Question to the Cabinet Office:

To ask His Majesty's Government on what date the Infected Blood Compensation Scheme will open to applications under the Infected Blood Compensation Scheme Regulations 2025; and whether those who are already registered with the UK Infected Blood Support Scheme need to make a new application.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

In October 2024, the Infected Blood Compensation Authority (IBCA) opened the claim service to a small number of people. As of 6th May, a total of 677 people have been contacted to start their claim for compensation. Since they became law on 31 March this year, IBCA has been working under the Infected Blood Compensation Scheme Regulations 2025. Going forward, IBCA is aiming to contact an average of 100 people to begin their claims every week. The Government expects IBCA to begin payments to people who are affected, to whom the 2025 Regulations also apply, by the end of this year.

Regarding the Infected Blood Support Schemes (IBSS), all those invited to claim so far are registered with IBSS. People are required to go through an application process for compensation, as the Compensation Scheme is separate to IBSS, but those registered with IBSS are automatically eligible for compensation. Additionally, IBCA holds details for all those people who are registered on existing support schemes and can request other information, such as medical records and information about a person's condition and severity, from organisations who already have it. This should mean those claiming will be asked for the least amount of information possible needed to calculate the compensation they are due.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government whether the National Cyber Security Centre has warned about shortcomings with the One Login system, including risks of bulk personal data breach and mass impersonation fraud; and whether such warnings were shared with the Infrastructure and Projects Authority or the Cabinet Office Audit and Risk Committee.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

The GOV.UK One Login programme works closely with the National Cyber Security Centre (NCSC) to identify and mitigate risks and align to the Cyber Assessment Framework (CAF). NCSC advises One Login on any key risks which should be prioritised as part of our security efforts. This independent review by NCSC is something we encourage and have continued to prioritise since the programme was established. As a Government Major Projects Portfolio programme (GMPP), the programme is subject to regular internal and external scrutiny and reporting. The Infrastructure and Projects Authority has reviewed the programme positively in the last three Assurance Gateway Reviews.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government how many critical and high-risk vulnerabilities remained open in the live One Login system on 1 April, and what is the target date for full remediation.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

GOV.UK One Login follows the relevant security standards for government and private sector services, and we take addressing security concerns very seriously. As of 1 May, all critical and high vulnerabilities have been addressed. Risk mitigation will continue to be central to our approach to ensure we keep pace with the constantly changing cyber threat landscape.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government why they have not published a mandatory Data Protection Impact Assessment for One Login; whether they obtained explicit user consent for biometric processing prior to live rollout; and whether they conducted statutory prior consultation with the Information Commissioner’s Office.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

It is not a mandatory requirement to publish a Data Protection Impact Assessment (DPIA). We do have an obligation to let citizens know how we are processing their data, which we do via a privacy notice published on GOV.UK. We continually develop our DPIA to take into account the new identity verification journeys, such as the no photo ID route. Nevertheless, we are working on a publishable version of our DPIA which will be easy to digest for the public. The One Login programme meets with the Information Commissioners’ Office (ICO) on a monthly basis, engaging openly on programme developments, including iterations of the DPIA, and has been doing so since 2022. The lawful basis for data sharing in place has been agreed by the ICO.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government how many instances of production environment access to the One Login system were recorded in each month since July 2022; and, for each month, how many of those instances involved individuals who did not hold full Security Check clearance at the time of access.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

GOV.UK One Login takes the security clearance and audit of personnel very seriously. Access to production is granted only to those that require it and is closely monitored. As part of strengthening our approach to privileged access management, all individuals with production access to GOV.UK One Login must undergo a Security Check (SC), alongside further two-person checks for changes and audit loggings of actions. One Login has implemented a policy of SC clearance for all development staff; this is higher than Baselines Personnel Security Standard (BPSS) which is considered sufficient across many parts of government.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government whether any component of the One Login service was developed offshore without prior consultation with the National Cyber Security Centre; and whether the Government have retrospectively approved any such arrangements.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

No personnel developed components of the One Login service offshore without prior consultation with the National Cyber Security Centre (NCSC). We undertook a risk assessment in consultation with the NCSC before any offshore development by a small number of developers took place.

Any code in GOV.UK One Login that was produced by overseas staff was further subjected to a review by a staff member with Security Check clearance in the UK before it was deployed to production. As of March 2025, there is no longer any off-shored development on GOV.UK One Login.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government whether the Cabinet Office has quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise within One Login, as required by ISO 27001 standards and guidance from the National Cyber Security Centre for cloud-hosted government services; and whether they will place copies of such assessments in the Library of the House.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

The GOV.UK One Login team collaborates closely with the National Cyber Security Centre (NCSC) to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030. Although the programme does not specifically pursue ISO 27001 certification, it adopts multiple overlapping controls and the risk management framework is based on the HMG Orange Book, which is closely aligned with ISO 27005 guidance on managing information security risks.

While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing security measures and internal governance processes.

Question to the Department for Work and Pensions:

To ask His Majesty's Government what proportion of successful claims for (1) personal independence payment, and (2) universal credit with a limited capability for work and work-related activity payment, were made without any supporting medical evidence in the most recent 12-month period, broken down by (a) age cohort, (b) primary medical condition category, and (c) assessment modality.

Answered by Baroness Sherlock - Minister of State (Department for Work and Pensions)

The information requested is not readily available and to provide it would incur disproportionate cost.

The Department does not hold data centrally on whether any supporting medical evidence was provided for a claimant’s application. Obtaining such data would require a manual search of individual records.

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government how many, and which, of the 39 outcomes in the National Cyber Security Centre Cyber Assessment Framework are complied with by Gov.uk One Login; and what steps they are taking to ensure Gov.uk One Login achieves all 39 outcomes.

Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)

The Government does not routinely comment on operational security matters. GOV.UK One Login works closely with the National Cyber Security Centre (NCSC) to identify and mitigate risks and align to the Cyber Assessment Framework (CAF). The programme is committed to achieving CAF compliance by the end of 2025/26, in line with Government standards.

Question to the Cabinet Office:

To ask His Majesty's Government whether there is a model contract for permanent secretaries; and if so whether they will place a copy in the Library of the House.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

Contracts for Permanent Secretaries and all other SCS are not published publicly so we will not be placing a copy in the Library of the House.

Question to the Cabinet Office:

To ask His Majesty's Government what estimate they have made of the total cost of (1) redundancy, (2) severance, and (3) human resources consultancy, as a result of the planned reduction of 2,100 roles in the Cabinet Office.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

The Cabinet Office has announced plans to restructure and reorganise, to create a more strategic, specialist, and smaller centre of government.

Savings will be made from non-pay budgets and pay budgets, and we expect up to 1,200 staff will leave the department in the next two years. Our priority is to achieve the necessary reductions through voluntary means or attrition. So far, 540 employees have been approved to leave through the Voluntary Exit Scheme, which is expected to cost £27 million. Estimates of the total cost of staff exits are under development. All exit payments will comply with the Civil Service Compensation Scheme. This is a long term investment as part of this government's commitment to reshape the way the British state delivers for and serves working people

These staff exits are separate to c.900 people who have moved out of the department through machinery of government changes. This includes the transfer of the Government Digital Service to DSIT to create the digital centre of government.

Question to the Cabinet Office:

To ask His Majesty's Government how many of the 2,100 Cabinet Office roles they plan to cut or move over the next two years are currently vacant or unfilled.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

The CO has announced plans to restructure and re-organise, to create a more strategic, specialist and smaller centre of government.

We are currently working with the HR Directorate and our trade unions on the implementation of our directive, and will seek to achieve the necessary reductions through voluntary means and attrition.

Question to the Cabinet Office:

To ask His Majesty's Government whether they will place a copy of the desknote about direct ministerial appointments in the Library of the House.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

As set out in our Written Answers on 22 October 2024 (PQ 6096) and 31 March 2025 (PQ 41100), we have been considering whether the commitment to publish guidance on direct ministerial appointments made by the previous administration was sufficient and appropriate for meeting the Committees’ recommendations. We will provide a further update in due course.

Question to the Cabinet Office:

To ask His Majesty's Government, with reference to the payments to the Boston Consulting Group of £548,339 (Ref: 1037198127) categorised under “CDDO Strategy, Analysis and System Reform” in Cabinet Office transparency data for February 2024, whether the then Chief Operating Officer for the Civil Service had a role in approving the spending or underlying contractual arrangement.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

The Chief Operating Officer for the Civil Service is not involved with the process for the approval of payments to suppliers. The purchase to pay process is managed between the Cabinet Office Finance team and the respective Contract Manager.

At the time of this work, the Chief Operating Officer for the Civil Service was a member of the Cabinet Office Investment Committee which was responsible for the approval of whole life investment spend for projects and programmes over £1m. In addition to this, all professional services spend over £100k required the approval from the Investment Committee and the Minister for Cabinet Office.

Question to the Cabinet Office:

To ask His Majesty's Government how many staff work in the No10 Implementation Unit; what is its current remit; and whether it has a role in “Plan for Change” and Mission Board monitoring.

Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)

There is no No10 Implementation unit.

Found: Clause 59 LORD BURNS BARONESS FINN BARONESS COFFEY BARONESS CASH 217_ Clause 59, page 86, line 24

Found: Clause 59 LORD BURNS BARONESS FINN BARONESS COFFEY BARONESS CASH 217_ Clause 59, page 86, line 24

Found: Clause 59 LORD BURNS BARONESS FINN BARONESS COFFEY 217_ Clause 59, page 86, line 24, leave out subsection

Found: Clause 59 LORD BURNS BARONESS FINN BARONESS COFFEY 217_ Clause 59, page 86, line 24, leave out subsection