Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government how many personnel with privileged access to the One Login production environment held baseline personnel security standard, not full security check clearance, in each quarter since July 2022; and what proportion of those people were (1) contracted through Deloitte, and (2) working from outside the UK.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
GOV.UK One Login takes the security clearance and audit of personnel very seriously. Access to production is granted only to those that require it and is closely monitored. One Login has implemented a policy of SC clearance for all developer staff, which is higher than the Baseline Personnel Security Standard (BPSS) which is considered sufficient across many parts of government.
No staff based overseas has had any access to the GOV.UK One Login production environment.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government how many COVID-19 support schemes with total disbursements exceeding £100 million have been subject to a fraud and error measurement exercise by the Public Sector Fraud Authority; how many of those schemes have not undergone that exercise; and whether they will publish a list of all schemes assessed, including the methodology, timing and results of each exercise.
Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)
As set out in the 2021-22 Fraud Landscape Report, relevant departments reported conducting fraud and error measurement exercises covering higher risk spending both during and after the pandemic. These were undertaken in financial year 2021-22.
These fraud and error measurement exercises in six COVID-19 support schemes (those with the highest spend and assessed level of fraud risk) were reviewed by the Government Counter Fraud Centre of Expertise (now the Public Sector Fraud Authority, PSFA) against the Government Counter Fraud Function’s Fraud Loss Measurement Standard. Each of these six COVID-19 support schemes had expenditure totalling more than £100m each.
The PSFA concluded in 2022 that the fraud and error measurement exercises undertaken by these departments in respect of these six schemes did not meet the Government Counter Fraud Profession Fraud Loss Measurement Standard. The failure of the six measurements assessed by the PSFA does not mean the measurement exercises, and results, were without value.
The PSFA does not intend to publish a list of all schemes assessed, although a majority have already been published in the Annual Reports & Accounts of the respective departments.
The Covid Counter-Fraud Commissioner, who was appointed in December 2024, is also working closely with government departments and local authorities to tackle fraud linked to pandemic support schemes and recover public money. As set out in the Spring Statement, the government has accepted the Commissioner's early recommendation to improve incentives for departments to recover funds.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government, with regard to the report by the National Audit Office, Tackling fraud and protecting propriety in government spending during an emergency, published on 8 February 2024 (HC444), how the Public Sector Fraud Authority defines fraud resource levels of (1) no counter-fraud, (2) clearly mismatched, and (3) potential mismatched; how many government bodies they assessed for fraud resource levels; what methodology they used; and whether they will publish a list of the bodies falling into each of those categories.
Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)
As set out in the Public Sector Fraud Authority’s Treasury Minutes Progress Report to the Public Accounts Committee on the Sixty-ninth Report of Session 2022-23 (Tackling fraud and corruption against government), available here, we no longer define fraud resource levels in this way.
This is because it is not feasible to identify a ‘correct’ level of counter fraud and corruption investment. This level is dependent on multiple factors which are considered by individual departments and organisations. The optimum level varies, depending on each organisation's fraud risk appetite and the balance of the other risks they face.
Departments agree targets for their impact on fraud, and an overview is published in the Cross Government Fraud Landscape report. We will publish an update on performance in tackling fraud in the next report which is due for publication in November 2025.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Work and Pensions:
To ask His Majesty's Government what estimate they have made of the fraud and error rates of (1) the £20 Universal Credit uplift, (2) the suspension of the minimum income floor for self-employed claimants, and (3) the increase in local housing allowance, during the COVID-19 pandemic.
Answered by Baroness Sherlock - Minister of State (Department for Work and Pensions)
They show that, as a result of the suspension of the MIF, the estimated rate of overpayments as a percentage of UC expenditure was:
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Work and Pensions:
To ask His Majesty's Government what estimate they have made of the amount lost to fraud and error under the Statutory Sick Pay Rebate Scheme; and if not, why not.
Answered by Baroness Sherlock - Minister of State (Department for Work and Pensions)
The Coronavirus Statutory Sick Pay Rebate Scheme was administered by HMRC.
HMRC estimates the amount lost to error and fraud for the Statutory Sick Pay Rebate Scheme is between 2% and 5% of the overall cost of the scheme. This equates to £2 million to £6 million in monetary terms.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government, further to the Written Answer by Baroness Jones of Whitchurch on 14 May (HL7009), whether the individuals who conducted the risk assessments for the One Login programme held certifications in governance and risk recognised by the UK Cyber Security Council, or an equivalent accreditation; and if not, what steps they have taken to ensure that such assessments meet government and ISO 27001-equivalent standards for competence.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
Yes. Individuals conducting risk assessments for GOV.UK One Login hold professional experience and qualifications aligned to knowledge areas and skills as defined by the UK Cyber Security Council.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government, further to the Written Answer by Baroness Jones of Whitchurch on 14 May (HL7013), whether the Cabinet Office Audit and Risk Committee was formally notified of the letter from the National Cyber Security Centre that warned of shortcomings and risks in the One Login system in September 2023; and if so, on what date they notified that committee; and whether they will place a copy of that letter in the Library of the House.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
Representatives for GOV.UK One Login attended two meetings into programme risks with the Cabinet Office Audit and Risk Committee (COARC), once in June 2023 and then again in April 2024. On both occasions cyber security risks that took into account NCSC advice were presented. GDS also raised cyber security as its top risk to the Cabinet Office in its quarterly risk reporting, a process which is now replaced by DSIT risk reporting.
A copy of the letter will not be placed in the Library of the House, as it forms part of ongoing security measures and internal governance processes.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether they have carried out any operationally independent second-line security assurance on One Login documentation, in accordance with the Government Functional Standard 'GovS 007: Security', published on 30 July 2020.
Answered by Baroness Jones of Whitchurch - Baroness in Waiting (HM Household) (Whip)
Yes. We operate a three lines of defence process which includes employing a team of security experts, with additional scrutiny and assurance provided by GDS’s Chief Information Security Officer, the Cabinet Office’s central cyber teams and the National Cyber Security Centre.
The programme has continuously conducted multiple independent risk and threat assessments, such as regular IT Health Checks (ITHC) by NCSC accredited providers, and these will continue to be part of the programme’s operating approach. We follow the Cyber Assessment Framework (CAF) GovAssure process and completed an independent Cyber Assessment Framework security exercise in 2024, with continued work and collaboration with NCSC on future mitigations.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government, with reference to the payments to the Boston Consulting Group of £548,339 (Ref: 1037198127) categorised under “CDDO Strategy, Analysis and System Reform” in Cabinet Office transparency data for February 2024, whether the then Chief Operating Officer for the Civil Service had a role in approving the spending or underlying contractual arrangement.
Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)
The Chief Operating Officer for the Civil Service is not involved with the process for the approval of payments to suppliers. The purchase to pay process is managed between the Cabinet Office Finance team and the respective Contract Manager.
At the time of this work, the Chief Operating Officer for the Civil Service was a member of the Cabinet Office Investment Committee which was responsible for the approval of whole life investment spend for projects and programmes over £1m. In addition to this, all professional services spend over £100k required the approval from the Investment Committee and the Minister for Cabinet Office.
Asked by: Baroness Finn (Conservative - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government how many staff work in the No10 Implementation Unit; what is its current remit; and whether it has a role in “Plan for Change” and Mission Board monitoring.
Answered by Baroness Anderson of Stoke-on-Trent - Baroness in Waiting (HM Household) (Whip)
There is no No10 Implementation unit.