Skip to main content

Language: English / Gàidhlig

Seòmar agus comataidhean

Meeting of the Parliament [Draft]

Meeting date: Thursday, May 9, 2024


Data Protection and Digital Information Bill

The Deputy Presiding Officer (Liam McArthur)

I ask members who are leaving the chamber to do so as quickly and quietly as possible.

The next item of business is a debate on motion S6M-13129, in the name of Richard Lochhead, on the legislative consent motion on the Data Protection and Digital Information Bill, which is United Kingdom legislation. I invite members who wish to participate to press their request-to-speak buttons now or as soon as possible. I invite Shirley-Anne Somerville to speak to and move the motion.


The Cabinet Secretary for Social Justice (Shirley-Anne Somerville)

The UK Government’s Data Protection and Digital Information Bill engages the legislative consent process in a number of areas. The bill is UK legislation that seeks to amend the current data protection framework and improve digital information services. I will focus on the four areas that fall under the legislative competency of the Scottish Parliament and for which consent is required. Those will help us to work towards a key ambition for the Scottish Government, which is to ensure that Scotland becomes an ethical digital nation in which people can trust public services to respect privacy and to be open and honest in the way that their data is being used. We want to maintain that commitment and build public services that are inclusive and practical in the digital domain.

First, the provisions enabling digital verification will mean that people will be able to choose to use that method to prove things about themselves in order to access a service. For example, using data that is held by the Department for Work and Pensions or His Majesty’s Passport Office, a trusted identification provider could check against data that has been provided by a customer when conducting a commercial transaction, such as booking a flight or using a financial service. That will be done at the request of the individual only and will aim to make transactions more efficient for them. Customers will benefit from smart data provisions when they are seeking lower prices or tariffs for energy bills. Smart data schemes will empower customers to make better use of their data to enable accurate tariff comparisons, compare deals and switch suppliers. The amendments to the Digital Economy Act 2017 could mean that enterprise agencies will be able to better target businesses to help them to comply with any relevant law, grow, engage in trade activities and become green and sustainable. Consenting to that will ensure that the people of Scotland do not miss out on the benefits of those measures, whether that is as consumers or while they are interacting with public services.

The sharing of law enforcement data is vital to ensuring that Scotland’s law enforcement agencies are able to co-operate with their counterparts in the UK and Europe, following our exit from the European Union. Police information-sharing agreements could help to mitigate the loss of law enforcement information that has been caused by Britain leaving the union. For example, an agreement with EU or EU member states could include real-time alerts on wanted or missing persons, which would allow Police Scotland to know that someone who it is questioning at the roadside is also wanted in connection with a serious crime in the EU, or that someone who is found in a vulnerable position in Scotland was recently reported missing on the continent.

Finally, agreement with clause 131 of the bill, regarding the power to provide information for social security purposes, would allow us to maintain the agency agreements for the delivery of social security payments in Scotland and safeguard the important work that Social Security Scotland does.

Overall, we feel that the amendments provide a benefit to the people of Scotland. Beyond the legislative consent motion, concerns have been raised that the bill may weaken the data protection framework that was put in place prior to Brexit and that currently aligns with the EU standard. Ministers and officials from the Scottish Government have engaged regularly with our UK counterparts over the past two years to ensure that our concerns about the bill have been heard. We have stressed our view to the UK Government that the bill’s benefit to organisations should not come at the expense of the rights of individuals and the continued adequacy decision from the European Commission, which allows for the easy flow of personal data from the UK to the EU. We do not believe that the motion that is being debated will impact those rights or data adequacy, which is why I ask the Scottish Parliament to give its consent and agree to the motion.

I move,

That the Parliament agrees that the relevant provisions in the Data Protection and Digital Information Bill, introduced in the House of Commons on 8 March 2023 and subsequently amended, so far as these matters fall within the legislative competence of the Scottish Parliament should be considered by the UK Parliament.

I invite Collette Stevenson to speak on behalf of the Social Justice and Social Security Committee.


Collette Stevenson (East Kilbride) (SNP)

Presiding Officer, thank you for the opportunity to contribute to the debate on behalf of the Social Justice and Social Security Committee. The UK Data Protection and Digital Information Bill has been making its way through the UK Houses of Parliament over the past couple of years, having been introduced on 18 July 2022 and paused between 5 September 2022 and 8 March 2023.

According to the UK Government, the purpose of the bill is to update and simplify the UK’s data protection framework. The bill seeks to reduce burdens on organisations while maintaining high data protection standards. The bill covers a wide range of policy areas, including data protection, smart data, digital verification and law enforcement data sharing.

Currently, the bill is at report stage in the House of Lords, and there is only a small window of opportunity in which this Parliament can consider the Scottish Government’s legislative consent motion before the bill completes its amending stages in the last house.

For the previous two legislative consent memorandums, the Economy and Fair Work Committee was designated lead committee. For the second supplementary memorandum, the Social Justice and Social Security Committee was designated lead committee. That is because the bill was amended by the UK Government on 29 November 2023 to include a power to require information for social security purposes. Those provisions were informed by the 2022 publication “Fighting Fraud in the Welfare System”. Clause 128 and schedule 11 to the bill will allow the UK Government to issue information notices that require third parties, such as banks, to provide information relating to all accounts that they hold, which are linked to people in receipt of welfare benefits.

Schedule 11 also contains provisions in relation to the publication and revision of a code of practice in relation to information notices, penalties for non-compliance, appeals, and amendments to the Proceeds of Crime Act 2002.

The committee acknowledges that the Scottish Government recommends legislative consent because it believes that the implications are theoretical only and unlikely to be applied to devolved benefits. Critically, however, the Scottish Government does not want to put at risk agency agreements with the Department for Work and Pensions. Conceivably, if the Scottish Government refused consent, the DWP could take the view that that undermined the principle that governs the agency agreements. As such, it would no longer be possible to follow the carefully planned process of transferring cases from the DWP to Social Security Scotland.

Having considered the memorandum, the committee agrees with the Scottish Government’s position, because full roll-out of the information-seeking powers will not occur until agency agreements have ended. Moreover, the initial focus is on universal credit, with no intention to use the powers for devolved agency agreement benefits. Therefore, we are also of the view that the implications are only theoretical.

It is because of those considerations and to ensure that there is no uncertainty that the committee recommends that the Parliament agrees to the legislative consent motion.


Murdo Fraser (Mid Scotland and Fife) (Con)

I am pleased to make a short contribution to the debate on the legislative consent motion on the Data Protection and Digital Information Bill. The bill was previously introduced at the House of Commons and, as Collette Stevenson has just reminded us, is currently in the House of Lords, awaiting its third reading.

The bill is largely uncontroversial and seems to have had general support from stakeholders. It aims to reform the UK’s data protection structure following withdrawal from the European Union. The bill will establish a framework for the provision of digital verification services, to enable digital identities to be used with the same confidence as paper documents. It will increase the fines for nuisance calls and texts under the privacy and electronic communications regulations and update those same regulations to cut down on the annoying pop-ups and banners that we all get, which require user consent.

The bill will also allow for the sharing of customer data through smart data schemes to provide services such as personalised market comparisons and account management, and, in England and Wales, it will reform the way in which births and deaths are registered, away from a paper-based system to an electronic register, something that we in Scotland dealt with a year or two ago as part of the Covid legislation.

On the question of law enforcement and natural security, the bill seeks to facilitate the flow of personal data to make it more accessible in order to crack down on crime. The bill will also create a new office of information commissioner, with extended and strengthened powers.

That is all generally welcome. In particular, I think that many of us will welcome action to crack down on nuisance calls and texts, which are an increasing menace. Just this week, I was speaking to a constituent who had been targeted by nuisance texts. Somebody had tried to take control of their phone and was sending out messages to everybody in their contact book asking for money to be transferred. Fortunately, nobody was caught out in that situation, but we know that nuisance calls and texts are a menace that is currently troubling society, so if we are able to increase the fines and crack down on that, it would be very welcome.

There has been general support for the bill from a lot of stakeholders. The current Information Commissioner, John Edwards, has welcomed the bill and said that data protection law needs to be updated and give people confidence that they can share their information, knowing that it will be dealt with in a safe and secure manner.

The bill has been welcomed by techUK, the trade association for technology, which believes that the bill will help to boost innovation while upholding privacy rights and EU adequacy, as well as by the Investing and Savings Alliance, which particularly welcomed what the bill says about smart data schemes.

In giving evidence to the Economy and Fair Work Committee, the minister, Richard Lochhead, talked about the advantages that the bill will provide. For example, for people who are dealing with the Department for Work and Pensions or His Majesty’s Passport Office, data could be checked between the two organisations, which would reduce the burden on the consumer of continually providing the same information to different Government agencies. That makes Government more efficient, and it makes it a much more efficient transaction for the consumer. There will be opportunities for consumers who are, for example, looking for lower prices when shifting their energy tariffs, because that smart data can be transferred much more easily.

This is a very welcome piece of legislation. I am encouraged that the Scottish Government is minded to consent to it in relation to the devolved areas that it touches on, and the Conservatives are happy to support the motion this afternoon.


Daniel Johnson (Edinburgh Southern) (Lab)

I begin with a moment of levity: if Murdo Fraser is concerned about nuisance text messages, maybe he should just unsubscribe from the Conservative group WhatsApp group.

I am grateful for the work that the committee has done. This is a technical but important piece of legislation, as data is incredibly important to the economy. Data has the power to drive growth and innovation, create new businesses across the country and transform our public services. However, as our lives gradually move further online, it is essential that citizens have control over their own data. That is why it is essential that data legislation is modernised and why we support the principle of the bill.

The Labour Party agrees that a new digital verification framework is required, and we support the UK Government’s aim to strengthen the enforcement powers of the Information Commissioner’s Office. However, I note our concerns, particularly with the way in which the UK Government loaded additional amendments at the last moment, ahead of the third reading. On the last day, 240 amendments were added to the bill, which made consideration and scrutiny of the bill as it went through the House of Commons at the third reading incredibly hard. For example, the bill will make it harder to make a successful subject access request and will remove the automatic right to human review in scenarios such as mortgage and loan approvals.

Although I note the comments made by the cabinet secretary around EU data adequacy, we must look carefully at the changes that the bill makes to general data protection regulation to ensure that we have standards in this country that are equivalent to those in Europe.

Despite those reservations, I agree with the cabinet secretary that consent should be granted by this Parliament, as the contents of the bill are theoretical and relate to devolved competencies, and to review such consent could be dangerous in terms of our ability to maintain pace and make use of the other beneficial provisions.

In summary, data has a huge role to play in driving growth and innovation and, indeed, the delivery of improved public services. However, to secure those benefits, we have to stay on top of the risks and, crucially, build public trust.

Labour will be supporting the legislative consent motion at decision time.

I invite the cabinet secretary to wind up the debate.


Shirley-Anne Somerville

As Daniel Johnson has quite rightly alluded to, this Parliament—and all Parliaments—need to recognise the power of data for individuals, the economy and public services. Although the bill is technical, it remains a very important bill for individuals, our public services and the benefit of the wider economy.

Today we have heard that the bill seeks to amend current data protection frameworks and improve digital services. I think that that is the right thing to do. As we have discussed, four areas are involved: data verification, smart data, amendments to the Digital Economy Act 2017 and police information-sharing agreements. In relation to my portfolio, the power to gather information for social security purposes is affected.

I thank the committee for its deliberations on the issue. I will not delay the chamber by going over what is in the bill, but I reiterate that we encourage Parliament to consent to it and agree to the motion. Daniel Johnson is right to raise concerns around data protection adequacy and the importance of the European Union angle. However, I reiterate we do not believe that the motion that is debated today would impact on rights for adequacy, which is why I ask the Scottish Parliament to give its consent and agree to the motion.

The Deputy Presiding Officer

That concludes the debate on the Data Protection and Digital Information Bill.

It is time to move on to the next item of business. However, I am conscious that we are missing a number of members who are pretty crucial to that item, so I will have to suspend the meeting briefly.

15:02 Meeting suspended.  

15:05 On resuming—