Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government, further to the Written Answer by Baroness Neville-Rolfe on 2 March (HL5901), and the Written Statement by Baroness Neville-Rolfe on 23 May (HLWS788), whether the sharing of identity information in bulk would be lawful under the text of the statutory instrument as consulted on; and whether, and if so where, the published consultation response confirms whether changes have been made to prohibit bulk sharing following the consultation.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The statutory instrument, as consulted on, is an enabling instrument that will make it easier for people to prove who they are when accessing government services online. The draft regulations only allow specified public bodies to share data when an individual chooses to prove their identity online in order to access public services digitally.
As a specified objective under section 35 of the Digital Economy Act 2017 (the Act), the data sharing power would sit within the tightly constrained data sharing framework of the Act. Data sharing must be carried out with regard to the Act’s Code of Practice (the Code), which has been approved by Parliament. Any public body sharing information under Chapters 1, 3 and 4 of Part 5 of the Digital Economy Act 2017 is required to have regard to this Code when doing so.
Under the Code's data sharing principles, public bodies sharing information under the powers are required to minimise the amount of data shared, and ensure this is the minimum required for the purpose of achieving the specified objective, using methods which avoid unnecessarily sharing or copying of large amounts of personal information. Failure to have regard to the Code can result in a public authority or organisation losing the ability to disclose, receive and use information under the powers.
Due to the carefully defined data sharing power set out in the statutory instrument, and the rigorous data protection safeguards in place under the Act and Code, no changes have been made to the draft statutory instrument regarding “bulk sharing”.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government whether they will list the name, origin, and provenance of all data fields provided by the Cabinet Office “Gov.UK One Login” to the current “Basic Criminal Records Check Service” regarding an identity verified by (1) passport, and (2) drivers licence; and how long they retain each field after use.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
When a person is seeking to use the ‘Request a Disclosure and Barring Service (DBS) basic check’ service online, they must first prove their identity via the GOV.UK One Login system. Once a user has successfully done so, GOV.UK One Login provides relevant data to DBS to confirm that the user is who they say they are. This data includes:
full name
date of birth
all addresses declared by the user, the dates they lived at each address, and the Unique Property Reference Number(s)
email address
phone number (if provided)
the level of identity confidence the user has reached
an encrypted security key
Where a user uses a passport to verify their identity:
passport number, ICAO issuer code, and passport expiry date
Where a user uses a driving licence to verify their identity:
driving licence number, expiry date, issue number and the organisation that issued the drivers licence
Each of the above fields is currently held in GOV.UK One Login for 6 months.
Only the ‘Request a DBS basic check’ service has access to the user’s data. The service only processes the minimum amount of data required to prove the user’s identity.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government whether the new Inter-Ministerial Advisory Group on Science and Technology will be afforded the same decision-making status as its predecessor, the National Science and Technology Council.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The National Science and Technology Council was established as a Cabinet committee in October 2021 to consider matters relating to strategic advantage through science and technology. The Cabinet committee list was updated in September 2022. In October 2022, the National Science and Technology Council was established as an inter-ministerial group responsible for delivering an ambitious UK science and technology strategy and to consider key science and technology issues. Where collective agreement is necessary for issues covered by an inter-ministerial group, it is sought in the usual way through a committee or ministerial correspondence.
Cabinet committees support the principle of collective responsibility, ensuring that policy proposals receive thorough consideration and collective agreement. Cabinet committee decisions have the same authority as Cabinet decisions.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what are their current requirements for the geographic location of servers used to store public data when procuring cloud services.
Answered by Lord True - Leader of the House of Lords and Lord Privy Seal
When procuring cloud services, departments should use the Technology Code of Practice principles and follow the government Cloud First policy. They should also follow NCSC security guidance and the Information Commissioner's Office’s guidance on adequacy of a country’s level of data protection. These policies and guidance provide clear guidelines of the things a department should consider, including security classification and best value for the taxpayer.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what estimate they have made of the impact of the SolarWinds cyberattack, first reported on 13 December 2020, on their (1) departments, and (2) agencies.
Answered by Lord True - Leader of the House of Lords and Lord Privy Seal
The reported SolarWinds compromise is a complex, global cyber incident, and the Government is working with international partners to understand its scale and assess any UK impact. This work is ongoing.
The National Cyber Security Centre has published guidance on their website.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government which (1) departments, or (2) agencies, have suppliers who have been affected by the SolarWinds cyberattack, first reported on 13 December.
Answered by Lord True - Leader of the House of Lords and Lord Privy Seal
The reported SolarWinds compromise is a complex, global cyber incident, and the Government is working with international partners to understand its scale and assess any UK impact. This work is ongoing.
The National Cyber Security Centre has published guidance on their website.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government how many direct contracts they have with SolarWinds; and of any such contracts, (1) which (a) departments, or (b) agencies, they are with, and (2) which contracts specify the use of the Orion Platform.
Answered by Lord True - Leader of the House of Lords and Lord Privy Seal
The reported SolarWinds compromise is a complex, global cyber incident, and the Government is working with international partners to understand its scale and assess any UK impact. This work is ongoing.
The National Cyber Security Centre has published guidance on their website.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government whether the Government Digital Service has undertaken a risk assessment of UK Government data being held with US cloud providers following the judgment by the European Court of Justice in the Schrems II case; and what the outcome of any such assessment was.
Answered by Lord Agnew of Oulton
The Government Digital Service (GDS) is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.
GDS is currently undertaking a risk assessment of all of its services and products (including GOV.UK) in relation to cross-border data flows. The new ECJ judgment will be considered as part of this assessment. The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB). GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government what plans they have to revise the Government Cloud First policy following the judgment by the European Court of Justice in the Schrems II case.
Answered by Lord Agnew of Oulton
The Government Digital Service (GDS) is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.
GDS is currently undertaking a risk assessment of all of its services and products (including GOV.UK) in relation to cross-border data flows. The new ECJ judgment will be considered as part of this assessment. The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB). GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask Her Majesty's Government, further to the judgment by the European Court of Justice in the Schrems II case, what assessment they have made of the use of US-based cloud providers to host UK Government data held in the UK.
Answered by Lord Agnew of Oulton
The Government Digital Service (GDS) is currently reviewing cross government cloud policy and guidance, including the Cloud First policy. This includes reviewing the cloud hosting market and associated regulatory environment.
GDS is currently undertaking a risk assessment of all of its services and products (including GOV.UK) in relation to cross-border data flows. The new ECJ judgment will be considered as part of this assessment. The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner's Office (ICO) and the European Data Protection Board (EDPB). GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.