Draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025
(Limited Text - Ministerial Extracts only)
Read Full debate
The Minister of State, Home Department (Sarah Jones)
I beg to move,
That the Committee has considered the draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025.
It is a pleasure to serve under your chairmanship, Sir Jeremy. This instrument, which was laid before the House on 7 July, specifies the qualifying competent authorities that will be able to apply for a designation notice under section 89 of the Data (Use and Access) Act 2025. Section 89, when commenced, will insert sections 82A to 82E into the Data Protection Act 2018. Although those provisions have already been debated and passed by Parliament, during the passage of the parent Act, in order to place the regulations in context I will briefly summarise their purpose.
Under the 2018 Act, authorities processing for law enforcement purposes and intelligence services are subject to two separate legislative data processing regimes for processing personal data. This precludes a joint controllership between the two entities and makes working together more difficult, especially in the context of public safety and national security. For example, an intelligence service and a police force working together on a joint investigation could not work from a single shared dataset setting out individuals of interest and related intelligence. Instead, each must have their own copy of the data, sharing data back and forth between one another and across data protection regimes to allow each to update their intelligence. This obviously decreases efficiency and reduces joint working capabilities.
There is a clear public interest in enabling closer joint working between law enforcement bodies and the intelligence services in matters of national security, as highlighted by reports into the Fishmongers’ Hall and Manchester Arena terrorist attacks. Once the provisions are in force, qualifying competent authority will, together with at least one intelligence service, be able to apply for what is called a designation notice from the Secretary of State under section 82A of the 2018 Act, where it is required for the purposes of safeguarding national security. This designation notice will allow the intelligence service and qualifying competent authority in question to form a joint controllership for that processing activity.
This change will align the legislation with the position under the Data Protection Act 1998, before the adoption of the GDPR. Under the 1998 Act, joint controllerships between the two organisations were permitted. The Data (Use and Access) Act 2025 inserts section 82(2A) in the 2018 Act, which introduces a power to make regulations specifying which competent authorities are able to apply for a designation notice alongside an intelligence service. Competent authorities are defined in section 30(1) of the 2018 Act as
“a person specified or described in Schedule 7”
to the Act, or “any other person” who has a statutory function for a law enforcement purpose and is therefore capable of processing data under the law enforcement regime.
The Home Secretary is exercising that power by introducing the draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025, which specify 23 qualifying competent authorities. The regulations have been drafted in consultation with the partners operating in the area of national security. The regulations include competent authorities involved in areas where national security is a consideration. Given the sensitivities involved, the Government cannot go into detail publicly on the rationale behind the inclusion of individual authorities in the list. However, the authorities that have been included are those where there is reasonable potential for a joint controllership to be formed for the purpose of safeguarding national security. The list includes UK police forces—both territorial forces and other branches such as counter-terrorism police and military police—prison and probation services, and other bodies involved in law enforcement and offender management. The Information Commissioner’s Office was consulted on the proposed qualified competent authorities, and confirmed that it was content with those included.
As the threat to the UK’s national security evolves and changes, competent authorities may be added or removed from the regulations. The legislation requires amending regulations to be subject to the affirmative procedure. The UK and its citizens continue to face a wide array of threats from a diverse range of actors. The provisions within this instrument will strengthen the ability of our law enforcement and intelligence services to work more closely to protect our national security. I therefore commend the draft regulations to the Committee.
The Chair
Kit Malthouse (North West Hampshire) (Con)
It is a pleasure to see your wisdom in the Chair, Sir Jeremy. Although I understand the impetus behind the change, I want to ask the Minister one or two questions about it. She and I have traded blows over this agenda in the past. She was my shadow for two years, so I congratulate her on her new position. I am sure she will do a fantastic job.
In considering this change, we have to ask ourselves why sharing was made so difficult in the first place. We have to trust that those who came before us, who put this legislation in place, considered that issue. The shadow Minister, my hon. Friend the Member for Stockton West, said that subsequent events have illustrated the need for agencies to work together more closely on the analysis of data for the prevention of the sorts of incidents he mentioned. Despite that, I think we have to come with a bit of scepticism about what the result of these regulations might be, and what liberties we might be trampling over. My questions are framed in that regard.
I was slightly alarmed by what the Minister said and the contents of the explanatory memorandum, and I was thinking about raising a point of order about the fact that the Government cannot really tell us why the competent authorities have been included in the list. It raises the question of why we are all here. We might as well have had a list that said, “Whoever we decide. Don’t ask questions.” It does seem a bit odd that we are passing regulations, but we are hampered in our scrutiny in asking questions about particular organisations. Nevertheless, I will ask the questions that I have about them and see what the Minister has to say.
First, I wanted to ask about the provosts. The list includes the provost marshals of the Royal Navy Police, of the Royal Military Police and of the Royal Air Force Police, and “The Provost Marshal for serious crime.” I had never heard of that person before, so perhaps the Minister could start by telling us who the provost marshal for serious crime is.
I understand that all the other organisations—certainly the police and chief constables—have very strong and automated controls on the data that they use, not least to the extent, for example, that every access that any individual makes to the police computing system is logged and maintained, and people are very often convicted for irregularly accessing material. However, given that these individuals are military and that we are living with the consequences of a major military data breach that has cost us many billions of pounds and put quite a lot of lives at risk, can the Minister reassure us that the processing of data between civil and military organisations will be done to the same standard, and that it therefore will be safe from leakage?
Regulation 2(o) states that,
“a body established in accordance with a collaboration agreement under section 22A of the Police Act 1996(9)”
can be classed as a qualifying competent authority. What type of body might that be? If we were to have an example of such an organisation, we might be able to form a view on whether it is appropriate for it to be on the list.
I have a question about the inclusion of Revenue and Customs. As the Minister may know, in the old days when Inland Revenue and Customs and Excise were two separate organisations, they had very different cultures. The culture at Customs and Excise was of kicking the door down. They were kind of “Moonfleet”, Daphne du Maurier-type anti-smuggling hard men and women, whereas at the Inland Revenue they were a little more intellectual and professional. In one, they wore suits; in the other, they wore flak jackets. When Gordon Brown amalgamated the two, unfortunately the muscular culture at Customs and Excise was translated and taken over at the Revenue, to the extent that they now both have more kick-in-the-door characters. So I am concerned about the amount of sensitive personal data that Revenue and Customs control at the moment; about the culture of that organisation and its increasing aggression over the last 20 years or so; and what implication that is going to have for the rest of us.
I understand that the Minister cannot tell us why this is being introduced, but is she able to tell us whether Customs and Excise will, as a result, be asked to routinely scan millions and millions of datapoints and people’s personal financial data to look for patterns of movement and transactions, for example? Or is this for use in relation to specific investigations? My general view is that, as with most things, the British people will accept a specific investigatory sharing regime, but may not accept a general fishing regime.
The same is true of the Land Registry, which is on the list. I understand that in the search for illicit funds or activity, specific inquiries and the processing of data is required, but on general scanning, particularly as the Land Registry becomes more and more digital and automated, I am nervous about us moving to a kind of American-style National Security Agency approach, where billions if not trillions of datapoints are collected on a regular basis and analysed by computers—artificial intelligence or whatever it might be—to look for patterns of behaviour. That may well be the way that we are going, but if we are going there, we should be transparent with the public about what we are doing, notwithstanding that the Minister cannot tell us why or what today.
I have two further questions. On supervision, what will the supervision over this necessarily covert process be? Does the ICO, which I presume will be the supervisory body, have the right security clearance at the right level that will allow it to access this operation of data sharing to the extent that it can satisfy itself that the statement that the Minister has made—that we are in compliance with all our human rights obligations and in compliance with the law—will be looked at? Within the Department, similarly, what will supervision of the effect of this data sharing be?
Thirdly, given that this will be new, is it likely to be brought to the Intelligence and Security Committee for review of its operation? That would be at least three layers of supervision over what is quite a large step up in capability—it is not unwelcome, but it is a large step up—by the Security Services and others.
Finally, I want to ask about risk assessment. The sharing of data between organisations could present a greater risk of leakage, or alternatively it could mean, if only one of them is maintaining the data to which the other has access, that there is less likelihood of leakage. We have talked about efficacy. The Minister did not say anything about the risks and benefits from a data security point of view.
As we have learned to our cost recently with the military, the transfer of data between organisations, whether sharing or otherwise, does run the risk of it falling into hands that it should not. Will these organisations therefore have to subscribe to a tighter data control regime than they would have done, to make sure that the possibility of that leakage is minimised?
Sarah Jones
I thank hon. Members and hon. Friends for a detailed inspection of this SI. It is right and proper that that inspection should happen; that is the point of democracy and I welcome the questions. To start with, I want to set out the principles to respond to some of the broad themes. First, there is a national conversation about data. We all worry about what happens to our data, where it goes and how it is held. There are three vehicles through which data flows that we are looking at. One is GDPR, which we all know and talk about often; one is part 3 of the DPA 2018, which applies to the police, the CPS and the courts; and one is part 4 of the DPA, which applies to GCHQ, MI5 and MI6. We are enabling sharing between the latter two.
The principle I want to stress is that it is not the case that somebody will ask for this data sharing and it will be given randomly. They will have to make the case and demonstrate that they need continued real-time data sharing. At the moment, one authority can ask the other for data, and they might need that data as a one-off. This instrument is designed to be used for continued real-time access to data where that data needs to be shared. It has come from what we learned from incidents such as Manchester Arena and Fishmongers’ Hall, where real-time sharing of data is needed. That is the principle.
I want to reassure colleagues that much consideration has been given to how this will operate and to make sure that data sharing is done correctly. As I said in my opening remarks, the Government consulted the Information Commissioner, which has confirmed that it is content with what we are laying out today. I hope that gives reassurance.
The right hon. Member for North West Hampshire asked whether this instrument will come to the Intelligence and Security Committee and about being satisfied that the Department was overseeing in an appropriate way. I am happy to write to him with more information. He will appreciate that a detailed debate on this took place prior to my arrival, but I have studied and talked with officials at length on the premise of this piece of legislation and I am very satisfied that the checks and balances are there.
I was asked whether there was a consultation with the bodies listed; there was. There was a question about what the provost marshal is. He—I say “he”, although I do not know whether it is a “he” or a “she”; I suspect it may be a “he”—is the head of the military police for each service. That is from the Police Act 1997. Again, I am happy to share more information on that with the right hon. Gentleman.
Another thing that might be reassuring to Members is that the notices will be made public. It is not that there will be no controls once the data is shared—the ICO oversight remains, so there will be a regime within which that data is controlled. Members should be reassured about that.
On the question why some of the bodies are on the list and others are not, as I said in my opening remarks we cannot comment on the rationale behind each individual authority included on the list, but I hope that my explanation of the premise from which we have approached this satisfies hon. Members. However, of course there is no restriction—this being a democracy—on Members’ continuing to ask these kinds of questions and making sure that we are doing everything that we need to do.
Kit Malthouse
The Minister said that these notices will be published; will these bodies be general powers or specific powers? Will the Government say, “We’re going to grant a notice on this for six months for a specific purpose,” or will it be just, “We’re going to let the Army share it with whoever, in perpetuity”? So, are the powers time limited?
Secondly, while I understand that the Minister cannot explain to us why, who or what regarding these organisations, as the hon. Member for Newton Abbot said, all of these organisations will be processing that data on third-party software, much of which will be owned by private corporations, many from overseas. Does this power extend to them, by proxy, because they are contractors to the primary organisation—which is, necessarily, by its nature, public sector—or will there be firewalls and controls therein as well?
Sarah Jones
I thank the right hon. Member for that intervention. As a couple of Members have asked about it, I was just coming to the point about the duration of time that these powers are given for. The duration lasts for up to five years, but it is subject to annual review by the Secretary of State.
The right hon. Member asked about the number of organisations under a notice. There is no specification on the number; it simply must be at least one competent authority and one intelligence service wanting to share the data. I should have said that the Intelligence and Security Committee is able to request information from the intelligence services under its purview, so these arrangements would not be excluded from that. I hope that is reassuring to the Committee.
To re-emphasise, there is a process here: the ICO will remain with the oversight and have the relevant security clearance, and it already oversees UK intelligence agencies. I can reassure Members that the right checks are there to ensure that this data is not given more widely than it should be.
I hope that that reassures hon. Members that these regulations are needed, and that they respond to our need to be able to act in real time in moving situations to protect the public, which is the fundamental principle behind our doing this. I hope that Members will understand that. I commend the regulations to the Committee.
Question put and agreed to.