Data Protection and Digital Information (No. 2) Bill (Sixth sitting)

Debate between John Whittingdale and Chi Onwurah
John Whittingdale Portrait The Minister for Data and Digital Infrastructure (Sir John Whittingdale)
- Hansard - -

Clauses 48 to 52 provide the Secretary of State with powers and duties relating to the governance and oversight of digital identities in the UK. Those functions will be carried out by the office for digital identities and attributes. I can tell the hon. Member for Newcastle upon Tyne Central that the office is a team of civil servants in the Department for Science, Innovation and Technology. The office will oversee certified organisations that provide trusted digital verification services, to ensure that the purpose of the legislation is being upheld as the market develops.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - - - Excerpts

I appreciate the Minister’s clarification that the office will be a group of civil servants, but I do not see that set out in the Bill, in the clause that we are currently debating. Am I wrong?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

As the office is an internal body, within the Department, I do not think that it would necessarily be specifically identified in the legislation in that way. If there is any more information on that, I will be happy to provide it to the hon. Lady in a letter, but the office is not a separate body to the Department.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for providing greater clarification, but if the office is not a separate body, it cannot be claimed to be independent of Government, which means that the governance of digital verification services is not independent. Will he confirm that?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

This is a function that will operate within Government. I do not think that it is one where there is any specific need for particular independence, but as I said, I am happy to supply further details about precisely how it will operate if that is helpful to the hon. Lady.

Let me move on from the precise operation of the body. Clause 53 sets out requirements for certified digital verification service providers in relation to obtaining top-up certificates where the Secretary of State revises and republishes the DVS trust framework.

Clause 48 provides that the Secretary of State must establish and maintain a register of digital verification service providers. The register must be made publicly available. The Secretary of State is required to add a digital verification service provider to the register, provided that it has met certain requirements. To gain a place on the register, the provider must first be certified against the trust framework by an accredited conformity assessment body. Secondly, the provider must have applied to be registered in line with the Secretary of State’s application requirements under clause 49. Thirdly, the provider must pay any fee set by the Secretary of State under the power in clause 50.

The United Kingdom Accreditation Service accredits conformity assessment bodies as competent to assess whether a digital verification service meets the requirements set out in the trust framework. That, of course, is an arm’s length body. Assessment is by independent audits, and successful DVS providers are issued with a certificate.

The Secretary of State is prohibited from registering a provider if it has not complied with the registration requirements. An application must be rejected if it is based on a certificate that has expired, has been withdrawn by the issuing body, or is required to be ignored under clause 53 because the trust framework rules have been amended and the provider has not obtained a top-up certificate in time. The Secretary of State must also refuse to register a DVS provider if the provider was removed from the register through enforcement powers under clause 52 and reapplies for registration while still within the specified removal period.

Clause 48(7) provides definitions for “accredited conformity assessment body”, “the Accreditation Regulation”, “conformity assessment body” and “the UK national accreditation body”.

Clause 49 makes provision for the Secretary of State to determine the form of an application for registration in the digital verification services register, the information that an application needs to contain, the documents to be provided with an application and the manner in which an application is to be submitted.

Clause 50 allows the Secretary of State to charge providers a fee on application to be registered in the DVS register. The fee amount is to be determined by the Secretary of State. The clause also allows the Secretary of State to charge already registered providers ongoing fees. The amount and timing of those fees are to be determined by the Secretary of State.

Clauses 51 and 52 confer powers and duties on the Secretary of State in relation to the removal of persons from the register. Clause 51 places a duty on the Secretary of State to remove a provider from the register if certain conditions are met. That will keep the register up to date and ensure that only providers that hold a certificate to prove that they adhere to the standards set in the framework are included in the register. Clause 52 provides a power to the Secretary of State to remove a provider from the register if the Secretary of State is satisfied that the provider is failing to provide services in accordance with the trust framework, or if it has failed to provide the Secretary of State with information as required by a notice issued under clause 58. Clause 52 also contains safeguards in respect of the use of that power.

Clause 53 applies where the Secretary of State revises and republishes the DVS trust framework to include a new rule or to change an existing rule and specifies in the trust framework that a top-up certificate will be required to show compliance with the new rule from a specified date.

I hope that what I have set out is reasonably clear, and on that basis I ask that clauses 48 to 53 stand part of the Bill.

Stephanie Peacock Portrait Stephanie Peacock (Barnsley East) (Lab)
- Hansard - - - Excerpts

As has been mentioned, a publicly available register of trusted digital verification services is welcome; as a result, so is this set of clauses. A DVS register of this kind will improve transparency for anyone wanting to use a DVS service, as they will be able to confirm easily and freely whether the organisation that they hope to use complies with the trust framework.

However, the worth of the register relies on the worth of the trust framework, because only by getting the trust framework right will we be able to trust those that have been accredited as following it. That will mean including enough in the framework to assure the general public that their rights are protected by it. I am thinking of things such as data minimisation and dispute resolution procedures. I hope that the Department will consider embedding principles of data rights in the framework, as has been mentioned.

As with the framework, the detail of these clauses will come via secondary legislation, and careful attention must be paid to the detail of those measures when they are laid before Parliament. In principle, however, I have no problem with the provisions of the clauses. It seems sensible to enable the Secretary of State to determine a fee for registration, to remove a person from the register upon a change in circumstances, or to remove an organisation if it is failing to comply with the trust framework. Those are all functions that are essential to the register functioning well, although any fees should of course be proportionate to keep market barriers low and ensure that smaller players continue to have access. That facilitates competition and innovation.

Similarly, the idea of top-up certificates seems sensible. Members on both sides of the House have agreed at various points on the importance of future-proofing a Bill such as this, and the digital verification services framework should have space for modernisation and adaptation where necessary. Top-up certificates will allow for the removal of any organisation that is already registered but fails to comply with new rules added to the framework.

The detail of these provisions will be analysed as and when the regulations are introduced, but I will not object to the principle of an accessible and transparent register of accredited digital verification services.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for clarifying the role of the office for digital identities and attributes. Some of the comments I made on clause 46 are probably more applicable here, but I will not repeat them, as I am sure the Committee does not want to hear them a second time. However, I ask the Minister to clarify the process. If a company objects to not being approved for registration or says that it has followed the process set out by the Secretary of State but the Secretary of State does not agree, or if a dispute arises for whatever reason, what appeal process is there, if any, and who is responsible for resolving disputes? That is just one example of the clarity that is necessary for an office of this kind.

Will the Minister clarify the dispute resolution process and whether the office for digital identities and attributes will have a regulatory function? Given the lack of detail on the office, I am concerned about whether it will have the necessary powers and resources. How many people does the Minister envisage working for it? Will they be full-time employees of the office, or will they be job sharing with other duties in his Department?

My other questions are about something I raised earlier, to which the Minister did not refer: international co-operation and regulation. I imagine there will be instances where companies headquartered elsewhere want to offer digital verification services. Will there be compatibility issues with digital verification that is undertaken in other jurisdictions? Is there an international element to the office for digital identities and attributes?

Everyone on the Committee agrees that this is a very important area, and it will only get more important as digital verification becomes even more essential for our everyday working lives. What discussions is the Minister having with the Department for Business and Trade about the kind of market that we might expect to see in digital verification services and ensuring that it is competitive, diverse and across our country?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

I look forward to debating the detail of the framework with the hon. Member for Barnsley East when it comes forward, but the hon. Member for Newcastle upon Tyne Central raised a couple of specific points. As I said, the new office for digital identities and attributes will be in the Department for Science, Innovation and Technology, and it will work on a similar basis to that of the office for product safety and standards, which operates within the Department for Business and Trade.

However, I should make it clear that the office for digital identities and attributes is not a regulator, because the use of digital identities is not mandatory, so it does not have investigatory or enforcement powers. It is not our intention for it to be able to levy fines or resolve individual complaints. Further down the line, as the market develops, it may be decided that it should be housed permanently in an independent body or as an arm’s length body, but that is for consideration in due course. It will start off within the Department.

I will come back to the hon. Member for Newcastle upon Tyne Central with more detail about dispute resolution. I take her point; I am not sure how often what she describes is likely to happen, but clearly it is sensible at least to take account of it.

--- Later in debate ---
John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

Clauses 58 to 60 set out powers and duties conferred upon the Secretary of State in relation to the exercise of her governance and oversight functions under part 2.

Clause 58 enables the Secretary of State to issue a written notice that requires accredited conformity assessment bodies or registered DVS providers to provide information reasonably required by the Secretary of State to exercise functions under part 2. The notice must state why the information is required. It may also state what information is required, the form in which it should be provided, when it should be provided and the place to which it should be provided. Any notice given to a provider must also inform the provider that they may be removed from the DVS register if they fail to comply with the notice.

The power is subject to certain safeguards. Information does not have to be disclosed if to do so would breach clause 55 in relation to HMRC data or data protection legislation, or if disclosure is prohibited by the relevant parts of the Investigatory Powers Act 2016. Information does not need to be disclosed if doing so would reveal an offence that would expose a person to criminal proceedings. That does not apply to offences mentioned relating to false statements.

Clause 59 gives the Secretary of State the power to make regulations specifying that another person is able to exercise her functions under part 2. This clause enables us to move the governance and oversight functions of the Secretary of State to a third party if appropriate.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for giving way. Before he moves on to clause 60, can he set out, perhaps giving an example, where it might be appropriate to use the power in clause 59 to make arrangements for another person to take on these functions, or in what circumstances he envisages it being used?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

We are obviously at a very early stage in the development of this market. At the moment, it is felt right that oversight should rest with the Secretary of State, but it may be that as the market grows and develops there will need to be the oversight via a separate body. The clause keeps the power available to the Secretary of State to delegate the function if he or she chooses to do so.

Clause 60 requires the Secretary of State to publish an annual report on the functioning of this part. The first report must be published within 12 months of clause 47, the DVS trust framework clause, coming into force. The reports will help to ensure that the market continues to meet the needs of DVS providers, public authorities, regulators, civil society and individuals. I commend the clauses to the Committee.

Data Protection and Digital Information (No. 2) Bill (Fifth sitting)

Debate between John Whittingdale and Chi Onwurah
John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

We now come to the provisions in the Bill relating to the powers of the Information Commissioner. Clause 27 will introduce a new strategic framework for the Information Commissioner when carrying out his functions under data protection legislation. The framework contains a principal data protection objective and a number of general duties.

The legislation does not currently provide the commissioner with a framework of strategic objectives to help to prioritise activities and resources, evaluate performance and be held accountable by stakeholders. Instead, the commissioner is obliged to fulfil a long list of tasks and functions without a clear strategic framework to guide his work.

The clause introduces a principal objective for the commissioner, first to secure an appropriate level of protection for personal data, taking into account the interests of data subjects, controllers and others along with matters of general public interest, and secondly to promote public trust and confidence in the processing of personal data. This principal objective will replace section 2(2) of the Data Protection Act 2018.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - - - Excerpts

How does the Minister think the words

“an appropriate level of protection for personal data”

should be understood by the Information Commissioner? Is it in the light of the duties that follow, or what?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

Obviously that is a matter for the Information Commissioner, but that is the overriding principal objective. I am about to set out some of the other objectives that the clause will introduce, but it is made very clear that the principal objective is to ensure the appropriate level of protection. Precisely how the Information Commissioner interprets “appropriate level of protection” is a matter for him, but I think it is fairly clear what that should entail, as he himself set out in his evidence.

As I have said, clause 27 introduces new duties that the commissioner must consider where they are relevant to his work in carrying out data protection functions: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; the need to safeguard public security and national security; and, where necessary, the need to consult other regulators when considering how the ICO’s work may affect economic growth, innovation and competition. There is also the statement of strategic priorities, which is introduced by clause 28. However, as I have indicated to the hon. Member for Newcastle upon Tyne Central, the commissioner will be clear that his primary focus should be to achieve the principal objective.

Clause 27 also introduces new reporting requirements for the commissioner in relation to the strategic framework. The commissioner will be required to publish a forward-looking strategy outlining how he intends to meet the new principal objective and duties, as well as pre-existing duties in the Deregulation Act 2015 and the Legislative and Regulatory Reform Act 2006.

Finally, the commissioner will be required to publish a review of what he has done to comply with the principal objective, and with the new and existing duties, in his annual report.

--- Later in debate ---
Stephanie Peacock Portrait Stephanie Peacock
- Hansard - - - Excerpts

Clause 46 defines digital verification services. Central to the definition, and to the framing of the debate on part 2, is the clarification that they are

“services that are provided at the request of an individual”.

That is a crucial distinction: digital verification services and the kinds of digital identity that they enable are not the same as any kind of Government-backed digital ID card, let alone a compulsory one. As we will discuss, it is important that any such services are properly regulated and can be relied on. However, the clause seems to set out a sensible definition that clarifies that all such services operate at individual request and are entirely separate from universal or compulsory digital identities.

I will speak in more depth about clause 47. As we move towards an increasingly digitally focused society, it makes absolute sense that someone should be able, at their own choice, to prove their identity online as well as in the physical world. Providing for a trusted set of digital verification services would facilitate just that, allowing people to prove with security and ease who they are for purposes including opening a bank account or moving house, akin to using physical equivalents like a passport or a proof of address such as a utility bill. It is therefore understandable that the Government, building on their existing UK digital identity and attributes trust framework, want to legislate so that the full framework can be brought into law when it is ready.

In evidence to the Committee, Keith Rosser highlighted the benefits that a digital verification service could bring, using his industry of work and employment as a live case study. He said:

“The biggest impact so far has been on the speed at which employers are able to hire staff”––[Official Report, Data Protection and Digital Information (No. 2) Public Bill Committee, 10 May 2023; c. 52, Q112.]

In a study of 70,000 hires, the digital identity route took an average time of three minutes and 30 seconds, saving about a week compared with having to meet with an employer in person to provide physical documents. That has benefits not only to the individuals, who can start work a week earlier, but to the wider economy, since the same people will start contributing to taxation and their local economy a week earlier too.

Secondly, Keith identified that digital verification could open up remote jobs to people living in areas where employment opportunities are harder to come by. In theory, someone living in my constituency of Barnsley East could be hired in a role that would previously have been available only in London, thanks to their ability to prove who they are without ever having to meet their employer in person.

In the light of those benefits, as well as the potential reduction in fraud from cutting down on the usability of fake documents, in principle it seems only logical to support a framework that would allow trusted digital verification services to flourish. However, the key is to ensure that the framework breeds the trust necessary to make it work. In response to the digital identity call for evidence in 2019, the Government identified that a proportion of respondents were concerned about their privacy when it came to digital verification, saying that without assurances on privacy protections it would be hard to build trust in those systems. It is therefore curious that the Government have not accompanied their framework with any principles to ensure that services are designed and implemented around user needs and that they reflect important privacy and data protection principles.

Can the Minister say why the Government have not considered placing the nine identity assurance principles on the statute book, for example, to be considered when legislating for any framework? Those principles were developed by the Government’s own privacy and consumer advisory group back in 2014; they include ensuring that identity assurance can take place only where consent, transparency, multiplicity of choice, data minimisation and dispute resolution procedures are in place. That would give people the reassurance to trust that the framework is in keeping with their needs and rights, as well as those of industry.

Furthermore, can the Minister explain whether the Government intend to ensure that digital verification will not be the only option in any circumstance, making it mandatory? As Big Brother Watch points out, digital identity is not a practical or desired option, particularly for vulnerable or marginalised groups. Elderly people may not be familiar with such technology, while others might be priced out of it, especially given the recent rise in the cost of broadband and mobile bills attached to inflation. Although we must embrace the opportunities that technology can provide in identity verification, there must also be the ability to opt out and use offline methods of identification where needed, or we will risk leaving people out of participating in key activities such as jobseeking.

Finally, I look forward to hearing more about the governance of digital verification services and the framework. The Bill does not provide a statutory basis for the new office for digital identities and attributes, and there is therefore no established body for the functions related to the framework. It is important that when the new office is established, there is good communication from Government about its powers, duties, functions and funding model. After all, the framework and the principles it supports are only as strong as their enforcement.

Overall, I do not wish to stand in the way of this part of the Bill, with the caveat that I am keen to hear from the Minister on privacy protections, on the creation of the new office and on ensuring that digital verification is the beginning of a new way of verifying one’s identity, not the end of any physical verification options.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

It is a pleasure to follow my hon. Friend the Member for Barnsley East. I have some general comments, which I intend to make now, on the digital verification services framework introduced and set out in clause 46. I also have some specific comments on subsequent clauses; I will follow your guidance, Mr Hollobone, if it is your view that my comments relate to other clauses and should be made at a later point.

Like my hon. Friend, I recognise the importance of digital verification services and the many steps that the Government are taking to support them, but I am concerned about the lack of coherence between the steps set out in the Bill and other initiatives, consultations and activities elsewhere in Government.

As my hon. Friend said, the Government propose to establish an office for digital identities and attributes, which I understand is not a regulator as such. It would be good to have clarity on the position, as there is no discussion in the Bill of the duties of the new office or any kind of mechanisms for oversight or appeal. What is the relationship between the office for digital identities and attributes and this legislation? The industry has repeatedly called for clarity on the issue. I think we can all agree that a robust and effective regulatory framework is important, particularly as the Bill confers broad information-gathering powers on the Secretary of State. Will the Minister set out his vision and tell us how he sees the services being regulated, what the governance model will be, how the office—which will sit, as I understand it, in the Department for Science, Innovation and Technology—will relate to this legislation, and whether it will be independent of Government?

Will the Minister also help us to understand the relationship between the digital verification services set out in the Bill and other initiatives across Government on digital identity, such as the Government Digital Service’s One Login service, which we understand will be operated across Government services, and the initiatives of the Home Office’s fraud strategy? Is there a relationship between them, or are they separate initiatives? If they are separate, might that be confusing for the sector? I am sure the Minister will agree that we in the UK are fortunate to have world leaders in digital verification, including iProov, Yoti and Onfido. I hope the Minister agrees that for those organisations to continue their world-leading role, they need clarification and understanding of the direction of Government and how this legislation relates to that direction.

Finally, I hope the Minister will agree that digital identity is a global business. Will he say a few words about how he has worked with, or is working with, other countries to ensure that the digital verification services model set out in this legislation is complementary to other services and interoperable as appropriate, and that it builds on the learnings of other digital verification services?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

I am grateful to the hon. Member for Barnsley East for setting out the Opposition’s general support for the principle of moving towards the facilitation of digital verification services. She set out some of the benefits that such services can provide, and I completely echo her points on that score. I reiterate the central point that none of this is mandatory: people can choose to use digital verification services, but there is no intention to make them compulsory.

The trust framework has been set out with a wide number of principles and standards, to which privacy is central. The hon. Member for Barnsley East is right that that will be necessary to obtain trust from people seeking to use the services. She and the hon. Member for Newcastle upon Tyne Central have both set out detailed questions about the operation of the new office and the work alongside other Government Departments. I would like to respond to their points but, given that we are about to break, we could accept the general principle of this clause and then discuss them, no doubt in greater detail, in the debate on subsequent clauses. Will the Committee accept this clause with the assurance that we will address a lot of the issues just raised as we come to subsequent clauses in this part of the Bill?

Question put and agreed to.

Clause 46 accordingly ordered to stand part of the Bill.

Ordered, That further consideration be now adjourned. —(Steve Double.)

Data Protection and Digital Information (No. 2) Bill (Third sitting)

Debate between John Whittingdale and Chi Onwurah
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I appreciate the Minister’s clarification. He has just said that the test of identification would apply when sharing the data with another authority. However, once that has been done, the test no longer applies. Does he accept that it is possible for data to be shared that could not by this test reasonably be identified but that, over time, in a different authority, could reasonably be identified, without the data subject having any redress?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

If data is shared and then held by a new controller, it will be still subject to the same protections even though it has been transferred from the original. It is important that there should be the ability to continue to apply protection no matter what technology evolves over the course of time, but it will still be subject to the same protection and, of course, still be enforceable through the Information Commissioner.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Would it be subject to the same protection if it was transferred abroad?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

Again, yes, it will. It will be transferred abroad only if we are satisfied that the recipient will impose the same level of protection that we regard as necessary in this country.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2

Meaning of research and statistical purposes

Data Protection and Digital Information (No. 2) Bill (Fourth sitting)

Debate between John Whittingdale and Chi Onwurah
John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

The Government absolutely share hon. Members’ view of the importance of transparency. We agree that individuals who are subject to automated decision making should be made aware of it and should have information about the available safeguards. However, we feel that those requirements are already built into the Bill via article 22C, which will ensure that individuals are provided with information as soon as is practicable after such decisions have been taken. This will need to include relevant information that an individual would require to contest such decisions and seek human review of them.

The reforms that we propose take an outcome-focused approach to ensure that data subjects receive the right information at the right time. The Information Commissioner’s Office will play an important role in elaborating guidance on what that will entail in different circumstances.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - - - Excerpts

If I understood the Minister correctly, he said that decision subjects are a subset of data subjects. Can he envisage any circumstances in which a decision subject is not included within the group “data subjects”?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

It is certainly our view that anybody who is affected by an automated decision made on the basis of data held about individuals themselves becomes a data subject, so I think the answer to the honourable Lady’s question is no. As I said, the Information Commissioner’s Office will provide guidance in this area. If such a situation does arise, obviously it will need to be considered.The hon. Members for Barnsley East and for Glasgow North West asked about making information available to all those affected, and about safeguards, which we think are contained within the requirements under article 22C.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I rise to speak briefly in support of the amendment tabled by my hon. Friend the Member for Barnsley East and to emphasise the points that she made regarding the importance of putting forward a vision for the protection of workers as the nature of working environments change. That is part of what the amendment’s “digital information principles at work” seek to do. I declare an interest: I worked for Ofcom as head of technology before coming to this House. That work highlighted to me the importance of forward-looking regulation. As my hon. Friend set out, artificial intelligence is not forward looking; it is here with us and in the workplace.

Many technological changes have made work more accessible to more people: covid showed us that we could work from many different locations—indeed, Parliament successfully worked from many locations across the country. Technological changes have also made work more productive, and companies and public sector organisations are taking advantage of that increase in productivity. But some technologies have accelerated bad employment practices, driven down standards and damaged the wellbeing of workers—for example, workplace surveillance technologies such as GPS tracking, webcam monitoring and click monitoring, which encroach on workers’ privacy and autonomy. My constituents often say that they feel that technology is something that is done to them, rather than something that has their consent and empowers them.

It is important, as I am sure that the Minister will agree, that working people welcome and embrace the opportunities that technology can bring, both for them and for the companies and organisations they work for, but that cannot happen without trust in those technologies. For that, there need to be appropriate regulation and safeguards. Surely the Minister must therefore agree that it is time to bring forward a suite of appropriate principles that follows amendment’s principle of

“a fair, inclusive and trustworthy digital environment at work.”

I hope that he cannot disagree with any of that.

If we are to get ourselves out of the economic stagnation and lack of growth of the last 10 or 13 years, we need to build on new technologies and productivity, but we cannot do that without the support and trust of people in the workforce. People must feel that their rights—new rights that reflect the new environment in the workplace—are safeguarded. I hope that the Minister will agree that the principles set out in the amendment are essential to building that trust, and to ensuring a working environment in which workers feel protected and able to benefit from advances in technology.

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

I am grateful to the hon. Members for Barnsley East and for Newcastle upon Tyne Central for setting out the thinking behind the amendment. We share the view, as the hon. Member for Newcastle upon Tyne Central has just said, that those who are subject to artificial intelligence and automated decision making need to have trust in the process, and there need to be principles underlying the way in which those decisions are taken. In each case, the contributions go above and beyond the provision in the Bill. On what we are proposing regarding data protection, the changes proposed in clause 11 will reinforce and provide further clarification, as I have said, in respect of the important safeguards for automated decision making, which may be used in some workplace technologies. These safeguards ensure that individuals are made aware of and can seek human intervention on significant decisions that are taken about them through solely automated means. The reforms to article 22 would make clear employer obligations and employee rights in such scenarios, as we debated in the earlier amendments.

On the wider question, we absolutely recognise that the kind of deployment of technology in the workplace shown in the examples that have already been given needs to be considered across a wide range of different regulatory frameworks in terms of not just data protection law, but human rights law, legal frameworks regarding health and safety and, of course, employment law.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his comments. I note that he castigates us, albeit gently, for tabling an amendment to this data protection Bill, while he argues that there is a need for wider legislation to enshrine the rights he apparently agrees with. When and where will that legislation come forward? Does he recognise that we waited a long time and listened to similar arguments about addressing online harms, but have ended up in a situation where—in 2023—we still do not have legislation on online harms? My question is: if not now, when?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

As I was Chair of the Culture, Media and Sport Committee in 2008 when we published a report calling for legislation on online safety, I recognise the hon. Lady’s point that these things take a long time—indeed, far too long—to come about. She calls for action now on governance and regulation of the use of artificial intelligence. She will know that last month the Government published the AI regulation White Paper, which set out the proposals for a proportionate outcomes-focused approach with a set of principles that she would recognise and welcome. They include fairness, transparency and explainability, and we feel that this has the potential to address the risks of possible bias and discrimination that concern us all. As she knows, the White Paper is currently out to consultation, and I hope that she and others will take advantage of that to respond. They will have until 21 June to do so.

I assure the hon. Lady and the hon. Member for Barnsley East that the Government are keenly aware of the need to move swiftly, but we want to do so in consultation with all those affected. The Bill looks at one relatively narrow aspect of the use of AI, but certainly the Government’s general approach is one that we are developing at pace, and we will obviously respond once the consultation has been completed.

Information Commissioner (Remuneration)

Debate between John Whittingdale and Chi Onwurah
Monday 7th June 2021

(2 years, 9 months ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I thank the hon. Member for Newcastle upon Tyne Central for the helpful way in which she has raised some perfectly valid questions, which I will do my best to address. I will begin by joining her in thanking the outgoing Information Commissioner, Elizabeth Denham, who I think I appointed in my previous capacity a few years ago.

It is worth reminding the Committee, which I did not do in my opening address, that Elizabeth Denham’s salary is £180,000, which was a single supplement at the time of her appointment. Without today’s motion, the salary of the incoming commissioner would fall back from £180,000 to £164,000. The hon. Lady’s questions about how it compares with the rate of inflation and with the pay of public sector workers are valid, but we need to set this in context. The proposed increase would take the current salary from £180,000 to £200,000, but without the motion it would come back down again.

Of course, we all understand that these are difficult times for many people. A lot of our constituents will look at these huge salaries and say, “That’s more than I could ever dream of getting; surely £164,000 is an awful lot of money.” But the truth is that we are operating in an incredibly globally competitive area, where the skills we need are in short supply, and where people who possess those skills can command huge salaries. We have had some very good applicants, and I suspect that whichever of them ends up getting the job will be getting a pay cut from what they are currently earning.

The hon. Lady made a number of comparisons. It is difficult to equate different regulators or international regimes, but the Italian Data Protection Authority pays its head €240,000, while the Office of the Australian Information Commissioner commands a salary of £272,000, so the amount we are paying is by no means at the top of the scale. The hon. Lady mentioned Ofcom, which pays about £330,000. Executives on the Financial Conduct Authority get between £380,000 and £550,000, and Network Rail’s chair gets £310,000. Although I fully recognise that we are asking the taxpayer to meet a considerable salary, it is by no means the highest, if we look at other regulators. It reflects the critical importance of data for our economic growth.

The hon. Lady referred to the national data strategy. We published the results of a consultation on the national data strategy at the same time the ICO published its data sharing code. We will be going on to consider what additional changes might be made to try to remove some of the barriers that I have spoken about. The ICO will play a critical part in this area.

There are new responsibilities that, as I said, did not exist before Britain ceased to be a member of the European Union. The hon. Lady rightly referred to the importance of data adequacy. I hope we will very shortly reach the final agreement that the UK will maintain data adequacy with the European Union. One of the new opportunities is to look at potentially signing new data adequacy agreements with third countries. That is something that, at the moment, the EU does, but very slowly. As a third country, we now have that ability. In the consideration of whether we can reach an agreement, the ICO will play an absolutely critical role.

The hon. Lady referred to nuisance calls. One needs to differentiate to some extent between what are termed nuisance calls—people ringing somebody up and trying to persuade them to make claims or whatever that they do not need—and scams that try to persuade people to put something on their computer that will allow some criminal to access all their personal financial information. The two are obviously closely related, but one is very firmly within the remit of the ICO and the other is, to some extent, within the remit of law enforcement and the Home Office. Obviously, they all need to work together very closely, and that is happening. At the moment, scams and fraud are probably causing more distress and anxiety, whereas a few years ago it was mortgage protection policy claims and other types of nuisance calls that we all experience. As I say, they are working together very closely on that. The Home Office, which leads on that, intends to say more about that very shortly.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his comments. I just want it to be clear that although he is right to say that it is possible, and indeed important, to distinguish between nuisance calls and scams, they both share the characteristic that somebody has got hold of a person’s data, phone number and something about them, so a nuisance call can lead to a scam, depending on how much personal data they have. All the mobile networks, for example, have one text number that people can text if they get a nuisance call. There is also Action Fraud. The ICO has a relevant page on one of its websites. I want to emphasise to the Minister the point that this is very complex and individual citizens do not know what to do in response to nuisance calls—there is not a sufficiently shared understanding of that—so to say that the ICO is addressing either of these is actually an overstatement.

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I completely agree that more needs to be done, and I think action is being taken now. The hon. Lady is right that there is a lot of confusion about where to go to report receipt of a nuisance or scam call—I have done that myself. Although Ofcom monitors, it does not deal with individuals. The ICO has a reporting mechanism, but an individual does not necessarily know whether anything ever happens if they do report. Action Fraud is where they should go if it is a claim of fraud.

All I will say to the hon. Lady is that I am very aware that there is a lack of public confidence and that it needs to be addressed. As I have said, discussions are going on between the ICO, the Department for Culture, Media and Sport, the Home Office and, as the hon. Lady rightly identifies, the telecoms companies. I think that there is almost certainly more that can be done there, and I believe that we will be saying more about that very shortly. This is another reason why the ICO plays a critically important role, both in supporting economic growth and technical innovation in our economy and in providing protection for citizens against the abuse of their data or, as in this case, what we recognise are highly distressing calls—either nuisance calls or, worse, scams.

I will end by repeating that the ICO is a very important office, and it is going to get more important over time. That means we need to have an outstanding person at the head of it. The hon. Lady asked when we will announce the person’s identity. I can say that we are very far advanced. I hope that we will be in a position to make that announcement very shortly. Of course, once we do, it will need to be confirmed by the relevant Select Committee. That process will already be in train. I am sure that the new Information Commissioner will also be delighted to discuss these things with the hon. Lady once he or she is in place.

Question put and agreed to.

Resolved,

That the Committee has considered the motion:

That, from 1 November 2021—

(1) the Information Commissioner shall be paid a salary of £200,000 per annum and pension benefits in accordance with the standard award for the civil service pension scheme;

(2) all previous resolutions relating to the salary and pension of the Information Commissioner shall cease to have effect.

draft Data Protection Privacy and electronic communications (amendment etc.) (EU exit) regulations 2020

Debate between John Whittingdale and Chi Onwurah
Wednesday 25th November 2020

(3 years, 4 months ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I am grateful to the hon. Lady for indicating that the Opposition do not intend to oppose the regulations and for her remarks. I am tempted to say that we should stop meeting like this, but I think we may be doing so again in further Committees.

The hon. Lady and I absolutely agree about the importance of data in fuelling economic growth and innovation. She does not like the expression “new oil” in that context, and I understand why, but I am not sure that her suggestion about people going around excreting a trail of data was much more preferable an analogy. Nevertheless, data is of increasing importance, and the Government are keen to ensure that we reap the maximum benefit from it to create an economy driven by innovation and growth, based on the free flow of data. At the same time, we absolutely recognise the importance of data protection, which is, as she said, underpinned by GDPR, a set of EU regulations.

The hon. Lady referred to the fact that we are still in negotiation with the EU Commission about adequacy. In our view, there is no reason that we should not be granted adequacy—after all, our data protection regime is one that the EU formulated—but that is a matter ultimately for the Commission to decide. Certainly, the time left before the end of the transition period is reducing and this is therefore challenging, but we are still optimistic that it can be achieved. We have indicated to business that it is sensible to put in place the mechanisms necessary to ensure that data can continue to flow from the EU to the UK should adequacy not be achieved.

I am sure the Committee would have been disappointed if the hon. Lady had not mentioned Schrems II, which we all think about a great deal. Schrems II resulted in some quite tricky decisions, not just for the UK, because we are bound by the Schrems II judgment that negated the privacy shield, but it creates equal challenges for the EU, which is something the EU is working on; the Information Commissioner’s Office is still in conversation; and we hope to find a mechanism to allow the flow of data between EU member states, the UK and the USA to continue.

The hon. Lady is right that, even if we achieve adequacy, this is an ongoing process. We would not be negotiating as hard as we are to achieve adequacy if we intended to do anything shortly afterwards that resulted in our losing it again. On the other hand, we wish to take advantage of the fact that we will be responsible for our own data protection regime, and we wish to explore ways to facilitate the flow of data between companies and to drive growth forward. That is an opportunity, since we will no longer be bound by the Court of Justice of the European Union rulings, although in terms of adequacy decisions we will need to watch developments in the EU. Should those rulings change things, there might be implications for its attitude to our adequacy.

We certainly have no intention of doing anything that results in a loss of adequacy. The national data strategy mentioned by the hon. Lady is intended to consult very widely all those who potentially have an interest in the matter—companies that use data, privacy campaigners, stakeholders and so on—to find ways in which we might improve the UK’s data regime. She referred to the Opposition’s suggestion of a digital charter. I hope she has responded to the national data strategy, as we are obviously interested in any ideas that she has.

On trade agreements, which the hon. Lady also talked about, it is true that, for instance, the UK-Japan trade agreement contains data provisions that go beyond the EU-Japan agreement, and we regard that as a considerable achievement. However, nothing in the agreement undermines the data protection regime in this country. Indeed, the agreement makes it absolutely clear that both sides are able to maintain a legal framework that provides for the protection of personal information. The trade agreement with Japan will, we hope, result in a freer flow of data between the UK and Japan, but at the same time not undermine GDPR and our existing protection.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his responses and his genuinely seeking to answer my questions, which is something of an experience for me. We have an agreement with Japan, which means data will be allowed to go to Japan. Japan has an agreement with the US, so data is allowed to go to the US. That undermines our conditions on data flowing from the UK to the US if they do not meet the European Union adequacy rules. That is what I meant by a back door.

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I understand the hon. Lady’s concern, but I do not think it is justified. There is nothing forcing any company to transfer data from the UK to Japan or any other third country. We seek to remove unnecessary obstacles that impede that flow, but that does not undermine the requirements on UK-based companies to comply with the existing data protection regime. Indeed, that is spelt out clearly in the agreement. We do not believe that that is a risk, but it is something we continue to attach priority to, and we will keep it in mind for the future trade agreements that we are hopeful of striking.

I hope I am answering the points that the hon. Lady made. The point she made at the end of her remarks was about the obligations on the tech platforms, and she talked about disinformation and fake news. As she will be aware, the Secretary of State had a recent roundtable specifically to talk about the efforts made by the tech platforms to address the problem of disinformation about a potential covid vaccine. She will also know that the issue of obligations on tech platforms will be addressed through the online harms legislation that we still expect in the near future.

I hope I have answered the hon. Lady’s questions and I commend the regulations to the Committee.

Question put and agreed to.

Draft Audiovisual Media Services (Amendment) (Eu Exit) Regulations 2020

Debate between John Whittingdale and Chi Onwurah
Tuesday 17th November 2020

(3 years, 4 months ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I was smiling simply because after the catalogue of failure and disaster that the hon. Lady recounted in describing the SI, she then said that the Opposition will not oppose it, which obviously I welcome very much.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I must say as respectfully as I can that there are many catalogues of disaster and inadequacy in the Government’s legislative framework, so we are not, unfortunately, able to address each of them given the time that remains before the end of the transition period.

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

Nevertheless, I welcome the Opposition’s decision not to vote against the SI.

I agree with a number of the points raised by the hon. Lady. She is right that particularly in the past few months, when, sadly, so many people have been forced to remain at home, the internet generally, but VSPs in particular have become a much greater feature of people’s lives. I have been known to watch and even go along with Mr Wicks, although that may be hard for some to believe, but I have done so, as have many in this country. Educational provision online, as well as entertainment, have been really important in getting us through this.

The hon. Lady is right that although VSPs and the internet generally offer a lot of benefit, there are harmful aspects, which the Government are keen to address. We share her concern about the rising reports of the number of incidents of child abuse online, and we are determined to tackle that. She will be aware that the Secretary of State recently had a meeting with the big platforms to discuss how to address the problem of anti-vaccine misinformation. I am pleased that the platforms have agreed to take action to ensure that nobody can profit from such material, and to remove it as quickly as possible.

Things are going on, but this particular set of regulations is, as the hon. Lady knows, required under the terms of the withdrawal Act, because the regulations were introduced during the transition period, and therefore we are required to put them into UK law. We believe that they are important in that they ensure that Ofcom has full responsibility for regulating VSPs. She is right that the regulations do not go far enough, and that there are certain deficiencies. She specifically highlighted the issue of jurisdiction. Because the regulations are derived from a new directive it is not surprising that the force of that directive is to impose EU regulations. Ofcom, as currently the regulator within scope of the regulations, regulates those platforms that are established in the UK, and those platforms that are established elsewhere in the EU are regulated by the relevant country regulator there.

The hon. Lady mentioned in particular TikTok. It is an interesting one because it is established in China, but it does have a presence in quite a number of EU countries. At the moment, it is not yet been determined which country should have responsibility for the EU regulation of TikTok, but undoubtedly one of the member states will have that role.

The hon. Lady spoke about how the regulations do not take back control and how we are still subject to EU regulation. At the end of the transition period, we will no longer be bound by the decisions of regulators elsewhere in Europe. At the moment we recognise that in each case the EU regulates the platforms or providers in a particular country, and we trust it to do that. That will not be the case after the transition period comes to an end, and we will be introducing further legislation, as the hon. Lady said. Under that legislation, Ofcom will have responsibility for the regulation of all those providing services into the UK. That will go further than the scope of the existing AVMS regulations. To that extent, the regulations we are debating are a stopgap. They are intended to ensure that the European standard of regulation continues to apply after the end of the transition period, but we intend to go further and to ensure that any platforms that are providing content to UK consumers come within the scope the UK regulatory regime.

That will be achieved through the online harms Bill. The hon. Lady has drawn attention to the fact that that legislation is some time in the coming, and she is right to that extent. I would simply say that it is absolutely essential that we get it right. She pointed out that this is an area where technology is developing very fast, and we need to ensure that legislation is forward-looking and can take account of future developments. It is vital that we put in place a regulatory regime that protects vulnerable people, young people particularly, from illegal and harmful content. At the same time, we want to be very conscious not to inhibit the growth of technology companies and innovation in the digital sector, which the Government are keen to encourage. Equally, we need to safeguard freedom of speech, freedom of expression and to provide proper safeguards to ensure that professional journalistic content is not caught up in the regulatory regime.

The Government are determined to meet those objectives. It is still the case that the Government will be publishing a response to the consultation paper very shortly, and that we will be introducing draft legislation next year. The hon. Lady referred to the need to consult, and I can promise her that we are already consulting widely, and will continue to do so. I have regular discussions with all the various stakeholders, as does my colleague the Minister for Digital and Culture. Consumer groups will certainly have the opportunity to make their voice known.

Although I recognise the hon. Lady’s unhappiness that this SI is a mere EU regulation that does not go as far as she would like and, indeed, as we would like, I can reassure that we will be bringing forward UK legislation to establish a pioneering UK regime very shortly. On that basis, I invite the Committee to approve the regulations.

Question put and agreed to.

Draft Communications Act (e-Commerce) (EU Exit) Regulations 2020

Debate between John Whittingdale and Chi Onwurah
Tuesday 20th October 2020

(3 years, 5 months ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I am most grateful to the hon. Lady. It is always slightly alarming for a Minister to discover that the Opposition spokesperson is actually highly qualified on the subject being discussed—[Laughter.] She raises a number of very valid points.

First, I agree with the hon. Lady and welcome her recognition that premium rate services are not always malicious or designed to con people out of their money. They actually perform valuable services. They contribute a substantial amount to the economy and, as she said, they play an extremely important role in raising money for charity, which we are very keen to support.

Like the hon. Lady, I am of course aware of the dark side of premium rate phone messaging. While she was adjudicating on the “Richard and Judy” case, when she was at Ofcom, I recall that I was chairing the Culture, Media and Sport Select Committee in this House, where we summoned ITV to account for some of its practices, which was making it a lot of money in ways that I think most people thought were not entirely appropriate, and indeed resulted in ITV being fined a considerable sum.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I do not mean to dwell on “Richard and Judy” for too long in this Committee. To clarify, because of the way in which the regulatory regime was set up, I did not actually adjudicate on it, but we did develop the recommendations that led to stronger regulation of premium rates.

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I congratulate the hon. Lady on her efforts at that time. She is right that this area obviously continues to evolve, and it is important that we maintain appropriate regulation and keep it up to date. I can tell her that the Phone-paid Services Authority is currently reviewing the code to strengthen standards across the market. It tends to try to prevent harm before it occurs. It actually issued a consultation document in February and is now drafting a revised code, which we expect shortly.

I said that we expect little or no immediate change for most businesses in this country. The hon. Lady raised the impact on business. I should of course make clear that this statutory instrument does not actually have any bearing on UK businesses; UK businesses will be outside the scope of the country of origin principle as a result of our leaving the European Union transition period at the end of December. The SI is creating the level playing field so that EEA-based businesses come within the scope of UK regulation, which they would not otherwise do unless we brought in these changes.

The hon. Lady asked what evidence we have on the impact on business. It is quite difficult. We have calculated that something like 75,000 businesses are potentially in the scope of the regulations, but for the vast majority of those, the difference will be relatively minor. They are already compliant with UK regulation, and UK regulation is in most cases is similar, if not identical, to that pertaining in other EU member states. The one piece of evidence we had was the Phone-paid Services Authority’s estimation of the number of derogation requests it gets each year from other EU member states, which is just a handful each year, indicating the small number of cases in which the regulations in another EEA member state are different from those that apply in the UK. On that basis, we are relatively confident that the number of companies that will have to make changes is relatively small.

We have sought to communicate. We have been engaging with sectors for at least the last six months, to alert them to this change when it comes. The Cabinet Office is conducting a communications campaign. Of course, in this case, this is not dependent on whether the UK obtains a comprehensive free trade agreement with the European Union, since we do not actually wish to maintain the country of origin principle. At the end of the transition period, it will no longer apply, whether or not negotiations on a comprehensive agreement achieve a successful outcome.

We have not published an impact assessment for the reasons I say—it is difficult to assess in detail how these changes will work—but on the evidence I suggested, we are confident that the number of affected businesses will be small, not substantial. However, it will be the responsibility of businesses in the future, if they wish to operate in another EEA member state, to ensure that they are compliant with the regulations that apply there.

Finally, the hon. Lady raised the online harms legislation which, while a little way removed from the subject we are debating, is nevertheless a matter of great importance. I can tell her—she will have heard this before, but I say it with absolute confidence—that we will publish the Government’s full response to the White Paper consultation very shortly. It is almost in a state where it is ready for publication, and it is still our intention to introduce legislation to enact it early next year. We absolutely share her view that the matter is extremely important. We are determined to make the UK the safest place in which to conduct online activities and to do as much as possible to protect our children, and also to ensure that our regulatory framework is up to date and encourages innovation and growth, while at the same time installing the necessary safeguards.

I am grateful to the hon. Lady for indicating that the Opposition will not oppose the regulations, so I invite the Committee to approve them.

Question put and agreed to.

Britain in the World

Debate between John Whittingdale and Chi Onwurah
Monday 13th January 2020

(4 years, 2 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I am grateful to my hon. Friend, because he brings me on to the issue that I wanted to raise—

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

But before doing so I will give way to the hon. Lady.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

The right hon. Gentleman is being generous. I fear that the hon. Member for Isle of Wight (Bob Seely) is confusing gravity with geography. Of course, it is entirely possible to trade with nations around the world, but the issue in today’s integrated supply chains is the speed with which parts can be delivered into advanced automated manufacturing. Is the right hon. Gentleman arguing that it is equally quick and efficient to get a part from Chicago as it is to get it from Munich, for example?

John Whittingdale Portrait Mr Whittingdale
- Hansard - -

I understand the hon. Lady’s argument, but this is not a binary choice. I want us to have a strong trading agreement with the European Union, and I am confident that we will obtain that under this Government, but that does not exclude us from also having much stronger trading relationships with other countries around the world.