(2 months, 2 weeks ago)
Lords ChamberTo ask His Majesty’s Government what assessment they have made of public bodies and services, including the NHS Digital app, procuring professional services through processes which purport to be “onshoring” to firms which contract third parties outside the United Kingdom to do the work; and what assessment they have made of the risk this poses to private data and cybersecurity.
Each contracting authority carefully considers and makes risk-based decisions on whether, and where, data can be offshored, and what restrictions are appropriate for service delivery and development activities. The new standard security schedules for all central government contracts, published on 1 October 2024, include greater controls over data offshoring and stronger security requirements. Buyers also have greater transparency over where, and how, their data is hosted and processed, and stronger remedies where suppliers do not follow buyers’ requirements. Outsourcing contracts also contain complementary provisions on the offshoring of this personal data under GDPR.
I thank the Minister for her reply. NHS Digital has contracted with Splunk, which subcontracts to the Bulgarian company Bright Consulting. This practice, which Splunk refers to as “onshoring”, began during the Covid-19 pandemic and continues to this day. Can the Minister reassure the House that under this practice of onshoring to third-party non-UK-based companies patient data really is safe? Is the taxpayer getting value for money by paying UK rates to a company that outsources the work for a considerable margin?
The government model services contract is one of three template contracts for use by government departments and wider government when procuring complex outsourced services. Value for money for taxpayers is central to good government procurement. The Government recognise the potential risk of data offshoring taking place without the explicit consent of public sector buyers. New standard security schedules for all government contracts include greater controls over data offshoring and stronger security requirements.