My Lords, as this is a new stage of the Bill, I need to refer again to my entry in the register of interests. I have no current financial interest in any of the regulated companies for which I used to work, in one of which I held a senior role for a decade.
I welcome Amendment 7 and those following from it which change the remote access provision. The change from “remote access” to “view remotely” is quite significant. I appreciate the Minister’s willingness to consider it and particularly the Bill team’s creativity in coming up with this new phrasing. It is much simpler and clearer than the phrasing we had before. We all understand what “view remotely” means. “Access” could have been argued over endlessly. I congratulate the Minister and the team for simplifying the Bill. It again demonstrates the value of some of the scrutiny we carried out on Report.
It is certainly rational to enable some form of viewing in some circumstances, not least where the operations of the regulated entities are outside the United Kingdom and where Ofcom has a legitimate interest in observing tests that are being carried out. The remote access, or the remote viewing facility as it now is, will mean it can do this without necessarily sending teams overseas. This is more efficient, as the Minister said. As this entire regime is going to be paid for by the regulated entities, they have an interest in finding cheaper and more efficient methods of carrying out the supervision than teams going from London to potentially lots of overseas destinations. Agreement between the provider and Ofcom that this form of remote viewing is the most efficient will be welcomed by everybody. It is certainly better than the other option of taking data off-site. I am glad to see that, through the provisions we have in place, we will minimise the instances where Ofcom feels it needs data from providers to be taken off-site to some other facility, which is where a lot of the privacy risks come from.
Can the Minister give some additional assurances at some stage either in his closing remarks or through any follow-up correspondence? First, the notion of proportionality is implicit, but it would help for it to be made explicit. Whenever Ofcom is using the information notices, it should always use the least intrusive method. Yes, it may need to view some tests remotely, but only where the information could not have been provided in written form, for example, or sent as a document. We should not immediately escalate to remote viewing if we have not tried less intrusive methods. I hope that notion of proportionality and least intrusion is implicit within it.
Secondly, concerns remain around live user data. I heard the Minister say that the intention is to use test data sets. That needs to be really clear. It is natural for people to be concerned that their live user data might be exposed to anyone, be it a regulator or otherwise. Of course, we expect Ofcom staff to behave with propriety, but there have sadly been instances where individuals have taken data that they have observed, whether they were working for the police, the NHS or any other entity, and abused it. The safest safeguard is for there to be no access to live user data. I hope the Minister will go as far as he can in saying that that is not the intention.
4 pm
Thirdly, Ofcom should carry out some kind of privacy impact assessment before requiring access. Again, that is standard practice in data protection terms and is a helpful discipline. If somebody at Ofcom is thinking, “Look, I’d really like to view one of these tests remotely”, there should be some kind of internal process where someone says, “I’m just going to look at the privacy impact of that and, if there are concerns, I’m going to work through them”. Doing this before the test is better than finding out after the test that there was an issue; I speak from experience, having worked at a company that did all sorts of things that turned out to be serious mistakes from a privacy point of view. I do not want Ofcom to fall into the same trap.
Fourthly, I would like reassurance that these things will be time-limited. Again, this is not explicit in the Bill, but I hope the Minister will be able to say that the intention is that, when Ofcom asks to view things remotely, those are not going to be open-ended asks but will be a case of saying, “I want to view X remotely for this period of time”—a week, a month, whatever is required—and that there will not be continual viewing, which is where it potentially becomes problematic.
Finally, I want to make a suggestion in this area: that the Government encourage Ofcom, which will be the independent regulator once we have finished with this Bill, to maintain a public register of all the information notices that it issues—without sensitive information, obviously. The fact that Ofcom has sought access to, requested information from and been viewing data at a particular platform is a matter of public interest. It would provide huge reassurance to people in the United Kingdom using these services if they knew that any information requests will be made public and that there will be no secrecy involved in the process. That is my final request, particularly around remote viewing requests. Otherwise, people will create conspiracy theories around what remote viewing entails; the best way to prevent this is simply to have a register saying, “Look, if Ofcom asked company X for this kind of remote viewing, that will never be secret. There will always be an easy way for a citizen to find out that that happened”.
Having said that, we certainly welcome these changes. They are an improvement as a result of our debate and scrutiny on Report.