Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps he has taken to ensure transparency regarding the nature of the data compromised with the people affected by the Capita data breach.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
Capita contacted all impacted members to inform them of the potential loss of data. Capita provided all impacted members with clear communications and also a subscription to Experian Plus that allowed members to monitor their online records for any signs of potential issues.
Capita also initiated an independent full review of their systems to review security and to identify any further potential data exfiltration. Capita cooperated fully with investigations into the breach with the Information Commissioner's Office and with Cabinet Office in assessing any potential risks to the membership of the scheme.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department had made an assessment of the adequacy of Capita’s cybersecurity protocols prior to the March 2023 data breach.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
The Cabinet Office (CO), which is responsible for managing the contract with Capita for the Royal Mail Statutory Pension Scheme (RMSPS), ensured the adequacy of Capita's cybersecurity protocols through a robust contractual framework. Capita is required to adhere to Government Security standards and the Security Schedule of the contract, which includes providing annual independent penetration testing by a National Cyber Security Centre-accredited team and maintaining security accreditations such as ISO27001 and Cyber Essentials Plus.
These standards and Capita’s security posture are overseen by CO Information Assurance professionals and captured via regular reporting and audits. It should be noted that all of the accredited RMSPS systems were not compromised during the Capita cyber attack and remained secure; however, a small number of scheme members were unfortunately impacted when some data was extracted from a separate Capita finance file related to compensation payments.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department plans to review its guidance on outsourcing contracts following the Capita data breach.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
The Sourcing Playbook, which provides policy and guidance on sourcing decisions, is published by the Cabinet Office and is reviewed and updated regularly. The last update was 26 February 2025.
https://assets.publishing.service.gov.uk/media/64901fcc5f7bb700127fac5e/Sourcing_Playbook_Final.pdf
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what contingency plans he has in place if Capita is deemed unsuitable to continue administering civil service pensions.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
Contingency plans are linked to contractual obligations placed on the pension administrator with several options available to the Cabinet Office in the event that a third party is unable to meet its contractual obligations. In the event of a catastrophic failure, the Cabinet Office has the right to step in to manage the contract.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps his Department takes to ensure that employers share accurate (a) data and (b) instructions with Civil Service Pensions; and how often this is audited.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
The Cabinet Office ensures employer data accuracy through a mandatory Interface Compliance Process, in place since 2018, which monitors the quality of all data and instructions against a 'right first time' standard. This process flags all Errors and Warnings on monthly submissions. The administrator, MyCSP, does not load the following month's data until all previous errors are corrected, ensuring a continuously maintained data quality. Compliance is audited weekly by the administrator, with summary reports provided to the Cabinet Office.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment he has made of the potential impact of the Capita data breach on the (a) integrity and (b) security of the Civil Service Pension Scheme.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
Civil Service Pension Scheme members were not affected by the Capita data breach, as the incident impacted data held by the Royal Mail Statutory Pension Scheme and their members. Therefore, there was no impact on the (a) integrity or (b) security of the Civil Service Pension Scheme.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps he has taken to ensure that all Civil Service Pension Scheme members that were affected by the Capita data breach have been (a) notified and (b) supported.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
No members of the Civil Service Pension Scheme were affected by the Capita data breach as the scheme is administered by MyCSP. However, a small number of members of the Royal Mail Statutory Pension Scheme were affected. All were notified and full support was provided by Capita.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what estimate he has made of the (a) legal, (b) administrative, (c) remedial and (d) other costs to the public purse of Capita's data breach.
Answered by Anna Turley - Minister without Portfolio (Cabinet Office)
In respect of the data breach for the Royal Mail Statutory Pension Scheme members, there was no cost borne by the public purse. However, Capita’s data breach is known to have impacted both private and public sector organisations and is much broader than just pension schemes. We cannot comment on the impact on anything other than the Royal Mail Pension scheme.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department plans to make an assessment of how to improve civil service compliance with strict impartiality in (a) recruitment and (b) retention.
Answered by Georgia Gould - Minister of State (Education)
The Civil Service Commission’s Recruitment Principles explain the legal requirement that selection for appointment to the Civil Service must be on merit on the basis of fair and open competition. The Civil Service takes adherence to these principles very seriously. The Civil Service Commission publishes data regarding compliance and their most recent annual report for 2023/24 showed a 13% reduction in breaches compared to 2022/23.
For the centrally managed Senior Civil Service, departments are able to address flight risk with Pivotal Role Allowances (PRAs) for those delivering critical programmes and those responsible for implementing government priorities. All PRAs require the approval of the Cabinet Office and the Treasury and are assessed against strict eligibility criteria, including the business criticality of the role, the impact should the incumbent leave, the skills required and the level of flight risk. For grades below the SCS, departments have delegated authority to determine their own pay arrangements to reflect their recruitment and retention needs.
Asked by: Suella Braverman (Conservative - Fareham and Waterlooville)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department has made an estimate of the issues which have led to the largest number of incidents of reported civil servants being found in breach of strict impartiality conduct.
Answered by Abena Oppong-Asare
The collection of any data with regard to breaches of the Civil Service Code would be a matter for individual departments.