Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Allison Gardner ExcerptsTuesday 3rd February 2026
(2 days, 21 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
The Chair
Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
Jen Ellis: That is a great question, and a tricky one. We talk a lot about training and security awareness, and unfortunately I think it becomes yet another tick box: you start a job and watch your little sexual harassment training video, then you watch your cyber-security training video, and probably the former sticks with you better than the latter. I think we have to change that. We have to change that dynamic.
I go back to my last answer, which was that I think one of the strengths of the Bill is that, hopefully, it will enable the regulators to engage much more on this topic and therefore to engage their covered entities much more. That is what we need to see. We need to see the leadership in organisations engage with the topic of cyber-security, not as a chore, as a tick-box exercise or as that headline they read about JLR, but actually as something that matters to their organisation—as something they are going to engage with at a board and executive team level, all the way down through the organisation. Cultural change comes from the top, typically, and we need to see that level of change.
I do not think that there is anything specific in the legislation, as it is currently written, that says, “And this,” in flashing lights, “is going to change the human factors piece.” I think that the devil will be in the detail of the secondary legislation, and then in what the regulators specifically ask for. But there does need to be a general shift in the culture, whereby as sectors generally we start to talk more about this as a requirement. The financial services sector has talked about security for a long time—it has been a reality for it—but I am not sure how true that is, at breadth, in something like the water industry.
I hope that that will change. I hope that we will start to see having those conversations at the top levels, and then all the way down, becoming more of a cultural norm. Unfortunately, you cannot create culture change quickly. When it comes to talking about human factors, it is about people becoming much more aware of it and thinking more about it. That will take time—
The Chair
Order. Thank you very much, but I have to cut you off there.
Jen Ellis: Sorry for taking too long.
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.
Dr Gardner
Q
My second question is for Ben. In combining AI and cyber, you are combining technologies that come with their own unique risks with cyber-security. I am interested in how you mitigate against that. I am intrigued because, when you talk about AI, I assume you are not talking about straightforward machine learning.
Chris Anley: In terms of what other things we could do, we have talked about voluntary codes. The value of voluntary codes was questioned in an earlier session; but the World Health Organisation best practice guide on handwashing, which is entirely voluntary, saved millions of lives in the recent pandemic. It is important to bear in mind that codes that help you to protect yourself are definitely valuable.
Other actions that are already taking place that we may want to extend on the basis of solid evidence and data are the cyber essentials scheme, for example, and the various codes of practice. The cyber governance code of practice for boards was mentioned earlier, along with the Government outreach and attempting to get boards to recognise that cyber risk is a business risk and an existential threat. We talked about the cyber assessment framework and how that is likely to be the scope within which this Bill is implemented. So, we do not necessarily need to do something new. The scope of the Bill, as we said, is 0.1% of the UK private sector. There is scope to expand the existing things that we are doing, especially cyber essentials, for example, raising the bar for small and medium-sized enterprises across the economy. There is a lot that we are already doing that we could do, that we already have the scope to expand, but obviously that must be done prudently and on the basis of solid evidence.
Dr Gardner
Q
Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.
Chris Vince
Q
Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.
Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.
I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.
Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Allison Gardner ExcerptsTuesday 3rd February 2026
(2 days, 21 hours ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Chris Vince (Harlow) (Lab/Co-op)
Q
Stuart Okin: In the energy sector, we tend to use operational technology rather than IT systems. That might mean technology without a screen, so an embedded system. It is therefore important to be able to customise our guidance. We do that today. We use the cyber assessment framework as a baseline, and we have a 335-page overlay on our website to explain how that applies to operational technology in our particular space. It is important to be able to customise accordingly; indeed, we have added physical elements to the cyber assessment framework, which is incredibly important. We welcome that flexibility being maintained in the Bill.
Ian Hulme: Just to contrast with colleagues from Ofcom and Ofgem, ICO’s sector is the whole economy, so it is important that we are able to produce guidance that speaks to all the operators in that sector. Because our sector is much bigger, we currently have something like 550 trust service providers registered, and that will grow significantly with the inclusion of managed service providers. So guidance will be really important to set expectations from a regulatory perspective.
Natalie Black: To round this off, at the end of the day we always have to come back to the problem we are trying to solve, which is ensuring cyber-security and resilience. As you will have heard from many others today, cyber is a threat that is always evolving. The idea that we can have a stagnant approach is for the birds. We need to be flexible as regulators. We need to evolve and adapt to the threat, and to the different operators we will engage with over the next couple of years. Collectively, we all appreciate that flexibility.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
The ICO is a horizontal regulator working across all sectors. In your experience, would a single cyber regulator be a good idea? What would be the benefits and the challenges? I will allow Ofcom and Ofgem to jump in and defend themselves.
Ian Hulme: I suppose the challenge with having a single regulator is that—like ourselves, as a whole-economy regulator—it will have to prioritise and direct its resources at the issues of highest harm and risk. One benefit of a sectoral approach is that we understand our sectors at a deeper level; we certainly work together quite closely on a whole range of issues, and my teams have been working with Natalie and Stuart’s teams on the Bill over the last 18 months, and thinking about how we can collaborate better and co-ordinate our activities. It is really pleasing to see that that has been recognised in the Bill with the provisions for information sharing. That is going to be key, because the lack of information-sharing provisions in the current regs has been a bit of a hindrance. There are pros and cons, but a single regulator will need to prioritise its resources, so you may not get the coverage you might with a sectoral approach.
Natalie Black: Having worked in this area for quite some time, I would add that the challenge with a single regulator is that you end up with a race to the bottom, and minimum standards you can apply everywhere. However, with a tailored approach, you can recognise the complexity of the cyber risk and the opportunity to target specific issues—for example, prepositioning and ransomware. That said, we absolutely recognise the challenge for operators and companies in having to bounce between regulators. We hear it all the time, and you will see a real commitment from us to do something about it.
Some of that needs to sit with the Department for Science, Innovation and Technology, which is getting a lot of feedback from all of us about how we need it to co-ordinate and make things as easy as possible for companies—many of which are important investors in our economy, and we absolutely recognise that. We are also doing our bit through the UK Regulators Network and the Digital Regulation Cooperation Forum to find the low-hanging fruit where we can make a difference. To give a tangible example, we think there should be a way to do single reporting of incidents. We do not have the answer for that yet, but that is something we are exploring to try and make companies’ lives easier. To be honest, it will make our lives easier as well, because it wastes our time having to co-ordinate across multiple operators.
Bradley Thomas (Bromsgrove) (Con)
Q
Ian Hulme: Again, to contrast the ICO’s position with that of other colleagues, we have a much larger sector, as it currently exists, and we will have a massively larger sector again in the future. We are also funded slightly differently. The ICO is grant in aid funded from Government, so we are dependent on Government support.
To move from a reactive footing, which is our position at the moment—that is the Government’s guidance to competent authorities and to the ICO specifically—to a proactive footing with a much expanded sector, will need significant uplift in our skills and capability, as well as system development in order to register and ingest intelligence from MSPs and relevant digital service providers in the future.
From our perspective at the ICO, we need significant support from DSIT so that we can transition into the new regulatory regime. It will ultimately be self-funding—it is a sustainable model—but we need continued support during the transition period.
Sarah Russell
Q
Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.
We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—is vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.
The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”
Dr Gardner
Q
Professor John Child: I think the Bill does a lot of things quite effectively. It modernises in a sensible way and it allows for the recognition of change in type of threat. This goes back to my criminalisation point. Crucially, it also allows modernisation and flexibility to move through into secondary legislation, rather than us relying purely on the maturations of primary legislation.
In terms of board-level responsibility, I cannot speak too authoritatively on the civil law aspects, but drawing on my criminal law background, there is something in that as well. At the moment, the potential for criminalisation applies very much to those making unauthorised access to another person’s system. That is the way the criminal law works. We also have potential for corporate liability that can lead all the way up to board rooms, but only if you have a directing mind—so only if a board member is directing that specific activity, which is unlikely, apart from in very small companies.
You can have a legal regime that says, whether through accreditation or simple public interest offences, that there are certain activities that involve unauthorised access to another person’s system, which may be legitimate or indeed necessary. However, we want a professional culture within that; we do not want that outsourced to individuals around the world. You can then build in sensible corporate liability based on consent or connivance, which goes to individuals in the boardroom, or a failure-to-prevent model of criminalisation, which is more popular when it comes to financial crimes. That is where you say, “If this exists in your sector, as an industry and as a company, you can be potentially liable as an entity if you do not make sure these powers are used responsibly, and if you essentially outsource to individuals in order to avoid personal liabilities”.
Dr Gardner
Q
Professor John Child: Again, I have to draw back to the criminal law aspects. I think the Bill does the things it needs to do well; certainly, from the conversations I have had with those in cyber-security and so on, these are welcome steps in the right direction.
However, when you look at critical national infrastructure, although you can create layers of civil responsibility and regulation—which is entirely sensible—most of that will filter down to individuals doing cyber-security and resilience work. It is about empowering those individuals; within a state apparatus, that is one thing, but even with regulators and in-house cyber-security experts, individuals are working only within the confines of what they are allowed to do under the criminal law, as well as the civil regulatory system.
The reason I have been asked here, and what a lot of my work has focused on, is this: if you filter responsibility down to individuals doing security work for national as well as commercial infrastructure, you need to empower them to do that work effectively. The current law does not do that; it creates the problem of either doing that work under the veil of criminalisation, or not doing it, with work being outsourced to places where you do not have the back-and-forth communication and reporting regime you would need.
Dr Gardner
I think you are touching on the old problem of where liability lies when you have this long supply chain of diffused responsibility, but thank you.
Dave Robertson
Q
Professor John Child: That is a good question. It is certainly fair to say that all jurisdictions are somewhat in flux about how to deal with cyber threats, which are mushrooming in ways people would not have expected—certainly not in 1990, but even many years after.
The various international conventions—the OECD, the Budapest convention and so on—require regulation and criminalisation, but those are not nearly as wide as the blanket approach that was taken in this country. Some comparative civil law jurisdictions in the rest of Europe start from a slightly different place, in that they did not necessarily take the maximalist approach to criminalisation we did.
In a number of jurisdictions, you do not have direct criminalisation of all activities, regardless of the intention of the actor, in the same way that we do. So we are starting from a slightly different position. Having said that, we do see a number of jurisdictions making positive strides in this direction, because they need to; indeed, we see that at European Union level as well, where directives are being created to target this area of concern.
There are a few examples. We wrote a comparative report, incidentally, which is openly available. In terms of some highlights from that, there is a provision in French law, for example, where, despite mandatory prosecution being the general model within French criminal law, there is a carve-out relating to cyber-security and legitimate actors, where there is not the same requirement to prosecute. In the Netherlands, there was a scandal around hacking of keycards for public transport. That was done for responsible reasons, and there was a backlash in relation to prosecution there. There were measures taken in terms of prosecutorial discretion. Most recently, in Portugal, we saw a specific cyber-security defence created within the criminal law just last year.
In the US, it varies between states. In a lot of states, you have quite an unhelpful debate between minimalist and maximalist positions, where they either want to have complete hack-back on the one hand or no action at all on the other, but you have a slightly more tolerant regime in terms of prosecution.
So there are varying degrees, but certainly that is the direction of travel. For sensible, criminal law reasons that I would speak to, as well as the commercial benefits that come with a sector that is allowed to do its work properly, and the security benefits, that is certainly the direction of travel.
David Chadwick
Q
Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.
How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.
Dr Gardner
Q
Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.
Dr Gardner
Q
Richard Starnes: That is a very broad question.
Dr Gardner
I know, sorry. I collapsed it down from quite a few.
Richard Starnes: There is any number of different reasons. You have 12 competent authorities, at last count, with varying funding models and access to talent. Those could vary quite a bit, depending on those factors. I am not really sure how to answer that question.
Dr Gardner
Q
Richard Starnes: True, but I would submit that under the Companies Act that liability is already there for all the directors; it just has not been used that way.
Emily Darlington
Q
Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”
One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.
Chris Vince
Q
Stewart Whyte: Anything that increases or improves our processes in the NHS for a lot of the procured services that we take in, and anything that is going to strengthen the framework between the health board or health service and the suppliers, is welcome for me. One of our problems in the NHS is that the systems we put in are becoming more and more complex. Being able to risk assess them against a particular framework would certainly help from our perspective. A lot of our suppliers, and a lot of our systems and processes, are procured from elsewhere, so we are looking for anything at all within the health service that will improve the process and the links with third party service providers.
Dr Gardner
Q
Brian Miller: That is a great question. I will touch on some different parts, because I might have slightly different information from some of the information you have heard previously. On reporting—Stewart will deal with the data protection element for reporting into the Information Commissioner’s Office—we report to the Scottish Health Competent Authority. It is important that we have an excellent relationship with the people there. To put that in context, I was speaking to them yesterday regarding our transition to the CAF, as part of our new compliance for NHS Greater Glasgow and Clyde. If there was a reportable incident, we would report into the SHCA. The thresholds are really well defined against the confidentiality, integrity and availability triad—it will be patient impact and stuff like that.
Organisationally, we report up the chain to our director of digital services, and we have an information governance steering group. Our senior information risk officer is the director of digital, and the chief information security officer role sits with our director of digital. We report nationally, and we work really closely with National Services Scotland’s Cyber Security Centre of Excellence, which does a lot of our threat protection and secure operations, 24/7, 365 days a year. We work with the Scottish Government through the Scottish Cyber Co-ordination Centre and what are called CREW—cyber resilience early warning—notices for a lot of threat intelligence. If something met the threshold, we would report to the SHCA. Stewart, do you want to come in on the data protection officer?
Stewart Whyte: We would report to the Information Commissioner, and within 72 hours we also report to the Scottish Government information governance and data protection team. We would risk assess the breaches and determine whether they meet the threshold for reporting. Not every data breach is required to be reported.
From the reporting perspective, it would be helpful to report into one individual organisation. I noticed that in the reporting requirements we are looking at doing it within 24 hours, which could be quite difficult, because sometimes we do not know everything about the breach within that time. We might need more information to be able to risk assess it appropriately. Making regulators aware of the breach as soon as possible is always going to be a good thing.
Lincoln Jopp
Q
Brian Miller: We would work with the Scottish Health Competent Authority as our regulator; I cannot speak for other regulators and what that might look like. We are doing work on what assurance for critical suppliers outside the Bill looks like just now, and we are working across the boards in Scotland on identifying critical suppliers. Outside of that, for any suppliers or any new services, we will assess the risk individually, based on the services they are providing.
The Bill is really valuable for me, particularly when it comes to managed service provision. One of the questions I was looking at is: what has changed since 2018? The biggest change for me is that identity has went to the cloud, because of video conferencing and stuff like that. When identity went to the cloud, it then involved managed service providers and data centres. We have put additional controls around that, because the network perimeter extended out into the cloud. We might want to take advantage of those controls for new things that come online, integrating with national identity, but we need to be assured that the companies integrating with national identity are safe. For me, the Bill will be a terrific bit of legislation that will help me with that—if that makes sense.
Dr Gardner
Q
Carla Baker: My comment on information sharing was about what else the Government could do. It was not necessarily specifically to do with the Bill. If you want me to elaborate on the wider issue of information sharing, I am happy to.
Dr Gardner
Particularly between regulators, and how that would work.
Carla Baker: I cannot necessarily talk in much detail about information sharing across regulators. It is more about information sharing across the technology industry that I can talk about.
Dr Gardner
Q
I will ask my actual question, and I am trying to get my head around this. You recommend mandating that company boards be accountable for mitigating cyber-risks, and as we know from the annual cyber-security breaches survey, there are declining levels of board responsibility for cyber in recent years, which links to whether there should be a statutory duty. I am a little worried about small and microbusinesses having to deal with that regulatory burden, especially if they are designated as critical suppliers. I am trying to marry those two things together, and the concern of where liability sits, because we are very dependent on service providers. I do not know if that makes any sense to you, but could you clarify my thinking?
Chris Parker: It is a concern. I will start off with a small point about where there is a statutory requirement, certainly for large companies. I personally believe—and I am pretty sure that most industry people I speak to would say this—that it would be very surprising if we did not have cyber-focused people on boards and in much bigger governance, as we would in a financial services company, where people who are expert in financial risk are able to govern appropriately. As we get smaller and smaller in scale, that is much harder to do.
The good news is that there are some brilliant—and I really mean that—resources available from probably the most underused website in the world, but the best one, which is the National Cyber Security Centre website. It has some outstanding advice for boards and governance on there. You can effectively make a pack and write a checklist, even if you are a very small company with a board of two people, and go through your own things and make sure your checklists are there.
The data and the capability are there to give support. Whether it is signposted enough, and whether we are helping on a local level, to make sure that people are aware of those things is perhaps something we could do better at in this country. But I am sure that industry will do our part, and we do, to share and reinforce the good sharing of things like that website, to guide good governance for SMEs especially.
Carla Baker: That board-level accountability is really important, and it is crucial for cyber-security. I think it is getting better—from the senior execs that I speak to in industry, there is more understanding—but generally speaking, there is a view that cyber-security is an IT issue, not a business issue. I am sure you have heard throughout the day about understanding the risks we have seen around vulnerabilities, and the incidents that have affected the retail or manufacturing sectors. Those are substantial incidents that have impacted the UK and have systemic knock-on effects. Organisations have to understand the serious nature of cyber-security, and therefore put more emphasis on cyber at the board level.
Should we be mandating board-level governance? That is useful for this debate to seek information and input on, but the burden on SMEs has to be risk-based and proportionate, however it is framed.
Dr Gardner
Q
Chris Parker: That is a harder question. There is precedent here—of course, we can think back to the precedents that this great building has set on allowing things such as, post-Clapham train disaster, the Corporate Manslaughter and Corporate Homicide Act 2007 putting it very firmly on boards, evolving from the Health and Safety at Work etc. Act 1974. We are not there yet, but do not forget that we are starting to legislate, as is everyone else in Europe and America who are on this journey.
I believe that we will see a requirement at some point in the future. We all hope that the requirement is not driven by something terrible, but is driven by sensible, wise methodology through which we can find out how we can ensure that people are liable and accept their liability. We have seen statements stood up on health and safety from CEOs at every office in this country, for good reason, and that sort of evolution may well be the next phase.
Carla and I talk about this a lot, but we have to be careful about how much we put into this Bill. We have to get the important bit about critical national infrastructure under way, and then we can address it all collaboratively at the next stage to deal with very important issues such as that.
Lincoln Jopp
Q
Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.
As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.
Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.
It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.
Dr Gardner
Q
Kanishka Narayan: It is an important point. We know that the quality of current regulation for cyber-security varies across regulators. As an earlier panellist said, there is virtue in the fact that we have not set an effective cap on where regulators can go by having a single standard. At the same time, we need to make sure that we are raising a consistent floor of quality and proportionality judgments.
First, there is obviously constant oversight of each regulator through the lead Departments. In my case, for example, we consistently engage with Ofcom on a range of areas, including this one, to ensure the quality of regulation and that proportionality judgment is appropriately applied. Secondly, there is a clear commitment in the Bill for the Secretary of State to report back, on a five-year basis, on the overall implementation of the regime proposed in the Bill. That will be when we can get a global view of how the whole system is working.
The Chair
That brings us to the end of the time allotted for the Committee to ask questions, and to the end of the sitting. On behalf of the Committee, I thank the Minister for his evidence.
Ordered, That further consideration be now adjourned. —(Taiwo Owatemi.)
Mobile Phones and Social Media: Use by Children
Allison Gardner Excerpts(2 weeks, 2 days ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Madam Deputy Speaker (Caroline Nokes)
Order. The last time I was in the Chair for a statement on this issue, we ran out of time. It would be really helpful if colleagues ensured that their questions are short.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Organisations such as the Molly Rose Foundation highlight that evidence to support social media bans remains very uncertain and warn that blanket restrictions could unintentionally cause harm by pushing young people towards unregulated platforms, remove trusted online spaces, undermine digital literacy and, indeed, create a cliff edge at the age of 16. Does the Secretary of State agree that we must take a calm, evidence-based approach to this complex issue and ensure that children’s voices are central to the consultation?
Digital ID
Allison Gardner Excerpts(3 months, 3 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Liz Kendall
I think that when the British people—so many of whom now have online banking on their phones and store so much in their digital wallets—look at their friends, neighbours and colleagues across the channel and see that many across Europe have digital ID as a matter of course and that it makes their lives simpler and easier, their common sense will say, “We want a bit of that.”
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
As Chair of the all-party parliamentary group on digital identity, I welcome the Government’s proposals. However, many of my constituents have deep concerns and are seeking reassurance. In order to build trust in the digital ID system, it would help if people felt that they had choice and control over whether to use digital ID or not. As such, will the Secretary of State look again at the proposal for mandatory digital ID for adults and allow people a choice for non-digital alternatives, which incidentally would offer resilience against IT failure, and control over their data with a decentralised or federated data approach?
Liz Kendall
The Prime Minister has been very clear that it will be mandatory for right to work checks, but I can confirm to my hon. Friend that we do not want one big, centralised data set and that it will be federated. That is one of the lessons we learned from other countries. I am sure that there are many more things we will have to do to make sure that people’s data is secure, but this will give people more control because they will be able to see who accesses their data, and that is a good thing.
Data (Use and Access) Bill [Lords]
Allison Gardner Excerpts(8 months, 4 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Pete Wishart
The hon. Lady is spot on. The Minister continues to go on about licensing arrangements, and I think that is the territory we want to move this on to. We need to hear more about the Government’s ambitions right now, and about what they are planning to do. The hon. Lady should have a look at the submissions to the consultation from the big tech companies such as OpenAI—it is a horror show. An opt-out is even too far for them.
I have enjoyed working with Labour colleagues during these debates. They have said all the right things, and I think that, as usual, they recognise some of the difficulties in the sector, but I appeal to them now to support, in particular, new clause 2, if it goes to a vote. It is no good just saying all the right things; this is about voting in the right direction. There is no other chance, because this is the only opportunity. We must offer some protection to our creative sector over the next few years, because nothing else will appear during that time. We will all become involved in the consultation and we will all be taking part in the legislation when it comes here, but that is years away. This is the only thing that we can do to offer some support to the creative sector, and I urge everyone to support the new clauses.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
I welcome the opportunity to speak in support of the Bill and to address some of the amendment proposed, particularly Government new clauses 16 and 17.
New clause 17 is entitled “Report on the use of copyright works in the development of AI systems”. I am pleased to note, in subsection (3)(b), that the report will
“the effect of copyright on access to, and use of, data by developers of AI systems (for example, on text and data mining)”.
I also note that “developers” are specifically broken down into
“individuals, micro businesses, small businesses or medium-sized businesses”.
It is right to provide for that level of granularity. Similarly, I note that the report will
“consider, and make proposals in relation to… the disclosure of information by developers of AI systems about”
their use of copyright data to develop AI systems and “how they access” that copyrighted data,
“for example, by means of web crawlers”.
I am pleased to see discussions of licensing included in the report, and an exploration, again in granular detail, of the impact of a licensing system on all levels of developers. However, I would have liked to see an equal level of granularity for copyright owners to understand the effects of proposals outlined in subsection (3). Subsection (4) states that
“In preparing the report, the Secretary of State must consider the likely effect of proposals, in the United Kingdom, on… copyright owners”
as well as developers and users of AI systems. Although I note that new subsection (4) refers to individuals, microbusinesses and so on, I feel that there is a little vagueness as to whether this level of granularity is afforded to copyright owners as well.
Chris Bryant
That is not intentional. It is exactly the same level of granularity that we will go into in our reporting.
Dr Gardner
Well, I will just throw the rest of my speech away, then. I shall persevere. Will the report explore the effects of the proposed solutions and the resulting protections on individual creators?
Dr Gardner
There seem to be an awful lot of David Attenborough TikTok videos, but it is not him. I wonder whether this measure will apply to personality rights, and about the definition of a “small rights owner”. I will just squeeze that in.
Chris Bryant
Personally, I am in favour of doing something about personality rights, but it is one of the things that is in the consultation, to which will we respond. It is one of the things for which we will need to legislate in the round.
Dr Gardner
Perfect.
I asked the Secretary of State what reassurances can be given that smaller creatives, including microbusinesses and small creative businesses, will be considered in the report so that they can have confidence that the systems finally applied will work for them, particularly when we consider an individual’s early career—think of Ed Sheeran strumming away in his bedroom in his pre-fame days—and how they can protect their copyrighted works against the global tech giants.
New clause 16 addresses the economic impact on both copyright owners and AI developers, and I want to switch from talking about copyright owners to trying to defend the AI industry. If we do not get the controls right, we risk the mid and long-term success of the AI industry. If we do not get a fair solution for the creative and AI industries, we risk a reduction in the quantity, and potentially in the quality, of human-created data and an increase in AI-generated creative data.
I will briefly segue, because we are developing a lot of AI-created content that might be subject to copyright. A report recently pointed out that 18% of Spotify content is now AI-generated. People might remember the big hoo-ha when an AI-generated image won a photographic competition, which caused a lot of disturbance, but a lot of creative skill was involved in how the photographer developed and produced that image. No, it was not a photograph, but it is in a category of its own. I feel that is also creative content and copyrighted data, so there is a grey area.
If we start to generate more and more AI-created data and less and less high-quality human-generated data, because of the challenges to the creative industry, there is a danger that AI models will start scraping and training on AI-generated data, potentially leading to a reductive spiral into mediocrity, with some even suggesting that this could result in model collapse. On new clauses 16 and 17, I encourage the House to consider the impact of not employing proposals such as licensing and protecting the generation of new human-created content, given the risks posed to AI models and developers in the long term.
I will briefly comment on amendments 37 and 38, tabled by my hon. Friend the Member for Newcastle upon Tyne Central and West (Chi Onwurah). She ably outlined the reasons for the amendments, so I will not go into a lot of detail, but I want to point out that getting the definitions correct will prevent a loophole whereby AI companies can misuse personal data by claiming that their commercial development is scientific research. The amendments would provide transparency on the use of data by researchers in order to maintain confidence in this country’s ethical, legal and professional high standards in academic research. I hope the Minister will give careful consideration to the points I have raised.
I am now going to give my Whip, my hon. Friend the Member for Cardiff North (Anna McMorrin), a heart attack because I am going to refer to amendments 41 to 46 to clause 80 on article 22 of the UK GDPR, which is close to my heart. She is not to worry, though; I read those amendments with great interest and I understand the back-up they would provide, but although I am a newbie MP, as I read them—in my understanding, given the little work I did in my previous job with a regulator—I felt that they were more like secondary legislation. They could be considered for the future, particularly amendment 46, which includes some very welcome additions. However, when it comes to primary legislation, I feel that the Bill works better as it stands.
Creative Industries
Allison Gardner Excerpts(1 year ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
I rise not just as a member of the Science, Innovation and Technology Committee or as co-chair of the APPG on artificial intelligence, but as an academic with first-hand experience of building AI models. I will try to make a case—go with me on this one—that protecting our creative industry and the high-quality output it produces is vital not just to our vibrant creative sector, but to our rapidly evolving AI sector.
Back in the mists of time, when I was building a model for my PhD, I resisted the temptation to build a large dataset from any relevant data I could find. Instead, I chose to produce a smaller, high-quality dataset, which was risky, as it might not have been enough to create a reliable model and I might not have passed my PhD. My risk paid off. My model worked better than expected and, ever since, I have adhered to the principle that it is the quality of our data, not its quantity, that matters.
To mangle a metaphor, some say that data is the new oil or gold. Taking that metaphor forward, let us do a thought experiment. Let us say that the UK discovered vast reserves of gold, making us the second biggest provider globally. What should we do? Would we look at gold-hungry organisations and give them the gold for free, in the hope that they will invest in the UK? I should hope not.
By some estimates, the UK creative industry is the second largest globally. It is our gold. Should we give away this valuable asset for free? I hope not, for the sake of our creatives, but also for our new AI industry, in which this Government are rightly investing. The unlicensed and illegal use of copyrighted content for generative AI development has been equated by some with a form of theft. Not only is it unfair to make such acquisition legal via an opt-out system, but it risks creating a future of fool’s gold data as our creative industry loses control of its work and moves elsewhere, or simply gives up.
High-quality data is essential for the success of generative AI, but, as with gold—to overkill the metaphor—its reserves may be finite. Researchers predict that at the current rate, generative AI developers will have used all the publicly available stock of human-created text data between 2026 and 2032. In other words, we could run out next year. This means that, with limited new high-quality data, innovation and AI growth will be hindered, inviting model collapse.
Model collapse happens when generative AI models start training on their own lower-quality data. This is the fool’s gold of AI. If we wish to be competitive, both in the creative and AI industries, we as a country need to set ourselves above our competitors, not below them. We do this not by giving away our most valuable assets for free, but by protecting them so that we can keep generating more and more new high-quality data.
Generative AI developers, like all AI developers, are extremely data-hungry and keen to mine, mine, mine. If all we have left to offer them is fool’s gold—if our world-class British artists have to look elsewhere to make a living—the AI developers will likewise look elsewhere. Protecting our creative industry by not allowing the free use of data for model training purposes is therefore the right thing to do not only for our creative industry, but for our AI industry.
I therefore ask the Government to consider a longer-term view and retain the UK’s current copyright framework, to place the onus on generative AI developers to seek a licence for our creatives’ data—with a possible caveat for academic research—and to expand it to cover all generative AI models marketed in the UK. In conjunction, we must require meaningful transparency on data usage in a form that is accessible to artists and regulators. That would allow for enforceable regulation and enable the actual data creators, our creatives, to seek redress. I resist, as I always do, claims that that would inhibit innovation and growth. Based on my experience as a researcher and AI ethicist, I reject the notion that regulation inhibits innovation. It simply does not. Transparency of model development and data sources plus enforceable regulations are vital to encourage high standards and good quality AI.
By retaining our copyright framework and pioneering a licensing approach, we would guarantee that rights holders have control over their own creative output. Such an approach would give confidence to our creatives, allowing them to pursue sustainable, well-paid and productive careers, and provide enjoyment to us all, income and growth for the country and the high-quality output that is so valuable to generative AI developers. By taking that approach, we will remain what we are today—the gold standard of the creative industries—and that will enable us to rise up as the gold standard for AI development.
Gareth Snell
The Minister has stolen my thunder! As always, he has pre-empted what I was going to say. I was going to say that Stoke-on-Trent is a city that is steeped in history, but fizzing for the future of creativity. We are home to nine Arts Council England national portfolio organisations; we have a burgeoning CreaTech cluster in the Spode building; and we have some of the best performances of theatre-in-the-round at the New Vic theatre, which although not in Stoke-on-Trent is so close to the border it might as well be.
I highlight these points not for the flippant response I should have pre-empted from the Minister, but because all too often when we think about places where creativity happens and where arts and culture thrive, we do not think about places such as Stoke-on-Trent or other historical industrial cities. All too often, those places are written up as wastelands, with derelict buildings shown in articles in The Guardian, rather than the focus being on the things that make them special and strong: our heritage and our future.
Stoke-on-Trent is the only city in the UK that has world craft city status for our industrial history in the potteries. Some of the great creatives of our past are intrinsically linked to Stoke-on-Trent: Wedgwood, Spode, William Moorcroft, Clarice Cliff and Susie Cooper. They are people who had creativity not only in their artistry, but in their industry. They pioneered new methods of working so that we could have the finest bone china, and came up with new techniques for design; the illustrations on the plates, cups and tiles that we all enjoy were at the cutting edge of new methods, technologies, pigments and materials. The creativity that they drew upon as part of their industrial heritage remains, and we have the same skills and burning ambition to demonstrate who we are and what we do in Stoke-on-Trent today.
Some 4,000 jobs in Stoke-on-Trent are linked directly to the creative sector; if the supply chain is included, it would easily be two or three times that number. Some 638 artists and artist organisations are recognised by the Stoke-on-Trent and North Staffordshire Cultural Education Partnership. In 2019, there were 5.5 million tourist visits to Stoke-on-Trent—a narrative that we do not often hear from those who seek to denigrate the city I am proud to call home and represent in this place. Sadly, some of that snobbish approach to my city comes from our nearest neighbours, who seek to use the challenges that our city faces for their own short-term political gain. I doubt that will stop any time soon. However, we are home to “The Great Pottery Throw Down”, which is on Channel 4 on Sunday evenings; Keith Brymer Jones and the team have made pottery glamorous Sunday night TV viewing. It demonstrates that the history of who we are is still very much part of the society and city that we want to be.
Dr Gardner
I recently visited the impressive and very funky 1882 ceramics firm based in the World of Wedgwood in my Stoke-on-Trent South constituency, home of “The Great Pottery Throw Down”. The firm impressed upon me its challenges in attracting young apprentices, risking the loss of important creative heritage skills. Does my hon. Friend agree that we must remember the value of pottery and sculpture in our education curriculum review to protect this vibrant industry?
Gareth Snell
I agree with my hon. Friend. Our city has children in school who are unaware of our cultural heritage, which is their cultural heritage, and who do not play with clay in the way they should. We have schools that decommissioned their kilns, despite the fact that the children’s parents and grandparents would have trained in those schools, gone into the industry and made good lives for themselves from honest, hard work in what was essentially one of the country’s earliest creative industries.
My hon. Friend is also right about the pipeline of talent. The big creative companies in Stoke-on-Trent tell me that the University of Staffordshire is generating some of the highest quality, most talented graduates in the country. When it comes to computer games, technical productions and animations, the courses at the University of Staffordshire are rated as some of the best, if not the best, in the country. Only this week, three of the big digital creative bodies in Stoke-on-Trent—i-Creation, Lesniak Swann and VCCP—announced their new summer internship. That programme lines young graduates up with professionals working in the creative industry, and shows them what their job and career could be—a job and a career that has value, pride and potential economic benefits for my city, because of the nature of the work that we can bring in.
The Minister will know about the litany of success stories in our city from a Westminster Hall debate that he kindly responded to a few weeks ago. I will not bore the House by repeating that list this evening. Let me simply say that when the Government consider the future of the creative industries and where the talent pool should be—I know that the Minister agrees, so I hope that he reiterates it when he winds up—we should bear in mind that if we can make it work in places such as Stoke-on-Trent, we can make it work anywhere. Young people in my city who enjoy creative education and want to go on to do wonderful things, whether in music, drama, dance, tech or ceramics and pottery, deserve the same opportunities as a child from London or any metropolitan city in the north of England. I hope that, as the new Government foster a new partnership with places such as Stoke-on-Trent, the creative industries can be central to it, so that the names we speak of in 20 or 30 years’ time, when we undoubtedly have this debate again, will be the names of those young people.
Artificial Intelligence Opportunities Action Plan
Allison Gardner Excerpts(1 year ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Peter Kyle
I am grateful to the hon. Lady for her constructive comments. She mentions trust. Trust is incredibly important in this whole agenda. We have seen too many times in the past where a fearful public have failed to fully grasp the potential for innovation coming out of the scientific community in this country. We are not going to make that mistake. We understand from the outset that to take the public with us we must inspire confidence. We must have safety assured from the outset and that is a commitment I make today. If people are not safe and protected, and do not feel safe, they will not explore confidently all the potential that AI and the digital world presents to them, their families, their communities, their businesses and us as a country. We must ensure that they do so.
On intellectual property, a consultation is under way. The hon. Lady, along with the rest of the public and all interested parties, are very welcome to take part—indeed, I implore them to do so.
Growth zones present the most remarkable opportunity for parts of our country. We want to ensure not just that every part of the country benefits, but that those parts of the country that experienced deindustrialisation and suffered at the hands of the Conservative Government over 14 years of stagnation, chaos and the poor strategic planning of our economy, benefit the most. In the coming weeks we will announce the process by which we will select the future AI growth zones. I implore areas, regions and parts of our country that are interested to start looking at the Government’s direction of travel to see whether they can play a part, and whether they can get involved and start delivering AI growth zones in their area. There are parts of the country that will really benefit. We want to ensure that we have a set of local authorities and areas that are eager to take advantage of it.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Cities like Stoke-on-Trent, left behind by the previous Conservative Government, could significantly benefit from targeted AI investment. AI growth zones are one such opportunity. We have a great site in Stoke-on-Trent and energy innovations. Will the Secretary of State outline plans for using AI to drive investment towards the CreaTech hub that is Stoke-on-Trent?
Peter Kyle
The people of Stoke-on-Trent are extremely lucky to have such a strong advocate, not just for the infrastructure of the future but for the skills and the talent that exists across Stoke-on-Trent. I can assure my hon. Friend that we are eagerly awaiting any interest that Stoke-on-Trent shows in the growth zone area and in all the other announcements that came out in the plan today. We will not do “to” communities; we will partner “with” communities, areas and the nations of the United Kingdom to ensure that everyone benefits. Those who are hungry to embrace the agenda will have an active partner in my Department and this Government.
Technology in Public Services
Allison Gardner Excerpts(1 year, 5 months ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Thank you, Madam Deputy Speaker. I congratulate the hon. Members who have made their maiden speeches tonight. I, too, am honoured to make my maiden speech during this debate on the use of technology in public services, coming as I have from my previous role in the NHS AI and digital regulations service.
Mine is a new constituency, with the majority of the old Stoke-on-Trent South and the northern part of the Stone constituencies within its boundaries. The new Stoke-on-Trent South is hence a diverse area, combining a great industrial heritage of mining and ceramics with the agricultural and rural communities of Stoke-on-Trent and north Staffordshire. Our urban area centres around one of the six Staffordshire pottery towns of Longton, which proudly boasts the largest number of our iconic bottle ovens, including those of the Gladstone Pottery Museum, where “The Great Pottery Throw Down” was filmed. Naturally, ceramics and tableware are a major part of our history and culture. Indeed, you can spot a Stokie anywhere in the world, for they will be turning over any cup or plate to see whether it comes from Stoke-on-Trent—you know it! I invite Members present to join the “turnover club” and investigate the provenance of pottery and china right here in the Palace of Westminster.
Of course, our industrial strength extends beyond ceramics and includes innovative firms such as Goodwin, with high-tech mechanical and refractory engineering divisions, which I had the pleasure of speaking to last week. Goodwin, along with other excellent businesses, including Trentham’s Minuteman Press, offers dozens of high-skilled apprenticeships, giving our workers award-winning opportunities to develop key skills for the future. Indeed, within north Staffordshire we have Keele and Staffordshire Universities, a medical and veterinary school, and excellent further education colleges offering great courses and apprenticeships.
The rural part of the constituency includes Blythe Bridge and Barlaston, and extends to Tean, Swynnerton, Yarnfield and Oulton, with many villages in between. It is where my partner Jim’s family have lived and run their sawmills for generations. Walk anywhere in our countryside and you will see public footpath signposts made by Jim himself. History, land, family and a love for our north Staffordshire home—I am going to get emotional—are embodied in those signs.
Indulge me too as I mention my daughters, Chrissie and Lucy, and my sister Siobhan, and thank them, alongside Jim and his children, William and Sophie, for putting up with me in my passion to build a better future for everyone’s children in my constituency. Thanks are also due to the great team that supported me throughout.
With this new combined constituency, I must acknowledge the hard work of the two former Conservative Members, Jack Brereton and Bill Cash. Jack was MP for Stoke-on-Trent South from 2017. I commend him for his work in tackling the scourge of monkey dust, and for his ambitions for better transport across Stoke and north Staffordshire. I commit to continuing that important work, and welcome the moves being made by this Government to rebuild our transport services to be run for the people, benefiting our economy, opportunity and the environment. Bill Cash has had a parliamentary career spanning 40 years. Indeed, Bill was an MP before Jack was born. I wish Bill well in his retirement.
In Stoke-on-Trent South, Jack was preceded by the Labour MPs Rob Flello and George Stevenson. I thank George for his no-nonsense advice and support. I should also mention another MP called Jack: Jack Ashley, a Labour MP who I have the honour of being compared to. This is a formidable challenge to meet. Jack was elected in 1966, the year I was born and the year that we won the world cup, in which the great Stoke City player Gordon Banks played a key role. His statue stands proudly outside the bet365 stadium in my constituency. So 1966 was a good year all round, by my reckoning, as we can now add me to its accomplishments as the first female MP for Stoke-on-Trent South.
Jack Ashley became profoundly deaf while he was an MP and was reportedly the first deaf Member of any elected assembly. Although he initially thought that he would need to resign, he turned to technology, using a Palantype transcription system. Jack’s visit to the BBC’s Ceefax department even inspired a project to develop a computer program to convert stenographic outputs to TV subtitles. As a hard-of-hearing MP who wears AI-enabled hearing aids, it is fitting that I remember Jack Ashley in today’s debate.
It is the norm for MPs to claim in their maiden speech that their constituency is the most beautiful. I could, of course, argue that, describing our quintessential countryside, pretty villages and farms, the canals and of course the River Trent, or I could talk of the beauty I find in our industrial landscape—I am going to get emotional again.
However, I want to talk about the people, because it is in their spirit, their friendliness and their sense of community that true beauty lies—in the heart of the people. From Tracey, who runs Meir Watch, and Arfan, who owns Sizzlers pizzas, coming together to feed and clothe children in need, with no expectation of thanks or profit; to the fantastic PEGiS—the Parent Engagement Group in Stoke—who I had the pleasure to meet at their summer picnic, working to support SEND families, with no-nonsense women such as Michelle and Keeley cracking on and getting stuff sorted; or Jason, passionately fighting to clean up our waterways; Craig, battling grief from the loss of a friend to campaign for safer roads; and the village who reached out to me, worried about asylum seekers, not because they had given in to the politics of division and hate, but because they were worried that the children were not getting any schooling. When I attended their summer fête, they had reached out and invited the refugees to come and join in the fun—and come they did.
This is the heart of the people of my constituency, reaching out and caring for those in need without judgment, with friendly, no-nonsense, practical support, and believing in the power of community action. This is true beauty. I pledge to all the people in my constituency that I carry them in my heart and mind at all times. I am acutely aware of the trust they have placed in me. I will get some things wrong, no doubt, but know this: I will always do my best. I will work hard, I will always hold the vision of a better life for them and I will always fight for the place that is my home.
Before I turn back to the topic of this debate, technology in our public services, I will take one more little trip into history, if I may. In Barlaston we have the World of Wedgwood, where I like to treat myself to a genteel cream tea, drinking out of Wedgwood china and pretending I am posh. I heartily recommend visiting. The founder, Josiah Wedgwood, was a great innovator and entrepreneur who invented creamware and green glaze, to name just two. He understood that science—in his case, chemistry—practically applied in an industrial context turbocharged innovation and development. He was also a master marketeer, apparently, pioneering money-back guarantees, illustrated catalogues and buy one, get one free. If he were alive today, we can only imagine what his innovative and entrepreneurial spirit would make of this digital world.
Josiah was a polymath, and that is something worth noting. It is important that we recognise that in considering technological innovation, we must take a multidisciplinary approach, with the full participation of those who will implement, use, govern and be impacted by the technology day to day. Technology in the public services offers huge potential, but there are also risks if it is not properly developed and deployed, as we have seen with biased risk assessment models for child welfare and benefit fraud models.
In my previous career with the NHS, I saw the great potential that diagnostic technologies can offer, particularly in radiology, which I saw in action when I visited the radiology department at the Royal Stoke, for example. Such technologies can be transformative, streamlining pathways and saving hours of work, but they do not and should not replace human oversight. Proper governance and regulation are required, and always with a “safety first” principle. It must be transparent and accountable. I hope we get it right; in fact, we must. In delivering transformative change in our public services, we must develop the governance and regulation that will maximise the benefits and mitigate the risks—not just for the people of my constituency or the country, but because by moving forward to a bright new age with modern and innovative public services, as they once were and will be again, we can be an example to the world.
Madam Deputy Speaker (Caroline Nokes)
I call Chris Coghlan to make his maiden speech.