Draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025 Debate
Sarah Jones (Labour - Croydon West)
General Committees
I beg to move,
That the Committee has considered the draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025.
It is a pleasure to serve under your chairmanship, Sir Jeremy. This instrument, which was laid before the House on 7 July, specifies the qualifying competent authorities that will be able to apply for a designation notice under section 89 of the Data (Use and Access) Act 2025. Section 89, when commenced, will insert sections 82A to 82E into the Data Protection Act 2018. Although those provisions have already been debated and passed by Parliament, during the passage of the parent Act, in order to place the regulations in context I will briefly summarise their purpose.
Under the 2018 Act, authorities processing for law enforcement purposes and intelligence services are subject to two separate legislative data processing regimes for processing personal data. This precludes a joint controllership between the two entities and makes working together more difficult, especially in the context of public safety and national security. For example, an intelligence service and a police force working together on a joint investigation could not work from a single shared dataset setting out individuals of interest and related intelligence. Instead, each must have their own copy of the data, sharing data back and forth between one another and across data protection regimes to allow each to update their intelligence. This obviously decreases efficiency and reduces joint working capabilities.
There is a clear public interest in enabling closer joint working between law enforcement bodies and the intelligence services in matters of national security, as highlighted by reports into the Fishmongers’ Hall and Manchester Arena terrorist attacks. Once the provisions are in force, a qualifying competent authority will, together with at least one intelligence service, be able to apply for what is called a designation notice from the Secretary of State under section 82A of the 2018 Act, where it is required for the purposes of safeguarding national security. This designation notice will allow the intelligence service and qualifying competent authority in question to form a joint controllership for that processing activity.
This change will align the legislation with the position under the Data Protection Act 1998, before the adoption of the GDPR. Under the 1998 Act, joint controllerships between the two organisations were permitted. The Data (Use and Access) Act 2025 inserts section 82(2A) in the 2018 Act, which introduces a power to make regulations specifying which competent authorities are able to apply for a designation notice alongside an intelligence service. Competent authorities are defined in section 30(1) of the 2018 Act as
“a person specified or described in Schedule 7”
to the Act, or “any other person” who has a statutory function for a law enforcement purpose and is therefore capable of processing data under the law enforcement regime.
The Home Secretary is exercising that power by introducing the draft Data Protection Act 2018 (Qualifying Competent Authorities) Regulations 2025, which specify 23 qualifying competent authorities. The regulations have been drafted in consultation with the partners operating in the area of national security. The regulations include competent authorities involved in areas where national security is a consideration. Given the sensitivities involved, the Government cannot go into detail publicly on the rationale behind the inclusion of individual authorities in the list. However, the authorities that have been included are those where there is reasonable potential for a joint controllership to be formed for the purpose of safeguarding national security. The list includes UK police forces—both territorial forces and other branches such as counter-terrorism police and military police—prison and probation services, and other bodies involved in law enforcement and offender management. The Information Commissioner’s Office was consulted on the proposed qualified competent authorities, and confirmed that it was content with those included.
As the threat to the UK’s national security evolves and changes, competent authorities may be added or removed from the regulations. The legislation requires amending regulations to be subject to the affirmative procedure. The UK and its citizens continue to face a wide array of threats from a diverse range of actors. The provisions within this instrument will strengthen the ability of our law enforcement and intelligence services to work more closely to protect our national security. I therefore commend the draft regulations to the Committee.
I thank hon. Members and hon. Friends for a detailed inspection of this SI. It is right and proper that that inspection should happen; that is the point of democracy and I welcome the questions. To start with, I want to set out the principles to respond to some of the broad themes. First, there is a national conversation about data. We all worry about what happens to our data, where it goes and how it is held. There are three vehicles through which data flows that we are looking at. One is GDPR, which we all know and talk about often; one is part 3 of the DPA 2018, which applies to the police, the CPS and the courts; and one is part 4 of the DPA, which applies to GCHQ, MI5 and MI6. We are enabling sharing between the latter two.
The principle I want to stress is that it is not the case that somebody will ask for this data sharing and it will be given randomly. They will have to make the case and demonstrate that they need continued real-time data sharing. At the moment, one authority can ask the other for data, and they might need that data as a one-off. This instrument is designed to be used for continued real-time access to data where that data needs to be shared. It has come from what we learned from incidents such as Manchester Arena and Fishmongers’ Hall, where real-time sharing of data is needed. That is the principle.
I want to reassure colleagues that much consideration has been given to how this will operate and to make sure that data sharing is done correctly. As I said in my opening remarks, the Government consulted the Information Commissioner, which has confirmed that it is content with what we are laying out today. I hope that gives reassurance.
The right hon. Member for North West Hampshire asked whether this instrument will come to the Intelligence and Security Committee and about being satisfied that the Department was overseeing in an appropriate way. I am happy to write to him with more information. He will appreciate that a detailed debate on this took place prior to my arrival, but I have studied and talked with officials at length on the premise of this piece of legislation and I am very satisfied that the checks and balances are there.
I was asked whether there was a consultation with the bodies listed; there was. There was a question about what the provost marshal is. He—I say “he”, although I do not know whether it is a “he” or a “she”; I suspect it may be a “he”—is the head of the military police for each service. That is from the Police Act 1997. Again, I am happy to share more information on that with the right hon. Gentleman.
Another thing that might be reassuring to Members is that the notices will be made public. It is not that there will be no controls once the data is shared—the ICO oversight remains, so there will be a regime within which that data is controlled. Members should be reassured about that.
On the question why some of the bodies are on the list and others are not, as I said in my opening remarks we cannot comment on the rationale behind each individual authority included on the list, but I hope that my explanation of the premise from which we have approached this satisfies hon. Members. However, of course there is no restriction—this being a democracy—on Members’ continuing to ask these kinds of questions and making sure that we are doing everything that we need to do.
The Minister said that these notices will be published; will these bodies be general powers or specific powers? Will the Government say, “We’re going to grant a notice on this for six months for a specific purpose,” or will it be just, “We’re going to let the Army share it with whoever, in perpetuity”? So, are the powers time limited?
Secondly, while I understand that the Minister cannot explain to us why, who or what regarding these organisations, as the hon. Member for Newton Abbot said, all of these organisations will be processing that data on third-party software, much of which will be owned by private corporations, many from overseas. Does this power extend to them, by proxy, because they are contractors to the primary organisation—which is, necessarily, by its nature, public sector—or will there be firewalls and controls therein as well?
I thank the right hon. Member for that intervention. As a couple of Members have asked about it, I was just coming to the point about the duration of time that these powers are given for. The duration lasts for up to five years, but it is subject to annual review by the Secretary of State.
The right hon. Member asked about the number of organisations under a notice. There is no specification on the number; it simply must be at least one competent authority and one intelligence service wanting to share the data. I should have said that the Intelligence and Security Committee is able to request information from the intelligence services under its purview, so these arrangements would not be excluded from that. I hope that is reassuring to the Committee.
To re-emphasise, there is a process here: the ICO will remain with the oversight and have the relevant security clearance, and it already oversees UK intelligence agencies. I can reassure Members that the right checks are there to ensure that this data is not given more widely than it should be.
I hope that that reassures hon. Members that these regulations are needed, and that they respond to our need to be able to act in real time in moving situations to protect the public, which is the fundamental principle behind our doing this. I hope that Members will understand that. I commend the regulations to the Committee.
Question put and agreed to.