Information Sharing Code of Practice: Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017
Research Code of Practice and Draft Accreditation Criteria
Data Sharing Code of Practice: Code of practice for civil registration officials disclosing information under section 19AA of the Registration Service Act 1953
Statistics Statement of Principles and Draft Code of Practice on changes to data systems
Motions to Approve
That the draft Regulations and Codes of Practice laid before the House on 17 and 21 May be approved.
Relevant documents: 32nd Report from the Secondary Legislation Scrutiny Committee
My Lords, the purpose of these draft regulations is to allow information sharing between specified bodies for specific purposes. They also seek to make an amendment to the Digital Economy Act 2017. In addition, six codes of practice and one statement of principles associated with Chapters 1 to 5 and 7 of Part 5 of the Digital Economy Act 2017 have been consolidated into four instruments, to be approved by a resolution of each House.
Turning first to the draft regulations, the public service delivery power supports the improvement or targeting of public services. The powers are designed to give public services the information needed to provide early intervention or, where possible, prevent the problems that reduce people’s life chances. In order to exercise the public service delivery power, government must set specific purposes for data sharing via regulations. Those purposes must meet specific criteria defined in the primary legislation. These draft regulations seek to establish four specific objectives for data sharing under the public service delivery power to address “multiple disadvantages”, including fuel poverty and water poverty, and to provide targeted assistance in retuning televisions following spectrum changes.
We have worked closely with colleagues across the UK Government and the devolved Administrations to ensure that these powers have a UK-wide reach. However, due to the absence of a functioning Assembly in Northern Ireland, the data-sharing powers in relation to fraud, debt and public service delivery have not been commenced to cover Northern Ireland at this time.
I am sure that noble Lords will agree that the Government have a clear duty to support the citizens we serve and to ensure that the most vulnerable in society get the help they need. The formulation of each of the public service delivery objectives has been guided by this principle. Data sharing is a vital and effective way of identifying individuals and households experiencing problems which reduce their life chances.
I shall set out some details of the objectives in the regulations. The first concerns multiple disadvantages. The regulations would allow for data sharing between specified public authorities to help identify individuals or households which face two or more disadvantages. By disadvantages, I mean factors which, in combination with each other, limit the life chances of individuals or households—for example, by affecting people’s health or emotional well-being, or their social and economic chances. The objective was initially developed to support the troubled families programme, which supports the identification of families across England, but it is also intended to be available for similar programmes across the UK.
The second objective relates to television retuning. In order to meet the increasing demand for mobile data, the Government have agreed to fund up to £600 million so that the 700 megahertz band, which is currently used for digital terrestrial television, can be allocated for mobile broadband. As a result of the clearing of the band, approximately 150,000 households may need either to replace or realign their aerial to continue receiving all available channels. These powers will help identify those who are on certain benefits and require further support to ensure that they continue to receive digital terrestrial television services.
Thirdly, the fuel poverty objective will provide a gateway for specified public bodies to share information between themselves to help them identify households living in fuel poverty and ensure that those households get the support they need. It will also enable specified public bodies to flag those who are eligible to energy suppliers. The aim is to enable more vulnerable households and families to receive automatic rebates in the same way as over 1 million pensioners do through the warm home discount scheme. However, these rebates can take place only if the state can inform energy suppliers which of their customers should receive them.
The fourth objective concerns water poverty. Similarly, this would allow the sharing of information between public authorities to help identify those who might be living in water poverty and help ensure that they receive the support they need. The information could be shared by public authorities with water and sewerage companies to help them better target their support schemes, such as social tariffs, as allowed by powers in the Digital Economy Act.
Secondly, I turn to the amendment to the Digital Economy Act 2017. The Act specifies the conditions for disclosure of information to energy suppliers. One condition is that information disclosed under these powers must be used by the recipient in connection with a specified support scheme. The amendment seeks to enable information to be shared to identify vulnerable customers at risk of fuel poverty for coverage by price protection—a safeguard tariff. Five million vulnerable households are already protected by a safeguard tariff and we are keen to ensure that the delivery of such protections is assisted by the ability of suppliers to match customer data with the data held by government, as appropriate.
Those are the details of the regulations. The codes of practice provide details to practitioners on how information-sharing powers under the Digital Economy Act 2017 must be operated. The four instruments which have been laid before Parliament are: the Information sharing code of practice: public service delivery, debt and fraud; the Civil Registration Data Sharing Code of Practice; the Research Code of Practice and Accreditation Criteria; and the Statistics Statement of Principles and Code of Practice on changes to data systems.
All public authorities and other participants using the information-sharing powers in Part 5 of the Digital Economy Act must have regard to the relevant code before any information is shared. Failure to have regard to the relevant code might result in a public authority or organisation losing the ability to disclose, receive and use information under the powers of the Digital Economy Act 2017. The codes also explain the criminal sanctions for unlawfully disclosing personal information under the Act.
We worked with other government departments, the devolved Administrations and the Information Commissioner’s Office, as well as civil society groups with privacy interest, in developing the codes. All five instruments were subject to a six-week public consultation in the autumn of 2017 ahead of their being laid in May this year. They were also made available in draft form to parliamentarians to consider during the Committee stage of the Digital Economy Bill in November 2016. These efforts helped to ensure that the right balance was struck between supporting practitioners to ensure that they are able to make use of the powers, and building in safeguards to protect individuals’ privacy and prevent the unlawful disclosure of data. I commend these regulations and codes of practice to the House, and I beg to move.
My Lords, I start with an apology. Because of the way in which these items of business have been scheduled—or perhaps I should say not scheduled—I might have to leave before I hear the Minister’s response. He is aware of that and I am very grateful for his indulgence in that respect, which will make me feel even guiltier when he hears what I have to say.
I am indebted to medConfidential for many of the points I shall make and to the noble Lord, Lord Freyberg, who takes a keen interest in these matters but cannot be present today.
The essence of what I have to say is that these regulations and codes should be withdrawn. In summary, earlier this month the Secondary Legislation Scrutiny Committee published a report on these draft regulations made under Part 5 of Chapter 1 of the Digital Economy Act, as the Minister explained. The DCMS offered assurances that the codes of practice were consistent with each other and drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice. However, subsequently it replaced the standards with a new set under a different name—the data ethics framework—so the codes as laid do not reflect current DCMS guidance. In our view, this invalidates the whole of our debate.
I will go through the details. The Secondary Legislation Scrutiny Committee drew the digital government regulations to the special attention of the House. The DCMS told the committee that the codes were to,
“the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
That is at paragraph 9 of the committee’s report. As the SLSC says:
“In their response, DCMS have also offered assurances that these codes of practice are consistent with each other and have been drafted to be compliant with the new Data Protection Act 2018 and the latest standards of best practice for information sharing, including the ‘Data Science Ethical Framework’”.
The committee’s report was finalised on a Tuesday and printed the following Thursday. On the Wednesday, the DCMS replaced the “latest” standards with a new set under a different name, the data ethics framework. Quite apart from the concerns raised by the committee, when the DCMS gave its response to the committee it surely must have known that a new framework was due the following day to replace the one to which it referred, and that its assurances would therefore be untrue even before they were printed.
The current codes reference the Data Science Ethical Framework, which predates the Data Protection Act and the GDPR. By that fact alone, these DCMS codes cannot be approved. They are, by definition, out of date following legislation on which the DCMS and the Minister himself led.
As the Minister described, a number of groups were consulted on the draft codes in the middle of last year, and while there is consensus from all sides that the codes are improved as a result of that constructive engagement, those consultations were before the Government surprised everyone with the proposal for a “framework for data processing by government” in the Data Protection Act—before the guidance changes due to the GDPR had fully begun, before the Government announced that the Data Science Ethical Framework was in need of replacement, and certainly before the DCMS launched the replacement with a new name last week. The department assured Parliament that,
“these codes of practice are consistent with each other”,
but it cannot assert they will be compliant with other codes, as yet unlaid and unwritten by the Information Commissioner. What the Information Commissioner does should be up to the Information Commissioner. She should not have her hands tied by her sponsor department.
It is particularly important that these codes and the regulations are withdrawn given that the first issuance of the codes is under the affirmative procedure for approval of the House and future updates will be under the negative procedure.
I have a few other questions. Where is the framework for data processing by government included at the last minute by Ministers in Committee on the Data Protection Bill? There is still no clarity as to what the Government plan to do with it, only that it is not the Data Science Ethical Framework nor the data ethics framework. It is, however, yet another government data framework that must be taken into account. The passage of the Data Protection Act 2018 necessitates updates to many ICO codes. Late in the day, the DCMS chose to introduce its new framework for data processing by government, which surely must be the governing instrument for these codes, but, as I said earlier, it has provided no clarity on how this will operate.
The department seems to be offering nothing other than assurances of compliance when one looks through the codes. It talks of consultation with the ICO. Has the ICO confirmed publicly that these codes are compliant with the GDPR, the new Data Protection Act and the ICO guidance?
According to recent announcements from University College London Hospitals NHS Foundation Trust, it is conducting artificial intelligence trials internally for issues of direct benefit to it. This shows not only that the NHS is beginning to understand the power of data and digital tools, but that this can be done in-house for public benefit and that there are viable alternatives to handing data to and sharing data with multinational companies. What are the Government doing more broadly across the NHS to ensure that there is full recognition across the NHS?
The Digital Economy Act affords the Secretary of State considerable powers to make use of publicly controlled data, which is of considerable concern in some quarters. The key concern is the scope for different departments to share and then link datasets, such as sharing health data from the Department of Health and Social Care with the Home Office to identify illegal immigrants, as stated in recent headlines. What is the scope and/or limitation for the Secretary of State to share publicly controlled data with private entities? Is this likely to inform the introduction of so-called “data trusts”?
Then, of course, there is the question of whether any of the codes is fit for the future in terms of technology. In particular, what are the duties of transparency and explainability where datasets are used to construct artificial intelligence solutions, algorithms and the like for government purposes? What consultation was engaged in this respect? There appears to be no reference in any of the codes to this. Should we not wait for the data ethics and innovation centre to give its guidance on these matters involving the Government and their deployment of artificial intelligence?
In the light of the above, it is clear that neither these regulations nor the codes are fit for purpose. Will the Government withdraw them before placing replacement codes before the House? Will the Minister confirm that the codes will be compliant with any yet-to-be-written Information Commissioner codes? Will they be confirmed as such by the Information Commissioner? Sadly, I will not hear the Minister’s reply but I very much hope that it is a full one.
My Lords, far be it from me to get the Minister off that hook. It is always humbling to be in the presence of those who have seen the heat of the day and borne the burdens of bringing some complicated pieces of legislation on to our statute book. Perhaps we can all breathe a sigh of relief as we notice the noble Lord, Lord Clement-Jones, depart from his place.
I will restrict my remarks, since I was not in possession of the briefing that the noble Lord had, to the observations I made on the simple basis of reading these papers. It was a jolly weekend and some good bedtime reading—150 pages on a very complicated matter—but as far as the regulations themselves are concerned, it seemed mildly reassuring that multiple disadvantages, such as television retuning, fuel poverty and water poverty, were all to be held in view with a view to ensuring that people who might suffer in these areas had their suffering minimised as far as possible. One million vulnerable energy consumers might qualify for help. From this side of the House, we cannot particularly grumble at that.
The thing that worried me was that, since these are the first tinkerings with or things that ensue from last year’s Digital Economy Act, it is incumbent on us to ensure we monitor very carefully the direction of travel as the Act lives its life and is implemented. For that reason, I find myself again and again wondering whether—while, yes, three years down the line it all has to be embedded and to work itself out—we should not promise ourselves a bit more micromanagement than that as things go along.
I liked the way that liaison with devolved bodies—to ensure that a UK-wide measure is implemented in Wales and Scotland in a way consistent with legal provision—was set out because, with another hat on, when we were arguing the devolution clauses in the EU withdrawal Bill we talked all the time about frameworks within which UK-wide pieces of action would have to be worked out in consultation with, and with consent from, the various interested parties. Here is a lived example, I thought, of how that might work.
I worried about how on earth we would keep together pieces of action that would see nine departments of state share information across their boundaries, as well as the Revenue and 32 local and regional bodies, as we considered how best legitimately to allow these bodies to share information. What kind of computer system do we have in place? We have had such a string of unfortunate experiences of supportive technology for mountainous pieces of government activity going wrong that I just look at this and am glad that it is not me operating it.
Transparency is spoken of again and again from the point of view of citizens, so that they can,
“easily understand what … is being shared and why”.
Let it be said that such a noble objective is to be welcomed. The document further states that we must,
“help make the digital delivery of government services more efficient and effective”—
more efficient, effective, easily understood, transparent and all the rest of it.
In a Question earlier today, we talked about just this whole business of Explanatory Notes being understandable—it is what it says on the tin: “explanatory” should mean explanatory; it should explain things. In this area of digital technology and the sharing of information, data and so on, we can see just how things might go awry, so we need to keep a lid on that one, too.
Reference is made to “robust safeguards”, “secure” transfer, “information-sharing pilots” and so on. All the safeguards are mentioned. I do not have the same reservations as the noble Lord, Lord Clement-Jones; I did not base my scrutiny of these documents on the same evidence as him. On that basis, and with those precautionary words, the regulation passed my scrutiny.
Then I came to the codes. It is always lovely to have the noble Lord, Lord Clement-Jones, here because he will do what I cannot—and it is just nice to know that he is there. We have four codes of practice. I set myself the task of looking at them from two points of view. Once upon a time, I used to mark undergraduate essays and held as two important criteria the structure of the essay and the content. On all those grounds, apart from an exception that I shall talk about in a moment, these codes—since they are aimed at their users—seem admirably succinct and comprehensible.
I also looked at them from the point of view of someone who for 20 years before coming into this position ran what I can only call a small business—£1 million turnover, 10 to 12 staff and 100 volunteers. It was a small business; it was a church. I think of how I started that 20-year period, with a desk reasonably clear and a diary reasonably empty to be able to address the pastoral needs of a group of people, to represent them in the community at large and to go about doing good. Twenty years later, my desk was heaving with regulatory material from one direction or another and, frankly, I was glad to get out at that point. It was astonishing. We had to outsource the work of a compliance officer, because we could not afford to employ one, just to keep up to date with all the things that we were expected to do. So we should bear in mind that some of these things will ask an awful lot of people whose desks are already full of regulatory material from this direction, that direction and the other direction. I do not see any way out of it, but it is worth saying.
I like the codes; they are clear. The explanatory document states that public authorities must follow their code when,
“making changes to their data systems”,
and that the code imposes,
“a duty on data suppliers to consult the UKSA before making changes to the data they collect”.
So they have to anticipate changes, seek the permission of the necessary body and then implement their plans. It is again an area where I see things happening the wrong way round.
Noble Lords will be glad to hear that I am coming to the end of my remarks. On the transparency and comprehensibility criterion, there is one wonderful consideration. Paragraph 9 in the draft information sharing codes states:
“While we consider the terms ‘information’ and ‘data’ to have the same meaning, ‘personal information’ in the Digital Economy Act 2017 has a slightly different meaning to ‘personal data’ in the data protection legislation. In this Code, personal information is information which relates to and identifies a particular person or body corporate (but which does not relate to the internal administrative arrangements of a person who may disclose or receive information under the Digital Economy Act 2017)”.
I then miss out a bit. It continues:
“You need to apply both definitions when you use these powers because you must both observe the requirements for ‘personal information’ under the Digital Economy Act 2017 and make sure that you have also complied with the requirements for ‘personal data’ under the data protection legislation”.
I am glad I do not have to implement that statement. If they have not worked out a way of communicating to us a uniform instruction that takes all those ambiguities into account, I cannot see how they can expect Tom, Dick and Harry around the place to do what they have been unable to do themselves.
There we are. That is enough of a Welsh rant from me; I did not even get in on the Swansea lagoon, which I thought was a load of rubbish as well—I would have liked that one, too. Conscious that the Minister—this man across the Dispatch Box from me is sublimely self-assured—is now impaled on the hook left for him by the departed noble Lord, Lord Clement-Jones, I am happy to register my observations for what they are worth, but in the name of clarity, consistency and monitoring, I urge that those points be taken into consideration.
My Lords, I am grateful to one of the two speakers for remaining and for the points that both have made. If the noble Lord, Lord Griffiths, thinks that was a rant, compared to the noble Lord, Lord Clement-Jones, he is an amateur; I thought he was very reasonable and measured in what he said. I shall go through his points as quickly as I can.
The noble Lord, Lord Griffiths, was correct to point out that we need to help where we can. The measure is to enable public authorities to share information. A key criterion for the Digital Economy Act was that it had to be for the benefit of individuals and households. The noble Lord, Lord Clement-Jones, suggested that, because things were in the wrong order—I will address some of his points shortly—we should withdraw the codes, wait for the Information Commissioner to issue her code and lay the codes again in six to nine months. That will mean that all the good work that is done, which the noble Lord, Lord Griffiths, identified, in using public information to help individual households that are vulnerable or suffering will effectively be put off. For example, on the fuel poverty measure, that would be another winter when we could not use the information to help the public.
On some of the issues raised by the noble Lord about the information shared, I remind him that the information is permissive: it does not have to be shared; it just allows public authorities to do that. They have very clear outlines of what they are able to do; they must have information sharing agreements. The measure merely allows public authorities to do it; there is no compulsion on any of them. It must also be in accordance with the Digital Economy Act and the Data Protection Act. That will give individuals the right—and mean that they can trust—that their information will not be misused, because it is subject also to the GDPR.
In talking about the difference between the Digital Economy Act and the Data Protection Act the noble Lord was a bit confused about paragraph 9. I was surprised—I thought it seemed pretty clear, but I accept that it could be made simpler. What it is really getting at is that the Digital Economy Act referred not just to living people, as the Data Protection Act does, but also includes bodies corporate and distinguishes between the information in those. So we are saying that there is a distinction, and they therefore need to apply both, but when it comes to the information referred to, and referring to individual living people, the Data Protection Act will apply and so will the General Data Protection Regulation. I will send a letter to the noble Lord outlining that paragraph to see if we can explain it. I doubt we will be able to do it in words of one syllable but we will try to make it a bit clearer for him and I will put a copy in the Library. I accept that it is not immediately obvious to a normal person.
I am glad that the noble Lord, in contrast, said that the codes were “clear, succinct and admirable”. I point out, however, that these are not for small businesses but for public authorities. The only time that they would involve a private business is when the private business has been contracted by a public authority to deliver something.
I am grateful to the noble Lord for that clarification—of course, I should have been clear about that myself—but in my small business I did have registration responsibilities, so under one of the codes I would have had to bear some of these things in mind; so there was just a hint of relevance about what I said.
I am grateful for that reminder.
There has been an awful lot of consultation around this. In many ways, this is a model: it has taken about two years of open, public policy-making. The codes were in place in draft while the Act went through Parliament, so parliamentarians of both Houses were able to discuss the codes. They have been amended as a result of that and made clearer, and we have also put in some increased transparency and some review mechanisms. They were consulted on again after the Act was passed: we had a formal consultation again on the codes that are with us today. That included organisations that might have thought to have worried about it, such as privacy groups, so a lot of stakeholders were involved in that.
Coming eventually to the noble Lord, Lord Clement-Jones, his speech was based on a briefing by the only organisation, I think, which had any worries about this. The overwhelming majority of stakeholders that were involved in the consultation were very supportive of these codes.
The noble Lord asked about the statistical methodology. I cannot remember exactly what it was, but I will write to the noble Lord.
The noble Lord, Lord Griffiths, also asked how we will keep track of all this. Of course, there will be a register in place, open and fully searchable by the public. The Information Commissioner has a power of audit, which will be used to keep track of all the data that is shared, and the audit logs will be kept for all data shared under the powers.
The noble Lord talked about transparency: how are we going to monitor and track the impact of this data sharing? Review boards will be established to oversee any non-devolved and England-only information sharing pilots that are set up, and there will also be a review board to advise Ministers and make recommendations on the establishment of new objectives, if there are any. The membership of those review boards will come from across the various data holding departments, as well as the ICO and representatives of civil society. Lastly, the ICO has said that she will carry out an independent review of all the Part 5 powers in two to three years.
Coming to the noble Lord, Lord Clement-Jones, the organisation I referred to that his speech came from is an organisation concerned with healthcare data. I remind noble Lords that, of course, nothing in these regulations today has anything to do with healthcare data: it was explicitly excluded from consideration in the Digital Economy Act. Nevertheless, it has used its worry about this to suggest that we should delay the implementation of these codes. As I said right at the beginning, the reason we do not want to wait, which the noble Lord, Lord Griffiths, mentioned, is that we want to use these powers to help people. I mentioned that we had consulted on them.
The noble Lord had a specific question on how the codes of practice can be compliant with the latest standard of best practice for information sharing under the Data Science Ethical Framework when we published a new set of data ethical standards under the new name Data Ethics Framework on 13 June. The codes’ requirement that users refer to the Data Ethics Framework is not affected by the Government issuing a revision to that framework. We always said that that framework would be changed, and it really is misconceived to say that the drafts should be withdrawn. The same team in DCMS has led the appropriation of the Data Ethics Framework and the co-ordination and drafting of the codes of practice, and therefore they are drafted to be consistent with the best practice set out in the Data Ethics Framework. So when the Secondary Legislation Scrutiny Committee asked whether the codes are consistent with best practice, yes, they are. The new best practice did indeed come a month after the codes were laid, a day or two after the committee’s report, but they absolutely were consistent and they still are.
To be clear, they were designed to be regularly updated. It is a complete red herring that the name has been changed. The second framework, published on 13 June, was borne in mind when these codes were developed. It builds on the first version, which was widely used. The codes of practice provide details to practitioners on how the data-sharing powers under the Digital Economy Act 2017 must be operated and, by signposting the Data Ethics Framework in the codes, the intention is to augment their impact and help stimulate innovative and responsible use of data.
The other question is whether the legislation requires that these codes of practice must be consistent with the ICO’s Data Sharing Code of Practice. It is true that the ICO has not yet published its new code under the Data Protection Act. The codes are consistent, in the same way as I said about the other one: the same people are dealing with it. We have liaised with the Information Commissioner the whole way along and there is no significance in the fact that the code has not been published yet: when it is published, if by some chance anything in the codes were rendered inconsistent, there is a transitional provision in the Data Protection Act which renders ineffective any part of the code that has thereby become inconsistent. That was deliberately put into the Data Protection Act 2018. We are saying that information sharing under the Digital Economy Act 2017 can lawfully take place before the new ICO code is issued and that during any such period, there will be no ICO code for that Act’s codes to be consistent with. However, in practice those codes have been prepared in collaboration with the ICO, so I can confirm to the noble Lord, Lord Clement-Jones, that that is the case.
Once the ICO is at an advanced stage of developing its new code, we will work with it again to review whether there are any inconsistencies. We would work towards revising our codes if necessary, but we have been working closely with that office, as I said, on the development of codes. As a result, we do not expect to see any significant inconsistencies with its new code when it is prepared.
I may not have been completely clear: the transitional arrangements in the Data Protection Act 2018 ensure that, when the new ICO code is issued, the Digital Economy Act codes will be consistent with it both in the short and the long term. It does this by disapplying any provisions in the Digital Economy Act 2017 codes that are inconsistent with the new ICO codes. We can then make sure that they are consistent, if that were necessary, but the ICO has said that it was pleased to see that the codes of practice referenced new data protection legislation and are consistent with its guidance.
The noble Lord, Lord Clement-Jones, asked whether we will therefore withdraw the codes. For the reasons I have set out, we want to help people who are in vulnerable situations. Subject to your Lordships’ agreement and that of the other place, we do not intend to withdraw the codes.