On Tuesday 3 December, members of the House of Lords began Committee Stage – a detailed, line by line, scrutiny of the Data (Use and Access) Bill.
It is an incredibly important piece of legislation that will:
- pave the way for the ‘smart data’ model to be used in more sectors
- establish a trust framework for digital verification services
- place the national underground asset register on a statutory footing
- enable births and deaths to be registered electronically
- apply information standards to IT services within health and social care to make patients’ data more easily transferrable across the NHS
- remove the requirement for police to log a justification each time they access someone’s personal data
The Government have said the Bill will “harness the power of data for economic growth, support a modern digital government, and improve people’s lives”. I agree that there is a huge opportunity here and have been writing about the potential of open finance, smart data, effective data sharing in the NHS and the benefits of digital ID for years (see links to past posts below).
This is then a somewhat delayed but hugely welcome bill and Committee Stage affords us an important opportunity to discuss the detail, analyse every word and, if necessary, suggest changes, aka amendments (PDF).
On Tuesday the main themes up for debate were cyber security and, related to the digital verification services, concerns about accountability and digital inclusion.
Cyber security and cyber resilience
A series of amendments related to cyber security were put forward. Lord Arbuthnot proposed an addition to the bill that would give the Secretary of State or the Treasury scope to introduce requirements on third party recipients of customer data to publish regular statements on their cyber resilience against specified standards and outcomes. As he argued,
Third parties play a vital role in the modern digital ecosystem, providing businesses with advanced technology, specialised expertise and a wide range of services, but integrating third parties into business operations comes with cyber risks. Their access to critical networks can create vulnerabilities that cyber-criminals exploit. Third parties are often seen as easier targets, with weaker security measures or indirect connections serving as gateways to larger organisations.
Further consideration is to be given to the most effective means of driving the required improvements in cyber risk management, including, in my suggestion, making certain guidance statutory. This is not about regulating and imposing additional cost burdens, but rather creating the environment for digital trust and growth in the UK economy, as well as creating the right conditions for the sustainable use of emerging technologies that will benefit us all.
Lord Arbuthnot, House of Lords, 3 December 2024
Baroness Neville-Jones spoke in support of this proposed amendment, pointing out that a Department for Science, Innovation and Technology (DSIT) survey had found that although 75% of senior managers said that cyber security is high-risk, and an important priority, they had not translated that perception into responsibility in the firm for taking on the risk and managing it.
The Minister assured us that Government take this issue hugely seriously and have already committed to producing a Cyber Security and Resilience Bill within this Parliament that will underpin a lot of the protections in this Bill. The Minister was also confident that placing requirements (including security-related requirements) on third-party recipients in relation to the processing of data, as well as publication and formatting, was already allowed for under the current drafting, and did not think the addition necessary.
We came back to cyber security on the last day of Committee Stage, on 18 December 2024, when I introduced two proposals designed to protect legitimate cyber security activities.
The Computer Misuse Act 1990 was introduced to defend telephony exchanges at a time when 0.5% of us were online. If that was the purpose of the Act – that alone would suggest that it needs an update but the Act needs to be overhauled not only because it falls short of how society and technology have changed in those intervening years, but because it is currently putting every citizen in this nation at risk. The Act was introduced without a statutory public interest defence – effectively criminalizing the cyber-security professionals we charge with the job of keeping us all safe. Currently our cyber-security professionals are trying to keep us safe with one arm tied behind their backs.
Just two examples: vulnerability research and threat intelligence assessment and analysis. Both could find that cyber security professional falling foul of the provisions of the CMA 1990. Do not take my word for it. The 2024 annual report of the National Cyber Security Centre, rightly, highlights the increasing gap between the threats we face and its ability, and the ability of the cyber-security professionals community, to meet those threats.
Lord Holmes of Richmond, House of Lords, 18 December 2024
My amendments, in essence, perform one simple but critical task: to afford a legal defence for legitimate cybersecurity activities. That is all, but it would have such a profound impact for those whom we have asked to keep us safe and for the safety they can thus deliver to every citizen in our society.
My Lords, it is time to pass these amendments and give our cyber-security professionals the tools they need. It is time, from the legislative perspective, to keep them safe so that they can do the self-same thing for all of us. It is time to cyber up. I beg to move.
Accountability and oversight of the digital verification service
Back to another important issue raised on day one of Committee Stage – the digital verification service proposals in the Bill. My colleague Lord Clement-Jones put forward a raft of amendments aimed at improving accountability and oversight of the digital verification service. Whilst welcoming the arrival of digital verification provisions he suggested there was a need for greater clarity and argued that “governance, accountability and effective, independent regulation” are missing from the bill as currently drafted, going on to highlight,
There is no mechanism for monitoring compliance, investigating malicious actors or taking enforcement action regarding these services. The Bill has no mechanism for ongoing monitoring or the investigation of compliance failures. The Government propose to rely on periodic certification being sufficient but I understand that, when pressed, DSIT officials say that they are talking to certification bodies and regulators about how they can do so. This is not really sufficient. I very much share the intention of both this Government and the previous one to create a market in digital verification services, but the many good players in this marketplace believe that high levels of trust in the sector depend on a high level of assurance and focus from the governance point of view. That is missing in this part of the Bill.
Lord Clement-Jones, House of Lords, 3 December 2024
Preventing Digital Exclusion
Another proposal by Lord Clement-Jones highlighted the risk of exclusion for those not able or willing to engage digitally. His amendment would enshrine a right to use non-digital verification services. This amendment would create a duty upon organisations to support digital inclusion by offering non-digital verification services where practicable. As he said during the debate,
A significant proportion of the UK’s population lacks internet access, with this issue disproportionately affecting older adults, children and those from low-income backgrounds. This form of digital exclusion presents challenges in an increasingly digital world, particularly concerning identity verification.
Although digital identity verification can be beneficial, it poses difficulty for individuals who cannot or choose not to engage digitally. Mandating online identity verification can create barriers for digitally excluded groups. For example, the National Audit Office found that only 20% of universal credit applicants could verify their identity online, highlighting concerns for those with limited digital skills. The Lords Communications and Digital Select Committee emphasised the need for accessible, offline alternatives to ensure inclusivity in a connected world. The proponents of this amendment advocate the availability of offline options for essential public and private services, particularly those requiring identity verification. This is crucial as forcing digital engagement can negatively impact the well-being and societal participation of older people.
Lord Clement-Jones, House of Lords, 3 December 2024
I am fully supportive of these arguments and will be following the discussion closely. Committee Stage was wrapped up before the Christmas break and we will be back for Report Stage on 21st January.
Catch up
- Watch the Parliament TV recording.
- Read Committee Stage Debates on Hansard
Related posts
Data Use and Access Bill – Data Sharing and Data Protection Concerns – Lord Holmes of Richmond MBE
Here comes the government’s Data Bill – again | Computer Weekly
The transformative potential of the Data Protection and Digital Information Bill
AI in the NHS; turning a UK lead into a golden opportunity | LinkedIn
Fintech Reporting from Westminster – Lord Holmes of Richmond MBE
Department for Science, Innovation and Technology post about the digital verification service