The Committee consisted of the following Members:
Chair: James Gray
† Burden, Richard (Birmingham, Northfield) (Lab)
† Burghart, Alex (Brentwood and Ongar) (Con)
Coffey, Ann (Stockport) (Lab)
† Davies, Mims (Eastleigh) (Con)
† Elliott, Julie (Sunderland Central) (Lab)
† Fletcher, Colleen (Coventry North East) (Lab)
† Gyimah, Mr Sam (Minister for Universities, Science, Research and Innovation)
† Hoare, Simon (North Dorset) (Con)
† Letwin, Sir Oliver (West Dorset) (Con)
† Marsden, Gordon (Blackpool South) (Lab)
† Masterton, Paul (East Renfrewshire) (Con)
Platt, Jo (Leigh) (Lab/Co-op)
† Rowley, Lee (North East Derbyshire) (Con)
† Smith, Owen (Pontypridd) (Lab)
† Syms, Sir Robert (Poole) (Con)
† Wilson, Phil (Sedgefield) (Lab)
† Wragg, Mr William (Hazel Grove) (Con)
Jack Dent, Committee Clerk
† attended the Committee
First Delegated Legislation Committee
Monday 2 July 2018
[James Gray in the Chair]
Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018
Contrary to my normal practice—I am a small “c” conservative about this—I will reluctantly allow gentlemen to remove their jackets, if they wish.
I beg to move,
That the Committee has considered the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (S.I. 2018, No. 607).
It is a great pleasure to serve under your chairmanship, Mr Gray. Thank you for your radical innovation, although I will keep my jacket on out of respect for the Chair.
I welcome the opportunity for the Committee finally to discuss the regulations, because, as may be apparent in what I say, they have caused considerable concern in respect of student protections and in particular the way in which they rather blithely appear to allow the sharing of private data, particularly with private companies. That is not easily explained by the so-called explanatory memorandum, although I await enlightenment from the Minister, and the purposes for which the data may be used remain rather open and vague.
Last autumn, the then Minister for Digital and the Creative Industries, who is now the Secretary of State for Digital, Culture, Media and Sport, spoke about the importance of giving the public more control over their data under new UK data protection laws, with the introduction of the Data Protection Bill. However, the lack of transparency in the regulations does not indicate that that was even considered, at least in spirit, by the Department for Education, or indeed the Universities Minister, who is here to respond.
Just weeks after the Government made a fanfare about the new Data Protection Act 2018, which was supposed to give people more control over their data and how it is used, they are passing regulations into law that could ride roughshod over students’ data rights. The regulations were to have been rushed through Parliament in three weeks—including the Whitsun recess—under the negative procedure. In fact, this statutory instrument came into effect without scrutiny, which is not uncommon in this House, but on the whole ought to be avoided, particularly in such sensitive areas. Only when the Opposition tabled an early-day motion to pray against the regulations and the shadow Leader of the House, my hon. Friend the Member for Walsall South (Valerie Vaz) raised the matter at business questions did we finally get this debate.
It is disappointing that the Government tried to force the regulations through using the negative procedure, because as paragraph 7.1 of the explanatory memorandum confirms:
“The enabling legislation for HEFCE did not restrict cooperation or information sharing in the same way as the Act does for the OfS.”
Given that the Office for Students will operate a very different structure from the Higher Education Funding Council for England, why did we not have an automatic right to debate the regulations?
On 13 October 2016, at the 12th sitting of the Higher Education and Research Bill Committee, my hon. Friend the Member for City of Durham (Dr Blackman-Woods) and I raised significant concerns about how students’ personal data might be handled under the new structures. In discussing what at the time were clauses 71 and 72, I said:
“these clauses would give the state access to all university applicants’ full data in perpetuity, for users who would only be defined as ‘researchers’ and without ‘research’ being defined at all; that might be capable of being changed under the direction of the Secretary of State. Therefore”—
this is the generic point that I wish to address in the context of the regulations—
“there are significant concerns that the safeguards need to be stronger to ensure that the clauses are not misused by others and that scope changes are not made in the future.”
I went on to say that, under those proposals,
“there is a possibility that the entire nation’s education data from the age of two to 19 could be joined to university data, which of course is then joined to Her Majesty’s Revenue and Customs”,
and so on.—[Official Report, Higher Education and Research Public Bill Committee, 13 October 2016; c. 455.]
I also said during that sitting that this is a complex and difficult area, but if there are genuine, legitimate concerns, the precautionary principle should generally apply. I still hold to that principle. However, the Government are underpinning the regulations without that automatic assessment. They are passing the regulations seemingly without doing a data protection impact assessment or a human rights assessment, which would have considered privacy. Will the Minister confirm that the regulations will go through a privacy impact assessment and an assessment of their impact on human rights, and if not, why not?
Our questions over the regulations are particularly important in the current climate, in which the public have high concerns around personal data exploitation by large companies and publicly produced assets being passed into commercial hands. The lack of limitation in the type of data that may be shared under the regulations runs contrary to what 37,000 students told a UCAS survey in 2015. Applicants’ responses showed an overwhelming preference for remaining in direct control of their personal data, with 90% agreeing—more than 20 times the number who disagreed—that they should be asked in some shape or form before their personal data was provided. That number is likely to have increased in the time since the survey, given that concerns about data sharing have been spread more widely across the mainstream media. It is therefore no wonder that the vice-president of higher education at the National Union of Students, Amatey Doku, has expressed his concern that
“a decision for OfS to share students’ data with third parties was being snuck through parliament.”
We now have the opportunity to look at what is actually being said. In that context, part 5 of the Digital Economy Act 2017 removed horizontal data-sharing safeguards between Government Departments or bodies, meaning that, once students’ data has been provided, via the course provider, to Pearson or the OFS—both are named in the regulations—that data may be shared with any number of other bodies. How is a student or staff member supposed to be able to understand where their personal data has been processed? Under the general data protection regulation and the new Data Protection Act 2018, what is it within their rights to know? I would be grateful if the Minister could explain that relatively briefly and, if he cannot, perhaps he will write to members of the Committee.
It is to the Minister’s credit that he has made a great play of being the Minister for students since he came into post. He went on a listening tour of universities—
I apologise. I look forward to further details of the Minister’s travels through the summer and into the autumn. However, the point is well made. The Minister has been on that listening tour and has said that he wants to engage with students about all their concerns, yet he has failed to engage with one of their concerns—student data protection, as I have just described —when arguably the effect of the regulations will be to leave that data open to exploitation. The Committee needs proper and clear assurances on that.
In view of those concerns, I tabled a series of written questions on the implications of the regulations last week, even before the Committee had been scheduled. The Minister replied that section 63 of the Higher Education and Research Act 2017, to which the regulations refer,
“does not place limitations on the type of information that may be provided, and therefore it could include personal data.”
That is extremely concerning and has the potential to be misused. The response went on to say:
“These regulations allow data sharing, they do not oblige it. In practice, the OfS considers that it is unlikely that personal data would routinely be shared with non-government bodies under these regulations. They are in place for circumstances where the OfS or the organisation has identified serious concerns (such as fraud or malpractice) by a provider or its students.”
The particular examples that were listed are reasonable, but frankly that is not enough to ensure that the general principle holds. It is not adequate to say, “As you were.” This is a new organisation that is still finding its feet and it is not operating to HEFCE criteria, as the explanatory memorandum explains and as the Minister’s predecessor, the hon. Member for Orpington (Joseph Johnson), was at pains to emphasise throughout the passage of the Bill. Safer and stronger safeguards are needed.
I was also disappointed at the answer the Minister gave to a further question I asked about whether his Department had consulted universities, student bodies or UCAS on the powers relating to confidential data that are conferred under the regulations. Despite my being quite specific in that question, the Minister and his civil servants—who presumably drafted the answer—failed to answer it. They responded:
“Policy officials have worked closely with colleagues in the Office for Students (OfS) to determine what historical, and new, information sharing requirements may be required to ensure the OfS can do its job well, including protecting the interest of students and taxpayers. Officials and Ministers have regular meetings and interactions with universities and student bodies, and work closely with UCAS.”
Observant members of the Committee will note that there is no causal relationship between that last sentence and the previous one. I hope my concerns are unjustified and that I am being ungenerous on this occasion, but will the Minister let me know if his Department specifically consulted UCAS or the NUS on the issues in the statutory instrument before passing it?
When the Minister was made aware—if, indeed, he was made aware—of the strong concerns and sentiments about student data, he could have instructed his officials to redraft the statutory instrument to list the specific types of information that may be shared with each organisation listed. What specific guarantees is he prepared to give now—or in writing to the Committee, if he wishes—to assuage the strong legitimate concerns about this process? Surely the processes and purposes should be explicit, necessary and proportionate, and should have regard to the capacity of the organisation. For example, Pearson is a provider of higher national certificate and higher national diploma exams. It should be specified why the weights and measures body will receive information and what information it may receive. The Student Loans Company and HMRC are also named in the schedule as relevant persons to receive this data. Similarly, it should be set out explicitly why that is a necessity. Can the Minister assure us that the data will be used for narrowly administrative purposes, or will it be available for other uses?
As the responses to my written questions also noted, the collaboration agreements have not yet been published. Will the Minister tell us when they are likely to be published? There seem to be no plans to publish the data-sharing agreements, as was confirmed in the answer to written question 156351. Why is that the case? The crux of the matter is that it should be fundamental to transparency that if there are no commercial consequences of the statutory instrument—as I understand officials have tried to reassure people—the Government do not have the usual excuse or option of praying in aid commercial confidentiality to conceal the agreement.
As the organisers of the lobby group DefendDigitalMe said prior to this Committee, data-sharing agreements made in secret with the Department for Education do not have a recent good track record. The data-sharing agreements that were made secret in July 2015 were discovered only by civil society campaigners, who had to fight for their release for six months. They revealed the monthly arrangement that still continues—the sharing of children’s names, home addresses, gender and dates of birth for the purposes of immigration enforcement and specifically to support the hostile environment. I say that not to imply that the regulations will be used in any shape or form for those purposes, but it demonstrates why there should be a low level of trust in how Departments use such personal data.
Despite the Information Commissioner having told the DFE that collecting governors’ nationality data, which began in 2016, was excessive, that it should respect the data protection principles of necessity and proportionality, and that it should end that collection, it continues to do so. I am obliged, therefore, to ask the Minister whether he or his Department has spoken to the Information Commissioner’s Office about the requirements for the regulator in respect of the types of data that may be shared through the regulations. If he has not, will he do so very soon so that the implications for all students can be known?
To preserve public and professional trust, the use of personal data from the sector must be transparent and safe, and alert to the future. We must prevent third-party prescribed persons from being exploited by mission creep by Government Departments, without any reference to safeguards. The powers in the information duties of section 64 of the 2017 Act permit the bodies to share data with the Government, and explicitly with the Secretary of State for Education. Will data be passed from Pearson, for example, to other Departments, and if so, which ones? What are the boundaries of the information? That should surely be set out in legislation. If the safeguards are not on a statutory footing, there is limited value in any assurance, whether from this Minister or any other Minister, that the use of potentially named records will not be changed at the whim of policy or by a future Government.
It is unclear whether what the Department is doing is necessary to create a new and very broad legal basis for the purposes of data sharing—compared with, say, a contract—or whether it is seeking to legitimise existing data-sharing practices around the denial of funding, which may previously have avoided scrutiny.
The other concern raised with us by DefendDigitalMe, a non-partisan data privacy and digital rights group led by parents and teachers, is that the track record in the US of Pearson, one of the organisations to which this information will be supplied, has included selling student data as part of company assets. Such data could be used in predictive tools to exclude certain students from certain UK institutions and courses, or unduly to influence applicants’ decision making and choices, based on Pearson’s corporate values and view of the world. That might not be a view that I or the Minister share, but it is a legitimate concern to raise.
People in third-party organisations and in the Government change and move on. What is left standing, however, is the legisation. How the information is used will depend not on what is said, but on what the legislation says. This knowledge could potentially give unprecedented commercial access to confidential student data, and with it knowledge of the potential access routes into education, course content, and completion and destination data. If that happens, it could constitute preferential treatment and give enormous commercial and competitive advantage over other companies. How will the Government prevent that in practice, having passed this statutory instrument, now and in the future? Why have other bodies not been afforded the same privilege?
Pearson has suggested that it will share personal data with the OFS when its stakeholders have identified red flags or serious concerns, such as fraud or malpractice by a provider or its students. That data sharing is from Pearson to the OFS. Why is a data-sharing agreement necessary and proportionate for that purpose?
I also have severe concerns about sharing data with the Student Loans Company, after its well-publicised problems in the past year. While I appreciate that there is a need for it in certain extreme circumstances where there is potential fraudulent activity, there are significant worries about its capability appropriately to handle this data. I think it is legitimate for us to raise continuing concerns about its capacity to handle further responsibility in the context of this statutory instrument.
The Minister will be well aware that the Student Loans Company has recently been subjected to a scathing report by the National Audit Office on its organisational and management failings. As far as I am aware, the Student Loans Company, despite the allegations about the management and leadership of the previous chief executive, whose contract was terminated, still does not have a permanent chief executive. Will the Minister update us on the recruitment process?
The lack of proper co-operation between the SLC and HMRC has also led to significant overpayments of debts by students. That is part of an ongoing trend in which the amount being overpaid by graduates increases year on year. The Student Loans Company also left a number of student nurses in a difficult financial situation earlier this year. I make all these points, Mr Gray, because they reflect strongly on whether the safeguards in the statutory instrument are appropriate to all the various organisations. What guarantees can the Minister give the Committee about this process?
We do not intend to oppose the regulations, because we understand that there are aspects of them that simply cannot be brought to a halt, but we have grave misgivings about the way in which they have been presented and the rather cavalier way in which assurances have been given. We look to the Minister to come back with significant assurances, either today or subsequently. My final question to him is whether there is any proposal to review the effectiveness or otherwise of the regulations. I would have preferred it if there had been a sunset clause in the regulations, but we do not have the ability to insert one.
It is a pleasure to serve under your chairmanship, Mr Gray, and to avail myself of your dispensation to take off my jacket. I welcome the opportunity to discuss these regulations and the important issue of how and why the OFS may share information with other organisations. I note the concerns that have been raised, but I hope to reassure hon. Members as I go through my speech.
First, I will set out why these regulations are needed and how they will benefit students and taxpayers. The regulations will allow the OFS to do its job well. They replicate, and in some cases improve on, the arrangements that HEFCE and the Office for Fair Access had in place. In fact, the Higher Education and Research Act 2017 and these regulations provide greater protection, with more scrutiny, control and transparency over information sharing than before, as the enabling legislation for HEFCE and OFFA did not place controls on co-operation and information sharing in the same way that HERA does for the OFS.
These regulations are firmly in the students’ interest. They enable information to be shared in order to allow the OFS to prevent potential wrongdoing, address quality concerns and deal appropriately with concerns about the management and governance of higher education providers. They also allow the OFS to address concerns about students’ experiences of higher education. I am sure hon. Members will agree that those are all important things for the OFS to do—things it would not be able to do properly if these regulations were not put in place. I am sure they will also agree that the OFS should be able to look into suspected fraud. These regulations enable it to do so by sharing information with the Student Loans Company. I am also sure everyone will agree that the OFS should be able to engage appropriately on concerns about the treatment of students, for example by alerting the Office of the Independent Adjudicator to systemic issues, to inform its work dealing with individual complaints. I could continue with that list.
These regulations allow the right bodies to address the right issues. For example, they allow HMRC to investigate suspicions of inappropriate tax exemption claims, the Competition and Markets Authority to examine issues relating to competition law, and the Charity Commission to respond to potential breaches of charity law. They also enable the OFS to work with other bodies to improve data quality and to promote co-operation and collaborative working practices, all of which will ultimately improve the running and functioning of the higher education sector in the interest of students.
It is important to note that the regulations do not oblige the OFS to share information. It has been said today, and has recently been assumed in the media, that the regulations will somehow open the floodgates to the immediate sharing of large quantities of personal data. However, I emphasise that the regulations do not oblige the OFS to share any information or to co-operate with any of the bodies named in the regulations; they simply make doing so possible, where appropriate. It will be for the OFS, or the Secretary of State in some cases, to decide when to do so. Such decisions must be made in the context of the general duties and functions of the OFS, as set out in primary legislation.
Furthermore, although the information shared could be at provider, course or student level, in practice it will usually be at provider or course level. Any data would be shared only in particular circumstances—where there was a particular concern and for a particular purpose—and with strong protections in place. In fact, privacy was a key theme of the speech made by the hon. Member for Blackpool South, as was how the OFS will ensure that data is used for its intended purpose. These are clearly important considerations, and I reassure Members that there will be strong protections in place regarding data sharing. For example, any information sharing will be subject to strict data protection laws governing its use.
In fact, the primary legislation makes it absolutely clear that data protection laws must be complied with when sharing any personal data. The regulations do nothing to undermine the requirements of the new general data protection regulation, with which the OFS and the bodies it co-operates with will be required to comply. The OFS will publish online its collaboration agreements with other bodies, and will state where data-sharing agreements are in place.
The OFS might need to share information with another body as part of a joint investigation. In such cases, the OFS will also create a bespoke data-sharing agreement that will state what data will be shared—about whom and for what purpose—and how it will be processed and kept secure. The OFS will only ever share data with precisely those who need to see it, and will only ever share with them precisely what they need to see to resolve a particular issue. In addition, the OFS will always consider whether a data privacy impact assessment is needed, and will carry one out where appropriate before any information sharing that could impact on personal privacy.
The sharing of personal data with private companies has been mentioned. For clarity, the only for-profit company specified in the regulations is Pearson, which is included because it awards HND and HNC qualifications and for no other reason. I reassure the Committee that the OFS will only share information with Pearson if it had concerns about a provider of HNDs and HNCs. The OFS will not share information with Pearson for any other reason, and it will certainly not share personal data with Pearson for Pearson’s profit. As I have already mentioned, any such data sharing will be underpinned by a bespoke, GDPR-compliant data-sharing agreement, to ensure that the data is used for its intended purposes. The OFS will take very seriously its responsibility to protect data privacy.
Several other questions have been asked, notably on the progress of recruiting a new chief executive of the Student Loans Company. The recruitment process for a permanent chief executive officer is almost complete, with an announcement expected in the coming weeks. On communicating with the Information Commissioner about the types of data that will be shared, it will be for the OFS—when it is clear what types of data might be shared—to comply with its duties under GDPR, which may involve conversations with the Information Commissioner as appropriate.
We are all concerned about transparency. As I have said, the regulations provide greater scrutiny, control and transparency than previously. It is good practice under GDPR that when personal data is shared, the OFS will go through everything—from the nature, scope, context and purpose of the sharing, to any risk and the mitigation of those factors. That will be done.
On students’ right to know, the OFS will tell them before it shares data, where appropriate. It may not do so when concerns regard an investigation of wrongdoing, as that may jeopardise that investigation. It is, however, much more likely that data shared will be at provider or course level. No specific contact was made with UCAS and the NUS, but the OFS regulatory framework consultation asked the sector for views on the principles of how the OFS engages with other bodies, and officials and Ministers—including me—have regular meetings and interactions with both bodies.
I hope the Committee will be reassured by those points. I welcome the continued interest in scrutiny of our higher education reforms and policy. This debate has focused on the regulations and raised important issues regarding what, when, why and how the OFS shares data with others. I hope I have reassured the Committee that that will be done carefully, with strong privacy protections in place, and that data will be used only for its intended purposes.
The regulations are essential to allow the OFS to do its job well, in the interests of students. They will ensure that it can work appropriately with others to address any concerns about quality, student experience and the management and governance of our higher education system. I hope, therefore, that the Committee agrees that the regulations are ultimately to the benefit of students and our university system as a whole.
I thank the Minister for giving those details and the courteous way in which he addressed my concerns. He says, perfectly reasonably, that the regulations will allow the OFS to do its job well and to give firmer, greater protections. The Opposition would not argue with that in any shape or form. However, the devil is in the detail and there is still a question mark over how effective the OFS will be in progressing these matters. Only time will tell. To say that the OFS is “not obliged” to share leaves a very grey area. After all, on the whole, legislation is supposed to be based on the principle of what might go wrong, rather than that of what might go right, and it should at least give clear, strong safeguards. There is some way to go in that respect.
It was good to hear the Minister’s assurance that information sharing will be subject to data protection laws and, indeed, the general data protection agreements with which we have all been grappling in recent weeks. They came into effect in May, whereas the Act to which the statutory instrument applies was set in place 18 months ago or more, so it remains perfectly legitimate to scrutinise the extent to which that Act is consonant with those provisions.
I hope that the Minister’s comments about HND and HNC qualifications with Pearson will be of some comfort to those concerned. He said there has been no specific contact with the OFS and UCAS, which I still think is an omission. He also said that it is for the OFS to discuss such matters with the Information Commissioner as and when it embarks on the process, but that would be a little late in the day. Given the importance of the issue and the way in which it will develop, not least with the expansion of the digital transmission of data, I would have thought it important that his departmental officials should, at least at some point, have had conversations with the Information Commissioner. I may take that up separately with the Information Commissioner.
I still believe that the privacy impact assessment should have assessed human rights and that the issue will require considerable scrutiny. Of course, that will have to be applied by other Committees of the House, not this one. With those words, I confirm that we will not oppose the measure.
Question put and agreed to.
That the Committee has considered the Higher Education and Research Act 2017 (Cooperation and Information Sharing) Regulations 2018 (S.I. 2018, No. 607).