opportunities in their domain.
As for the next steps for ongoing policy development, we are developing our thinking on the regulation of highly capable general-purpose models. Our White Paper consultation response sets out key policy questions related to possible future binding measures, which we are exploring with experts and our international partners. We plan to publish findings from this expert engagement and an update on our thinking later this year.
We also confirmed in the White Paper response that we believe legislative action will be required in every country once the understanding of risks from the most capable AI systems has matured. However, legislating too soon could easily result in measures that are ineffective against the risks, are disproportionate or quickly become out of date.
Finally, we make clear that our approach is adaptable and iterative. We will continue to work collaboratively with the US, the EU and others across the international landscape to both influence and learn from international development.
I turn to key proposals in the Bill that the noble Lord has tabled. On the proposal to establish a new AI authority, it is crucial that we put in place agile and effective mechanisms that will support the coherent and consistent implementation of the AI regulatory framework and principles. We believe that a non-statutory central function is the most appropriate and proportionate mechanism for delivering this at present, as we observe a period of non-statutory implementation across our regulators and conduct our review of regulator powers and remits.
In the longer term, we recognise that there may be a case for reviewing how and where the central function has delivered, once its functions have become more clearly defined and established, including whether the function is housed within central government or in a different form. However, the Government feel that this would not be appropriate for the first stage of implementation. To that end, as I mentioned earlier, we are delivering the central function within DSIT, to bring coherence to the regulatory framework. The work of the central function will provide clarity and ensure that the framework is working as intended and that joined-up and proportionate action can be taken if there are gaps in our approach.
We recognise the need to assess the existing powers and remits of the UK’s regulators to ensure they are equipped to address AI risks and opportunities in their domains and to implement the principles consistently and comprehensively. We anticipate having to introduce a statutory duty on regulators requiring them to have due regard to the principles after an initial period of non-statutory implementation. For now, however, we want to test and iterate our approach. We believe this approach offers critical adaptability, but we will keep it under review; for example, by assessing the updates on strategic approaches to AI that several key regulators will publish by the end of April. We will also work with government departments and regulators to analyse and review potential gaps in existing regulatory powers and remits.
Like many noble Lords, we see approaches such as regulatory sandboxes as a crucial way of helping businesses navigate the AI regulatory landscape. That is why we have funded the four regulators in the Digital Regulation Cooperation Forum to pilot a new, multiagency advisory service known as the AI and digital hub. We expect the hub to launch in mid-May and will provide further details in the coming weeks on when this service will be open for applications from innovators.
One of the principles at the heart of the AI regulatory framework is accountability and governance. We said in the White Paper that a key part of implementation of this principle is to ensure effective oversight of the design and use of AI systems. We have recognised that additional binding measures may be required for developers of the most capable AI systems and that such measures could include requirements related to accountability. However, it would be too soon to mandate measures such as AI-responsible officers, even for these most capable systems, until we understand more about the risks and the effectiveness of potential mitigations. This could quickly become burdensome in a way that is disproportionate to risk for most uses of AI.
Let me reassure my noble friend Lord Holmes that we continue to work across government to ensure that we are ready to respond to the risks to democracy posed by deep fakes; for example, through the Defending Democracy Taskforce, as well as through existing criminal offences that protect our democratic processes. However, we should remember that AI labelling and identification technology is still at an early stage. No specific technology has yet been proven to be both technically and organisationally feasible at scale. It would not be right to mandate labelling in law until the potential benefits and risks are better understood.
Noble Lords raised the importance of protecting intellectual property, a profoundly important subject. In the AI White Paper consultation response, the Government committed to provide an update on their approach to AI and copyright issues soon. I am confident that, when we do so, it will address many of the issues that noble Lords have raised today.
In summary, our approach, combining a principles-based framework, international leadership and voluntary measures on developers, is right for today, as it allows us to keep pace with rapid and uncertain advances in AI. The UK has successfully positioned itself as a global leader on AI, in recognition of the fact that AI knows no borders and that its complexity demands nuanced international governance. In addition to spearheading thought leadership through the AI Safety Summit, the UK has supported effective action through the G7, the Council of Europe, the OECD, the G5, the G20 and the UN, among other bodies. We look forward to continuing to engage with all noble Lords on these critical issues as we continue to develop our regulatory approach.
Data Protection and Digital Information Bill
Viscount Camrose ExcerptsWednesday 20th March 2024
(2 years ago)
Grand CommitteeRead Full debate Data Protection and Digital Information Bill 2022-23 View all Data Protection and Digital Information Bill 2022-23 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 30-I(b) Amendments for Grand Committee (Supplementary to the Marshalled List) - (20 Mar 2024)
Lord Bassam of Brighton (Lab)
As I was saying, it is important for the framework on data protection that we take a precautionary approach. I hope that the Minister will this afternoon be able to provide a plain English explanation of the changes, as well as giving us an assurance that those changes to definitions do not result in watering down the current legislation.
We broadly support Amendments 1 and 5 and the clause stand part notice, in the sense that they provide additional probing of the Government’s intentions in this area. We can see that the noble Lord, Lord Clement-Jones, is trying with Amendment 1 to bring some much-needed clarity to the anonymisation issue and, with Amendment 5, to secure that data remains personal data in any event. I suspect that the Minister will tell us this afternoon that that is already the case, but a significant number of commentators have questioned this, since the definition of “personal data” is seemingly moving away from the EU GDPR standard towards a definition that is more subjective from the perspective of the controller, processor or recipient. We must be confident that the new definition does not narrow the circumstances in which the information is protected as personal data. That will be an important standard for this Committee to understand.
Amendment 288, tabled by the noble Lord, Lord Clement- Jones, seeks a review and an impact assessment of the anonymisation and identifiability of data subjects. Examining that in the light of the EU GDPR seems to us to be a useful and novel way of making a judgment over which regime better suits and serves data subjects.
We will listen with interest to the Minister’s response. We want to be more than reassured that the previous high standards and fundamental principles of data protection will not be undermined and compromised.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
I thank all noble Lords who have spoken in this brief, interrupted but none the less interesting opening debate. I will speak to the amendments tabled by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones; I note that I plan to that form of words quite a lot in the next eight sessions on this Bill. I thank them for tabling these amendments so that we can debate what are, in the Government’s view, the significant benefits of Clause 1.
In response to the points from the noble Lord, Lord Clement-Jones, on the appetite for the reforms in the Bill, we take very seriously the criticisms of the parties that he mentioned—the civil society groups—but it is important to note that, when the Government consulted on these reforms, we received almost 3,000 responses. At that time, we proposed to clarify when data would be regarded as anonymous and proposed legislating to confirm that the test for whether anonymous data can be reidentified is relative to the means available to the controller to reidentify the data. The majority of respondents agreed that greater clarity in legislation would indeed be beneficial.
As noble Lords will know, the UK’s data protection legislation applies only to personal data, which is data relating to an identified or identifiable living individual. It does not apply to non-personal, anonymous data. This is important because, if organisations can be sure that the data they are handling is anonymous, they may be able to more confidently put it to good use in important activities such as research and product development. The current data protection legislation is already clear that a person can be identified in a number of ways by reference to details such as names, identification numbers, location data and online identifiers, or via information about a person’s physical, genetic, mental, economic or cultural characteristics. The Bill does not change the existing legislation in this respect.
With regard to genetic information, which was raised by my noble friend Lord Kamall and the noble Lord, Lord Davies, any information that includes enough genetic markers to be unique to an individual is personal data and special category genetic data, even if names and other identifiers have been removed. This means that it is subject to the additional protections set out in Article 9 of the UK GDPR. The Bill does not change this position.
However, the existing legislation is unclear about the specific factors that a data controller must consider when assessing whether any of this information relates to an identifiable living person. This uncertainty is leading to inconsistent application of anonymisation and to anonymous data being treated as personal data out of an abundance of caution. This, in turn, reduces the opportunities for anonymous data to be used effectively for projects in the public interest. It is this difficulty that Clause 1 seeks to address by providing a comprehensive statutory test on identifiability. The test will require data controllers and processors to consider the likelihood of people within or outside their organisations reidentifying individuals using reasonable means. It is drawn from recital 26 of the EU GDPR and should therefore not be completely unfamiliar to most organisations.
I turn now to the specific amendments that have been tabled in relation to this clause. Amendment 1 in the name of the noble Lord, Lord Clement-Jones, would reiterate the position currently set out in the UK GDPR and its recitals: where individuals can be identified without the use of additional information because data controllers fail to put in place appropriate organisational measures, such as technical or contractual safeguards prohibiting reidentification, they would be considered directly identifiable. Technical and organisational measures put in place by organisations are factors that should be considered alongside others under new Section 3A of the Data Protection Act when assessing whether an individual is identifiable from the data being processed. Clause 1 sets out the threshold at which data—and, therefore, personal data—is identifiable and clarifies when data is anonymous.
On the technical capabilities of a respective data controller, these are already relevant factors under current law and ICO guidance in determining whether data is personal. This means that the test of identifiability is already a relative one today in respect of the data controller, the data concerned and the purpose of the processing. However, the intention of the data controller is not a relevant factor under current law, and nor does Clause 1 make it a factor. Clause 1 merely clarifies the position under existing law and follows very closely the wording of recital 26. Let me state this clearly: nothing in Clause 1 introduces the subjective intention of the data controller as a relevant factor in determining identifiability, and the position will remain the same as under the current law and as set out in ICO guidance.
In response to the points made by the noble Lord, Lord Clement-Jones, and others on pseudonymised personal data, noble Lords may be aware that the definition of personal data in Article 4(1) of the UK GDPR, when read in conjunction with the definition of pseudonymisation in Article 4(5), makes it clear that pseudonymised data is personal data, not anonymous data, and is thus covered by the UK’s data protection regime. I hope noble Lords are reassured by that. I also hope that, for the time being, the noble Lord, Lord Clement-Jones, will agree to withdraw his amendment and not press the related Amendment 5, which seeks to make it clear that pseudonymised data is personal data.
Amendment 4 would require the Secretary of State to assess the difference in meaning and scope between the current statutory definition of personal data and the new statutory definition that the Bill will introduce two months after its passing. Similarly, Amendment 288 seeks to review the impact of Clause 1 six months after the enactment of the Bill. The Government feel that neither of these amendments is necessary as the clause is drawn from recital 26 of the EU GDPR and case law and, as I have already set out, is not seeking to substantially change the definition of personal data. Rather, it is seeking to provide clarity in legislation.
Lord Bassam of Brighton (Lab)
I follow the argument, but what we are suggesting in our amendment is some sort of impact assessment for the scheme, including how it currently operates and how the Government wish it to operate under the new legislation. Have the Government undertaken a desktop exercise or any sort of review of how the two pieces of legislation might operate? Has any assessment of that been made? If they have done so, what have they found?
Viscount Camrose (Con)
Obviously, the Bill has been in preparation for some time. I completely understand the point, which is about how we can be so confident in these claims. I suggest that I work with the Bill team to get an answer to that question and write to Members of the Committee, because it is a perfectly fair question to ask what makes us so sure.
In the future tense, I can assure noble Lords that the Department for Science, Innovation and Technology will monitor and evaluate the impact of this Bill as a whole in the years to come, in line with cross-government evaluation guidance and through continued engagement with stakeholders.
The Government feel that the first limb of Amendment 5 is not necessary given that, as has been noted, pseudonymised data is already considered personal data under this Bill. In relation to the second limb of the amendment, if the data being processed is actually personal data, the ICO already has powers to require organisations to address non-compliance. These include requiring it to apply appropriate protections to personal data that it is processing, and are backed up by robust enforcement mechanisms.
That said, it would not be appropriate for the processing of data that was correctly assessed as anonymous at the time of processing to retrospectively be treated as processing of personal data and subject to data protection laws, simply because it became personal data at a later point in the processing due to a change in circumstances. That would make it extremely difficult for any organisation to treat any dataset as anonymous and would undermine the aim of the clause, significantly reducing the potential to use anonymous data for important research and development activities.
Lord Bassam of Brighton (Lab)
My Lords, we on the Labour Benches have become co-signatories to the amendments tabled by the noble Baroness, Lady Kidron, and supported by the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Harding. The noble Baroness set out very clearly and expertly the overarching purpose of retaining the level of protection currently afforded by the Data Protection Act 2018. Amendments 2 and 3 specifically stipulate that, where data controllers know, or should reasonably know, that a user is a child, they should be given the data protection codified in that Act. Amendment 9 takes it a stage further and includes children’s data in the definition of sensitive personal data, and gives it the benefit of being treated to a heightened level of protection—quite rightly, too. Finally, Amendment 290—the favourite of the noble Lord, Lord Clement-Jones—attempts to hold Ministers to the commitment made by Paul Scully in the Commons to maintain existing standards of data protection carried over from that 2018 Act.
Why is all this necessary? I suspect that the Minister will argue that it is not needed because Clause 5 already provides for the Secretary of State to consider the impact of any changes to the rights and freedoms of individuals and, in particular, of children, who require special protection.
We disagree with that argument. In the interests of brevity and the spirit of the recent Procedure Committee report, which says that we should not repeat each other’s arguments, I do not intend to speak at length, but we have a principal concern: to try to understand why the Government want to depart from the standards of protection set out in the age-appropriate design code—the international gold standard—which they so enthusiastically signed up to just five or six years ago. Given the rising levels of parental concern over harmful online content and well-known cases highlighting the harms that can flow from unregulated material, why do the Government consider it safe to water down the regulatory standards at this precise moment in time? The noble Baroness, Lady Kidron, valuably highlighted the impact of the current regulatory framework on companies’ behaviour. That is exactly what legislation is designed to do: to change how we look at things and how we work. Why change that? As she has argued very persuasively, it is and has been hugely transformative. Why throw away that benefit now?
My attention was drawn to one example of what can happen by a briefing note from the 5Rights Foundation. As it argued, children are uniquely vulnerable to harm and risk online. I thought its set of statistics was really interesting. By the age of 13, 72 million data points have already been collected about children. They are often not used in children’s best interests; for example, the data is often used to feed recommender systems and algorithms designed to keep attention at all costs and have been found to push harmful content at children.
When this happens repeatedly over time, it can have catastrophic consequences, as we know. The coroner in the Molly Russell inquest found that she had been recommended a stream of depressive content by algorithms, leading the coroner to rule that she
“died from an act of self-harm whilst suffering from depression and the negative effects of online content”.
We do not want more Molly Russell cases. Progress has already been made in this field; we should consider dispensing with it at our peril. Can the Minister explain today the thinking and logic behind the changes that the Government have brought forward? Can he estimate the impact that the new lighter-touch regime, as we see it, will have on child protection? Have the Government consulted extensively with those in the sector who are properly concerned about child protection issues, and what sort of responses have the Government received?
Finally, why have the Government decided to take a risk with the sound framework that was already in place and built on during the course of the Online Safety Act? We need to hear very clearly from the Minister how they intend to engage with groups that are concerned about these child protection issues, given the apparent loosening of the current framework. The noble Baroness, Lady Harding, said that this is hard-fought ground; we intend to continue making it so because these protections are of great value to our society.
Viscount Camrose (Con)
I am grateful to the noble Baroness, Lady Kidron, for her Amendments 2, 3, 9 and 290 and to all noble Lords who have spoken, as ever, so clearly on these points.
All these amendments seek to add protections for children to various provisions in the Bill. I absolutely recognise the intent behind them; indeed, let me take this opportunity to say that the Government take child safety deeply seriously and agree with the noble Baroness that all organisations must take great care, both when making decisions about the use of children’s data and throughout the duration of their processing activities. That said, I respectfully submit that these amendments are not necessary for three main reasons; I will talk in more general terms before I come to the specifics of the amendments.
First, the Bill maintains a high standard of data protection for everybody in the UK, including—of course—children. The Government are not removing any of the existing data protection principles in relation to lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, accuracy, data security or accountability; nor are they removing the provisions in the UK GDPR that require organisations to build privacy into the design and development of new processing activities.
The existing legislation acknowledges that children require specific protection for their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and of their rights in relation to the processing of personal data. Organisations will need to make sure that they continue to comply with the data protection principles on children’s data and follow the ICO’s guidance on children and the UK GDPR, following the changes we make in the Bill. Organisations that provide internet services likely to be accessed by children will need to continue to comply with their transparency and fairness obligations and the ICO’s age-appropriate design code. The Government welcome the AADC, as Minister Scully said, and remain fully committed to the high standards of protection that it sets out for children.
Secondly, some of the provisions in the Bill have been designed specifically with the rights and safety of children in mind. For example, one reason that the Government introduced the new lawful ground of recognised legitimate interest in Clause 5, which we will debate later, was that some consultation respondents said that the current legislation can deter organisations, particularly in the voluntary sector, from sharing information that might help to prevent crime or protect children from harm. The same goes for the list of exemptions to the purpose limitation principle introduced by Clause 6.
There could be many instances where personal data collected for one purpose may have to be reused to protect children from crime or safeguarding risks. The Bill will provide greater clarity around this and has been welcomed by stakeholders, including in the voluntary sector.
Viscount Camrose (Con)
While some provisions in the Bill do not specifically mention children or children’s rights, data controllers will still need to carefully consider the impact of their processing activities on children. For example, the new obligations on risk assessments, record keeping and the designation of senior responsible individuals will apply whenever an organisation’s processing activities are likely to result in high risks to people, including children.
Thirdly, the changes we are making in the Bill must be viewed in a wider context. Taken together, the UK GDPR, the Data Protection Act 2018 and the Online Safety Act 2023 provide a comprehensive legal framework for keeping children safe online. Although the data protection legislation and the age-appropriate design code make it clear how personal data can be processed, the Online Safety Act makes clear that companies must take steps to make their platforms safe by design. It requires social media companies to protect children from illegal, harmful and age-inappropriate content, to ensure they are more transparent about the risks and dangers posed to children on their sites, and to provide parents and children with clear and accessible ways to report problems online when they do arise.
After those general remarks, I turn to the specific amendments. The noble Baroness’s Amendments 2 and 3 would amend Clause 1 of the Bill, which relates to the test for assessing whether data is personal or anonymous. Her explanatory statement suggests that these amendments are aimed at placing a duty on organisations to determine whether the data they are processing relates to children, thereby creating a system of age verification. However, requiring data controllers to carry out widespread age verification of data subjects could create its own data protection and privacy risks, as it would require them to retain additional personal information such as dates of birth.
The test we have set out for reidentification is intended to apply to adults and children alike. If any person is likely to be identified from the data using reasonable means, the data protection legislation will apply. Introducing one test for adults and one for children is unlikely to be workable in practice and fundamentally undermines the clarity that this clause seeks to bring to organisations. Whether a person is identifiable will depend on a number of objective factors, such as the resources and technology available to organisations, regardless of whether they are an adult or a child. Creating wholly separate tests for adults and children, as set out in the amendment, would add unnecessary complexity to the clause and potentially lead to confusion.
Lord Bassam of Brighton (Lab)
As I understand it, the basis on which we currently operate is that children get a heightened level of protection. Is the Minister saying that that is now unnecessary and is captured by the way in which the legislation has been reframed?
Viscount Camrose (Con)
I am saying, specifically on Clause 1, that separating the identifiability of children and the identifiability of adults would be detrimental to both but particularly, in this instance, to children.
Amendment 9 would ensure that children’s data is included in the definition of special category data and is subject to the heightened protections afforded to this category of data by Article 9 of the UK GDPR. This could have unintended consequences, because the legal position would be that processing of children’s data would be banned unless specifically permitted. This could create the need for considerable additional legislation to exempt routine and important processing from the ban; for example, banning a Girl Guides group from keeping a list of members unless specifically exempted would be disproportionate. However, more sensitive data such as records relating to children’s health or safeguarding concerns would already be subject to heightened protections in the UK GDPR, as soon as the latter type of data is processed.
I am grateful to the noble Baroness, Lady Kidron, for raising these issues and for the chance to set out why the Government feel that children’s protection is at least maintained, if not enhanced. I hope my answers have, for the time being, persuaded her of the Government’s view that the Bill does not reduce standards of protection for children’s data. On that basis, I ask her also not to move her Amendment 290 on the grounds that a further overarching statement on this is unnecessary and may cause confusion when interpreting the legislation. For all the reasons stated above, I hope that she will now reconsider whether her amendments in this group are necessary and agree not to press them.
Lord Bassam of Brighton (Lab)
Can I press the Minister more on Amendment 290 from the noble Baroness, Lady Kidron? All it does is seek to maintain the existing standards of data protection for children, as carried over from the 2018 Act. If that is all it does, what is the problem with that proposed new clause? In its current formulation, does it not put the intention of the legislation in a place of certainty? I do not quite get why it would be damaging.
Viscount Camrose (Con)
I believe it restates what the Government feel is clearly implied or stated throughout the Bill: that children’s safety is paramount. Therefore, putting it there is either duplicative or confusing; it reduces the clarity of the Bill. In no way is this to say that children are not protected—far from it. The Government feel it would diminish the clarity and overall cohesiveness of the Bill to include it.
Lord Clement-Jones (LD)
My Lords, not to put too fine a point on it, the Minister is saying that nothing in the Bill diminishes children’s rights, whether in Clause 1, Clause 6 or the legitimate interest in Clause 5. He is saying that absolutely nothing in the Bill diminishes children’s rights in any way. Is that his position?
Baroness Harding of Winscombe (Con)
Can I add to that question? Is my noble friend the Minister also saying that there is no risk of companies misinterpreting the Bill’s intentions and assuming that this might be some form of diminution of the protections for children?
Viscount Camrose (Con)
In answer to both questions, what I am saying is that, first, any risk of misinterpreting the Bill with respect to children’s safety is diminished, rather than increased, by the Bill. Overall, it is the Government’s belief and intention that the Bill in no way diminishes the safety or privacy of children online. Needless to say, if over the course of our deliberations the Committee identifies areas of the Bill where that is not the case, we will absolutely be open to listening on that, but let me state this clearly: the intent is to at least maintain, if not enhance, the safety and privacy of children and their data.
Lord Bassam of Brighton (Lab)
My Lords, that creates another question, does it not? If that is the case, why amend the original wording from the 2018 Act?
Viscount Camrose (Con)
Sorry, the 2018 Act? Or is the noble Lord referring to the amendments?
Lord Bassam of Brighton (Lab)
Why change the wording that provides the protection that is there currently?
Viscount Camrose (Con)
Okay. The Government feel that, in terms of the efficient and effective drafting of the Bill, that paragraph diminishes the clarity by being duplicative rather than adding to it by making a declaration. For the same reason, we have chosen not to make a series of declarations about other intentions of the Bill overall in the belief that the Bill’s intent and outcome are protected without such a statement.
Baroness Kidron (CB)
My Lords, before our break, the noble Baroness, Lady Harding, said that this is hard-fought ground; I hope the Minister understands from the number of questions he has just received during his response that it will continue to be hard-fought ground.
I really regret having to say this at such an early stage on the Bill, but I think that some of what the Minister said was quite disingenuous. We will get to it in other parts of the Bill, but the thing that we have all agreed to disagree on at this point is the statement that the Bill maintains data privacy for everyone in the UK. That is a point of contention between noble Lords and the Minister. I absolutely accept and understand that we will come to a collective view on it in Committee. However, the Minister appeared to suggest—I ask him to correct me if I have got this wrong—that the changes on legitimate interest and purpose limitation are child safety measures because some people are saying that they are deterred from sharing data for child protection reasons. I have to tell him that they are not couched or formed like that; they are general-purpose shifts. There is absolutely no question but that the Government could have made specific changes for child protection, put them in the Bill and made them absolutely clear. I find that very worrying.
I also find it worrying, I am afraid—this is perhaps where we are heading and the thing that many organisations are worried about—that bundling the AADC in with the Online Safety Act and saying, “I’ve got it over here so you don’t need it over there” is not the same as maintaining the protections for children from a high level of data. It is not the same set of things. I specifically said that this was not an age-verification measure and would not require it; whatever response there was on that was therefore unnecessary because I made that quite clear in my remarks. The Committee can understand that, in order to set a high bar of data protection, you must either identify a child or give it to everyone. Those are your choices. You do not have to verify.
I will withdraw the amendment, but I must say that the Government may not have it both ways. The Bill cannot be different or necessary and at the same time do nothing. The piece that I want to leave with the Committee is that it is the underlying provisions that allow the ICO to take action on the age-appropriate design code. It does not matter what is in the code; if the underlying provisions change, so does the code. During Committee, I expect that there will be a report on the changes that have happened all around the world as a result of the code, and we will be able to measure whether the new Bill would be able to create those same changes. With that, I beg leave to withdraw my amendment.
Baroness Jones of Whitchurch (Lab)
My Lords, I am grateful to all noble Lords who have spoken on this group. Amendment 6 to Clause 2, tabled by the noble Lord, Lord Clement-Jones, rightly tests the boundaries on the use of personal data for scientific research and, as he says, begins to ask, “What is the real purpose of this clause? Is it the clarification of existing good practice or is it something new? Do we fully understand what that new proposition is?”
As he said, there is particular public concern about the use of personal health data where it seems that some private companies are stretching the interpretation of “the public good”, for which authorisation for the use of this data was initially freely given, to something much wider. Although the clause seeks to provide some reassurance on this, we question whether it goes far enough and whether there are sufficient protections against the misuse of personal health data in the way the clause is worded.
This raises the question of whether it is only public health research that needs to be in the public interest, which is the way the clause is worded at the moment, because it could equally apply to research using personal data from other public services, such as measuring educational outcomes or accessing social housing. There is a range of uses for personal data. In an earlier debate, we heard about the plethora of data already held on people, much of which individuals do not understand or know about and which could be used for research or to make judgments about them. So we need to be sensitive about the way this might be used. It would be helpful to hear from the Minister why public health research has been singled out for special attention when, arguably, it should be a wider right across the board.
Noble Lords have asked questions about the wider concerns around Clause 2, which could enable private companies to use personal data to develop new products for commercial benefit without needing to inform the data subjects. As noble Lords have said, this is not what people would normally expect to be described as “scientific research”. The noble Baroness, Lady Kidron, was quite right that it has the potential to be unethical, so we need some standards and some clear understanding of what we mean by “scientific research”.
That is particularly important for Amendments 7 and 132 to 134 in the name of the noble Lord, Lord Clement-Jones, which underline the need for data subjects to be empowered and given the opportunity to object to their data being used for a new purpose. Arguably, without these extra guarantees—particularly because there is a lack of trust about how a lot of this information is being used—data subjects will be increasingly reluctant to hand over personal data on a voluntary basis in the first place. It may well be that this is an area where the Information Commissioner needs to provide additional advice and guidance to ensure that we can reap the benefits of good-quality scientific research that is in the public interest and in which the citizens involved can have absolute trust. Noble Lords around the Room have stressed that point.
Finally, we have added our names to the amendments tabled by the noble Baroness, Lady Kidron, on the use of children’s data for scientific research. As she rightly points out, the 2018 Act gave children a higher standard of protection on the uses for which their data is collected and processed. It is vital that this Bill, for all its intents to simplify and water down preceding rights, does not accidentally put at risk the higher protection agreed for children. In the earlier debate, the Minister said that he believed it will not do so. I am not sure that “believe” is a strong enough word here; we need guarantees that go beyond that. I think that this is an issue we will come back to again and again in terms of what is in the Bill and what guarantees exist for that protection.
In particular, there is a concern that relaxing the legal basis on which personal data can be processed for scientific research, including privately funded research carried out by commercial entities, could open the door for children’s data to be exploited for commercial purposes. We will consider the use of children’s data collected in schools in our debate on a separate group but we clearly need to ensure that the handling of pupils’ data by the Department for Education and the use of educational apps by private companies do not lead to a generation of exploited children who are vulnerable to direct marketing and manipulative messaging. The noble Baroness’s amendments are really important in this regard.
I also think that the noble Baroness’s Amendment 145 is a useful initiative to establish a code of practice on children’s data and scientific research. It would give us an opportunity to balance the best advantages of children’s research, which is clearly in the public and personal interest, with the maintenance of the highest level of protection from exploitation.
I hope that the Minister can see the sense in these amendments. In particular, I hope that he will take forward the noble Baroness’s proposals and agree to work with us on the code of practice principles and to put something like that in the Bill. I look forward to his response.
Viscount Camrose (Con)
I thank the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Jones, for this series of amendments.
I will first address Amendment 6, which seeks to amend Clause 2. As the noble Lord said, the definitions created by Clause 2, including “scientific research purposes”, are based on the current wording in recital 159 to the UK GDPR. We are changing not the scope of these definitions but their legal status. This amendment would require individual researchers to assess whether their research should be considered to be in the public interest, which could create uncertainty in the sector and discourage research. This would be more restrictive than the current position and would undermine the Government’s objectives to facilitate scientific research and empower researchers.
We have maintained a flexible scope as to what is covered by “scientific research” while ensuring that the definition is still sufficiently narrow in that it can cover only what would reasonably be seen as scientific research. This is because the legislation needs to be able to adapt to the emergence of new areas of innovative research. Therefore, the Government feel that it is more appropriate for the regulator to add more nuance and context to the definition. This includes the types of processing that are considered—
Lord Clement-Jones (LD)
I am sorry to interrupt but it may give the Box a chance to give the Minister a note on this. Is the Minister saying that recital 159 includes the word “commercial”?
Viscount Camrose (Con)
I am afraid I do not have an eidetic memory of recital 159, but I would be happy to—
Lord Clement-Jones (LD)
That is precisely why I ask this question in the middle of the Minister’s speech to give the Box a chance to respond, I hope.
Viscount Camrose (Con)
Researchers must also comply with the required safeguards to protect individuals’ privacy. All organisations conducting scientific research, including those with commercial interests, must also meet all the safeguards for research laid out in the UK GDPR and comply with the legislation’s core principles, such as fairness and transparency. Clause 26 sets out several safeguards that research organisations must comply with when processing personal data for research purposes. The ICO will update its non-statutory guidance to reflect many of the changes introduced by this Bill.
Scientific research currently holds a privileged place in the data protection framework because, by its nature, it is already viewed as generally being in the public interest. As has been observed, the Bill already applies a public interest test to processing for the purpose of public health studies in order to provide greater assurance for research that is particularly sensitive. Again, this reflects recital 159.
In response to the noble Baroness, Lady Jones, on why public health research is being singled out, as she stated, this part of the legislation just adds an additional safeguard to studies into public health ensuring that they must be in the public interest. This does not limit the scope for other research unrelated to public health. Studies in the area of public health will usually be in the public interest. For the rare, exceptional times that a study is not, this requirement provides an additional safeguard to help prevent misuse of the various exemptions and privileges for researchers in the UK GDPR. “Public interest” is not defined in the legislation, so the controller needs to make a case-by-case assessment based on its purposes.
On the point made by the noble Lord, Lord Clement-Jones, about recitals and ICO guidance, although we of course respect and welcome ICO guidance, it does not have legislative effect and does not provide the certainty that legislation does. That is why we have done so via this Bill.
Amendment 7 to Clause 3 would undermine the broader consent concept for scientific research. Clause 3 places the existing concept of “broad consent” currently found in recital 33 to the UK GDPR on a statutory footing with the intention of improving awareness and confidence for researchers. This clause applies only to scientific research processing that is reliant on consent. It already contains various safeguards. For example, broad consent can be used only where it is not possible to identify at the outset the full purposes for which personal data might be processed. Additionally, to give individuals greater agency, where possible individuals will have the option to consent to only part of the processing and can withdraw their consent at any time.
Clause 3 clarifies an existing concept of broad consent which outlines how the conditions for consent will be met in certain circumstances when processing for scientific research purposes. This will enable consent to be obtained for an area of scientific research when researchers cannot at the outset identify fully the purposes for which they are collecting the data. For example, the initial aim may be the study of cancer, but it later becomes the study of a particular cancer type.
Furthermore, as part of the reforms around the reuse of personal data, we have further clarified that when personal data is originally collected on the basis of consent, a controller would need to get fresh consent to reuse that data for a new purpose unless a public interest exemption applied and it is unreasonable to expect the controller to obtain that consent. A controller cannot generally reuse personal data originally collected on the basis of consent for research purposes.
Turning to Amendments 132 and 133 to Clause 26, the general rule described in Article 13(3) of the UK GDPR is that controllers must inform data subjects about a change of purposes, which provides an opportunity to withdraw consent or object to the proposed processing where relevant. There are existing exceptions to the right to object, such as Article 21(6) of the UK GDPR, where processing is necessary for research in the public interest, and in Schedule 2 to the Data Protection Act 2018, when applying the right would prevent or seriously impair the research. Removing these exemptions could undermine life-saving research and compromise long-term studies so that they are not able to continue.
Regarding Amendment 134, new Article 84B of the UK GDPR already sets out the requirement that personal data should be anonymised for research, archiving and statistical—RAS—purposes unless doing so would mean the research could not be carried through. Anonymisation is not always possible as personal data can be at the heart of valuable research, archiving and statistical activities, for example, in genetic research for the monitoring of new treatments of diseases. That is why new Article 84C of the UK GDPR also sets out protective measures for personal data that is used for RAS purposes, such as ensuring respect for the principle of data minimisation through pseudonymisation.
The stand part notice in this group seeks to remove Clause 6 and, consequentially, Schedule 2. In the Government’s consultation on data reform, Data: A New Direction, we heard that the current provisions in the UK GDPR on personal data reuse are difficult for controllers and individuals to navigate. This has led to uncertainty about when controllers can reuse personal data, causing delays for researchers and obstructing innovation. Clause 6 and Schedule 2 address the existing uncertainty around reusing personal data by setting out clearly the conditions in which the reuse of personal data for a new purpose is permitted. Clause 6 and Schedule 2 must therefore remain to give controllers legal certainty and individuals greater transparency.
Amendment 22 seeks to remove the power to add to or vary the conditions set out in Schedule 2. These conditions currently constitute a list of specific public interest purposes, such as safeguarding vulnerable individuals, for which an organisation is permitted to reuse data without needing consent or to identify a specific law elsewhere in legislation. Since this list is strictly limited and exhaustive, a power is needed to ensure that it is kept up to date with future developments in how personal data is used for important public interest purposes.
Baroness Kidron (CB)
I am interested that the safeguarding requirement is already in the Bill, so, in terms of children, which I believe the Minister is going to come to, the onward processing is not a question of safeguarding. Is that correct? As the Minister has just indicated, that is already a provision.
Viscount Camrose (Con)
Just before we broke, I was on the verge of attempting to answer the question from the noble Baroness, Lady Kidron; I hope my coming words will do that, but she can intervene again if she needs to.
I turn to the amendments that concern the use of children’s data in research and reuse. Amendment 8 would also amend Clause 3; the noble Baroness suggests that the measure should not apply to children’s data, but this would potentially prevent children, or their parents or guardians, from agreeing to participate in broad areas of pioneering research that could have a positive impact on children, such as on the causes of childhood diseases.
On the point about safeguarding, the provisions on recognised legitimate interests and further processing are required for safeguarding children for compliance with, respectively, the lawfulness and purpose limitation principles. The purpose limitation provision in this clause is meant for situations where the original processing purpose was not safeguarding and the controller then realises that there is a need to further process it for safeguarding.
Research organisations are already required to comply with the data protection principles, including on fairness and transparency, so that research participants can make informed decisions about how their data is used; and, where consent is the lawful basis for processing, children, or their parents or guardians, are free to choose not to provide their consent, or, if they do consent, they can withdraw it at any time. In addition, the further safeguards that are set out in Clause 26, which I mentioned earlier, will protect all personal data, whether it relates to children or adults.
Amendment 21 would require data controllers to have specific regard to the fact that children’s data requires a higher standard of protection for children when deciding whether reuse of their data is compatible with the original purpose for which it was collected. This is unnecessary because the situations in which personal data could be reused are limited to public interest purposes designed largely to protect the public and children, in so far as they are relevant to them. Controllers must also consider the possible consequences for data subjects and the relationship between the controller and the data subject. This includes taking into account that the data subject is a child, in addition to the need to generally consider the interests of children.
Amendment 23 seeks to limit use of the purpose limitation exemptions in Schedule 2 in relation to children’s data. This amendment is unnecessary because these provisions permit further processing only in a narrow range of circumstances and can be expanded only to serve important purposes of public interest. Furthermore, it may inadvertently be harmful to children. Current objectives include safeguarding children or vulnerable people, preventing crime or responding to emergencies. In seeking to limit the use of these provisions, there is a risk that the noble Baroness’s amendments might make data controllers more hesitant to reuse or disclose data for public interest purposes and undermine provisions in place to protect children. These amendments could also obstruct important research that could have a demonstrable positive impact on children, such as research into children’s diseases.
Amendment 145 would require the ICO to publish a statutory code on the use of children’s data in scientific research and technology development. Although the Government recognise the value that ICO codes can play in promoting good practice and improving compliance, we do not consider that it would be appropriate to add these provisions to the Bill without further detailed consultation with the ICO and the organisations likely to be affected by the new codes. Clause 33 of the Bill already includes a measure that would allow the Secretary of State to request the ICO to publish a code on any matter that it sees fit, so this is an issue that we could return to in the future if the evidence supports it.
Baroness Kidron (CB)
I will read Hansard very carefully, because I am not sure that I absolutely followed the Minister, but we will undoubtedly come back to this. I will ask two questions. Earlier, before we had a break, in response to some of the early amendments in the name of the noble Lord, Lord Clement-Jones, the Minister suggested that several things were being taken out of the recital to give them solidity in the Bill; so I am using this opportunity to suggest that recital 38, which is the special consideration of children’s data, might usefully be treated in a similar way and that we could then have a schedule that is the age-appropriate design code in the Bill. Perhaps I can leave that with the Minister, and perhaps he can undertake to have some further consultation with the ICO on Amendment 145 specifically.
Viscount Camrose (Con)
With respect to recital 38, that sounds like a really interesting idea. Yes, let us both have a look and see what the consultation involves and what the timing might look like. I confess to the Committee that I do not know what recital 38 says, off the top of my head. For the reasons I have set out, I am not able to accept these amendments. I hope that noble Lords will therefore not press them.
Returning to the questions by the noble Lord, Lord Clement-Jones, on the contents of recital 159, the current UK GDPR and EU GDPR are silent on the specific definition of scientific research. It does not preclude commercial organisations performing scientific research; indeed, the ICO’s own guidance on research and its interpretation of recital 159 already mention commercial activities. Scientific research can be done by commercial organisations—for example, much of the research done into vaccines, and the research into AI referenced by the noble Baroness, Lady Harding. The recital itself does not mention it but, as the ICO’s guidance is clear on this already, the Government feel that it is appropriate to put this on a statutory footing.
Lord Clement-Jones (LD)
My Lords, that was intriguing. I thank the Minister for his response. It sounds as though, again, guidance would have been absolutely fine, but what is there not to like about the ICO bringing clarity? It was quite interesting that the Minister used the phrase “uncertainty in the sector” on numerous occasions and that is becoming a bit of a mantra as the Bill goes on. We cannot create uncertainty in the sector, so the poor old ICO has been labouring in the vineyard for the last few years to no purpose at all. Clearly there has been uncertainty in the sector of a major description, and all its guidance and all the work that it has put in over the years have been wholly fruitless, really. It is only this Government that have grabbed the agenda with this splendid 300-page data protection Bill that will clarify this for business. I do not know how much they will have to pay to get new compliance officers or whatever it happens to be, but the one thing that the Bill will absolutely not create is greater clarity.
I am a huge fan of making sure that we understand what the recitals have to say, and it is very interesting that the Minister is saying that the recital is silent but the ICO’s guidance is pretty clear on this. I am hugely attracted by the idea of including recital 38 in the Bill. It is another lightbulb moment from the noble Baroness, Lady Kidron, who has these moments, rather like with the age-appropriate design code, which was a huge one.
We are back to the concern, whether in the ICO guidance, the Bill or wherever, that scientific research needs to be in the public interest to qualify and not have all the consents that are normally required for the use of personal data. The Minister said, “Well, of course we think that scientific research is in the public interest; that is its very definition”. So why does only public health research need that public interest test and not the other aspects? Is it because, for instance, the opt-out was a bit of a disaster and 3 million people opted out of allowing their health data to be shared or accessed by GPs? Yes, it probably is.
Do the Government want a similar kind of disaster to happen, in which people get really excited about Meta or other commercial organisations getting hold of their data, a public outcry ensues and they therefore have to introduce a public interest test on that? What is sauce for the goose is sauce for the gander. I do not think that personal data should be treated in a particularly different way in terms of its public interest, just because it is in healthcare. I very much hope that the Minister will consider that.
Baroness Jones of Whitchurch (Lab)
My Lords, I am also pleased to support these amendments in the name of the noble Baroness, Lady Kidron, to which I have added my name. I am hugely enthusiastic about them, too, and think that this has been a lightbulb moment from the noble Baroness. I very much thank her for doing all of this background work because she has identified the current weakness in the data protection landscape: it is currently predicated on an arrangement between an individual and the organisation that holds their data.
That is an inherently unbalanced power construct. As the noble Baroness said, as tech companies become larger and more powerful, it is not surprising that many individuals feel overwhelmed by the task of questioning or challenging those that are processing their personal information. It assumes a degree of knowledge about their rights and a degree of digital literacy, which we know many people do not possess.
In the very good debate that we had on digital exclusion a few weeks ago, it was highlighted that around 2.4 million people are unable to complete a single basic task to get online, such as opening an internet browser, and that more than 5 million employed adults cannot complete essential digital work tasks. These individuals cannot be expected to access their digital data on their own; they need the safety of a larger group to do so. We need to protect the interests of an entire group that would otherwise be locked out of the system.
The noble Baroness referred to the example of Uber drivers who were helped by their trade union to access their data, sharing patterns of exploitation and subsequently strengthening their employment package, but this does not have to be about just union membership; it could be about the interests of a group of public sector service users who want to make sure that they are not being discriminated against, a community group that wants its bid for a local grant to be treated fairly, and so on. We can all imagine examples of where this would work in a group’s interest. As the noble Baroness said, these proposals would allow any group of people to assign their rights—rights that are more powerful together than apart.
There could be other benefits; if data controllers are concerned about the number of individual requests that they are receiving for data information—and a lot of this Bill is supposed to address that extra work—group requests, on behalf of a data community, could provide economies of scale and make the whole system more efficient.
Like the noble Baroness, I can see great advantages from this proposal; it could lay the foundation for other forms of data innovation and help to build trust with many citizens who currently see digitalisation as something to fear—this could allay those fears. Like the noble Lord, Lord Clement-Jones, I hope the Minister can provide some reassurance that the Government welcome this proposal, take it seriously and will be prepared to work with the noble Baroness and others to make it a reality, because there is the essence of a very good initiative here.
Viscount Camrose (Con)
I thank the noble Baroness, Lady Kidron, for raising this interesting and compelling set of ideas. I turn first to Amendments 10 and 35 relating to data communities. The Government recognise that individuals need to have the appropriate tools and mechanisms to easily exercise their rights under the data protection legislation. It is worth pointing out that current legislation does not prevent data subjects authorising third parties to exercise certain rights. Article 80 of the UK GDPR also explicitly gives data subjects the right to appoint not-for-profit bodies to exercise certain rights, including their right to bring a complaint to the ICO, to appeal against a decision of the ICO or to bring legal proceedings against a controller or processor and the right to receive compensation.
The concept of data communities exercising certain data subject rights is closely linked with the wider concept of data intermediaries. The Government recognise the existing and potential benefits of data intermediaries and are committed to supporting them. However, given that data intermediaries are new, we need to be careful not to distort the sector at such an early stage of development. As in many areas of the economy, officials are in regular contact with businesses, and the data intermediary sector is no different. One such engagement is the DBT’s Smart Data Council, which includes a number of intermediary businesses that advise the Government on the direction of smart data policy. The Government would welcome further and continued engagement with intermediary businesses to inform how data policy is developed.
Lord Clement-Jones (LD)
I am sorry, but the Minister used a pretty pejorative word: “distort” the sector. What does he have in mind?
Viscount Camrose (Con)
I did not mean to be pejorative; I merely point out that before embarking on quite a far-reaching policy—as noble Lords have pointed out—we would not want to jump the gun prior to consultation and researching the area properly. I certainly do not wish to paint a negative portrait.
Viscount Camrose (Con)
It is a moment at which I cannot set a firm date for a firm set of actions, but on the other hand I am not attempting to punt it into the long grass either. The Government do not want to introduce a prescriptive framework without assessing potential risks, strengthening the evidence base and assessing the appropriate regulatory response. For these reasons, I hope that for the time being the noble Baroness will not press these amendments.
The noble Baroness has also proposed Amendments 147 and 148 relating to the role of the Information Commissioner’s Office. Given my response just now to the wider proposals, these amendments are no longer necessary and would complicate the statute book. We note that Clause 35 already includes a measure that will allow the Secretary of State to request the Information Commissioner’s Office to publish a code on any matter that she or he sees fit, so this is an issue we could return to in future if such a code were deemed necessary.
Lord Clement-Jones (LD)
My Lords, I am sorry to keep interrupting the Minister. Can he give us a bit of a picture of what he has in mind? He said that he did not want to distort things at the moment, that there were intermediaries out there and so on. That is all very well, but is he assuming that a market will be developed or is developing? What overview of this does he have? In a sense, we have a very clear proposition here, which the Government should respond to. I am assuming that this is not a question just of letting a thousand flowers bloom. What is the government policy towards this? If you look at the Hall-Pesenti review and read pretty much every government response—including to our AI Select Committee, where we talked about data trusts and picked up the Hall-Pesenti review recommendations —you see that the Government have been pretty much positive over time when they have talked about data trusts. The trouble is that they have not done anything.
Viscount Camrose (Con)
Overall, as I say and as many have said in this brief debate, this is a potentially far-reaching and powerful idea with an enormous number of benefits. But the fact that it is far-reaching implies that we need to look at it further. I am afraid that I am not briefed on long-standing—
Lord Clement-Jones (LD)
May I suggest that the Minister writes? On the one hand, he is saying that we will be distorting something—that something is happening out there—but, on the other hand, he is saying that he is not briefed on what is out there or what the intentions are. A letter unpacking all that would be enormously helpful.
Viscount Camrose (Con)
I am very happy to write on this. I will just say that I am not briefed on previous government policy towards it, dating back many years before my time in the role.
Viscount Camrose (Con)
It was even further. Yes, I am very happy to write on that. For the reasons I have set out, I am not able to accept these amendments for now. I therefore hope that the noble Baroness will withdraw her amendment.
Medical Research Techniques
Viscount Camrose Excerpts(2 years ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Baroness Bennett of Manor Castle
To ask His Majesty’s Government what steps they are taking to promote the use of human-specific medical research techniques, such as “organ-on-a-chip” and computer modelling, in place of animal testing.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
The Government provide significant funding for the development of these technologies through UKRI, primarily to the National Centre for the Replacement, Reduction and Refinement of Animals in Research. We are doubling our investment in this area next year to £20 million and this summer the Government will publish a plan to accelerate the development, validation and uptake of methods to reduce reliance on the use of animals in science.
Baroness Bennett of Manor Castle (GP)
I thank the noble Lord the Minister for his Answer, but of course animal testing is not working well. Less than 6% of cancer drugs proceed past the first small phase 1 trials, and more than 99% of Alzheimer’s drugs have failed. There are some very exciting possibilities, such as the liver-on-a-chip device that correctly identified 87% of drugs that caused liver toxicity after they passed animal tests. Many other countries are racing ahead on this: the USA has passed the FDA Modernization Act, the Netherlands has a transition programme and India has new rules for drug trials. Do we not need to go much further and look towards legislative change and a much bigger injection of funds to see real progress if we are to be world-leading in the future in this biotechnology field?
Viscount Camrose (Con)
That is a wide-ranging question, and I will do my best to cover some of those points. With respect to the effectiveness of clinical trials, on the whole they cannot take place without toxicology trials and most of those, sadly, have to be done on animals. We very much welcome any technology that allows for in silico methods of assessing toxicology and it is true that more of those are emerging, but they have to be validated in order to be assumed safe and usable in clinical trials.
Lord Clement-Jones (LD)
My Lords, the Government produced a previous report on a road map for non-animal technologies from six UK government funders, including MRC, EPSRC and Innovate UK way back in 2015. How will they ensure that this new road map does not get left on the shelf again? Will DSIT set up an independent strategic advisory board with the key stakeholders to provide direction and oversight, as suggested by the RSPCA?
Viscount Camrose (Con)
DSIT continues to be led on its approach to creating non-animal methods in clinical trials, toxicology trials and so on by the UK’s NC3Rs—the National Centre for the Replacement, Refinement and Reduction of Animals in Research—for toxicology and other scientific research, and that continues. There was a decrease of 10% in animal testing from the previous year, according to our most recent records, and that will continue. DSIT meanwhile has no plans to add a new oversight executive body to those already in existence.
Lord Turnberg (Lab)
My Lords, I express an interest as a past chairman of NC3Rs. During the time I was chairman, we saw a marked reduction in the number of animals used in research, and that continues with certain types of animals, such as dogs, cats and so on. It is essential, though, for new drugs to be tested on animals and regulatory authorities rely on that. Is there anything we can do to help those authorities relax a little?
Viscount Camrose (Con)
First, let me pay tribute to the work of the NC3Rs, which is an extremely important body. Nobody feels comfortable doing a lot of animal tests; they simply are necessary for human safety in too many cases. For example, UK REACH follows the last-resort principle where, as far as possible, it is able to waive animal tests for chemicals. That kind of work will further accelerate the work of the NC3Rs.
Lord Kamall (Con)
My Lords, the noble Baroness, Lady Bennett, spoke about other countries that were looking at alternatives to animal testing. What conversations has my noble friend’s department had with other countries on how they can encourage more alternatives to animal testing?
Viscount Camrose (Con)
DSIT continues to engage on life sciences research with a wide range of other countries, including countries that have tried to accelerate further. Recently, in particular, the Netherlands and the United States have not always been able to succeed in their goals of accelerating the date by which non-animal methods of research become the only way forward. On the other hand, steady progress towards the greater use of non-animal methods through the three Rs seems to be bearing fruit, albeit not as fast as anybody would like.
Baroness Hayman of Ullock (Lab)
My Lords, we know that there is a fast-growing global market for human-specific technologies. The size of that global market in 2023 was around $2 billion, so it is huge. Does the Minister have any views on the economic potential of human-specific technologies for the UK as a leader in this field?
Viscount Camrose (Con)
Yes, indeed; the economic potential is absolutely enormous. As with any medical devices, they need to be put through proper pharma-covigilance procedures, validation and testing, to make sure that by the time we are ready for clinical trials, all the toxicology testing has been properly done. Where it is possible to find an alternative to animal testing, that should always be followed. We always aim to use the minimum number of animals for the scientific benefit to be achieved and minimise the potential harm to animals for that benefit.
Baroness Bennett of Manor Castle (GP)
My Lords, in responding to me the Minister referred to the apparent necessity of animals for toxicity tests. Of course, the case I had cited was one where liver drugs had passed animal toxicity tests and then were found to have problems with a human-specific technology. Canada has passed a Bill to phase out animal-based chemical toxicity testing and the European Commission is committed to developing a road map in that direction. As the noble Baroness on the Front Bench said, human-specific technologies have enormous potential. Will the Government look at getting an Act to provide a framework so that the UK could get ahead in this area and end toxicology testing on animals, as other countries are looking to do?
Viscount Camrose (Con)
The noble Baroness mentioned an Act—there are widespread protections under the Animals (Scientific Procedures) Act. We have the three-tier licensing system, including significant training and assessment for licensees, and a range of other safeguards. Different jurisdictions are taking a range of approaches to this; I am not aware of any jurisdiction that has yet been able to set a timeline for the absolute removal of animal tests because, sadly, they do remain critical for the development of medicines.
AI: “Nudify” Apps
Viscount Camrose Excerpts(2 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Baroness Owen of Alderley Edge
To ask His Majesty’s Government whether they plan to prohibit “nudify” apps which create intimate images of other people using artificial intelligence without their consent.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
My Lords, the Online Safety Act introduced new offences which criminalised the sharing of, or threatening to share, intimate images, including deepfakes, without consent. Where individuals create these images using any kind of technology and share or threaten to share them online, they may be committing an offence. The Act will additionally give online platforms new duties to tackle this content by removing it, including where it has been created via AI apps.
Baroness Owen of Alderley Edge (Con)
I thank my noble friend the Minister for his Answer. There has been a huge increase in the use of nudify apps and the creation of deepfake porn since the Law Commission stated that it was less sure that the level of harm caused by the making of these images and videos was serious enough to criminalise. Does my noble friend agree that the making of these images and videos without a person’s consent does in fact cause serious harm, regardless of whether a person is aware of it, and that, if allowed to continue, represents a real threat to all women?
Viscount Camrose (Con)
I start by acknowledging that the creation of intimate image deepfakes using AI or other means is abusive and deeply distressing to anyone concerned and very disturbing to all of us. The Law Commission consulted widely on this, looking at the process of taking, making, possessing and sharing deepfakes, and its conclusion was that the focus of legislative effort ought to be on sharing, which it now is. That said, this is a fast-moving space. The capabilities of these tools are growing rapidly and, sadly, the number of users is growing rapidly, so we will continue to monitor that.
Lord Browne of Ladyton (Lab)
My Lords, the applications referred to in the excellent Question put by the noble Baroness, Lady Owen, represent a dangerous and overwhelmingly misogynistic trend of non-consensual deepfake pornography. They are able to be developed and distributed only because of advances in AI, and sit alongside the use of deepfakes for political disinformation and fraud. Polling suggests public ambivalence towards AI but near unanimity around deepfakes, with 80% of people supporting a ban, according to a recent YouGov survey. Cloud computing and services hosting AI models are essential for deepfake creation, and the fact that all major cloud suppliers have a presence in the UK empowers our Government uniquely to enforce best practice. Does the Minister agree that our regulatory system should not merely ban deepfakes but go further, imposing upon the developers a duty to show how and in what way they are applying existing techniques and restrictions that could prevent their creation in the first place?
Viscount Camrose (Con)
An outright ban on the creation of any deepfake material presents a number of challenges, but obviously I applaud the sentiment behind the question. With respect particularly to deepfakes involved in intimate image abuse, we are clearly putting in place the offence of sharing, whether as part of the new intimate image abuse offences in the Online Safety Act that commenced two weeks ago, as part of the Criminal Justice Bill shortly to come before your Lordships’ House, or indeed under the existing child sexual exploitation and abuse offences. There are severe penalties for the sharing of intimate image abuse deepfakes, but it is a fast-moving space and we have to continue to monitor it.
Lord Clement-Jones (LD)
My Lords, it is quite clear that simply banning the sharing of these deepfakes is not sufficient. This is an issue that concerns us all, whether in relation to sexual images, fraud or misinformation. Can the Government not overcome their reluctance to regulate AI? What evidence would persuade them to go further and make sure that the creators of these deepfakes are liable?
Viscount Camrose (Con)
As regards the overall regulation of AI, I hope that noble Lords have had a chance to peruse the Government’s response to the AI White Paper consultation. It makes the argument very clearly that there will come a time when it is right to legislate to create binding rules on all creators of AI. When that time comes, due to the policies that we are putting in place, we will have an agreed risk register informing us. We will have set up monitoring and evaluation techniques, again gathering evidence. We will have working relationships with the AI labs, defined procedures for the creation of AI, and regulators trained to regulate AI within their own sectors. That means that, when we do regulate AI, it will be done in a targeted and sophisticated way, on the basis of evidence.
Lord Bassam of Brighton (Lab)
My Lords, the Government have been far too complacent on this issue. During the passage of the then Online Safety Bill, we warned a number of times that, given that this is a fast-moving technology, as the Minister says, the Government needed to get ahead of the game. Given the proliferation of these ghastly images and the appalling impact this has on people’s lives, does the Minister now agree that neither the emergence of these apps nor their misuse is surprising? If that is the case, why did the Government not broaden the scope of their amendments when they had the opportunity to do so? Will the Minister now look for ways in which we can plug the gaps that are clearly emerging?
Viscount Camrose (Con)
As the noble Lord said, it is a fast-moving space, and that requires an adaptive, agile response in legislating for it. That is the approach that we are taking. As to the argument that we can now see that it is not working, I am not sure that that is the case. The intimate image abuse offences commenced on 31 January—two weeks ago. I am pleased to see that, yesterday, we had our first cyberflashing conviction under those provisions. Using an evidence base, looking forward, we will have to consider carefully what is working before we go ahead and implement further bans.
Baroness Foster of Aghadrumsee (Non-Afl)
My Lords, during the last Assembly election in Northern Ireland, two female candidates from either side of the community in Northern Ireland were targeted with deepfake porn, which was solely designed to damage their chances in that election. We know the number of people who will be going to the polls in the next year. Surely the Minister and the Government need to work with the Electoral Commission to raise this issue, because it is a very important issue in democracy for female candidates.
Viscount Camrose (Con)
I absolutely agree, and the instance that the noble Baroness described is deplorable. I am pleased to say two things very briefly. First, the sharing she describes now carries, as a base offence, up to six months in prison; if, as in the case the noble Baroness put forward, the sharing is designed for the purposes of malice or gaining sexual gratification, that sentence goes up to two years. That regime is now live. On elections, we have set up the Defending Democracy Taskforce, with a new unit implemented last year specifically dedicated to safeguarding the election against such threats.
Baroness Chakrabarti (Lab)
My Lords, the noble Baroness, Lady Owen, asked a Question that was forensic, specific, nimble and agile—all adjectives that the Minister keeps using: “Why not ban these nudify apps?”. Why not ban the tools of the wicked trade, rather than waiting for individuals to misuse them? What is the positive use of this? Is it that big tech is now so deep in our politics that we do not dare regulate this technology to make sure that it is not used for ill?
Viscount Camrose (Con)
The reason the making is not banned is that the sharing is banned, and the reason we did that is that Law Commission—as set out very clearly in its document—made the argument that this was the most appropriate way to have a coherent and effective body of law preventing this deplorable misuse of technologies.
The Archbishop of York
My Lords, it would be very helpful if the Minister could explain. If I heard him correctly, he said that sharing has a six month ban but for malicious sharing it could be up to two years. Could he explain what non-malicious use would be?
Viscount Camrose (Con)
There is a base offence in the law of sharing intimate images without consent or the reasonable belief of consent. That can extend to two years if the intent is to cause alarm, distress or humiliation, or if the purpose is to gain sexual gratification. Crucially, there is an offence of threatening to share these materials which also carries a two-year penalty.
Combating Disinformation: Freedom of Expression
Viscount Camrose Excerpts(2 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Strasburger (LD) [V]
My Lords, I draw the attention of the House to my role as chair of Big Brother Watch and beg leave to ask the Question standing in my name on the Order Paper.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
Preserving individuals’ rights to freedom of expression underpins all the Government’s work on tackling disinformation. This right is upheld by the Online Safety Act, which protects freedom of expression by addressing only the most egregious forms of disinformation, ensuring that people can engage in free debate and discussion online. Under the Act, when putting in place safety measures to fulfil their duties, companies are also required to consider and implement safeguards for freedom of expression.
Lord Strasburger (LD) [V]
I thank the Minister for his reply. Last year, Big Brother Watch exposed worrying overreach by the Counter Disinformation Unit in its attempts to prevent legitimate criticism of the Government by MPs, journalists and academics. Following the Government’s apology, could the Minister tell the House what, if anything, has changed, apart from the unit’s name? Could he please explain why the Government refuse to allow the Intelligence and Security Committee to oversee the work of what is now called the National Security Online Information Team?
Viscount Camrose (Con)
First, the Counter Disinformation Unit has indeed changed its name to the National Security Online Information Team, to better reflect its role. I am not aware of the apology to which the noble Lord refers, but I will look into it. I have not heard of it. The NSOIT, as it is now called, does not target individuals, particularly not politicians or journalists. It does not even go after individual pieces of content but looks for trends across all items of content online. I will look into this case for an apology, but I am surprised by it because I am not aware of it.
Baroness Chakrabarti (Lab)
My Lords, the Question of the noble Lord, Lord Strasburger, requires a little further interrogation, because that report by Big Brother Watch suggested that during the pandemic, politicians, journalists and civil society campaigners from across the political spectrum were personally targeted for critiquing the Government’s handling of the pandemic. Given that report and these legitimate concerns, it would be very kind if the Minister and his colleagues would look into this further and write to the noble Lord, Lord Strasburger, and, indeed, to anyone else affected.
Viscount Camrose (Con)
Yes, I am very happy to write any such letter. I confirm now in front of the House that the function of the NSOIT, formerly the Counter Disinformation Unit, is to analyse attempts to artificially manipulate the information environment for purposes of national security. It is not its function—and never has been its function, regardless of its name—to go after individuals, whether they are politicians, journalists, or anybody else. It looks for at-scale attempts to manipulate the information environment.
Lord Clement-Jones (LD)
My Lords, it is clear we need to be assured that the rather concerning activities reported about the CDU treating political criticism as disinformation are no longer practised by NSOIT. Can the Minister explain where we can find a copy of NSOIT’s policies? Can he confirm whether it has a policy to prohibit it from flagging lawful domestic speech for terms of service violations to social media companies?
Viscount Camrose (Con)
Information on NSOIT is posted on GOV.UK, and I am happy to share that location with the noble Lord. I can confirm not only that it is not the role of NSOIT or the CDU to go after any individuals, regardless of their political belief, but that it never has been. NSOIT looks for large-scale attempts to pollute the information environment, generally as a result of threats from foreign states. I am happy to say in front of the House that the idea that its purpose is also to go after, in some ways, those who disagree politically with the Government is categorically false.
Lord Bassam of Brighton (Lab)
My Lords, the issue is much more complex than that. I am concerned that the unit to which the Minister referred seems to be concerned only about security issues now. In December, I asked the Minister about the rise of political deepfakes, which often originate from overseas and have the potential to undermine trust in political leaders and our wider democratic processes. With the Data Protection and Digital Information Bill currently before the House already containing measures on what the Government call “democratic engagement”, can I tempt the Minister to bring forward new anti-deepfake provisions to help preserve the integrity of our upcoming general election—and not just our election in a year of big elections?
Viscount Camrose (Con)
Indeed. It is worth reminding the House that close to 2 billion people will go to the polls over this calendar year. A great many of those elections in which they participate will come under attack from malign foreign influences. Therefore, we have implemented the Defending Democracy Taskforce, chaired by the Security Minister, which set up a new unit last year specifically dedicated to safeguarding our coming election, whenever it may be. It continues to engage with various committees of Parliament and with the Electoral Commission. We will look carefully at any proposals on deepfake provisions in the DPDI Bill. Deepfakes are already illegal today if they violate either the foreign interference offence or the false communications offence.
Lord Fox (LD)
My Lords, my noble friend Lord Strasburger asked about the parliamentary scrutiny of the unit. Does the Minister understand that, if there were to be proper scrutiny of the unit, some of the words that he uses to try to placate your Lordships’ House would have deeper resonance? Can he tell us why the ISC is not scrutinising the unit?
Viscount Camrose (Con)
NSOIT is indeed scrutinised by Ministers; it sits within DSIT and then Ministers, as we see, come before this House to explain matters. As a national security team, I dare say that we would have some concerns about a standing report to Parliament about its activities, but I can continue to reassure the House on its role.
Lord Kirkhope of Harrogate (Con)
My Lords, can my noble friend the Minister explain how this very interesting unit is comprised? Who are the members of the unit and from where do they come?
Viscount Camrose (Con)
The unit comprises civil servants who sit within DSIT, and it occasionally makes use of external consulting services. It adjusts its size and membership from within the DSIT team according to the nature of the threat at any given moment.
Baroness Fox of Buckley (Non-Afl)
My Lords, on transparency: we would not know about the Counter Disinformation Unit if it was not for Big Brother Watch, which we owe great thanks for its service on that. The Minister seems to know what disinformation is. Can the Government tell us how they identify what is to be labelled as disinformation? Who checks the fact checkers? For example, BBC Verify seems keen to expose everybody else’s disinformation but seems blind to its own egregious examples of inaccurate information.
Viscount Camrose (Con)
Well, the Government are clear, as is NSOIT, that disinformation refers to the deliberate attempt to mislead by placing falsehoods into the information environment. As part of the Civil Service, NSOIT would have robust internal measures to verify and check its own work, and indeed it reports regularly across government and to Ministers.
Lord Kamall (Con)
My Lords, can my noble friend the Minister explain what guidance is given to the unit to distinguish between disinformation and difference of opinion?
Viscount Camrose (Con)
Disinformation is a deliberate falsehood. A difference of opinion is generally something of democratic importance or of journalistic or pluralistic importance, which it is very important to protect and which the Online Safety Act took very considerable measures to safeguard over its passage.
Baroness Jones of Moulsecoomb (GP)
My Lords, does this unit check on government disinformation such as the Rwanda Bill?
Viscount Camrose (Con)
I do not believe that this unit has been working on the Rwanda Bill.
Lord Pannick (CB)
My Lords, if this unit consists of civil servants and external advisers, why is it impermissible for its work to be supervised by a parliamentary committee composed of privy counsellors?
Viscount Camrose (Con)
It was set up as an internal part of DSIT. It reports to Ministers and Ministers provide the oversight. I take the point, but it is a national security institution and, as such, the Government have a strong preference for not allowing it openly to share national security information for fear of benefiting those who wish us harm.
Digital Exclusion (Communications and Digital Committee Report)
Viscount Camrose Excerpts(2 years, 1 month ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
I start by sincerely thanking my noble friend Lady Stowell for tabling what we must all agree is a deeply important debate on this far-ranging and critical subject of digital exclusion, which we know affects millions of people across the UK, with costs to them as individuals and, as has been pointed out, to all society. I hope to be able to reassure noble Lords on most of the very wide range of points that were made, but I look forward to continuing the dialogue. As has been observed, this is not a problem that will go away overnight, but I hope some of the things I will put forward will provide some reassurance in the meantime.
Let me take a step back by way of introduction. Our transition to the digital age in the last two decades has brought with it a period of extraordinary change. The fourth industrial revolution has transformed our economies, our public services and our day-to-day lives. We can expect that change to continue as technology continues to develop, bringing with it opportunities that would have been unimaginable for previous generations.
On the whole, the UK is well positioned to seize those opportunities by taking the lead in technological innovation. We are able to do this because, among other things, we are building on a proud history of technological development that takes us right up to the present day, from Sir Tim Berners-Lee and the world wide web to pioneers such as Dr Katalin Karikó and Dr Drew Weissman, who led the world in the development of the Covid-19 vaccine.
Across the country, we have a wealth of science and tech expertise. We are home to four of the world’s top 10 universities, and in 2022 we became only the third country in the world to have a tech sector valued at over $1 trillion. It is important that we continue this tradition of leading technological development through digital transformation. Not only will it help us boost productivity and increase all kinds of operational efficiency but, if we manage the transition properly, these innovations can deliver wider social benefits too: we can connect communities, reduce loneliness, and make public services easier and faster to access.
But—and there is always a but at this point—we absolutely must recognise the deep, genuine concern that some will be left behind. This is something that I personally, and the Government overall, take very seriously. That is why we do not want just to drive progress in tech; we want to do so responsibly and ensure that the tech we develop improves all lives across the country. Tackling digital exclusion is a fundamental part of this and a complex issue. No one department can solve this challenge; it will require close collaboration across government.
Digital exclusion negatively affects people’s lives. Individuals who are digitally excluded are less likely to be in well-paying jobs. They have worse health outcomes and overall lower quality of life. As a result, digital exclusion creates new inequalities and exacerbates existing ones, making it difficult to participate fully in society.
Rising living costs have also made it more difficult for people to afford devices and internet access, which will increase digital exclusion. Some 18.7 million people—that is 35% of us in the UK—feel that increases in the cost of living are impacting their ability to go online, and 11.5 million—22% of people in the UK—have already taken steps to reduce the costs associated with going online by seeking alternative solutions such as libraries, community centres or, indeed, as we heard, churches for free access.
The Government have been clear that ensuring that no one is left behind in the digital age is a priority and consider that credible steps have been taken to offer needed support. Encouraging more people to engage and stay online requires overcoming the barriers to access, skills, motivation and trust. Digitally excluded people also require continued support to ensure that these barriers remain lowered, and this is what we continue to focus on across government.
I thank noble Lords on the Communications and Digital Committee for their important work on the digital exclusion inquiry last year. Since the committee’s report was published, we have established, again as a number of noble Lords observed, a new interministerial group to drive progress and accountability on digital inclusion priorities across government, to set clear objectives and to monitor delivery. I thank the noble Lord, Lord Clement-Jones, and can confirm that the Minister for Tech and the Digital Economy, Saqib Bhatti, is responsible for digital inclusion and that is why he is in the position of chairing the group. The group met for the first time in September, and departments agreed to undertake departmental mapping exercises to drive work on digital inclusion. With the group meeting, as has been said, every six months, this is the first step of many in a cross-government effort.
Lord Clement-Jones (LD)
Does the noble Lord believe that meeting once every six months is adequate?
Viscount Camrose (Con)
The crux of the work is done at departmental level and that feels to me more like a board meeting. So, yes, I think that set-up makes logical sense, but we will watch with interest and adapt as necessary.
Many noble Lords raised points about a new digital inclusion strategy. As the Secretary of State for Science, Innovation and Technology said to the committee on Tuesday, the Government are focusing their resources on delivery—on the doing rather than on the writing of the new strategy. The key themes for the last strategy on digital inclusion—access, skills, motivation and trust—are still relevant today. I will point to some of this action as I go through my speech.
I agree with the point that the noble Lord, Lord Foster, made very well: the digital strategy should and does include the basis for digital inclusion. The 2022 digital strategy outlined work across government that will promote digital inclusion, including broadband rollout across the UK, essential digital skills support and legislation to tackle online harms, now the Online Safety Act. I thank the noble Baroness, Lady Jones, for raising the issue of who in government is working on digital inclusion, and my noble friend Lady Stowell for asking about the relationship between teams working on AI. My department has various teams, from the newly named Responsible Technology Adoption Unit, formerly the Centre for Data Ethics and Innovation, to AI skills feeding in to work on digital inclusion. This is alongside teams working on telecom skills and the tech sector. Given its varied nature, there are teams across government that work on policy linked to digital inclusion, including the Department for Culture, Media and Sport’s work with libraries, the Department for Work and Pensions’ work on unemployment and the Department for Education’s work on digital skills. There is a new official-level working group that sits across government to support this cross-cutting work.
Starting with the issue of access, I will focus on the affordability and availability of telecom services. UK consumers have access to one of the most competitive telecom markets in Europe. The cost of a gigabyte of data, at 50p in the UK, is less than half that of the average price in the EU, at £1.18. The headline cost of an average broadband package and mobile service has actually decreased since 2019.
Prices have fallen, but usage has increased: the average household broadband connection uses 53% more data today than it did in 2019. Mobile data consumption has increased 25% year on year. We have been working hard to ensure that people have the access to the internet and broadband that they need. In March 2021, we launched Project Gigabit, our £5 billion mission to deliver fast, reliable broadband to the hardest-to-reach parts of the UK, areas that would have otherwise been left out of commercial gigabit rollout plans without government subsidy.
In 2021, the Department for Culture, Media and Sport, in partnership with the charities AbilityNet and Good Things Foundation, launched the £2.5 million digital lifeline fund. The fund aimed to reduce the digital exclusion of people with learning disabilities by providing free devices, data and digital support to over 5,000 people with learning disabilities who cannot afford to get online.
To support children with access to devices, the Department for Education has also delivered over 1.95 million laptops and tablets to schools, trusts, local authorities and further education providers for disadvantaged children and young people since 2020. This is part of a £520 million government investment to support access to remote education and online social care services.
Once again, I thank the noble Lord, Lord Clement-Jones, for his valuable contribution and for raising the broadband universal service obligation, which the Government introduced in March 2020. This gives everyone the legal right to request a decent and affordable broadband connection of at least 10 megabits per second. The broadband universal service obligation is a safety net, providing a minimum level of service to participate in society and the economy, based on information provided by Ofcom. Given the significant changes to the broadband market since the USO was designed in 2019, we want to take this opportunity to review the broadband USO and ensure it remains relevant and up to date with the current technical standards required in practice, reflects the current and future market environment, and delivers on the policy principles set out by the Government when it was established. In October last year, the Government published a consultation on reviewing the broadband universal service obligation, and a response to it will be published in due course.
I also thank the noble Baroness, Lady Armstrong, and the noble Lord, Lord Lipsey, for their thoughtful contributions, which noted the importance of social tariffs provided by telecoms companies, and the right reverend Prelate the Bishop of Bristol for her well-made point on affordability. We recognise that cost is a barrier for many. As I have noted, prices in the UK are falling and the Government have worked closely with the telecoms industry to ensure the provision of low-cost, high-quality fixed and mobile tariffs, also known as social tariffs, for those on universal credit as well as other means-tested benefits. There is of course a balance to be struck between ensuring investment in UK telecoms infrastructure and ensuring that services remain affordable.
We have established a pro-investment, pro-competition environment and remain committed to the idea that a competitive market will deliver the best outcomes for all consumers. Social tariffs are now available from 27 providers, up from 10 in November 2022, from the likes of BT, Sky and Virgin Media and across 99% of the UK. We have seen an increase in uptake of almost 160% since September 2022, but I am afraid to say that this represents just 8% of total eligible households. I absolutely acknowledge that we need to make more progress and we will continue to look at how to accelerate that.
Lord Clement-Jones (LD)
Perhaps the Minister can give us just a little more detail. Is there any movement towards auto-enrolment and the kind of ideas that have come out of the committee?
Viscount Camrose (Con)
Yes, but I am going to have to write because that would be a multi-bullet point communication.
There is also the timely issue of contract price rises. We appreciate that households across the country are struggling with their bills because of the rise in the cost of living, and that price rises in any services will be unwelcome. That is why it is essential that important clauses within telecoms contracts, such as in-contract price rises, are clear and transparent. Consumers need to be aware of what they are agreeing to when taking up a broadband or mobile contract.
In December, Ofcom completed its review of inflation-linked in-contract price rises and launched a consultation that would end CPI and RPI increases, replacing them with a clear pounds and pence figure for what consumers will pay. For the avoidance of doubt, social tariffs do not incur in-contract prices rises.
I draw noble Lords’ attention to the commitments made by industry bosses in June 2021 to support their customers. The sector agreed to allow consumers facing financial difficulties to enter into affordable payment plans or move to cheaper plans without penalty. We have been clear that any customer who believes they are facing digital exclusion can contact their provider to discuss the support that might be available.
On VAT, as noted by the noble Lord, Lord Young, it is important to remember that decisions to deviate from the standard VAT rate of 20% have to be considered carefully and based on clear evidence, as lowering tax in one place can mean raising tax in another. Taxation policy is kept under review, and we would be happy to receive evidence of the benefits of reducing VAT on social tariffs.
In addition to the provision of social tariffs, we have increased access to gigabit internet. Approximately 80% of UK premises can now access gigabit-capable broadband—a huge leap forward from 2019, when coverage was just 6%. We are on track to meet our target of 85% coverage by 2025. We will continue to expand our mobile network too. By 2025, we will have 95% coverage through the shared rural network, and we are aiming for the majority of the population to have access to 5G signal by 2027, via the 5G Testbeds and Trials Programme.
Government cannot, and should not, be expected to tackle the issue of digital inclusion alone. We call on private sector organisations to prioritise digital inclusion in their business, which they could do by joining device donation schemes, for example. We encourage telecoms providers to continue to provide social tariffs and advertise them to eligible households. We encourage companies to adhere to the public sector bodies accessibility regulations and other government accessibility guidance, which are published and freely available online, for their websites and other publicly available information.
I thank the noble Baroness, Lady Jones, and my noble friend Lady Stowell for their thoughtful contributions and for raising the important issue of high-quality localised hubs, including libraries and banking hubs. Banking hubs are a voluntary initiative provided by the UK’s largest high street banks. I agree that it is imperative that banks and building societies recognise the needs of all their customers, including those who need to use in-person services. Over 100 banking hubs have been announced so far, and the Government hope to see these hubs open as soon as possible.
Around 2,900 public libraries in England provide a trusted network of accessible locations, with staff, volunteers, free wifi funded by the Department for Culture, Media and Sport, public PCs, and assisted digital access to a wide range of digital services. My noble friend Lady Sanderson’s An Independent Review of English Public Libraries, published in January, called for the establishment of formal links between digital-by-default public services, particularly health services and libraries, to ensure the provision of one-to-one support. In his response to my noble friend Lady Sanderson, my noble friend Lord Parkinson committed to exploring her recommendations further, as part of the development of the Government’s libraries strategy, due to be published in 2024. The noble Baroness, Lady Jones, asked for a date for that, but I will have to come back to her with the timelines, as I do not have that detail.
On access to support for those seeking work, Jobcentre Plus work coaches can provide support to eligible claimants who are not online with financial support to buy six-month broadband connections. This is administered by the Department for Work and Pensions through the flexible support fund. This cross-government approach is working to reach millions of people across the UK and to provide necessary access for the digital age.
We know that, in addition to access, the right skills are needed, as many noble Lords rightly pointed out, to be able to use and take advantage of digital content and services. Digital skills are central to the jobs of today and the workforce of tomorrow. Ensuring that the workforce has the digital skills for the future is important to meet the UK’s ambition to be a global science and tech superpower.
I thank the noble Baroness, Lady Jones, for raising the skills gap. Tackling the digital skills gap and the shortage of digital workers across the economy cannot be done by government alone, which is why the Government launched the Digital Skills Council in June 2022, bringing together government and industry to strengthen the digital workforce. The council is focused on addressing industry’s current and future demand for digital skills, including through digital apprenticeships and by increasing the amount of business-led upskilling.
I thank the noble Baroness, Lady Jones, for raising also the role of the employer to support training staff. More than 80% of those who will be in the 2030 workforce are already in the workforce today. Given the need to continually refresh digital skills, upskilling existing workers with workplace training be essential. We have put employers at the heart of our apprenticeship system, empowering them to design the standards they need. Employers in the digital sector have developed 30 apprenticeship standards in digital. These high-quality apprenticeships are in a wide range of occupations and emerging technologies, including data scientist, software developer, cybersecurity and artificial intelligence specialist.
The noble Baroness, Lady Jones, also raised investment and support for young people. For children and young people, we are supporting and inspiring the next generation of technologists. It is crucial that we challenge perceptions of what being in a tech career is all about if we are to attract diverse and high-quality talent into our digital workforce. To achieve this, we are working closely with the Department for Education, industry and academia through the Digital and Computing Skills Education Taskforce, launched last summer to increase the numbers of students choosing digital and tech educational pathways into tech careers.
We are also working in partnership with industry and other government departments to inspire and engage students before they make key subject choices at GCSE and A-level—for example, through the CyberFirst programme, which encompasses technology-focused initiatives, from free online extracurricular learning to national competitions and bursaries. This includes DSIT’s Cyber Explorers programme, launched in February 2022, which seeks to support the teaching of computing in schools and to inspire young people aged 11 to 14 to take up computer science for GCSE and the opportunities that a career in cybersecurity can offer. Over 60,000 students are registered across nearly 2,500 schools.
I thank my noble friend Lord Holmes for his question on the national curriculum. In addition to the programmes that I have just outlined, the DfE introduced computing as a statutory national curriculum subject in 2014 from key stages 1 to 4. In addition to this, we are investing a total over the Parliament of £3.8 billion in skills in England by 2024-25 and, in October, we quadrupled the scale of skills bootcamps.
I thank the noble Baroness, Lady Jones, for raising the essential digital skills framework. The Department for Education has used that framework as the basis for the national standards for essential digital skills of 2019, which set out the skills that the qualifications funded and that the adult digital statutory entitlement must cover.
I thank the noble Baroness, Lady Lane-Fox, for her important question on the links to community groups. These really are an important part of the digital inclusion landscape. The Department for Education funds community learning and other non-regulated learning, such as building confidence in essential digital skills for learners who are not ready to take a qualification.
I reassure noble Lords that I am almost at the point of closing. The secondary barriers of trust and motivation must be tackled to have a true, positive impact on digital inclusion, but these are harder to measure. We recognise that some people are hesitant to access online services for fear that they may become victims of fraud, or that it is an unsafe environment. We have introduced the Product Security and Telecommunications Infrastructure Act, which will come into force in April this year.
Lord Foster of Bath (LD)
My Lords, I know that time is very short, but I asked about the accountability of the cross-Whitehall group being set up. We know that it is going to meet only once every six months. One assumes that it will receive at each meeting a report of progress that has been made in a wide range of areas in the preceding six months. Could the Minister at least agree that copies of the report that will be received by the group will be made public to Members of Parliament?
Viscount Camrose (Con)
I can take that up with the chair of the group, my colleague Minister Bhatti, to understand his intentions for assuring accountability.
I once again sincerely thank my noble friend Lady Stowell for securing today’s debate, and all noble Lords who have spoken so well and clearly on this absolutely critical subject. With that, I conclude my remarks.
Horizon Europe
Viscount Camrose Excerpts(2 years, 2 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Baroness McIntosh of Hudnall (Lab)
My Lords, on behalf of my noble friend Lord Stansgate, and at his request, I beg leave to ask the Question standing in his name on the Order Paper.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
Our bespoke Horizon association deal means that UK researchers can now fully participate on the same terms as researchers from other associated countries. The Government want UK academics, researchers and businesses to seize the opportunities presented by participation in Horizon Europe. Yesterday, the Government continued our push to maximise UK participation with the launch of a campaign to encourage UK businesses, academics and researchers to apply to Horizon Europe.
Baroness McIntosh of Hudnall (Lab)
My Lords, I thank the Minister for a very optimistic prospect, but as he knows, negotiations for the UK to rejoin Horizon were protracted and quite difficult. While there was great relief in the research community when they were eventually successful—he may have heard the Government’s Chief Scientific Adviser Dame Angela McLean talking about this on the “Today” programme this morning—there is ground for the UK to make up. Now that we have rejoined, is the Minister confident that UK-led research bids in this new round will attract their fair share of available funding? Is he aware of any difficulties there might be with visa arrangements for EU researchers who might want or need to come work in the UK? Can he also tell the House whether the Government are formally represented in EU ministerial discussions about Horizon Europe?
Viscount Camrose (Con)
I thank the noble Baroness for her questions and will try to cover as much of the material as possible. First, I am pleased to say that we look forward to welcoming Commissioner Ivanova to the UK the week after next, when we will discuss many of these matters. In fact, I will be participating the following week at a ministerial meeting on Horizon in Brussels. It is historically exceptional for associate countries to attend at ministerial level, so I think it demonstrates good will on all sides. Meanwhile, we are pursuing a wide programme of activities to maximise participation. That includes supporting SMEs and others who would not traditionally have worked with Horizon, as well as a campaign launched yesterday and ministerial engagement. We remain optimistic, but, as I have said in this House, the damage has been done by protracted absence.
Lord Johnson of Marylebone (Con)
My Lords, there are seven years of uncertainty to recover from, but better late than never. I strongly welcome the Government’s pump-priming on behalf of applicants to Horizon Europe. In assessing the value for money of the programme, how important do the Government think it is that Switzerland also rejoins, and what efforts are they making to support Bern in that objective?
Viscount Camrose (Con)
A range of other countries, as the noble Lord said, are also joining on an associate basis; Horizon is the largest programme of its type anywhere in the world. The total value of the programme is £80 billion over two years, and we consider that rejoining represents a significant opportunity for us following the uncertainty of our period of non-association. As to engagement with Bern, I am afraid that I do not have an answer for the noble Lord, but I will look into it; it sounds like a valuable contribution we could make.
Baroness Smith of Newnham (LD)
My Lords, I pay tribute to the noble Viscount, Lord Stansgate, in his absence for persistently bringing the issue of Horizon Europe to your Lordships’ House. Today, obviously, we can be very glad that the UK has rejoined, and I declare my interest as a professor of European politics at Cambridge and as having previously received money from European Union research funding. Clearly, as an academic, I am delighted that we are back in, but how much is this blitz of information about rejoining Horizon Europe costing the Government and how far have we lost out by being an associate member and not a full member? As the Minister said, we are now treated like other associate members; what does that mean in practice?
Viscount Camrose (Con)
I echo the noble Baroness’s remarks about the noble Viscount, Lord Stansgate. Being an associate member in practice allows us access to all Horizon calls from 2024 onwards, with the very small-in-volume exceptions of EIC funds or what the EU has determined to be strategically sensitive areas, including quantum. I should add that we and the EU have publicly committed to working towards opening even those small areas up, so we would have very full access to the Horizon programme.
Lord Hannay of Chiswick (CB)
My Lords, will the Minister accept welcome for the campaign launched by the Government today to catch up with what was lost? Does he recognise that many of these programmes are multiannual, spanning quite a period, and that it would therefore be a great help if the Government could make it clear that their intention is that we should continue to be an associate member of Horizon beyond the duration of the present programme?
Viscount Camrose (Con)
Yes, indeed. I very much recognise the value of the Horizon programme. Of course, any Horizon programme beyond the current one does not exist yet, except conceptually in the minds of all the current participants, but obviously we would look very favourably at participating as and when its terms were made clear.
Lord Winston (Lab)
My Lords, until Brexit, it was clear that the United Kingdom was second only to the United States in research in science, engineering and medicine. Can the Minister be kind enough to tell the House what assessment the Government have made of the impact of the loss of the Horizon programme in terms of citations and publications?
Viscount Camrose (Con)
As I have said in this House before, there is no doubt that our period of non-association with the Horizon programme did lasting damage. We have to focus now on repairing that damage. It is very difficult to put a number in currency on the value of that and I am not sure I would know where to begin. I absolutely acknowledge that the damage was real and is going to take a very conscious effort to fix.
Lord Patel (CB)
My Lords, it is good that from 1 January 2024 we are now associate members of Horizon, with the benefits it will bring, including the citation levels, but the Treasury withdrew £1.6 billion of funding that was earmarked for research during the time when we were negotiating joining Horizon Europe, and I understand from a further report published recently that a further £1 billion was removed. Can the Minister confirm that that is not the case?
Viscount Camrose (Con)
As is absolutely normal practice, money ring-fenced for a purpose to which it does not go is, in order to keep budgets taut and realistic, returned to the Treasury, but that in no way indicates an intention to diminish our spend on science and R&D. The Government remain committed to spending £20 billion a year on R&D by the 2024-25 spending review.
Baroness Jones of Whitchurch (Lab)
My Lords, what proportion of Horizon-funded projects are now led by UK research institutions compared to our previous well-known standing in the European research field?
Viscount Camrose (Con)
We have only very recently reassociated to Horizon, so we will not know who bid under the Horizon 2024 programme, or who the leader is or who has been successful, for, on average, six to nine months between making the proposal and receiving word, but at that time I will keep this House up to date on that important question.
Lord Trees (CB)
My Lords, today is World Neglected Tropical Diseases Day. Historically, EU Horizon research funding has been hugely valuable in supporting British scientists at our world-class biomedical institutions to collaborate with Asian, African, South American and European scientists to tackle neglected tropical diseases and diseases such as malaria. Can the Minister reassure the House that with our associate membership there will still be the possibility of funding those collaborative arrangements with the global South, with scientists in Africa, Asia and South America, in order to tackle these terrible neglected tropical diseases which threaten the most disadvantaged populations in the world but also our public health?
Viscount Camrose (Con)
Yes, absolutely. I thank the noble Lord for bringing up such an important and interesting area of science. I can confirm that our associate membership of Horizon would give us access to any and all Horizon calls alongside any other EU member or associate member, provided they are not designated as strategically significant, which those tropical diseases would not be.
Cancer Research: Funding Gap
Viscount Camrose Excerpts(2 years, 2 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Hunt of Kings Heath
To ask His Majesty’s Government what assessment they have made of the analysis by Cancer Research UK projecting a £1 billion funding gap for cancer research.
The Parliamentary Under-Secretary of State, Department for Science, Innovation and Technology (Viscount Camrose) (Con)
The Government remain fully committed to tackling cancer by investing in cutting-edge cancer research. We invested almost £122 million into cancer research in 2022-23 via the National Institute for Health and Care Research, while UK Research and Innovation invests around £200 million annually. We work closely with research funders, industry, the NHS and charities to drive earlier diagnosis and improved therapies. We are confident that the Government’s unwavering commitment will lead to continued improvements for cancer patients.
Lord Hunt of Kings Heath (Lab)
My Lords, I am grateful to the Minister, particularly in relation to his final comment about long-term investment. He will be aware that around 62% of all publicly funded research on cancer comes from the charitable sector. The last few years have been incredibly tough for the sector in raising money. As an example, over the past five years Cancer Research UK has seen a 19% drop in real terms in the amount it can invest in cancer research. It argues that we are in danger of losing about £1 billion of investment into cancer research over the next ten years, and has called for a commission on sustainable biomedical research task force to look at how government, the charitable sector and other funders can collectively fill that gap. Are the Government sympathetic to that?
Viscount Camrose (Con)
Yes, entirely, and I thank the noble Lord for raising this very important issue. I pay tribute to the very important and good work done by Cancer Research UK. If its analysis—I am familiar with its basic thrust—has a flaw, it is that it makes an assumption about an ongoing linear link between the number of cancer sufferers over the year and direct government and charity sector support. This assumption neglects to bring in, first, the close work done between the Government, businesses—through business co-funding—and others, and, secondly, the growing, extensive, important research that is relevant to cancer but not specifically associated with it. In particular, many of us are familiar with the work done on radiology in AI. It is not cancer-specific but is certainly likely to help the cause of improving cancer outcomes.
Lord Carter of Haslemere (CB)
My Lords, according to Cancer Research UK, the US Government spend five times as much per citizen on cancer research as the UK Government. Why do the Government spend so much less?
Viscount Camrose (Con)
I am not familiar with this analysis, but it is very difficult to understand exactly how much is spent on cancer research, for the reason I gave earlier: so much cancer research is in areas adjacent or relevant to cancer without being specifically tagged as “cancer research”. For instance, in October 2023 the Prime Minister announced a new £100 million fund for the AI life sciences accelerator mission, which will have beneficial outcomes on cancer but is not tagged directly to cancer.
Lord Allan of Hallam (LD)
My Lords, I am sure the Minister receives regular representations from potential investors in medical research in the UK about what they need from the Department of Health and Social Care. Will he share with the House, and with his neighbour on the Front Bench, their key asks from the UK medical system and how he ensures a cross-government approach to entice in the maximum amount of investment?
Viscount Camrose (Con)
Indeed: it is so important to have not only a cross-government approach but a cross-sectoral approach. The Government work closely with academic, industry, charitable and other stakeholders. The crux of this is the healthcare missions of the Office for Life Sciences. The OLS cancer mission aims to show leadership in oncology innovation by developing further the approach first successfully used in the Vaccine Taskforce. Among other things, it has implemented the UK cancer research strategy forum, which brings together bodies of all kinds that are active in cancer research to ensure that they are effectively co-ordinated in today’s research and in future directions.
Lord Drayson (Lab)
My Lords, UK citizens willingly volunteer to allow excellent initiatives such as UK Biobank, Genomics England and Our Future Health to generate databases of health data that are excellent for cancer research. These databases are a sovereign UK asset funded by taxpayers, yet we allow the IP to leak abroad without any meaningful contribution to Treasury coffers. When will the Government implement an effective commercialisation policy to ensure that this leakage of wealth is stopped and directed to help fund cancer research?
Viscount Camrose (Con)
I cannot comment directly on leakage of either information or wealth. I noted with great interest the latest report of the Tony Blair Institute that was publicised over the weekend, which argued that we should put our healthcare data on a commercial setting for this purpose. I am not familiar with any individual allegation of leakage or undue movement of data out of the country, but I am willing to look into it and take it up with ministerial colleagues.
Lord Stevens of Birmingham (CB)
I declare my interest as chair of Cancer Research UK. One of the most important international research partnerships in cancer science is the Cancer Grand Challenges, which bring together CRUK, the US Government, the French Government, the Dutch and the Spanish, but not yet the British Government. I invite the Minister to consider joining the club and using the March Budget as an opportunity to stump up the membership fees.
Viscount Camrose (Con)
I once again pay tribute to Cancer Research UK. It is a tremendous organisation doing great work. I will look into the scheme the noble Lord brings up and take it up with ministerial colleagues.
The Lord Bishop of London
My Lords, as the noble Lord, Lord Stevens, will know, Cancer Research reported in its 2023 researcher survey that while 98% of respondents said that collaboration with EU-based scientists is important, 79% said that since Brexit it had been harder to begin new collaborations with EU-based researchers and scientists. What steps are the Government taking to prioritise collaboration between the EU and the UK in this area, especially with compatibility with the EU clinical trials regulatory framework?
Viscount Camrose (Con)
As we have just rejoined the Horizon programme as an associate, I am pleased to say that our collaboration with friends and colleagues in the EU will pick up considerably. I very much look forward to answering a Question in this House tomorrow on that exact subject.
Baroness Jones of Whitchurch (Lab)
My Lords, the Lord O’Shaughnessy review concluded that the UK is falling behind its peers in the internationally competitive marketplace for commercial clinical trials. Many in the research and entrepreneurial community are concerned that our most innovative researchers are going abroad. What is being done to persuade them to stay in this country?
Viscount Camrose (Con)
The Government and academic institutions countrywide are very focused on making sure that the country remains an attractive place to conduct research. We have four of the world’s top 10 universities in this country—a significant research base. We believe and hope that we are an outstanding place to come to live and work as a researcher. There is no doubt that we will need a significant influx of researchers if we are to meet our scientific ambitions as a nation. We continue to monitor our generous points-based immigration scheme to make sure that we can continue to attract the brightest and best.
Lord Patel (CB)
My Lords, much of the research, including cancer research, is carried out by universities. For that, the university has to spend money to build up infrastructure. That money mainly comes from the quality-related research or QR funding and the CRSF funding, the charity research support fund, both of which have declined, particularly as charity research funding increases and the government support does not. Is it the Government’s intention to increase QR funding in line with inflation and the CRSF?
Viscount Camrose (Con)
It is certainly the Government’s intention to maximise the results of conducting cancer research in universities and elsewhere. I think particularly that we do not give enough emphasis to our collaborations with business; in that respect I point to our work with BioNTech, which aims to provide 10,000 patients with immunotherapies by 2030, or the NHS-Galleri trial. As to the specific instance of the QR increase, I will happily write to the noble Lord.