Draft Local Audit Bill ad hoc Committee

Memorandum submitted by Liberty

About Liberty

Liberty (The National Council for Civil Liberties) is one of the UK’s leading civil liberties and human rights organisations. Liberty works to promote human rights and protect civil liberties through a combination of test case litigation, lobbying, campaigning and research.

Liberty Policy

Liberty provides policy responses to Government consultations on all issues which have implications for human rights and civil liberties. We also submit evidence to Select Committees, Inquiries and other policy fora, and undertake independent funded research.

Liberty’s policy papers are available at http://www.liberty-human-rights.org.uk/policy/policy-papers.php

Introduction

1. The Draft Local Audit Bill (“the Draft Bill”) was published by the Department for Communities and Local Government on 6 July 2012. Liberty is pleased to have the opportunity to feed into pre-legislative scrutiny of these proposals. The Draft Bill provides for the abolition of the Audit Commission, the body currently charged with ensuring that public money is properly used, and the repeal of its governing statute, the Audit Commission Act 1998. It introduces a new decentralised and privatised regime for the audit of local and public authority financial accounts, providing for local authorities to appoint their own auditors. This submission will focus solely on Part 6 of the Bill which makes broad provision for data matching and data mining at the Government’s imperative. This provision largely mirrors sections 32A–32H of the Audit Commission Act 2008 inserted by the Serious Crime Act 2007.1 Liberty briefed Parliamentarians to express concerns around the privacy implications of these provisions during the passage of the Serious Crime Act. Many of the same concerns arise in relation to Part 6 of the Draft Bill.

Data Matching and Data Mining: The Privacy Implications

2. With the development of computer technology has come not only the ability to store vast amounts of information but also the ability to automatically sort, extract and compare data. Data matching is the automatic, computerised searching of large volumes of personal data to determine how far different data sets match. Closely related to data matching is the process of data mining—looking at certain items of data or at patterns within data as indicators of a particular characteristic, tendency or behaviour. Specialised software is used to “profile” mass amounts of innocuous information in order to identify patterns or characteristics that might indicate some sort of unusual behaviour or impropriety. Data thrown up by these technologies, often without any initial human intervention, will inevitably highlight entirely innocent activity as patterns which appear suspicious. These kinds of data processing carry the clear potential to mislead, given that they operate, by necessity, on the basis of simplistic generalisations about human behaviour or stereotypes about the implications of personal characteristics.

3. The Draft Bill gives the Secretary of State the power to conduct data matching exercises or to contract with third parties to do this on his behalf.2 Information can be required from various local authority bodies3 and requested (under a voluntary scheme) from an unidentified—and presumably unlimited—set of “other” bodies, situated both within England and Wales and elsewhere.

4. Whilst the Data Protection Act 1998 (“the DPA”) provides important safeguards against the misuse of personal data, the proliferation of data matching and data mining technologies has brought new challenges. At the time the DPA was brought into force, processing more usually involved dealing with small amounts of data. The DPA is not well adapted to regulate mass data processing exercises. The second data protection principle, for example, permits data processing for “one or more specified purposes”, but all that is required is that the Information Commissioner be notified of these purposes. This framework allows for mass processing for multiple purposes subject only to the administrative requirement of notification. The limitations of our data protection framework mean that it is imperative that legislation providing for automated data processing be closely scrutinised for its impact on personal privacy. Our Human Rights Act 1998 (“the HRA”) provides the ideal overarching framework for this kind of analysis, protecting, as it does, a core of fundamental rights capable of accommodating significant technological developments.

5. Article 8 of the European Convention on Human Rights as protected by the HRA protects the right to respect for personal privacy. Whilst this is not an absolute protection, interference with this right must be in pursuit of a legitimate aim, and crucially must be proportionate to that aim. One of the factors which can be weighed in the balance in determining the protection provided to personal privacy is the need to prevent crime and disorder. The rationale given for the data processing provisions set out in Part 6 is the need to detect and prevent fraud.4 Whilst we appreciate the damaging implications of fraudulent activity and in particular the impact on the public purse of social security fraud, as currently drafted Part 6 is broad and ill-targeted, providing inadequate protection for personal privacy.

The Effect of Part 6

6. Broadly, Part 6 provides that extensive data matching powers will be available to the Secretary of State with respect to data sets from a vast range of different bodies. Part 6 largely mirrors sections 32A–H Audit Commission Act which deal with the data matching capabilities of the Audit Commission. The main differences are that the relevant entity is now the Secretary of State—not the Commission—and the Draft Bill, unlike the Audit Commission Act, does not include certain medical bodies (and therefore medical and patient data) within the data matching regime.5 The decision not to include medical bodies on the face of the Draft Bill is a positive development as it narrows the information available, excludes a subset which is unlikely to be of particular value in the prevention and detection of fraud and protects some of the most sensitive data of all. However, as discussed below, we remain concerned about provisions of the Draft Bill which allow for the extension of the data matching regime by regulation.

7. Clause 84 sets out the general power to conduct data matching exercises, which encompasses both literally matching data sets to see how far they match and also identifying trends in that data.6 Clause 84(3) provides that the power is only exercisable for “the purpose of assisting in the prevention and detection of fraud”, however the Secretary of State may, by regulations, add to the purposes for which these exercises may be carried out.7

8. Clause 85 obliges certain relevant authorities to provide data at the request of the Secretary of State, if this data is reasonably required. A relevant authority includes any of a list of 27 categories of public body, which the Secretary of State may add to by regulation.8 Complementing Clause 85, Clause 86 gives the Secretary of State the power to request the provision of data from bodies not otherwise obliged to provide it (including bodies outside England and Wales).9 Clause 86(3) ensures that bodies choosing to provide such data will not be in breach of confidence if they do so. This does not include any disclosure of data which would breach the Data Protection Act 1998, nor any disclosure prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000.

9. Clause 87 sets out the circumstances in which the Secretary of State may disclose the data or the results of the data matching exercise. This includes to audit authorities, local authorities acting with the function of a local auditor and in pursuance of any statutory duty. Clause 87(6) sets out restrictions on how this disclosed data is to be dealt with. Clause 88 gives the Secretary of State power to publish the results of the data matching exercise, but prohibits any such report from containing information from which an individual or body could be identified.10

10. Clause 89 is procedural and outlines the Secretary of State’s power with regard to setting a schedule of fees for data matching exercises. Fees will be levied on those obliged to provide information, and may be levied under the voluntary scheme set out at clause 86.

11. Clause 90 obliges the Secretary of State to establish, maintain and publish a code of data matching practice. The code is to be created only after consultation with various bodies.

12. As discussed above, Clause 91 gives the Secretary of State wide powers to add to the list of purposes for which data matching may be carried out. Clause 91(2) obliges the Secretary of State to consult with various persons, but she will have the final say on any regulations made to amend Part 6 in this respect.

Specific Concerns

The scope of data processing

13. Clause 84(2) states that “A data matching exercise is an exercise involving the comparison of sets of data to determine how far they match (including any identification of patterns and trends).” The phrase in parentheses appears to give the Government licence to data mine, over and above data matching, by profiling innocuous mass data in order to identify patterns or characteristics that might indicate some sort of unusual behaviour or impropriety. As a form of data processing, data mining is particularly problematic, allowing for large-scale and ill-targeted fishing expeditions liable to throw up misleading or unreliable results. The Bill makes it mandatory for certain local bodies to provide information for data mining purposes and, although it removes the criminal sanction for not doing so, the reality is that vast swathes of personal data will in practice be made available to Government for vague and entirely speculative purposes. Removal of the words in parentheses would help to limit the extent to which Part 6 allows for the fishing expeditions which characterise data mining.

Voluntary provision of data

14. Clause 86 provides for the Secretary of State to use any data from any other body or person (ie any source at all not included within the mandatory regime applicable to “relevant authorities”) where this is voluntarily provided and does not contravene the DPA or the prohibition of unlawful interception. Liberty is concerned about the implications of this incredibly broad provision. No attempt has been made to circumscribe the types of data which may be sought, their subject matter, nor the body which may be asked to provide the data. The risk is that bodies which retain particularly sensitive sorts of data, or information not obviously linked to the explicit purposes of the Draft Bill may be asked to supply data. This could include central Government departments which could provide access to NHS records and private bodies like banks, insurance companies and building societies. This, combined with the broad powers of disclosure set out at clause 87 of the Draft Bill and provision for the Secretary of State to extend by regulation the “reasons” to collect such data, allows for huge amounts of personal information to be collected, sifted, retained and disclosed.

15. Liberty believes that the Draft Bill should, as a minimum, list the bodies which may voluntarily provide data for the purpose of data processing under Part 6. This will allow for the case to be made for the inclusion of each and for the Government to make explicit how it expects data held by these bodies to assist in the prevention or detection of fraud.

Secretary of State regulation making powers

16. Clauses 85 and 86, read together with Schedule 2, outline the bodies to which Part 6 applies—Liberty is concerned about the wide range of bodies included here. We raised concerns over similar provision in the Serious Crime Act 2007, although we are pleased that Part 6 appears to include a somewhat narrower range of bodies on its face, including the removal of a reference to medical bodies. However we remain concerned about the possibility of this list expanding at the Secretary of State’s imperative. This regulation making power, combined with the power to extend the purposes for which data may be processed, creates a real and worrying risk of function creep, without even the scrutiny provided by full Parliamentary oversight. As a minimum Liberty urges the Committee to consider the value of recommending the removal of wide regulation making powers with the potential to significantly expand the scope of data processing under the Draft Bill, both in terms of the bodies included in the scheme, but more particularly in terms of the purposes for which data may be processed. If the Government feels there is a case for extending these powers, the most appropriate forum for realising such a significant reform is primary legislation which brings with it the benefit of full parliamentary scrutiny.

Disclosure

17. The Draft Bill would give the Secretary of State the power to disclose information in accordance with the purposes provided for at clause 84; any additional purpose the Secretary of State may decide to incorporate; in pursuit of any statutory duty or to an audit authority in pursuit of its functions or the functions of the Secretary of State under Part 6. Whilst some disclosure would be required if the results of data processing are to be of value for the prevention and detection of fraud (for example disclosure to law enforcement authorities), the disclosure regime set out in the Draft Bill is far broader than this. Liberty believes that disclosure should be strictly limited to law enforcement agencies for those purposes set out on the face of the Draft Bill, namely the prevention and detection of fraud. If the Government wishes to use the data processing provisions of this Draft Bill for other purposes, Liberty believes it should say so in primary legislation and make the case for the proportionality of this stark interference with personal privacy.

Conclusion

18. Large-scale and indiscriminate processing of revealing personal data has serious implications for the right to respect for individual privacy and other rights and freedoms that may indirectly also be compromised. Furthermore blanket data processing is no substitute for targeted, intelligence led, investigations based on suspicion of individual criminality. Liberty believes that Part 6 of the Draft Bill as currently formulated is not sufficiently circumscribed, failing to provide adequate protection for personal privacy. We urge the Committee, in particular, to consider the concerns set out at paragraphs 12–15 of this submission which relate to the breadth of provision for data processing and the disclosure of data.

October 2012

1 See Liberty’s House of Commons Second Reading Briefing on the Serious Crime Bill, available at: http://www.liberty-human-rights.org.uk/pdfs/policy07/serious-crime-bill-2nd-reading-commons.pdf.

2 Clause 84(1).

3 A list of the “relevant authorities” is found in Schedule 2 to the Draft Bill.

4 Clause 84(3).

5 See eg ss 32C(4) and (5) Audit Commission Act.

6 Clause 84(2).

7 Clause 91(1)(a).

8 Clause 4(2).

9 Clause 86(5).

10 Clause 88(2).

Prepared 16th January 2013