My Lords, data is the DNA of modern life. It is integral to almost every aspect of our society and economy, from NHS treatments and bank transactions to social interactions. An estimated 85% of UK businesses handle some form of digital data, and the UK data economy was estimated to represent 6.9% of UK GDP. Data-enabled UK service exports accounted for 85% of total service exports, estimated to be worth £259 billion, but data use in the UK drives productivity benefits of around 0.12%, which is only one minute per worker per day.
We can do much more to drive productivity through data. That is why the Government are presenting the Data (Use and Access) Bill today, to harness the power of data to drive economic growth, support modern digital government and improve people’s lives. The Bill is forecast to generate £10 billion over 10 years, to underpin the Prime Minister’s missions and to fulfil several manifesto commitments; most importantly, it will help everyday processes for people, business and our public services.
The Bill has eight parts, which I will speak to in order. Before I start, I recognise that noble Lords have debated data legislation over a number of years, and many measures in the Bill will be familiar to them, as they are to me. I pay particular tribute to the noble Viscount, Lord Camrose, for his work on these measures in the past. That said, the Government and I have carefully considered the measures to be taken forward in this Bill, and noble Lords will notice several important changes that make the Bill more focused, more balanced and better able to achieve its objectives.
The first three parts are focused on growing the economy. First, we will create the right conditions to set up future smart data schemes. These models allow consumers and businesses to safely share information about themselves with authorised third parties, which can then in turn offer innovative uses, such as personalised market comparisons and financial advice. This measure, which is also a manifesto commitment, will cut costs, give people greater consumer choice and deliver economic benefit. In September this year, more than 11 million people—one in six of the UK population—were already making use of open banking services.
In Part 2, the Bill will legislate on digital verification services, meaning that organisations will be able to receive a trust mark if they are approved as meeting the stringent requirements in the trust framework and appear on the government register. As well as increasing trust in the market, these efficiency gains are expected to boost the UK economy by £4.3 billion over the next decade by doing things such as reducing the time spent completing checks to hire new workers from days to minutes.
Part 3, on the national underground asset register, or NUAR, will place this comprehensive digital map of the underground pipes and cables on a statutory footing. The measures mandate that owners of underground infrastructure, such as water companies or telecoms operators, register their assets on NUAR. This will deliver more than £400 million per year through more efficient data sharing, reduced accidents and delays, and improved worker safety. The proposed measures will also allow this data to be used for additional prescribed use cases, such as improved street work co-ordination, where commercial and national security considerations allow.
My Lords, I welcome the opportunity to speak on this important matter. I am especially grateful to the noble Baroness, Lady Jones of Whitchurch, for her engagement so far with me and my noble friend Lord Camrose, which has been truly helpful with this technically complex Bill. I thank in advance the other speakers and keenly look forward to hearing their—I hope—lucid and insightful commentary on the content of the Bill.
This is a wide-ranging Bill which affects a wide range of policy issues. If well executed, it could bring substantial benefits to individuals and businesses, much like the previous Conservative Government’s Bill, which was so ably championed by my noble friend Lord Camrose. However, if poorly executed, the Bill may result in data vulnerabilities for both individuals and the country as a whole.
We on these Benches are delighted that the Government are taking forward the bulk of the provisions and concepts set out by the previous Conservative Government, in particular the introduction of a national underground asset register, which will make construction and repairs more efficient, reduce the cost and inconvenience of roadworks and, most importantly, make work safer for construction workers; giving Ofcom the ability, when notified by the coroner, to demand that online service providers retain data in the event of a child’s death; reforming and modernising the Information Commissioner’s Office; introducing a centralised digital ID verification framework; allowing law enforcement bodies to make greater use of biometric data for counterterrorism purposes; and—particularly close to my heart—setting data standards in areas such as health to allow the sharing of data and its use for research and AI. All these provisions are necessary and will provide tangible benefits to the people of the UK. Indeed, the data economy is crucial. As the Government have rightly said, it has the potential to add billions in value to the UK economy through opportunities and efficiencies.
My Lords, I declare my interests as chair of the 5Rights Foundation and as an adviser to the Institute for Ethics in AI at Oxford.
I start by expressing my support for the removal of some of the egregious aspects of the last Bill that we battled over, and by welcoming the inclusion of access to data for researchers—although I believe there are some details to discuss. I am extremely pleased finally to see provisions for the coroner’s access to data in cases where a child has died. On that alone, I wish the Bill swift passage.
However, a Bill being less egregious is not sufficient on a subject fundamental to the future of UK society and its prosperity. I want to use my time this afternoon to ask how the Government will not simply make available, but secure the full value of, the UK’s unique datasets; why they do not fully make the UK AI-ready; and why proposals that they did not support in opposition have been included and amendments that they did support have been left out.
We have a unique opportunity, as the noble Lord, Lord Markham, just described, with unique publicly held datasets, such as the NHS’s. At a moment at which the LLMs and LMMs that will power our global future are being built and trained, these datasets hold significant value. Just as Britain’s coal reserves fuelled global industrial transformation, our data reserves could have a significant role to play in powering the AI transformation.
However, we are already giving away access to national data assets, primarily to a handful of US-based tech companies that will make billions selling the products and services built upon them. That creates the spectre of having to buy back drugs and medical innovations that simply would have not been possible without the incalculably valuable data. Reimagining and reframing publicly held data as a sovereign asset accessed under licence, protected and managed by the Government acting as custodian on behalf of UK citizens, could provide direct financial participation for the UK in the products and services built and trained on its data. It could give UK-headquartered innovators and researchers privileged access to nationally held data sets, or to investing in small and medium-sized specialist LLMs, which we will debate later in the week. Importantly, it would not simply monetise UK data but give the UK a seat at the table when setting the conditions for use of that data. What plans do the Government have to protect and value publicly held data in a way that maximises its long-term value and the values of the UK?
My Lords, I remind the House of my interests, particularly in chairing the board of Century-Tech, an AI edtech company— I will have to talk to the noble Baroness, Lady Kidron, about that. I am a director of Educate Ventures Research, which is also an AI-in-education business, and Goodnotes, an AI note-taking app. It is a pleasure to follow the noble Baroness, Lady Kidron. I agreed with most of what she said, and I look forward to working with her on the passage of the Bill.
I guess we are hoping it is third time lucky with a data Bill. I am sure we will hear from all speakers that there is a sense that this is an improved Bill on the previous two attempts. It is a particular joy to see that terrible stuff around DWP data not appearing in this Bill. There is plenty that I welcome in terms of the improvements. Like most speakers, I imagine, I mostly want to talk about what might need further debate and what might be missing, rather than just congratulating my noble friend the Minister on the improvements she and her colleagues have been able to make.
I anticipate that this will not be the only Bill we have on data and AI. It would be really helpful for this Government to rediscover the joys of a White Paper. If we had a document that set out the whole story and the vision, so that we could more easily place this Bill in context, that would be really helpful. This could include where we are with the Matt Clifford action plan, and a very clear aim of data adequacy with the EU regime. I wonder whether, among all the people the Minister said she had been able to talk to about this Bill, she had also spoken to the EU to make sure we are moving in the right direction with adequacy, which has to be resolved by the summer.
Clearly, this is a Bill about data. The Minister said that data is the DNA of modern life. It has achieved a new prominence with the rollout of generative AI, which has captured everyone’s imagination—or entered their nightmares, depending on how you think about it. The Communications and Digital Committee, which I am privileged to serve on, has been thinking about that in respect of the future of news, which we will publish a report on shortly, and of scaling our businesses here in the UK. It is clear that the core ingredients you need are computing power, talent, finance and, of course, data, in order successfully to grow AI businesses here.
My Lords, I, too, welcome the Bill, but there is one matter we should have at the forefront of our minds as we work through it: that it must be implemented and carried through by SMEs and individuals. Regrettably—and I say this as a lawyer—lawyers have become far too expensive. We must appreciate the need to draft legislation and regulatory regimes that are as easy as possible to operate without the benefit of legal advice. If we cannot achieve that, it must be incumbent on the Government and the regulators to set out clearly what the position is, in a way that people can understand. We do not want our SMEs and individual traders to enter into operating under this new regime without being able to understand the law. I fear that this Bill, by its very length, is a good example of how we can overcomplicate things.
The second issue is the protection and transferability of data. The Minister, the noble Lord, Lord Markham, and the noble Baroness, Lady Kidron, have all spoken about the importance and value of data, its transferability and the need to balance correctly the protections and rights of the individual against the importance of being able to use it in research. I want to say a word about the contrasting positions we face in the transferability of data between us and the European Union, and the slightly more difficult and unpredictable situation that may arise between us and the United States. They are the same problem, but they may need addressing in different ways. On the first, I need to be slightly technical, but as the adequacy of our data regime is such an important issue, I hope that noble Lords will forgive me.
I am going to ask the Minister a question, but it is not for answer today; I think it will require a bit more than that. It takes us back to the battles and debates we have had over the last six years in relation to the manner of our withdrawal from the European Union. When we left the EU, we left in place retained EU law. We got rid of the charter, because it was said that all that mattered and was important was embodied in retained EU law. That was almost certainly right, but the problem that I believe has arisen—it is partly complicated by advice contained in the Government’s human rights memorandum attached to the Bill—arises from the effect of the Retained EU Law (Revocation and Reform) Act. I can hear, almost visibly, the sighs—“Are we back to that again?”—and I am so sorry to be dredging this up.
My Lords, it is always rather daunting following the noble and learned Lord, Lord Thomas. I think the safest thing to say, which has the added benefit of being true, is that I agreed with him.
I declare my interests as set out in the register, in particular that I am a member of the Horizon Compensation Advisory Board and the chair of the advisory panel of Thales UK, which makes the British passport. As the noble Lord, Lord Knight, said, this Bill is a wonderful opportunity to talk about everything that is not in it and to discuss further measures that could be included. The noble Baroness, Lady Kidron, mentioned the amendment she moved on 24 April to the predecessor Bill, designed to deal with the presumption that computer evidence is reliable, despite the fact that we all know that it is not. We shall need to come to that presumption in Committee.
I supported the amendment from the noble Baroness in Committee earlier this year, although I accept—as I think she does—that simply returning to the position as it was in 1999, before the presumption existed, may not be the best solution. We need some method, for example, of accepting that breathalysers, on the whole, work as they are intended to do, and that emails, on the whole, work as they are intended to do, and we should not have to get a certificate of accuracy from Microsoft before every trial.
The need to find a solution to the problems so brutally exposed by the Post Office scandal is urgent. In the Post Office cases, in essence, the proper burden of proof was reversed and hearsay evidence that was false was accepted as gospel truth. As a result of Horizon and the appalling human behaviour that accompanied it, the lives of hundreds, perhaps thousands, of postmasters were ruined and the UK and Fujitsu are going to have to pay billions in compensation. So this matter is urgent.
My Lords, it is a feature of your Lordships’ House that certain topics and Bills within them tend to attract a small and very intense group of persons, who get together to talk a language that is not generally understood by the rest of the world—certainly not by the rest of this House—and get down to business with an enthusiasm and attitude which is very refreshing. I am seeing smiles from the other side of the House. This is not meant to be in any way a single-party point—just a very nice example of the way in which the House can operate.
I have already been struck today, as I am sure have others in the group that I am talking about—who know who they are—by the recognition that we have perhaps been a little narrow in our thinking. A couple of the speeches today have brought a new thought and a new sense of engagement with this particular subject and the others we deal with. We need to be aware of that, and I am very grateful to those noble Lords. In addition, I am grateful to the repeating by the noble Lord, Lord Knight, of the speeches he had to make in 2018 and subsequent dates, and also the wonderfully grumpy speech from the noble Baroness, Lady Kidron. We have also got to take into account what we got wrong on joining the European market—which I certainly look forward to. It is a serious point.
I am also very grateful to my noble friend the Minister for setting out the new Government’s vision for data protection, for her letters—which have been very useful—and for her help in setting up the meeting I had with her officials, which I found very useful indeed. Our Minister has done a really good job in getting the Bill ready so quickly. It is good that some of the more egregious measures included in the previous Bill—particularly the changes on direct marketing during elections and the extensive access to bank account details—have gone. There are indeed some good extras as well.
My Lords, like others, I think I am experiencing the same sense of déjà vu that has been referred to. As others said, one of the more welcome aspects of this Bill is that it is not the same as its predecessor, which was introduced by the previous Government and which was mercifully a casualty of the election. Many of us lost far too many hours of our lives on that Bill, which was, frankly, a bad one—others have called it egregious.
So, I am pleased that this Government have clearly taken account of those debates—perhaps some of those hours were not wasted after all—and have produced a slightly slimmed-down version. That, in part, is because some of the old Bill has been removed from this one, but I am afraid it is expected to reappear again; I hate to disappoint the noble Lords, Lord Knight and Lord Stevenson, but we are going to see those DWP bank account access clauses in a separate Bill. However, at least it will be a stand-alone Bill rather than tucked in the background of a two-inch-thick data Bill.
I will start with a general concern which the noble and learned Lord, Lord Thomas, mentioned, which is that of EU data adequacy, which a number of us raised in the context of the last Bill. The helpful letter from the noble Lord, Lord Ricketts, the chair of the European Affairs Committee, dated 22 October to the Secretary of State for Science, Innovation and Technology, sets out very clearly the
“significant extra costs and administrative burdens on businesses and public-sector organisations which share data between the UK and the EU”
that would be incurred if we were to lose that data adequacy ruling, which is due to expire in June 2025—so very soon. I do not think I have seen a response from the Government to that letter, so I would be very interested to hear what the Minister has to say on that. Although this Bill is clearly less contentious than its predecessor and the risk is therefore clearly lower, it is not zero risk, and we need to be careful to ensure that there is nothing in the Bill that risks significantly the loss of that ruling.
6:26 pm
20 of 53 shown
Part 4 relates to the format of the registers of births and deaths, allowing for the first time the possibility of digital registration.
Part 5 is specifically about data protection and privacy, although I stress that this Government are committed to the strongest data privacy protections throughout the Bill. This part of the Bill is the one that the Government and I have most thoroughly revisited. Our objective has been to address the current lack of clarity that impedes the safe development and responsible deployment of new technologies.
We have removed previous measures watering down the accountability framework, along with other measures that risked protections. Since the Bill’s introduction I have spoken to members of industry, civil society and the research community about this, as well as some noble Lords here today, and I am glad to note that these changes have been broadly welcomed. In this context, I would like to say something about AI, which will undoubtedly have a vital role to play in growing the UK’s economy and transforming its public services. This will include the responsible and safe use of solely automated decision-making. However, the rules in Article 22 of the UK GDPR are unclear, which holds us back. Organisations are not confident about when they can make solely automated decisions, nor about what safeguards apply and when. We suffer when this leads to hollow attempts at token human involvement to try to move the goalposts.
The Bill will fix these issues. It writes the safeguards much more clearly. You will have the right to be told about a decision, the right to human intervention, and the right to make representations about it. It specifically provides that human involvement must be meaningful or else it does not count. This—alongside clearer safeguards, the restored accountability framework, and a modernised information commission—will help us strike the right balance between the benefits of this technology being available in more circumstances, and public trust and protection.
Part 6 is on the regulator: the new information commission. This is a new-look regulator—modernised, with clear strategic direction and stronger powers, and still independent. We will bring the information commission in line with regulatory best practice, increase accountability, and enable greater transparency for organisations and the public. It will be empowered to engage effectively with the increasingly complex opportunities and challenges we see in the use of personal data, as well as to ensure high data protection standards and increased public trust.
The Government have worked closely with the ICO on these reforms, and the commissioner noted in his response to the Bill that these changes
“will significantly improve the ICO’s ability to function effectively”
and the
“refreshed governance arrangements will maintain our independence and enhance our accountability”.
Part 7 includes other provisions about the use of or access to data. Clauses on NHS information standards will create consistency across IT systems to enable data sharing. This is a positive step in driving up efficiency in our NHS and will save 140,000 hours of staff time a year. These measures will also improve patient safety; for example, by allowing authorised medical staff to access patient data to provide care in emergencies.
There is a new, fairly technical measure on smart meters, which will provide the Gas and Electricity Markets Authority with flexibility to determine the best process to follow in appointing the successor smart meter communication licensee. These clauses will ensure that the authority is able to appoint a successor in a timely and efficient way that is in the best interests of energy consumers.
Part 7 also includes measures on online safety research, laying the groundwork for crucial research into online harms to help us learn and adapt, to keep the internet safe. This is in addition to measures on data preservation notices to help coroners, or procurators fiscal in Scotland, investigate how online platform use may have had a contributing effect in the tragic death of a child. I thank the noble Lord, Lord Bethell, and the noble Baroness, Lady Kidron, for their campaigning on these important issues, which we supported in opposition. I am pleased to be able to deliver these measures early in the new Parliament.
Finally, Part 8 includes standard final provisions.
As noble Lords can probably tell from the length of that list, this is quite a wide-ranging Bill. However, I hope they will agree that the focus—on growing the economy, supporting modern, digital government, and improving lives—is a lot clearer. In summary, I have three main points to encourage the swift passage of the Bill through the House.
First, I have worked very closely with noble Lords across the House on a number of these measures over the years. I am glad to have been able to make the necessary changes to the legislation in response to our shared concerns. Secondly, we are very keen to implement these changes as soon as possible for our stakeholders—the ICO, business, and the research community, to name but a few—which have all been waiting patiently to see the benefits these reforms will bring. Thirdly and most importantly, the measures in the Bill will make a material, positive difference to people’s lives.
I hope noble Lords will work with me to pass the Bill and ensure that these reforms can bring real benefits to our economy and public services and the UK public. I beg to move.
Therefore, noble Lords will find in us a largely supportive Opposition on this Bill, working constructively to get it through Parliament. However, we on these Benches have some concerns about the Bill, and I am keen to hear the Minister’s response on a number of points.
Many small and medium-sized enterprises control low-risk personal data. Although they must of course take careful measures to manage customer data, many simply do not have the resources to hire or train a data protection officer, particularly with the Government’s recent decision to increase burdens on employer NI. We have concerns that the Bill will disproportionately add to the weight of the requirements on those businesses, without greatly advancing the cause of personal privacy. We should free those SMEs—the bedrock of our economy —from following the same demanding data protection requirements as larger, better-resourced enterprises, which carry far greater risks to personal privacy. We need to allow them to concentrate on running a profitable business rather than jumping through myriad bureaucratic data protection hoops over data that, in many cases, presents little risk to privacy. In short, we need those businesses to be wisely careful but not necessarily hyper-careful.
Many of the Bill’s clauses allow or require mass digitisation of data by the public sector, such as the registers of births and deaths. These measures will improve efficiency and, therefore, save money—something that I think we can all agree is necessary. However, the more data is digitised, the more we present a tempting attack surface to hackers—thieves who steal data for profit by sale on the dark web, ransom or both. Do the Government intend to bring forward legislation that will set out improved cybersecurity recruitments for public bodies that will, because of the Bill, rapidly digitise their datasets? Furthermore, if the Government intend to bring forward additional cybersecurity measures, when do they intend to do so? Any time lag leaves public bodies and the people’s data they control vulnerable to those with malicious intent.
Building on this point, the Bill will also see a rapid increase in the digitisation and sharing of high-risk data across the public and private sectors. There will, for example, be an increase in high-risk data sharing between the NHS and adult social care providers in communities, and a range of private sector companies handling identification data to create a digital ID. Again, the more high-risk data is used, transferred or created, the greater the incentive for hackers to target organisations and bodies. Therefore, I must ask the Minister whether and when the Government intend to bring forward additional cybersecurity measures for public bodies, large businesses, and the minority of SMEs that will handle high-risk data.
Introducing a national underground asset register, or NUAR, will lead to significant benefits for people and developers alike. It will substantially reduce the risk of striking underground infrastructure during development or repairs. This will not only speed up developments and repairs but reduce costs and the risks posed to construction workers. However, having a centralised register of all underground assets, including critical infrastructure, may result in a heightened terror risk. I know this Government, like the previous one, will have devoted considerable thought to this grave risk, and I hope the Minister will set out some of the Government’s approach to mitigating it. In short, how do they intend to ensure the security of NUAR so that there can be no possibility of unauthorised access to our critical infrastructure?
We on this Bench support the Government’s position on automated decision-making, or ADM. It can rapidly increase the speed at which commercial decisions are taken, thus resulting in an increase in sales and profit, improvements to productivity and a better customer experience. AI will be the key underlying technology of almost all ADM. The vast quantity of data and the unfathomable complexity of the algorithms mean that we have to address the AI risks of bias, unfairness, inaccuracy and loss of human agency. Therefore, I think it is wise that we consider amending this Bill to put some of the use of AI in this context on a statutory footing. I hope that the Minister will share the Government’s thoughts on this matter, and I am confident that colleagues across the House will have strong views too.
I end by outlining the opportunities for setting standards for health data. As Health Minister, I would often wax lyrical on how we have the best data in the world, with our ability to link primary and secondary care data with genomic, optical and myriad other data sources going back decades. Add to this the large heterogeneous population and you have, without doubt, the best source of health data in the world. I firmly believe that by setting the data standards we can build in the UK the foundations for a Silicon Valley for the life sciences, which would be a massive benefit to patients, the NHS and the UK economy overall.
We on this Bench largely welcome the Bill, not least because it retains many of the concepts from the previous Conservative Government’s Bill. However, there are important matters that deserve our attention. I look forward to hearing today the views of noble Lords across the House to enable the productive passage of the Bill.
Similarly, the smart data schemes in the Bill do not appear to extend the rights of individual data holders to use their data in productive and creative ways. The Minister will recall an amendment to the previous data Bill, based on the work of associate professor Reuben Binns, that sought to give individuals the ability to assign their data rights to a third party for agreed purposes. The power of data is fully realised only when it is combined. Creating communal rights for UK data subjects could create social and economic opportunities for communities and smaller challenger businesses. Again, this is a missed opportunity to support the Government’s growth agenda.
My second point is that the Bill fails to tackle present-day or anticipated uses of data by AI. My understanding is that the AI Bill is to be delayed until the Government understand the requirements of the new American Administration. That is concerning on many levels, so perhaps the Minister can say something about that when she winds up. Whatever the timing, since data is, as the Minister said, in the DNA of AI infrastructure, why does the Bill so spectacularly fail to ensure that our data laws are AI-ready? As the News Media Association says, the Bill is silent on the most pressing data policy issue of our time: namely, that the unlicensed use of data created by the media and broader creative industries by AI developers represents IP theft on a mass scale.
Meanwhile, a single-sentence petition that says,
“The unlicensed use of creative works for training generative AI is a major, unjust threat to the livelihoods of the people behind those works, and must not be permitted”,
has been signed by nearly 36,000 organisations and individuals from the creative community. This issue was the subject of a cross-party amendment to which Labour put its name, which would have put the voluntary web standards represented by the robots.txt protocol on a mandatory opt-in basis—likely only one of several amendments needed to ensure that web indexing does not become a proxy for theft. In 2022, it was estimated that the UK creative industries generated £126 billion in gross value added to the economy and employed 2.4 million people. Given their importance to our economy, our sense of identity and our soft power, why do we have a data Bill that is silent on data scraping?
In my own area of particular concern, the Bill does not address the impact of generative AI on the lives and rights of children. For example, instead of continuing to allow tech companies to use pupil data to build unproven edtech products based on drill-and-practice learning models—which in any other form is a return to Victorian rote learning but with better graphics—the Bill could and should introduce a requirement for evidence-based, pedagogically sound paradigms that support teachers and pupils. In the recently announced scheme to give edtech companies access to pupil data, I could not see details about privacy, quality assurance or how the DfE intends to benefit from these commercial ventures which could, as in my previous NHS example, end with schools or the DfE having to buy back access to products built on UK pupil data. There is a quality issue, a safety issue and an ongoing privacy issue in our schools, and yet nothing in the Bill.
The noble Baroness and I met to discuss the need to tackle AI-generated sexual abuse, so I will say only that each day that it is legal to train AI models to create child sexual abuse material brings incalculable harm. On 22 May, specialist enforcement officers and I, along with the noble Viscount, Lord Camrose, were promised that the ink was almost dry on a new criminal offence. It cannot be that what was possible on that day now needs many months of further drafting. The Government must bring forward in this Bill the offence of possessing, sharing, creating or distributing an AI file that is trained on or trained to create CSAM, because this Bill is the first possible vehicle to do so. Getting this on the books is a question of conscience.
My third and final point is that the Bill retains some of the deregulatory aspects of its predecessor, while simultaneously missing the opportunity of updating data law to be fit for today. For example, the Bill extends research exemptions in the GDPR to
“any research that can reasonably be described as scientific”,
including commercial research. The Oxford English Dictionary says that “science” is
“The systematic study of the structure and behaviour of the physical and natural world through observation, experimentation, and the testing of theories against the evidence obtained”.
Could the Minister tell the House what is excluded? If a company instructs its data scientists and computing engineers to develop a new AI system of any kind, whether a tracking app for sport or a bot for an airline, is that scientific research? If their behavioural scientists are testing children’s response to persuasive design strategies to extend the stickiness of their products, is that scientific research? If the answer to these questions is yes, then this is simply an invitation to tech companies to circumvent privacy protections at scale.
I hope the noble Baroness will forgive me for saying that it will be insufficient to suggest that this is just tidying up the recitals of the GDPR. Recital 159 was deemed so inadequate that the European Data Protection Supervisor formally published the following opinion:
“the special data protection regime for scientific research is understood to apply where … the research is carried out with the aim of growing society’s collective knowledge and wellbeing, as opposed to serving primarily one or several private interests”.
I have yet to see that the Government’s proposal reflects this critical clarification, so I ask for some reassurance and query how the Government intend to account for the fact that, by putting a recital on the face of the Bill, it changes its status.
In the interests of time, I will put on the record that I have a similar set of issues about secondary processing, recognised legitimate interests, the weakening of purpose limitation, automated decision-making protections and the Secretary of State’s power to add to the list of special category data per Clause 74. These concerns are shared variously by the ODI, the Ada Lovelace Institute, the Law Society, Big Brother Watch, Defend Digital Me, 5Rights, Connected by Data and others. Collectively, these measures look like the Government are paving a runway for tech access to the private data of UK citizens or, as the Secretary of State for DSIT suggested in his interview in the Times last Tuesday, that the Government no longer think it is possible to regulate tech giants at all.
I note the inclusion of a general duty on the ICO to consider the needs of children, but it is a poor substitute for giving children wholesale protection from any downgrading of their existing data rights and protections, especially given the unprecedented obligations on the ICO to support innovation and stimulate growth. As the Ada Lovelace Institute said,
“writing additional pro-innovation duties into the face of the law … places them on an almost equivalent footing to protecting data subjects”.
I am not sure who thinks that tech needs protection from individual data rights holders, particularly children, but unlike my earlier suggestion that we protect our sovereign data assets for the benefit of UK plc, the potential riches of these deregulation measures disproportionately accrue to Silicon Valley. Why not use the Bill to identify and fix the barriers the ICO faces in enforcing the AADC? Why not use it to extend existing children’s privacy rights into educational settings, as many have campaigned for? Why not allow data subjects more freedom to share their data in creative ways? The Data (Use and Access) Bill has little in it for citizens and children.
Finally, but by no means least importantly, is the question of the reliability of computers. At col. GC 576 of Hansard on 24 April 2024, the full tragedy of the postmasters was set out by the noble Lord, Lord Arbuthnot, who is in his place and will say more. The notion that computers are reliable has devastated the lives of postmasters wrongly accused of fraud. The Minister yesterday, in answer to a question from the noble Lord, Lord Holmes, suggested that we should all be “more sceptical” in the face of computer evidence, but scepticism is not legally binding. The previous Government agreed to find a solution, albeit not a return to 1999. If the current Government fail to accept that challenge, they must shoulder responsibility for the further miscarriages of justice which will inevitably follow. I hope the noble Baroness will not simply say that the reliability of computers and the other issues raised are not for this Bill. If they are not, why not? Labour supported them in opposition. If not, then where and how will these urgent issues be addressed?
As I said at the outset, a better Bill is not a good Bill. I question why the Government did not wait a little longer to bring forward a Bill that made the UK AI ready, understood data as critical infrastructure and valued the UK’s sovereign data assets. It could have been a Bill that did more work in reaching out to the public to get their consent and understanding of positive use cases for publicly held data, while protecting their interests—whether as IP holders, communities that want to share data for their own public good or children who continue to suffer at the hands of corporate greed. My hope is that, as we go to Committee, the Government will come forward with the missing pieces. I believe there is a much more positive and productive piece of legislation to be had.
I agree with the noble Baroness, Lady Kidron, that we have a unique asset in our public sector datasets that the US does not have to anything like the same extent—in particular in health, but also in culture and education. It is really important that the Government have a regime, established by this legislation and any other legislation we may or may not know about, to protect and deploy that data to the public benefit and not just the private benefit, be it in large language models or other foundational models of whatever size.
It is then also important to ask, whose data is it? In my capacity as chair of a board of an AI company, I am struck by the fact that our current financial regulation does not allow us to list our data as an asset on our balance sheet. I wonder when we might be able to move in that direction, because it is clearly of some significance to these sorts of businesses. But it is also true that the data I share as a citizen, and have given consent to, should be my data. I should have the opportunity to get it back quite easily and to decide who to share it with, and it should empower me as a citizen. I should be able to hold my own data, and I definitely should not have to pay twice for it: I should not have to pay once through my taxes and then a second time by having to pay for a product that has been generated by the data that I paid for the first time. So I am also attracted to what the noble Baroness said about data as a sovereign asset.
In the same way that both Front-Bench speakers were excited about the national underground asset register, I am equally excited about the smart data provisions in the Bill, particularly in respect of the National Health Service. Unfortunately, my family have been intensive users of the National Health Service over the past year or so, and the extent to which the various elements of our NHS do not talk to each other in terms of data is a tragedy that costs lives and that we urgently need to resolve. If, as a result of this Bill, we can take the glorious way in which I can share my banking data with various platforms in order to benefit myself, and do the same with health data, that would be a really good win for us as a nation. Can the Minister reassure me that the same could be true for education? The opportunity to build digital credentials in education by using the same sort of technology that we use in open banking would also excite me.
I ask the Minister also to think about and deliver on a review of Tell Us Once, which, when I was a Minister in the DWP a long time ago, I was very happy to work on. By using Tell Us Once, on the bereavement of a relative, for example, you have to tell only one part of the public sector and that information then cascades across. That relieves you of an awful lot of difficult admin at a time of bereavement. We need a review to see how this is working and whether we can improve it, and to look at a universal service priority register for people going through bereavement in order to prioritise services that need to pass the message on.
I am concerned that we should have cross-sector open data standards and alignment with international interoperability standards. There is a danger in the Bill that the data-sharing provisions are protected within sectors, and I wonder whether we need some kind of authority to drive that.
It is important to clarify that the phrase used in the first part of the Bill, a
“person of a specified description”,
can include government departments and public bodies so that, for example, we can use those powers for smart data and net-zero initiatives. Incidentally, how will the Government ensure that the supply chains of transformers, processors, computing power and energy are in place to support AI development? How will we publish the environmental impact of that energy use for AI?
There is a lot more I could say, but time marches on. I could talk about digital verification services, direct marketing and a data consent regime, but those are all things to explore in Committee. However, there are two other things that I would briefly like to say before winding up. First, I have spoken before in this House about the number of people who are hired, managed and fired by AI automated decision-making. I fear that, under the Bill as drafted, those people may get a general explanation of how the automated decision-making algorithms are working, when in those circumstances they need a much more personalised explanation of why they have been impacted in this way. What is it about you, your socioeconomic status and the profile that has caused the decision to go the way it has?
Secondly, I am very interested in the role of the Digital Regulation Cooperation Forum in preventing abuse and finding regulatory gaps. I wonder whether, after the perennial calls in this Chamber when debating Bills such as this for a permanent Committee of both Houses to monitor digital regulation, the new Government have a view on that. I know that that is a matter for the usual channels and not Ministers, but it is a really important thing for this House to move on. I am fairly bored with making the case over the past two or three years.
In summary, this is a good Bill but it is a long Bill, and there is lots to do. I wish the Minister good luck with it.
I have looked at various things—I am particularly grateful for the help I have had from Eleonor Duhs of Bates Wells—and I believe there is a problem we need to address. As data adequacy is so important, I will say a word about the detail. At the moment, I think we proceed on the assumption that the UK GDPR, with its numerous references to the data subject’s rights and freedoms, is adequate. The last Government, when dealing with the matter, passed the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations, which said that all the many references in the UK GDPR to these rights are to be read as referring to
“the Convention rights within the meaning of the Human Rights Act”.
The difficulty that has arisen is in paragraph 47 of the Government’s human rights memorandum:
“Where processing is conducted by a public authority and engages a right under the ECHR, that authority must, in accordance with section 6 of the Human Rights Act 1998, ensure that such processing is not incompatible with a convention right”.
Then comes the important sentence:
“Where processing is conducted by a private body, that processing will not usually engage convention rights”.
The important point is that it is generally understood that, save in specific circumstances, the Human Rights Act applies only to state entities and not to private companies. If and where data is being processed by private entities, as the Bill and the market largely envisage, how are we to be sure that our references in the UK GDPR refer to the human rights convention but not to the charter? Having lost EU retained law, how are data privacy and data protections protected when processed by private companies?
I raise this point because it is important that we clarify it. If there is an issue, and I hope the Government will look at this carefully, we will need to amend the Bill to make sure that there can be no doubt that, where data is processed by private companies, the data rights are properly protected as they would have been if we had retained EU law, or if the charter applied. It is a very narrow point but one of fundamental importance as to the Human Rights Act being directed at state actors, by and large, and not private entities. I am sorry to take up a little time on this very general subject, but data protection is so important, and retaining our data adequacy status is, as I have learned over many years, essential to our industry.
We know that, provided we can get our law in order, there is no problem as regards the EU, I hope. We face a much more difficult problem with regard to data dealings with the United States. First, the law is much more complicated and developing at an enormous pace. It is partly federal and partly state. Of course, we have no idea—and I am not going to speculate, because speculation is pointless—what may happen under the new Administration in the United States. One thing we have learned from the EU, particularly the EU AI Act, is that legislating in terms that are hard can produce results that very quickly get out of date. It seems to me that we have to look constructively at finding a way to adapt our legislative framework to what happens in the United States as regards transferability and, more importantly, the protection of our data in respect of the very large American companies. How are we to do this? Do we give Ministers very broad statutory powers? There may, I regret to say, be a case for doing that. It is something that I do not favour. If Ministers are to have such broad statutory powers, how is that power to be made properly accountable to this House?
As the noble Baroness, Lady Kidron, demonstrated, there is no use delaying these decisions until we know what the US regime may be. Maybe the US regime, unlike the EU, will change very rapidly. Bureaucracy has some advantages when you are dealing with it from the outside, but someone who believes in constant change and turmoil is much more difficult to deal with from our legislative point of view. It is a very important aspect of this legislation that we look at how, in the transnational market in data, which is of immense value and importance to us, we protect the British public.
There are loads of other points that one could raise, but I will raise only one, to follow what has just been said. It is of fundamental importance that we examine automated decision-making with the greatest care. Some very good principles have been developed both in the United States, under the current regime, and in Europe. When a decision is made by a machine—that is a rather facile way of describing it; it is made as a result of an algorithmic process—how do we ensure that, first, there is some right to a human intervention and, secondly, and equally importantly, that the person affected understands why the decision has been made? The point that has just been made is very important, because when you get a decision from an individual, you normally have it accompanied by an understanding of the human, plus reasons. This is a very important part of the Bill; it is so important to give confidence about the way forward.
There are many other detailed points, but those are the three principal points I wanted to make. Let us keep it simple, look at the transnational aspects and look at automated decision-making.
The solution may be, as Alistair Kelman has recommended, a set of seven or so detailed statements setting out what has been done to ensure that the computer evidence is reliable. It may be, as a senior and highly respected judge has recommended, a division between complex cases, such as those involving a system such as Horizon, and simple cases, such as those involving breathalysers and emails, with more stringent evidentiary requirements for the complex cases. It may be, as Professor Steven Murdoch has suggested, that documents designed to test the reliability of computer systems should be made available to the other side and be subject to challenge. It may be something else, but this Bill is an opportunity to consider, examine and test those solutions, and another such opportunity may not come along quickly. I repeat: this matter is urgent.
On a different matter, Part 2 of the Bill establishes a regulatory framework for the provision of digital verification services in the UK. We need to be clear that having a clear and verifiable digital identity is a completely different matter from going down the route of identity cards. This is not an identity card Bill. It is an essential method of establishing, if you want or need to have a digital identity, that you are who you say you are and you have the attributes that you say you have. It is a way of establishing relevant facts about yourself without having to produce gas bills. I do not know about other noble Lords, but I find producing gas bills rather tricky now that they are almost all online.
Sometimes the fact you need to establish will be age: to establish that you are allowed to drink or to drive, or that you are still alive, or whatever. Sometimes it will be your address; sometimes it will be your sex. We do not want men going to women’s prisons, nor men who identify as women working in rape crisis centres. Sex is an issue on which it is necessary to have some degree of factual clarity in those circumstances where it matters. The Bill, again, is an opportunity to ensure that this factual clarity exists in the register of births. It will then be for the individual to decide whether to share the information about their sex, age, or whatever.
An organisation called Sex Matters—I am grateful for the briefing—issued a report yesterday pointing out that, at the moment, data verification services are not authoritative, in that they allow people to change their official records to show them as the opposite sex on request. One consequence is that, for example, transgender people risk being flagged up as a synthetic identity risk and excluded, for example, from banking or travel. Another is that illnesses may be misdiagnosed or that medical risks may fail to be identified.
So this Bill is a rare opportunity to put right some things that currently need to be addressed. Those of us speaking today have received a number of helpful briefings from organisations interested in various issues: I have mentioned only a couple. I hope we will take the opportunity given to us by the Bill to take on board several of those proposals.
We have already had some excellent speeches setting out some concerns. I have one major concern about the current Bill and three rather lesser issues which I suspect will need further debate and discussion in Committee. I will cover them quite briefly. My major concern is that, although the Bill has the intention to boost growth and productivity, and also makes a valiant attempt to provide a unified set of rules and regulations on data processing, it may in the process have weakened the protections that we want to see here in the exploitation of personal data. Data, as other noble Lords have said, is of course not just for growth and prosperity. There will be, as we have heard, clear, practical benefits in making data work for the wider social good and for the empowerment of working people. There is huge potential for data to revitalise the public services. Indeed, I liked the point made by the noble Lord, Lord Knight, that data is in some way an asset missing from the balance sheet on many operations, and we need to think carefully about how best we can configure that to make sure that the reality comes to life.
There has been, of course, a huge change. We have moved into the age of AI, but we do not have the Bill in front of us that will deal with that. The GDPR needs a top-to-toe revision so that we can properly regulate data capture, data storage, and how it may be best shared in the public interest. As an example of that, following the Online Safety Act we have a new regulator in Ofcom with the power to regulate technology providers and their algorithmic impacts. The Digital Markets, Competition and Consumers Act has given the Competition and Markets Authority new and innovative powers to regulate commercial interests, which we heard about yesterday at an all-party group. However, this Bill has missed the opportunity to strengthen the role of the ICO so we can provide a third leg capable of regulating the use of data in today’s AI-dominated world. This is a gap that we need to think very carefully about.
I hope my noble friend the Minister will acknowledge that there is a long way to go if this legislation is to earn public confidence and if our data protection regime is to work not just for the tech monopolies but for small businesses, consumers, workers and democracy. We must end the confusion, empower the regulators, and in turn empower Parliament.
There are three specific issues, and I will go through them relatively quickly. The first is on Clauses 67 and 68, already referred to, where the Bill brings in wording from Recital 159 of the GDPR—as we inherited it from the EU. This sets out how the processing of personal data for scientific research purposes should be interpreted. The recital is drafted in extraordinarily broad terms, including
“technological development and demonstration, fundamental research, applied research and privately funded research”.
It specifically mentions that:
“Scientific research purposes should also include studies conducted in the public interest in the area of public health”.
The latest ICO guidance, which contains a couple of references to commercial scientific research, says that such research
“can also include research carried out in commercial settings, and technological development, innovation and demonstration”.
However, we lack a definition, and it is rather curious that the definition of research does exist elsewhere in statute in the UK laws. It is necessary in order to fund the research councils, for example. It is also part of the process of the tax code in order to get research benefits and tax benefits for research. So, we have a definition somewhere else, but somehow the Bill avoids that and tries to go down a clarification route of trying to bring forward into the current legislation that which is already the law—according to those who have drafted it—but which is of course so complicated that it cannot be understood. I think the Government’s thinking is to provide researchers with consistency, and they say very firmly that the Bill does not create any new permissions for using or reusing data for research purposes. In my meeting with officials, they were insistent that these clauses are about fine-tuning the data protection framework, making clarifications and small-scale changes but reducing uncertainties.
I agree that it is helpful to have the key provisions—currently buried, as they are, in the recitals—on the face of the Bill, and it may be that the new “reasonableness” test will give researchers greater clarity. Of course, we also retain the requirement that research must be in the public interest. But surely the issue that we need to address is whether the Bill, by incorporating new language and putting in this new “reasonableness” test, will permit changes to how data held by the NHS, including patients’ medical records, could be used and shared. It may be that the broad definition of “scientific research”, which can be “publicly or privately funded” and “commercial or non-commercial” inadvertently waters down consent protections and removes purpose-limitation safeguards. Without wishing to be too alarmist, we need to be satisfied that these changes will not instigate a seismic change in the rules currently governing NHS data.
It is relevant to note that the Government have stated in a separate way an intention to include in the next NHS 10-year plan significant changes as to how patients’ medical records are held and how NHS data is used. Launching a “national conversation” about the plans, the Secretary of State, my right honourable friend Wes Streeting MP, highlighted a desire to introduce electronic health records called “patient passports” and to work “hand in hand” with the private sector to use data to develop new treatments. He acknowledged that these plans would raise concerns about privacy and about how to get the
“best possible deal for the NHS in return”
for private sector access to NHS data. The details of this are opaque. As currently drafted, the Bill is designed to enable patient passports and sharing of data with private companies, but to my mind it does not address concerns about patient privacy or private sector access to health data. I hope we can explore that further in Committee and be reassured.
My second point concerns the unlicensed use of data created by the media and broader creative industries by developers of the large language models—this has already been referred to. UK copyright law is absolutely clear that AI developers must obtain a licence when they are text or data mining—the technique used to train AI models. The media companies have suggested that the UK Government should introduce provisions to ensure that news publishers and others can retain control over their data; that there must be significant penalties for non-compliance; and that AI developers must be transparent about what data their crawlers have “scraped” from websites—a rather unpleasant term, but that is what they say. Why are the Government not doing much more to stop what seems clearly to be theft of intellectual property on a mass scale, and if not in this Bill, what are their plans? At a meeting yesterday of the APPG which I have already referred to, it was clear that the CMA does not believe that it is the right body to enforce IP law. But if it is not, who is, and if there is a gap in regulatory powers, should this Bill not be used to ensure that the situation is ameliorated?
My third and final point is about putting into statute the previous Government’s commitments about regulating AI, as outlined in the rather good Bletchley declaration. Does my noble friend not agree that it would be at least a major statement of intent if the Bill could begin to address
“the protection of human rights, transparency and explainability, fairness, accountability, regulation, safety, appropriate human oversight, ethics, bias mitigation, privacy and data protection”?
These are all points raised in the Bletchley declaration. We will need to address the governance of AI technologies in the very near future. It does not seem wise to delay, even if the detailed approach has yet to be worked through and consulted upon. At the very least, as has been referred to, we should be picking up the points made by the Ada Lovelace Institute about: the inconsistent powers across regulators; the absence of regulators to enforce the principles such as recruitment and employment, or diffusely regulated areas of public service such as policing; the absence of developer-focused obligations; and the absence and high variability of meaningful recourse mechanisms when things go wrong, as they will.
When my noble friend Lord Knight of Weymouth opened the Second Reading of the last Government’s data protection Bill, he referred to his speech on the Second Reading during the passage of the 2018 Act—so he has been around for a while. He said:
“We need to power the economy and innovation with data while protecting the rights of the individual and of wider society from exploitation by those who hold our data”.—[Official Report, 19/12/23; col. 2164.]
For me, that remains a vision that we need to realise. It concerns me that the Bill will not achieve that.
To that end, I would be grateful if the Minister could explain what assessment the Government have made of the risk of losing the EU data adequacy ruling and, perhaps more importantly, tell us the extent to which the Bill has been discussed with our European counterparts to ensure that there is nothing in it that is concerning them. Clearly, we do not need to and should not follow the letter of the EU data protection rules, but we should at least work with our EU counterparts to ensure that we are not risking the adequacy ruling.
Part 1 deals with so-called smart data. I welcome it but note that it consists mainly of a series of powers to regulate rather than any firm steps, which is a little disappointing. The only current live example of smart data that we have is open banking, which a number of noble Lords have referred to—maybe, one day, we will see a pensions dashboard; who knows? However, open banking has been rather slower to take off than had been hoped. It has been six or seven years since it was first mooted. I urge the Government to carry out a review of why that is, before they start to make the regulations that the Bill proposes around smart data. There are lessons to be learned from open banking, to ensure that what we do with smart data in the future is more successful. The claims that smart data will boost the UK economy by £10 billion over the next 10 years looks a little optimistic, especially as the impact assessment from the Department for Business and Trade accompanying the Bill fails to monetise any costs or benefits of the smart data elements. I think that the smart data concept is good but hope that we get it right.
Part 2 of the Bill deals with the digital verification services. Again, on the whole, I am supportive of this. The Bill should improve security of and trust in digital verification. As the noble Lord, Lord Arbuthnot, said, it is not about digital ID cards. However, a number of us raised a concern last time round. There is a danger that this could become a slippery slope towards a situation where people may find themselves compelled to use digital verification services and therefore excluded from accessing services or products if they are not able or willing to use digital verification. The “not willing” part of it is important. Some people are wary of putting detailed identity information online. I am increasingly wary, particularly as a resident of Dumfries and Galloway, where all medical records from NHS Dumfries & Galloway were recently hacked, stuck online for ransomware and probably published. Therefore, I have some sympathy with those who do not fully trust official systems. I am curious to hear what the Minister has to say in response to the comments from the noble Lord, Lord Markham, about increased cyber- security in the public sector, as that is a good example of where it has gone wrong.
I know that there is no intention on the part of the Government at this time to make the use of DVS compulsory, but it is quite easy to see other providers, such as estate agents, financial institutions and, as one noble Lord mentioned, employers, making it a requirement. While supportive, I think we need some protections to ensure that people are not excluded from services by that. I would be interested to hear the Minister’s thoughts.
On Part 5, the House of Lords Select Committee on the Fraud Act 2006 and Digital Fraud heard a number of times that banks and other financial institutions were unwilling to share data for fraud prevention purposes because they felt constrained by data protection rules. I suspect that they were wrong but am very pleased that data processing for the purposes of detecting, investigating or preventing crime is to be expressly included as a legitimate interest. I hope that the Information Commissioner will ensure that it is widely pointed out and that we will start to see greater co-operation between payment providers and the tech and telecoms companies where the vast bulk of frauds originate.
However, on the subject of the legitimate interest changes, I am concerned that the Secretary of State will be able to make changes to matters considered to be legitimate interests by regulation. That is a significant power in terms of data processing and potentially a retrograde step. It could also raise concerns with respect to the EU data adequacy points that I raised earlier. While the EU might be happy with what is currently proposed, the ability to change key aspects could raise alarm bells.
Other noble Lords have talked about automated decision-making, where I am also concerned about the weakening of rights. Currently, automated decision-making is broadly prohibited, with specific exceptions. This Bill would permit it in a wider set of circumstances, with fewer safeguards. In her introduction, the Minister seemed to indicate that the same safeguards would apply. As I understand it, that is the case only where special category data is used. I would be grateful if the Minister could explain whether I have got that wrong. It seems to me to increase the risk of unfair or opaque decisions. The noble Lord, Lord Arbuthnot, talked about the Horizon/Post Office scandal. That should certainly give us pause for thought. The computer does not always get it right. There are myriad examples of AI inventing false information and giving fake answers. It is called “hallucination”. The right to challenge solely automated decisions should be sacrosanct. Why have the Government decided to weaken those safeguards?
Finally, I am pleased to get on to a point that no one else has raised so far, which is an achievement. I note with relief that the abolition of the Biometrics and Surveillance Camera Commissioner has been removed. However, issues remain in these areas. In particular, the previous commissioner has described a lack of an overarching accountability framework around surveillance camera and biometrics usage. Can the Minister explain what the Government’s plans are for the regulation of surveillance camera and biometric use, especially facial recognition and especially as the use of AI expands into that area?
In summary, it is a much better Bill, but there is a lot of work to do.