Louise Haigh

- Hansard -

Copy Link

- - Excerpts

These are further amendments tabled by my hon. Friend the Member for Cardiff West and me to make the codes of practice, on which officials have obviously worked so hard and which were developed in consultation with the Information Commissioner, legally binding. With your permission, Mr Stringer, I will come to specific issues about the data-sharing measures and fraud during debate on clause stand part.

I appreciate what the Minister said about sanctions being enforced on those authorities that do not have regard to the code of practice, but it says on the front page of the code:

“The contents of this Code are not legally binding”;

it merely

“recommends good practice to follow when exercising the powers set out in the Bill.”

That is not really a strong enough message to send to officials and all those involved in data-sharing arrangements. I would be interested to hear examples from the Minister of when it would be considered reasonable not to follow the code, as I assume that that is why he does not want to build it into primary legislation. I know that he will tell me that his real reason is that he wants to future-proof the codes. That is all well and good, but the Bill is already outdated. One witness wrote to us in evidence:

“Part 5 seems to imply an approach to ‘data sharing’ modelled on the era of filing cabinets and photocopiers when—quite literally—the only way to make data available to others was to send them a duplicate physical copy. Modern technology has already rendered the need for such literal ‘data sharing’ obsolete: data can now be used without copying it to others and without compromising security and privacy.”

Furthermore, data sharing is not defined, either legally or technically, in the Bill or in the codes of practice. Does data sharing mean data duplication—copying and distribution—or does it mean data access, or alternatives such as attribute exchange or claim confirmation? These are all quite different things, with their own very distinct risk profiles, and in the absence of any definition, the term “data sharing” is ambiguous at best and potentially damaging in terms of citizens’ trust, cyber-security and data protection. Let me give an example: there is a significant difference between, and different security risk associated with, distributing personal information to third parties, granting them controlled and audited one-time access for the purpose of a specific transaction, or simply confirming that a person is in debt or is or is not eligible for a particular benefit, without revealing any of their detailed personal data.

What is more, there is no reference in the clause to identity and how officials, citizens, or organisations, or even devices and sensors, will be able to prove who they are and their entitlement to access specific personal data. Without this, it is impossible to share data securely, since it will not be possible to know with whom data are being shared and whether they are an appropriate person or organisation to have access to those data. Security audits, of who has accessed which data, when and why, require a trusted identity framework to ensure that details of who has been granted access to data are accurately recorded. Presumably, it will also be mandatory to implement good practice security measures, such as protecting monitoring, preventing in real time inappropriate attempts at data access, and flagging such attempts, to enable immediate mitigating action to be taken.

As I said on Tuesday, all these details are moot, as are the codes of practice and indeed the Information Commissioner Office’s excellent code of practice, if the existence and detail of data sharing is not known about to be challenged; hence the need for a register, as set out in new clause 35. That is why we have tabled our amendments and we would like the Minister to give serious consideration to the inclusion of these important principles and safeguards in the Bill. We are not talking about detailed regulations, we are certainly not talking about holding back technological advances, and we are not talking about the “dead hand of Whitehall”, as the Minister said on Tuesday. We are talking about vital principles that should be in primary legislation, alongside any new powers to share information. The most important of those principles is transparency, which is exactly what new clause 35 speaks to. It would require public authorities to enter in a public register all data disclosures across Government.

The Minister did not know the detail of the audits that are mentioned in the codes of practice. We really need more detail on those audits, as it may well satisfy us in our request for this register. Will all data-sharing agreements be kept in a single place in each Department, updated as data are shared and disclosed across Government, with Government agencies and with non-public sector organisations? Will these additional agencies keep similar audits and—crucially—will those audits be publicly available? Also, will the audits include the purpose of the disclosure, the specific data to be disclosed, how the data were transferred, how the data are stored and for how long, how the data are deleted at the end of that time frame, what data controllers and processors are involved in the sharing of that data, and any other restrictions on the use of further disclosure of that data?

If we have, in a single place, data-sharing amendments, as this amendment would establish, the public can see and trust how their data are being used and for what purpose. They can understand why they are getting a letter from Concentrix about Her Majesty’s Revenue and Customs, or why they have been targeted for a warm home scheme, and—crucially—they can correct or add to any information on themselves that is wrongly held.

Louise Haigh

- Hansard -

Copy Link

- - Excerpts

I completely agree, and I believe that the gov.uk Notify service would be an excellent means by which to go about that. I hope that the Minister will consider it.

Louise Haigh

- Hansard -

Copy Link

- - Excerpts

Absolutely. This is where the Government often miss a trick: the interrelationship between FOI and open data could drive significant efficiencies across the Government and provide citizens and the data community with valuable data, including data that are valuable to the digital economy. I appreciate that our amendment might not be perfectly drafted, but I hope that the Minister will give serious consideration to the proactive publication of these audits and of all data-sharing arrangements across the Government.

Louise Haigh

- Hansard -

Copy Link

- - Excerpts

Exactly. The data belong to them; that is exactly right. They should not have to jump over legalistic hurdles to find out how and why the Government are using data that should belong to them, and the Bill completely turns the view that they should not have to do so on its head. I take the Minister’s point about the amendment not being properly drafted. We will go away and redraft it and we will absolutely return to this issue on Report. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.