Publications on the internet
UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 572-iii
House of COMMONS
TAKEN BEFORE the
European Union Data Protection Framework Proposals
monday 17 September 2012
Rt Hon Lord McNally, Glenn Preston and Tim Jewell
Evidence heard in Public Questions 100–141
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Justice Committee
on Monday 17 September 2012
Sir Alan Beith (Chair)
Mr Robert Buckland
Mr Elfyn Llwyd
Examination of Witnesses
Witnesses: Rt Hon Lord McNally, Minister of State, Glenn Preston, Deputy Director for Information and Devolution, and Tim Jewell, Deputy Director, Legal Directorate, Ministry of Justice, gave evidence.
Q100 Chair: Lord McNally, Mr Jewell and Mr Preston, welcome. We are slightly depleted, not least because one of our members has been appointed as a Minister, another as a PPS and indeed half the Ministers in your Department at the Commons end of it are former members of this Committee.
I am not quite sure how the cards are being shuffled in terms of responsibilities of individual Ministers, but may we take it that as of now you are still responsible for the European Data Protection Directive and Regulation?
Lord McNally: Until midnight on Wednesday.
Q101 Chair: So it may change.
Lord McNally: It may change.
Q102 Chair: Is the policy likely to change?
Lord McNally: No.
Q103 Chair: We will rely on you for answers that will hold good for whoever takes over that responsibility. One of the issues that have been pursued in the UK Government’s development of their position is that they do not want domestic processing to be covered by the Directive in the UK, but they don’t believe that it is anyway. Why is it necessary to try to get it excluded if the legal position is secure and it can’t apply to domestic processing?
Lord McNally: We believe, as you say, Mr Chairman, that the legal position is secure and that, whatever the final outcome of negotiations on the Directive, the British position is protected, but we believe that it is also important to have as good and as effective a Directive as possible with which we are going to have to work. Therefore, we have stayed in the broader negotiations even though, as I say, we are absolutely secure in our position that it will not apply to domestic transfers of information.
Q104 Chair: Isn’t the practical conclusion of the British negotiating position that, if it was redrafted in the way we want it to be, it couldn’t apply to domestic processing in other countries either?
Lord McNally: That is why we are staying in. We believe-and we believe we have allies among other countries in the negotiations-that that is precisely the best outcome for the Directive as a whole. It is almost a belt-and-braces approach. We are securing our own position but we want to argue the case for keeping these matters to domestic control across the Community or the Union.
Q105 Chair: You will have noted that, when we had law enforcement agencies in giving evidence, they were sceptical about the need for a new Directive and quite concerned about aspects that might affect their ability to carry on the job in the way they currently do, particularly information sharing in circumstances when it may be very important to the detection and prevention of serious crime. What is your take on that?
Lord McNally: We have taken very seriously the advice that we have received from our law enforcement agencies. They have been very clear to us that they do get a great deal of benefit from participation in exchange of data with other law enforcement agencies. Indeed, another common-sense reason for us to stay in the negotiations is to make sure that what has proved to be a very effective and beneficial exchange of information is secured following the outcome of these negotiations.
The case we made for opting in as far as these negotiations are concerned is that we believe there is real national interest in making sure that exchanges and co-operation already in existence remain secure and whatever governing instrument comes out of the negotiation is also compatible with our national interests.
Q106 Chair: Privacy International expressed the concern that in some respects citizens’ rights were not as well protected under the Directive as, for example, they are under the Data Protection Act and that there was a mismatch between the across-the-board nature of the Data Protection Act and the more limited nature of the Directive. What is your reaction to that?
Lord McNally: I would be interested to see what their precise criticisms are on this. Of course, our citizens are protected by the Data Protection Act and that will continue. This carve-out for policing and security is to allow the specific needs of law enforcement authorities to be met, but I am not aware that in so doing we weaken the more general protections of the Data Protection Act.
Q107 Chair: One of the concerns is that there is now quite an extensive transfer of information between the law enforcement sector and the private sector. There are things like airline passenger information, to take just one example, where there will be one set of conditions in the private sector and a different set in the law enforcement sector.
Lord McNally: Yes. Where it crosses over I would hope that the protections will be as strong in the private sector. One of the dilemmas we face in these negotiations-and one that I am very aware of-is that, quite rightly, pressure groups like Privacy International are very keen to ensure that the legislation does protect the citizen. Looking across the piece, we are moving into an age where more information is held, available and transmitted. It is going to be a very difficult job to get the balance right between protecting the privacy and the rights of the individual citizen without building in so many safeguards, conditions and safety nets that the other benefit of the digital age is lost, which is the ability to exchange information freely.
I also sit on the Transparency Board chaired by Francis Maude. That is looking at the broader release of Government data. There is the same challenge there. How do you release as much data as possible to allow the entrepreneur to make good use of it in creating jobs and wealth without allowing practices to take place that genuinely would invade the privacy of the citizen? If you ask whether we have reached that state yet, I would say, no, that is why we are negotiating. We keep in mind both those objectives.
Q108 Steve Brine: It is nice to see you again at the Committee; thank you for coming. The Federation of Small Businesses has said in notes to us "that the Regulation as proposed will introduce"-in their view-"additional, and in some cases, unnecessary burdens on small businesses". Minister, I just wonder what your view would be of the impact that these data protection proposals would have on the growth of the digital economy in our country.
Lord McNally: Our intention is that it will have an entirely beneficial effect. Just as the single market gives us access to a market of 500 million, so legislation that will give some kind of harmony to the workings of this sector of the economy could and should be entirely beneficial. Why we are being, for want of a better term, awkward in these negotiations is that we do see that there are real threats to business if we allow the Regulations to emerge in such a way as to put an extra burden on business.
We are also very aware that small businesses could be particularly affected by some of the suggestions, such as an absolute commitment to appoint a data protection officer and some of the other regulations in the proposals, which might be easily absorbed by one of the data giants but which a small enterprise would find difficult. However, we don’t want to do it by a simple cut-off. It may be a relatively small business that is dealing with very highly sensitive data and we wouldn’t want them just to escape their responsibility simply by size. We are trying to get a proportionality into the structure of the Regulations that we don’t feel is there at the moment in what the Commission are putting forward.
Q109 Steve Brine: What happens if we are not successful in introducing the proportionality? Microsoft, who are obviously not one of the little boys, have said that they support the FSB’s views. You have the small and the large there saying that the Regulations should not be so prescriptive. I just wonder if the prescriptive nature of this Regulation is necessary to ensure the EU-wide harmonisation that the Commission are trying to get at. Wouldn’t a general Directive be a better approach?
Lord McNally: Yes. That is exactly what we will continue to argue. We think the Regulation is too heavy-handed and prescriptive in an approach to something that would be much better dealt with by a Directive that leaves a great deal more flexibility to domestic implementation.
Just to go back to a point that the Chairman made on the Directive covering the police and law enforcement agencies, yes, we do think it is a bit soon after the last tweak to this in 2008 to be looking at it again. It is a matter of balance whether you say that, since you are looking at the Regulation, which is much older, you might as well take another look at the police and law enforcement Directive at the same time. It is an argument for starting from square one again with that. From what I understand, the balance of the discussions so far has been much more about what’s in the Regulation and whether it could be better handled in a Directive rather than going back to square one with the police and law enforcement Directive.
Q110 Steve Brine: In conclusion, what I am trying to probe is the Government’s resolve on this matter. You say it is heavy-handed and prescriptive. The EU has form in this area and in lots of areas. I just wonder how far the coalition Government is prepared to push it. If you don’t feel that this is in the interests of our country, how far are you prepared to push it?
Lord McNally: We are not negotiating for failure. We believe that we have allies. As always with European Union negotiations, there is an element of the souk about the negotiations. The Commission come up with ideas and proposals and then others say, "No, thank you." Although the negotiations have been slow, we are not in a position where we feel that we can’t achieve our objectives. I emphasise that our objectives are very close to what you have just outlined. We want something that is proportionate, flexible and that doesn’t impede entrepreneurship by either large or small companies but does get the balance right in protecting the privacy of the citizen.
Q111 Jeremy Corbyn: I have a short supplementary question. You said you were worried about over-heavy regulation. Do you feel that the proposals or the outcome of all this discussion will be adequate protection against data mining and then profiling advertising to sometimes very vulnerable people?
Lord McNally: I hope so. In the two years that I have been in this job I have become aware that we are really at the dawn of a new era in terms of just how much information is in the hands of various organisations, and the possibility and capability of its misuse.
I will tell you a quick anecdote. It is no slur on Tesco but it is what was said to me. I went to see one of our organisations that was demonstrating to me their various capabilities. I said to the man who was doing it, "There are quite serious implications for civil liberties in this." He said, "I wouldn’t worry, sir. Tesco know much more about you than we do."
In a way it is true. The capacity to acquire information about the citizen and to cross-reference it is quite serious. All I can say is that we are alert to that and want to build it into both our domestic and EU legislation because that threat does exist. One can only say that I think parliamentarians and legislators at both European and national level have to be aware of that threat. In the new digital age it is the downside to what is also a very exciting opportunity in terms of exchanging information for the benefit of the citizen.
Chair: We will come in a later question to the issue of whether individuals can get out of all this. In the meantime, Mr Llwyd has a question.
Q112 Mr Llwyd: I am tempted to say that every little helps, but I won’t. That would be plain silly.
On the issue of perceived costs and benefits, the impact assessment and the summary published by the Commission make certain presumptions and certain statements. They believe it is going to deliver substantial administrative savings. However, we believe that the initial assessment suggests that the Commission’s thinking does not in fact provide a credible foundation underpinning the proposals that they have and the way in which they say it is going to save money and time.
I won’t detail exactly what they are, but we have certain misgivings about the way in which the Commission believe these savings are to be made. My question to you and your colleagues, Lord McNally, is whether the Department has yet been able to use its improved modelling capacity to make an assessment of the costs and also benefits to the UK of the proposals.
Lord McNally: First of all, we share your concern. The other thing I have learned in the last two years is that both domestic and EU organisations that claim the benefits for any particular policy initiative invariably are optimistic when they present the savings and benefits that are likely to come from it. We are doubtful. I do know that the Department is planning to do its own exercise. I don’t know if you would like to explain that, Glenn.
Glenn Preston: We are committed to doing our own impact assessment of the Commission’s proposals. The aim is for us to make that publicly available-so available to this Committee and the European Scrutiny Committees-before the end of this calendar year. That is proving challenging, partly because we are trying to get information out of the Commission on the basis of the methodology that was used for their own impact assessment, which is taking slightly longer than we hoped it would. That remains the aim. The purpose of producing that is to have a public discussion domestically but also with our EU partners about a proper analysis of the costs and the benefits, which we think was slightly lacking in the impact assessment provided by the Commission.
Q113 Mr Llwyd: I accept what you say, Mr Preston. This may be an unfair question, but I ask it anyway. Do you believe at this stage that the Commission’s estimate of €2.3 billion savings is reasonable and achievable?
Glenn Preston: No, we don’t. We have already provided an impact checklist to the Scrutiny Committees where we said we didn’t think that was an accurate reflection and that it was more likely to be a negative outcome on the basis of the Regulation as published in January. That is the analysis that we are doing. Obviously we would seek to change the content of that Regulation substantially. So part of what we will be doing is also looking at the different options that may exist if we end up with a very different instrument at the end of this, which is why it will take some time. We don’t share the view at the moment that it has a €2.3 billion benefit to the EU economy.
Q114 Mr Llwyd: Taking Lord McNally’s point, this €2.3 billion could be wildly optimistic.
Glenn Preston: It could be optimistic. I don’t know if it is wildly optimistic, but it certainly looks initially like it is optimistic. It is important to stress the point about this being on the basis of the Regulation as published at the start of the year. We would expect the final instrument, whether it is a Regulation or a Directive, to be considerably different and to be less burdensome and prescriptive. Therefore, it could well have a more beneficial impact if that is the case.
Q115 Mr Llwyd: This leads me on to my next question. The Information Commissioner gave this Committee estimates of the impact on his office. He said that, if his office fulfilled the minimum duties required of them in the Regulation, they would in fact be seeking a 56% increase in funding amounting to £8.4 million. A more realistic estimate, given the new duties being imposed, could well turn out to be £28 million. The Commissioner said, memorably I think, "This system cannot work. Nobody will pay for it."
My question is: how will the Government fund the additional resources estimated at a minimum of £8.4 million that the Information Commissioner’s Office will require?
Lord McNally: First of all, I would say that it is not only EU Commissioners that indulge in the politics of the souk; so do heads of Government organisations that want their organisation funding. I don’t know whether those figures are absolutely accurate. There are problems about some of these proposals in that ending charges would take an income stream away from the Information Commissioner.
Of course, this would need discussions with the Treasury and the Government as a whole. The Information Commissioner is right. If we want him or his successors to do their job, we have to give them the resources to do it. There would have to be a proper negotiation about how to run an effective office if the present funding structure doesn’t work. What I wouldn’t like to see is a kind of salami slicing of responsibilities to save money so that they can struggle on. I do believe that, whatever comes out of this, we need an Information Commissioner to be able to carry out the necessary responsibilities, both under data protection and under freedom of information. As a country, we have to be willing to give him or his successors the funding and the stability in order to do their job. In return, the Information Commissioner needs to run a tight ship and to run it efficiently and effectively.
Q116 Chair: I think what the Commissioner was saying was that in this country, where we have a relatively well-resourced Information Commissioner, it is inconceivable that so much more money could be spent. So what is it going to be like across the rest of Europe? In other words, he was drawing from the UK conclusion that the whole structure was unaffordable.
Lord McNally: I agree. Indeed, on Wednesday morning I will be in Brussels with our Information Commissioner talking to a panel of European parliamentarians and we will be making that very point. It is a point worth making. We often castigate ourselves on our record on these things. Our Information Commission Office is well resourced compared with other parts of Europe, although the Information Commissioner continually tells me how difficult it is to do his job on the budget he has. As I say, that is why one of the things we will be pointing out in the nicest possible way to the Commission is that having a wish list of extra responsibilities and tasks for the Information Commissioners across Europe is going to be genuinely wishful thinking because the resources simply won’t be there in the present circumstances to fulfil this wish list.
As I said before, our starting point is that that wish list would end up with the worst of all worlds, which is an over-prescriptive, over-bureaucratic, costly and business-stifling regime that would not give protection anyway to the citizen.
Q117 Mr Llwyd: Thank you for that. It is what Mr Preston was saying earlier: there will be work now done to see what the estimate truly is. I am probably stating the obvious, but no doubt you will be in close liaison with the Information Commissioner’s Office to see how they have come up with their figures.
Glenn Preston: Yes; that is absolutely right. We have already been working with them on the production of their estimates which they shared with this Committee. They have shared them with us too. We have to have that discussion in the context of the funding model for the Information Commissioner more generally.
We provide at the moment for grant in aid of about £4.5 million for all their freedom of information functions. We have this Select Committee’s recommendations to consider in the context of post-legislative scrutiny of that Act and any potential impact on the funding of the Commissioner alongside the EU proposals, where the notification system, as Lord McNally has already said, is due to disappear-so a big funding stream disappears for them-and potentially some other functions that other Departments are interested in giving to the Commissioner too. We are talking with them now both about the impact of these specific proposals as a burden on the Commissioner’s Office but looking more generally at how the Information Commissioner’s Office is funded, with a view probably to having to find a different method of funding him and his office.
Q118 Chair: The other part of what the Commissioner was saying to us was that the nature of the work he was going to have to do was not particularly beneficial. It would be much more process-related and questioning of firms about their failure to make the appointment of a data controller or data protection officer, rather than going after egregious failings and carrying out advisory work to raise standards and achieve better outcomes. Not only would money be spent on a cumbersome process but it wouldn’t achieve the outcomes which are desired.
Lord McNally: Indeed. I do think that we and the Commissioner are on the same page on this. The warnings that he has given from his vantage point are identical to the warnings that we have been giving to the Commission about the way they are going about it. There are just small things like wanting prescriptively to write in a specific 24-hour notice of a breach. That may be good guidance, but, if there has been a breach, it may be better to spend that first 24 hours trying to make sure that people are aware of it and that corrective actions are taken, rather than going through the tick-box of, "We have notified the Commissioner within 24 hours."
He has drawn attention to a range of practicalities for him that can be mirrored by the practicalities that will face companies in trying to match what we believe is an over-prescriptive regime. As I have said before, I am not pessimistic that we can’t achieve success in getting this changed.
Q119 Mr Llwyd: I am pleased to hear that final remark. When one considers that we are dealing with a fairly well-resourced Information Commissioner’s Office over here, how on earth is it expected that less well provided entities within the other European Union states are going to be able to comply? It is beyond belief really, isn’t it? It is rather difficult to imagine how the thing is going to be workable without much simplification and amendment, which no doubt you are working hard on now.
Lord McNally: I don’t think so. In a way, if they had the power-and they don’t-to steamroll this through, it would prove a pyrrhic victory for the Commission because it wouldn’t work. What we want is something that works.
Q120 Mr Buckland: I have this wonderful image in my head now, Lord McNally, of you haggling in the souk. Whether it is to buy a carpet or other item I don’t know, but I have this great image. It is the right image, if I may say so. It is a very fair characterisation of the nature of negotiation. We shouldn’t be shying away from the reality of it.
I want to look at some of the details of the proposed Regulation. I will start with Article 17, which is the so-called "right to be forgotten". It is a development on from the "right to erasure". It has been warmly welcomed and is seen as a step forward in terms of ordinary citizens being able to have their data removed from a database. Of course it is hedged with a number of qualifications, which again are entirely understandable. Is there not a danger that expectations are being unduly raised by the use of such slogans as "right to be forgotten", whereas the reality is going to be somewhat different?
Lord McNally: Yes, is the short answer. That is why, even from the very early stages of this, we have suggested that "right to be forgotten"-which is a great headline and a good soundbite-is not practical. Anyone who knows how information goes round the world in this technology knows that. What we are hoping to do, again, is to make it clear that the individual citizen does have rights to get data expunged or changed, but what we don’t want is to give particularly young people the idea that they can put things on social networks and that somehow they can recall it at will because they can’t.
There are a number of problems with the provision. For example, it creates a somewhat misleading right that may encourage reckless posting of information in the mistaken belief that it can be recalled. The UK supports strong deletion rights, but the term "right to be forgotten" is unhelpful given the details of the provision. We might suggest a change in the name in order that it better reflects the rights that are actually given. The way you have presented it is the right approach. We will use the technology that does exist and the rights that we can build in to give people control over their information but remind them of the reality that this is a technology where a complete right to be forgotten is unattainable.
Q121 Mr Buckland: It may be best to keep it simple and just call it a "right to erasure"- just keep it as it is.
Lord McNally: Yes.
Q122 Mr Buckland: I turn to the question of the rights to access data of subjects-subject access rights-which is covered in general terms in Article 15. In particular, I want to look at the debate that is being held about the merits of charging-of organisations being able to charge people to access their own data. It happens already. A £10 fee is often levied. It is the Government’s position that, unlike organisations such as Which?, the Government do not support access rights being universally exercisable free of charge.
At the same time the Government have their mydata programme, which aims to make it easier for consumers to have access to their data. How do the two positions sit with each other? Isn’t there a contradiction between the Government’s position on mydata and their attitude towards charging?
Lord McNally: There may be a slight rubbing up against the two objectives. As you have just said, the Government currently set a £10 fee for access. It is important to note that many organisations do not charge this fee; instead it serves as a useful filter to deter more speculative requests if those are problematic for the data controller. You had a similar discussion and debate when you came to freedom of information.
Chair: We came to a no-charging conclusion.
Lord McNally: This is a different issue from the mydata initiative. This would allow firms to sign up in order that data subjects can move their data around if they wish to. In each case we support the same principle of maintaining maximum flexibility for both the data subject and the data controller. Additionally, although there is a right to data portability in the proposed Regulation, we believe that this would be better suited to a consumer-focused internal market instrument.
I will be interested to see where we end up on this. As I say, the Information Commissioner does not want to lose an income stream. I don’t know whether it is a filter and deterrent. As I say, you had the same argument with freedom of information.
Q123 Mr Buckland: It is slightly different. Let’s take me. This is my data. It is my information. Why should I have to pay to have access to know what information about me is being held?
Lord McNally: That is a very powerful argument. I don’t know whether either of my colleagues can comment.
Glenn Preston: The purposes are different. The subject access request as it is written into the current Directive and the Data Protection Act is about access to sensitive personal data. It is not usually for the purpose of changing your utilities provider, for example. The mydata initiative is focused more on that transactional level of data so that you can speak to your mobile phone company or gas company and say, "Give me this in a readable format that I can hand to somebody else who will give me a better deal." The purpose of that is quite a different thing from the vast majority of subject access requests that people are using for very different personal reasons. We can see differences between the two things that can justify the charging point that you make.
Tim Jewell: Similarly, there is the wider point. If one looks towards the front of the Regulation about the principles that inform the holding by other people of data about oneself in any event, they are relatively restrictive, aren’t they? They are necessary for a specific purpose and only held in a proportionate way for as long as it is needed. Whilst it is quite right of course to say, "It is data about me", it is data which there was a valid purpose for that other person to hold for the duration that it is necessary for them to hold it for.
Q124 Mr Buckland: There is a worry amongst a lot of us that in various capacities we will have given personal data to organisations. Sometimes we tick boxes to make sure it is not shared; sometimes we don’t-perhaps we are in a rush to do things. I know it is up to individuals to exercise a degree of responsibility, but it becomes difficult for the individual to know precisely where his or her personal data is being held, doesn’t it? As Lord McNally properly concedes, there is a certain unfairness in seeking to charge people just to find out what should be their right to know about who or what organisation holds information about them.
Lord McNally: I think you are right. The concept of "This is my data" is very fundamental. As Mr Corbyn was saying, the bottom line with organisations that mine data and do profiling is that it is not their data; it is the individual’s. That has to be a very important principle in both drawing up the laws and in making sure that companies behave in a proper way.
Q125 Jeremy Corbyn: I would ask a short supplementary on that, and thank you for that point. If the EU draws up appropriate firewall regulations that prevent a supermarket chain or travel agent sharing information, what regulation could there be that somebody could base an internet provider outside the EU, collect information from commercial enterprises in the EU and then re-sell or re-advertise within the EU itself? Is there any way of preventing that?
Lord McNally: It is very interesting that you ask that question.
Q126 Jeremy Corbyn: Would you rather I didn’t?
Lord McNally: No. What I would say to the Committee, quite seriously, is what I said at the beginning. We are at the dawn of a new age. We are going to find all kinds of problems that will be thrown up that will need fleetness of foot and flexibility to deal with. This goes back within the EU to how poorly-resourced regimes will handle this. What happens if some island in the Caribbean suddenly becomes a data centre, rather like some of them have become banking centres. Suppose you have companies that have data headquarters in regimes that can’t possibly police them doing some of the things that you worry about.
My argument would be that that would strike me as a case for even greater international co-operation in dealing with some of these issues. I suspect they are issues that are coming down the track towards us in getting the balance right. That is why, in some ways, our argument for a slightly more flexible and lighter touch will allow us to be able to respond to some of these new challenges rather than having a rather sclerotic regulation that would be very difficult to change in response to new circumstances.
Q127 Jeremy Corbyn: The issue isn’t just the big companies. In a sense, you regulate, and the big supermarket chains and so on would probably accept the Regulations; they would have to. It is not that difficult for an individual either to hack in and collect information on somebody’s spending habits or use a rogue company to do it and access it via a Caribbean island or the Pacific or somewhere. Then they could set up a very attractive advertising opportunity to get through to a whole lot of individuals by e-mail, having illegally collected information on them. The individual receiving the advertising offers wouldn’t even know where the information had come from in the first place.
Lord McNally: I think that is probably true. That is a gamble. We are really only at the beginning of being able to look at some of this properly. We can be absolutely sure that, just as we are working hard to set up a regime that will be beneficial to the citizen and to entrepreneurs to run honest companies in an honest way, there will be those who will be looking at how to abuse these systems and technologies. As I say, that is one of the challenges of twenty-first century Governments.
Q128 Chris Evans: We have heard from a number of industry groups who have been concerned about the Regulation. In particular, the BMA talked about concepts of patient confidentiality, while the Newspaper Society raised issues about freedom of speech. What are your views on this Regulation? Do they impinge on these key concepts?
Lord McNally: On patient confidentiality, again, there is a slight overlap with our own transparency agenda. It is something of which we are aware. We are aware that the individual citizen is very concerned that their medical records are not able to be disseminated in an improper way. Our conclusions are that, with the way the proposals are put, there are sufficient protections for medical records, but it is something that we will keep closely in view. Have the BMA given us similar concerns?
Glenn Preston: I don’t think we have had them explicitly expressed to us directly. We do think the provisions in the Regulation are relatively strong on this particular point.
Q129 Chris Evans: Are you sure about that? In front of me I have something that says, "the BMA has serious concerns that Article 83 appears to permit the processing of health data, in identifiable form, for research purposes without any reference to consent."
Glenn Preston: That may have been in evidence to this Committee.
Q130 Chris Evans: Is that something they have said to you?
Glenn Preston: Not that I am aware of, but I don’t want to say for definite that they haven’t said it.
Chair: It is evidence to us, which we can certainly let you have.
Glenn Preston: It is evidence to the Justice Select Committee. That would be extremely helpful.
Q131 Chris Evans: Are they right to say that Article 83 appears to permit the processing of health data? If so, what protections are in place?
Glenn Preston: I think we should take this away from this session, but our take on the Regulation as it is drafted is that it already requires or has a classification for special category of personal data. There are specific measures in there that talk about how you safeguard that. There is also an exemption for the "right to be forgotten" for data concerning health, again subject to certain conditions and safeguards. It is quite well provided for in there. It sounds to me, on the basis of what you have just read out, Mr Evans, that we will need to have a specific discussion with the BMA to inform our negotiations in the working group in the Commission.
Q132 Chris Evans: I am quite concerned that the BMA have sent some evidence through to us but haven’t sent that to you, and you will be framing the Regulation. Obviously medical records are extremely sensitive. What level of safeguards would you like to see in place before they were released to researchers?
Glenn Preston: We feel that the safeguards written into the Regulation at the moment are significant.
Q133 Chair: The key issue is whether there can be any use of identifiable information without consent. The principle we have had hitherto is that identifiable information requires patient consent. This seems unclear in the Regulation.
Tim Jewell: If it is of assistance, it may be worth simply pointing out, of course, that there are two Articles that are relevant to this question. The first is that which relates to health itself, which is Article 81. That is where the person-specific questions most generally would arise. There is a first level of protection in relation to data relating to health.
The Article that you mentioned is Article 83, which is processing for historical, statistical and scientific research purposes. There, too, there is a hierarchy of protections, which begin with consent, which you mentioned, and then there are some narrow exceptions. As Mr Preston suggested, one has to look at the two together. It is not a single layer of protection. One starts with a health protection, and then only if the additional protections in Article 83 kick in can you process for historical, statistical and scientific research purposes.
Q134 Chris Evans: But it is still identifiable, isn’t it? The research is still identif-I am struggling here a bit with the word "identifiable". I didn’t put my teeth in.
Tim Jewell: As I understand it, it would be very much the exception. I can’t think of any instance of aggregated medical research of that sort, which is where the benefit is to be obtained, where an individual would be identifiable from the data itself. As I say, there is a consent requirement in Article 83 too where that would be requested, but it requires some more detailed consideration.
Lord McNally: It is a warning well taken because, as you rightly say, that is something where people are really very sensitive. I know that because the Transparency Board had a similar exercise when we were discussing releasing data from the national health service. Immediately there were stories in the newspaper that the Government were about to sell medical records and so on. There is a difference between data that is absolutely anonymised so that it can be used for proper research and assessment, but, even there, you have to be extremely careful that some of these clever chaps can’t cross-reference various sources of information to identify individuals. It is an awareness of the threat. Certainly we will take extreme care to make sure that medical records are properly protected under any proposals.
On the freedom of speech issue, Article 8 states very clearly that the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression should be open to exemptions or derogations.
Again, I ask my colleagues who are dealing with this daily, have we had from the media specific concerns on these? It does seem to me that Article 8, chapter 1, is very specific on this.
Glenn Preston: It pretty much replicates what was already there in the existing Directive. There has not been a great call for us to change or amend that. Certainly we don’t have any expectations that that is high on the list of things that people have been concerned about.
Chair: It is around the "right to be forgotten". One can imagine circumstances in which there would be a legitimate public interest in not allowing something to be forgotten.
Q135 Jeremy Corbyn: I want to raise a point on medical records. There have been reports recently of a number of hospitals outsourcing hospital letters to India. In the case of my local hospital, apparently 90,000 such letters have been drafted in India. They are e-mailed back to the UK, allegedly anonymised, and then the names are added in in the UK and the actual printed letter produced and sent out. Clearly, India is not within the EU restrictions and couldn’t be, for obvious reasons.
Whilst I am not suggesting there is any foul play at the moment or anything has gone wrong, there is clearly a danger, with a huge amount of medical information of a very large number of people being held by internet providers in a completely different jurisdiction. It is not beyond the wit of somebody with a devious mind to try and get hold of the patient name information and then you have a ready-made source of pressure, advertising and all kinds of things. It could become extremely dangerous. I am not suggesting anything bad has happened, but I think it is something we need to be aware of.
Lord McNally: I can only say yes. We go back to this eternal vigilance. As you say, we are dealing with technologies that make things possible and it is very important that we are alert to possibilities.
Q136 Chris Evans: I want to probe a bit on social media. The world has gone mad for social media. There has been an argument by the Brussels European Employee Relations Group that says that this Regulation is too focused on social media and it is lumping in things that every business has to deal with in terms of processing-employment records and so on-with social media. Do you agree with that premise that this is too focused on social media?
Off the back of that, my second supplementary question is: do you think the Regulation in general will keep pace with future technology or will we be revisiting this in future?
Lord McNally: Yes. I met the head of one of the big Japanese technology companies. Trying to show my credentials and that my technology was up to speed, I said to him, "You know, sir, I suspect that a lot of what we are trying to deal with now will be out of date in 10 years." He said, "Three years." Future-proofing for domestic or international purposes in this area is an ambition that is beyond us all. We have to keep the flexibility within what we are doing to be able to adjust to new circumstances.
You are right that some of the proposals seem to be over-concerned with social media, and the "right to be forgotten" slogan is part of that. Again, what we are really looking for is a coherent set of rules that will apply for all data controllers, which is simple and clear to understand and apply, but with a realisation that we are moving in an age of rapid change. I suspect that we will all be coming back to this as it develops.
Q137 Chair: One of the ways in which the Commission envisage that the change will be coped with is by delegated Acts. The Government and others have expressed some concern about the amount of delegation and therefore the departure from the decision-making processes that that Regulation requires and would involve.
Lord McNally: Yes. The House of Lords gets very excited about Henry VIII clauses in Bills. These look very much to us like Henry VIII clauses. We share the House of Lords’ disapproval of Henry VIII clauses where they can be avoided. This should not be taken as a statement of Government policy about future legislation.
Q138 Chair: I would like to feel that it is a statement of Government policy.
Lord McNally: We have made it clear that we are not in the business of signing blank cheques for the Commission. We understand and appreciate that there is concern about mission creep by the Commission. Therefore we will resist such clauses in the Regulation.
Q139 Chair: What do you see as the time scale for negotiation and eventual decision making?
Lord McNally: The Commission have a very ambitious time scale. They want to see substantial progress during the Cypriot Presidency, which is on now, and conclusion during the Irish Presidency, which is the first six months of next year. To be fair, the Cypriots have given priority to these negotiations and devoted the time to it, and as far as we understand, the Irish are taking a similar approach, but whether they will be successful or not, I don’t know. We are negotiating to get results, not to fit into a timetable. We are certainly not on a go-slow or anything else. We simply want to get the best practical result from the negotiations.
Q140 Chair: I suppose the worst outcome for business would be a bad result of negotiations. It is in businesses’ interests to get things cleared up as soon as possible so that they know the position.
Lord McNally: Yes; this is always true. Obviously, because there is pressure to get this settled before the present European Parliament term ends in 2014, and because the negotiations have been going on a number of years now, there is a push to try and get a satisfactory outcome. But that always cuts two ways. If the Commission want an early result, then it may well be that they have to make substantial concessions to get the kind of outcome that we want.
As I say, what we want is a lighter-touch and more flexible system, which can give the benefits of harmonisation without the downside of over-bureaucratising and over-burdening business, yet keeping very much in mind the kind of things that Mr Corbyn has been talking about. There are real threats out there to the citizen that also have to have their proper place in this exercise in legislation.
Q141 Chair: We will be reporting on this matter very shortly. I anticipate it will be at the beginning of Parliament’s return in October. We are very grateful to you, Lord McNally, to Mr Preston and Mr Jewell. We are also very intrigued to know to which of your ministerial colleagues you have passed this particular parcel.
Lord McNally: I was just going to say that it would be rude of me not to mention that I am going to Brussels tomorrow. One of the other points I should make is that this is a joint determination exercise with the European Parliament. That is why I am going to have these meetings with the MEPs. Therefore, at midnight on Wednesday I will be handing the torch over to Helen Grant, who I think is known to this Committee.
Chair: Indeed. She is a much respected former colleague. Perhaps the analogy of the torch is a more congenial one than that of the parcel. Thank you very much indeed.