Draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025 Debate

Department: Home Office
Kit Malthouse (North West Hampshire) (Con)

It is a pleasure to see your wisdom in the Chair, Sir Jeremy. Although I understand the impetus behind the change, I want to ask the Minister one or two questions about it. She and I have traded blows over this agenda in the past. She was my shadow for two years, so I congratulate her on her new position. I am sure she will do a fantastic job.

In considering this change, we have to ask ourselves why sharing was made so difficult in the first place. We have to trust that those who came before us, who put this legislation in place, considered that issue. The shadow Minister, my hon. Friend the Member for Stockton West, said that subsequent events have illustrated the need for agencies to work together more closely on the analysis of data for the prevention of the sorts of incidents he mentioned. Despite that, I think we have to come with a bit of scepticism about what the result of these regulations might be, and what liberties we might be trampling over. My questions are framed in that regard.

I was slightly alarmed by what the Minister said and the contents of the explanatory memorandum, and I was thinking about raising a point of order about the fact that the Government cannot really tell us why the competent authorities have been included in the list. It raises the question of why we are all here. We might as well have had a list that said, “Whoever we decide. Don’t ask questions.” It does seem a bit odd that we are passing regulations, but we are hampered in our scrutiny in asking questions about particular organisations. Nevertheless, I will ask the questions that I have about them and see what the Minister has to say.

First, I wanted to ask about the provosts. The list includes the provost marshals of the Royal Navy Police, of the Royal Military Police and of the Royal Air Force Police, and “The Provost Marshal for serious crime.” I had never heard of that person before, so perhaps the Minister could start by telling us who the provost marshal for serious crime is.

I understand that all the other organisations—certainly the police and chief constables—have very strong and automated controls on the data that they use, not least to the extent, for example, that every access that any individual makes to the police computing system is logged and maintained, and people are very often convicted for irregularly accessing material. However, given that these individuals are military and that we are living with the consequences of a major military data breach that has cost us many billions of pounds and put quite a lot of lives at risk, can the Minister reassure us that the processing of data between civil and military organisations will be done to the same standard, and that it therefore will be safe from leakage?

Regulation 2(o) states that,

“a body established in accordance with a collaboration agreement under section 22A of the Police Act 1996(9)”

can be classed as a qualifying competent authority. What type of body might that be? If we were to have an example of such an organisation, we might be able to form a view on whether it is appropriate for it to be on the list.

I have a question about the inclusion of Revenue and Customs. As the Minister may know, in the old days when Inland Revenue and Customs and Excise were two separate organisations, they had very different cultures. The culture at Customs and Excise was of kicking the door down. They were kind of “Moonfleet”, Daphne du Maurier-type anti-smuggling hard men and women, whereas at the Inland Revenue they were a little more intellectual and professional. In one, they wore suits; in the other, they wore flak jackets. When Gordon Brown amalgamated the two, unfortunately the muscular culture at Customs and Excise was translated and taken over at the Revenue, to the extent that they now both have more kick-in-the-door characters. So I am concerned about the amount of sensitive personal data that Revenue and Customs control at the moment; about the culture of that organisation and its increasing aggression over the last 20 years or so; and what implication that is going to have for the rest of us.

I understand that the Minister cannot tell us why this is being introduced, but is she able to tell us whether Customs and Excise will, as a result, be asked to routinely scan millions and millions of datapoints and people’s personal financial data to look for patterns of movement and transactions, for example? Or is this for use in relation to specific investigations? My general view is that, as with most things, the British people will accept a specific investigatory sharing regime, but may not accept a general fishing regime.

The same is true of the Land Registry, which is on the list. I understand that in the search for illicit funds or activity, specific inquiries and the processing of data is required, but on general scanning, particularly as the Land Registry becomes more and more digital and automated, I am nervous about us moving to a kind of American-style National Security Agency approach, where billions if not trillions of datapoints are collected on a regular basis and analysed by computers—artificial intelligence or whatever it might be—to look for patterns of behaviour. That may well be the way that we are going, but if we are going there, we should be transparent with the public about what we are doing, notwithstanding that the Minister cannot tell us why or what today.

I have two further questions. On supervision, what will the supervision over this necessarily covert process be? Does the ICO, which I presume will be the supervisory body, have the right security clearance at the right level that will allow it to access this operation of data sharing to the extent that it can satisfy itself that the statement that the Minister has made—that we are in compliance with all our human rights obligations and in compliance with the law—will be looked at? Within the Department, similarly, what will supervision of the effect of this data sharing be?

Thirdly, given that this will be new, is it likely to be brought to the Intelligence and Security Committee for review of its operation? That would be at least three layers of supervision over what is quite a large step up in capability—it is not unwelcome, but it is a large step up—by the Security Services and others.

Finally, I want to ask about risk assessment. The sharing of data between organisations could present a greater risk of leakage, or alternatively it could mean, if only one of them is maintaining the data to which the other has access, that there is less likelihood of leakage. We have talked about efficacy. The Minister did not say anything about the risks and benefits from a data security point of view.

As we have learned to our cost recently with the military, the transfer of data between organisations, whether sharing or otherwise, does run the risk of it falling into hands that it should not. Will these organisations therefore have to subscribe to a tighter data control regime than they would have done, to make sure that the possibility of that leakage is minimised?

--- Later in debate ---
Kit Malthouse

The Minister said that these notices will be published; will these bodies be general powers or specific powers? Will the Government say, “We’re going to grant a notice on this for six months for a specific purpose,” or will it be just, “We’re going to let the Army share it with whoever, in perpetuity”? So, are the powers time limited?

Secondly, while I understand that the Minister cannot explain to us why, who or what regarding these organisations, as the hon. Member for Newton Abbot said, all of these organisations will be processing that data on third-party software, much of which will be owned by private corporations, many from overseas. Does this power extend to them, by proxy, because they are contractors to the primary organisation—which is, necessarily, by its nature, public sector—or will there be firewalls and controls therein as well?

Sarah Jones

I thank the right hon. Member for that intervention. As a couple of Members have asked about it, I was just coming to the point about the duration of time that these powers are given for. The duration lasts for up to five years, but it is subject to annual review by the Secretary of State.

The right hon. Member asked about the number of organisations under a notice. There is no specification on the number; it simply must be at least one competent authority and one intelligence service wanting to share the data. I should have said that the Intelligence and Security Committee is able to request information from the intelligence services under its purview, so these arrangements would not be excluded from that. I hope that is reassuring to the Committee.

To re-emphasise, there is a process here: the ICO will remain with the oversight and have the relevant security clearance, and it already oversees UK intelligence agencies. I can reassure Members that the right checks are there to ensure that this data is not given more widely than it should be.

I hope that that reassures hon. Members that these regulations are needed, and that they respond to our need to be able to act in real time in moving situations to protect the public, which is the fundamental principle behind our doing this. I hope that Members will understand that. I commend the regulations to the Committee.

Question put and agreed to.