(6 days, 1 hour ago)
Lords Chamber
To ask His Majesty’s Government what assessment they have made of public bodies and services, including the NHS Digital app, procuring professional services through processes which purport to be “onshoring” to firms which contract third parties outside the United Kingdom to do the work; and what assessment they have made of the risk this poses to private data and cybersecurity.
Each contracting authority carefully considers and makes risk-based decisions on whether, and where, data can be offshored, and what restrictions are appropriate for service delivery and development activities. The new standard security schedules for all central government contracts, published on 1 October 2024, include greater controls over data offshoring and stronger security requirements. Buyers also have greater transparency over where, and how, their data is hosted and processed, and stronger remedies where suppliers do not follow buyers’ requirements. Outsourcing contracts also contain complementary provisions on the offshoring of this personal data under GDPR.
I thank the Minister for her reply. NHS Digital has contracted with Splunk, which subcontracts to the Bulgarian company Bright Consulting. This practice, which Splunk refers to as “onshoring”, began during the Covid-19 pandemic and continues to this day. Can the Minister reassure the House that under this practice of onshoring to third-party non-UK-based companies patient data really is safe? Is the taxpayer getting value for money by paying UK rates to a company that outsources the work for a considerable margin?
The government model services contract is one of three template contracts for use by government departments and wider government when procuring complex outsourced services. Value for money for taxpayers is central to good government procurement. The Government recognise the potential risk of data offshoring taking place without the explicit consent of public sector buyers. New standard security schedules for all government contracts include greater controls over data offshoring and stronger security requirements.
My Lords, thanks to a whistleblower, we learned on 4 August from the Daily Telegraph that, up to 2021 when it was discontinued, a chain of outsourcing resulted in software for our nuclear submarine engineers being developed by private companies in Minsk and Siberia. The Telegraph reported Ben Wallace, the then Defence Secretary, as saying that the breach left the UK’s national security “vulnerable to undermining”. Can my noble friend tell us whether this story is true? If it is true, where can we find a credible, comprehensive rebuttal? Otherwise, is it not likely that our deterrent will be undermined?
As my noble friend will appreciate, the Ministry of Defence took these reports extremely seriously. In response, on 6 September this year, Maria Eagle, the Minister of State for Defence, confirmed that both the MoD and Rolls-Royce Submarines had conducted an investigation into the matter. The Minister assured that the investigation found no evidence that Belarusian nationals had access to sensitive information and concluded that no change to the MoD procurement policy was required. The Ministry of Defence has set a policy of using Secure by Design. This is a modern approach whereby senior responsible owners, capability owners and delivery teams are accountable and responsible for delivering systems that are cybersecure. This includes ensuring new systems being bought or built carry out due diligence on the security of their systems.
My Lords, my dental practice changed its IT supplier a year ago. After going online to confirm an appointment and agree the usual dental practice use of my data, I was invited to check the IT supplier’s data. Seven layers down, it appeared that I gave permission for all my medical data to be used by the UK company, its parent US company and all its commercial subsidiaries. The practice has now got a new IT contractor. How well aware are clinical practices and surgeries of this underhand technique by major digital contractors?
The noble Baroness makes a really important point. I will speak to my noble friend Lady Merron, to make sure it is taken forward through DHSC. The Government are quite clear that government data is owned by the Government and any commercialisation should be agreed with His Majesty’s Government.
My Lords, obviously cybersecurity is vital for the NHS Digital app, as it is for anything. However, we know that the app is way behind, say, banking apps, which in this country are very good. Can the Minister make sure that NHS digital services are not held up by all the other stuff that is going on, because NHS apps are a vital part of NHS reform?
I think the security piece and the development piece can and should go in tandem, otherwise neither is sustainable. Three in every four people in England have already downloaded the app. This Government want to establish adoption through improved patient experience and system benefits, and to expand the services offer. This is part of making sure that more people can access the services they require.
My Lords, Microsoft gave a view to the Scottish Government in June this year that it could not guarantee that data held by public services on its Microsoft 365 and Azure hyperscale cloud infrastructure will remain in the UK. What mitigations are the Government looking at in the light of this statement by Microsoft?
I refer back to my initial Answer, which is that each contracting authority should carefully consider, and make risk-based decisions on, whether and where data can be offshored. We can get really hung up on offshoring, onshoring or where the data is stored, but we have to make sure that all data and cybersecurity are central to how we move forward with this type of procurement. This is why the Government are introducing a cybersecurity and resilience Bill, which will help ensure our cybersecurity for the future.
My Lords, further to the question from my noble friend Lord Browne, I think that the response from the MoD is not satisfactory. These Belarusians, although they might not have had access to highly classified information, were writing software that would be used within our nuclear deterrent. This cannot be satisfactory. Can the MoD give an answer, maybe through the Minister, to say that this is no longer allowed to happen? We all know how you can use software in various clever ways to cause real damage.
I will speak to my noble friend Lord Coaker and ask him to provide a letter responding to that point.
My Lords, the heart of this Question is the safety of public data and the resilience of services. As we saw with the ransomware attack on Synnovis in the summer, cyberattacks of these sorts on supply chains can cause significant disruption to public services. Can the Minister say exactly how the cybersecurity Bill that is coming up will improve the regulatory framework for the supply chain, and when exactly it will be brought forward?
I can give a bit more detail on what the Bill will focus on. I cannot give a precise date for when it will be brought forward, but it was in the King’s Speech, so we can anticipate it coming forward in due course in the relatively near future. The Bill will make crucial updates to the legacy regulatory framework by expanding the remit of regulation, putting regulators on a stronger footing and mandating increased incident reporting, which will give the Government better data on cyberattacks, including where companies or organisations have been held to ransom.
My Lords, the new Procurement Act will bring more transparency and new entry into contracting, which will help with these kinds of outsourcing and security issues. Will the Minister ensure that the disappointing delay in the commencement of that Act into next year is minimised? In the meantime, will the model services contracts that she mentioned ensure that patient data is kept in the UK or in a country with which we have a robust data-sharing agreement?
On the national procurement policy, our entire focus is on delivering change through our national missions. We will therefore be publishing a bold new procurement policy statement in February to harness the billions of pounds spent by public sector organisations each year and ensure that commercial activity aligns with our missions. We think it is really important that that statement is in place before the Procurement Act goes live, so that everything is aligned and as effective as possible. The Government recognise the potential risk of data offshoring, as I mentioned, and the new standard security schedules for all central government contracts include greater controls over data offshoring and stronger security requirements.
(1 month ago)
Lords Chamber
To ask His Majesty’s Government what assessment they have made of the report, Making the grade: Prioritising performance in Whitehall, published by Reform on 1 May; and what steps they are taking in response.
His Majesty’s Government remain committed to attracting and retaining the most talented people to build a highly skilled and capable Civil Service. The recommendations contained within the Reform report are detailed and wide-ranging. Time is being taken to consider carefully all the recommendations. A number of activities are under way to continuously improve how talent recruitment and performance are managed.
My Lords, I thank the Minister for that encouraging reply. Reform emphasises the need for greater cognitive diversity in the Civil Service and a clear route for public service-minded and exceptionally talented applicants without a specific role to apply for. Will the Government set up a mid-career fast stream to bring in high-flyers experienced in other ways of working to help break the groupthink? Similarly, using “behaviours” in success profiles favours internal candidates, so will the Government scrap this and assess instead on skills and experience?
Success profiles provide a common framework for recruiters to assess the key attributes for roles, including skills and experience. Behaviours are not compulsory. The Government People Group is due to review the content and application of, and support for, success profiles in 2025 as part of continuing work to improve the quality and openness of recruitment. The Government are reviewing the options for a mid-career scheme as workforce demands in the next spending review are established. Many roles are open to external recruitment at all grades, with talent schemes such as the Future Leaders Scheme available to support rapid progression through to more senior levels. Regarding diversity of thinking, currently around 10% of those on the Future Leaders Scheme declare as neurodiverse.
My Lords, having discovered that, in this context, Reform is a think tank rather than a political party, I warmly welcome the recommendations in the report for the identification and development of talent in the Civil Service. Does the Minister agree that the Civil Service is more likely to respond to positive and constructive leadership than to the scapegoating and bad-mouthing from which it too frequently suffered under the last Government?
I thank the noble Lord for his clarification that this is the think tank, which might have been a useful clarification as a first point. The report looks at brand issues, and there is a quote within the report that the Civil Service brand is “battered”. One of the things that the report makes very clear is that, as a Government, we need the best people to get the best results for the country. In Keir Starmer’s message to the Civil Service on his succession to the role of Prime Minister, he made it clear that he knew how much civil servants believe in what they are doing for the country, and he said that they had taught him a great deal about what public service really means.
My Lords, one of the recommendations in the report is on the need for better succession planning for key roles and the need to keep an updated list ready for recruitment exercises. I urge the Minister to give due regard to this recommendation. This comes from my own experience with the Northern Ireland Civil Service. When you have a key person in a role performing an excellent job and he or she leaves, it can leave a huge gap, so this recommendation really is something to take on board.
All of us have probably come across points at which people are treated as almost indispensable. Part of the value of people stepping back and having a report of this kind is that we can focus on what those critical single points of failure are. I will feed back the noble Baroness’s comments to the relevant Minister.
My Lords, the Minister mentioned that retention of the exceptionally talented is a problem. I have been distressed in the last five years to discover that some of the most talented civil servants I worked with in the coalition have given up and left the Civil Service, partly because of the rapid turnover of Ministers, partly because of the way in which some Ministers treated their officials, and also because a number of Ministers always seemed to prefer advice from consultants to that from civil servants. In that context, can the Minister explain why the Government have just given—perhaps she inherited the idea from her predecessor—a £200 million contract to KPMG to train civil servants? To my knowledge, KPMG is not particularly expert in training governmental officials, and it would be much cheaper and more effective to ask the university sector to train civil servants instead. I declare an interest as I used, as a university academic, to train civil servants.
This is not an issue that I have got specific details on. I will go back and ask about it, but I assume that this would have been subject to a pretty rigorous procurement process.
My Lords, the Reform report feels HR led. While I agree with some of the recommendations, for example on the induction of outsiders, I know from my experience in business, as well as in Whitehall, that this is not the route to success. In a sense, the fewer HR directors there are, the better the policy and outcomes. What the report does not bring out is that public sector performance has been very disappointing in certain areas, particularly following Covid. Important services like probate, driving tests, property registration and tax collection are all lamentably slow. This is in stark contrast to the private sector, where you go bust if you do not serve the customer and manage well; you will not be sustained. In that context, does the Minister agree that rewarding the public sector with a huge pay rise and bigger pensions, without any link to productivity improvement, has been a real missed opportunity? This is the chance we have to help the public services, which I very much support, to improve themselves.
I previously quoted the report as saying that the Civil Service brand is “battered”, and part of our reset as a new incoming Government must be to reset the relationship between the politicians and civil servants. All of us fortunate enough to come on to the Front Bench have been incredibly well supported over recent weeks and months by the Civil Service. I also do not think we should get into a battle about private sector good or private sector bad, or public sector good or public sector bad—that does not serve any of us well.
My Lords, the Minister will be aware that concerns about a lack of rigorous performance management in the Civil Service, which is not unique to the British Civil Service, have been around for decades. While valiant attempts have been made by Ministers on both sides and by officials to remedy this, where there has been success, it has not been sustained. Will she accept, from one of those who has tried, that this will never be achieved on a sustainable basis until there is a dedicated full-time head of the Civil Service who has a proven track record of system leadership and a real mandate from the Prime Minister, with his statutory power to manage the Civil Service, and who is held accountable to an independent body, which could be a strengthened Civil Service Commission that reports to Parliament? Until then, we will continue to be in a position where the only organisation that looks at the internal workings of the Civil Service is the Civil Service itself.
As a relatively new Minister, I need to reflect on the noble Lord’s experience; he makes some very interesting points. I will look into the points he raised and get back to him if that is acceptable?
My Lords, can my noble friend expand a bit further on what the role of KPMG is in this as regards the senior service? I declare my interest as a former graduate in the Civil Service and as a former general secretary of the First Division Association. It would be very helpful if the Minister could be more specific about the role that KPMG is undertaking.
I will look into the role of KPMG further and I will revert to my noble friend on that point.
(2 months, 2 weeks ago)
Lords Chamber
To ask His Majesty’s Government what steps they are taking to support the horseracing and bloodstock industries.
The noble Lord has been a tireless champion for horseracing, which forms such a key part of our national sporting story. I am sure he is looking forward to the start of the Glorious Goodwood festival tomorrow and, like me, will have been thrilled to see Team GB’s first gold medal of the Paris Olympics in eventing this lunchtime. The Government recognise the significant contribution that racing makes to British culture and its particular importance to the British economy.
My Lords, I welcome the Minister to her place. She may have anticipated my sporting plans for later this week. Racing is the country’s second biggest spectator sport; it is worth over £4 billion a year to the economy, and it contributes to the Exchequer, employing tens of thousands of people. Yet it is not a sport that is in as good a financial state as it should be. The reason is that it receives a far lower share of betting turnover than in any of our peer group countries. As a result, prize money is far lower than in other countries, which poses a threat to the UK’s racing industry, which is a world centre of excellence.
I encourage the Government not to repeat the mistakes made, regrettably, by the previous Government and to look again at the clumsily introduced affordability checks, which have cost the racing industry some £50 million a year in lost revenue. Also, will they return to the table with the betting industry and the racing industry to secure an increase in the levy, which is long overdue, and look at its reform, making it index-linked for the future? None of that would cost the Exchequer a penny, but it would be of immense importance to the industry.
The Government entirely recognise the importance of the horseracing industry but also of the horserace betting levy to the industry and to the financial sustainability of the sport, which, as the noble Lord rightly states, contributes a considerable amount to the economy. I would be very happy to meet him to discuss the topic further and understand his views on the issue.
My Lords, could the Government go a little further when it comes to things such as the levy, when remembering that the vast majority of people who work in racing are doing so on something like the living wage? They are undertaking an activity that is often physically dangerous. A half-tonne of fight-or-flight response animal can take a fairly heavy toll on the human body in many circumstances. Can the Government make sure that they look at something so that this workforce is properly protected and supported?
The Government are committed to making sure that the sector is sustainable, but I would be interested in discussing further with the noble Lord the issues that he raises. We are committed to making sure that the levy is administered efficiently to best support racing. It is too soon for me to commit to the shape of future policy.
My Lords, I remind the House of my entries in the register of interests—specifically, my role as senior steward of the Jockey Club—and welcome the Minister to her place. If someone in the UK places a bet on racing overseas—in Ireland, for example—Irish racing benefits. If someone in Ireland places a bet on UK racing, Ireland benefits. Does the Minister think that is unfair? If she does, as I do, will she commit to extending the horseracing levy to bets placed in the UK on international racing and, in doing so, level the competitiveness between British and international jurisdictions?
I thank the noble Baroness for her welcome. As she will be aware, the previous Government undertook a review that concluded in April. It is too soon for us to comment on the process or what might emerge from that, but we are keen to work with all parties and explore all the evidence before setting out next steps.
My Lords, further to the two questions just asked by my noble friends, will the Minister reflect on the point regarding Ireland? The discrepancy in the prize money between the UK and Ireland has become very severe, with the result that a number of UK owners are now locating their horses in Ireland. What can be done specifically to address that problem?
I am aware of the difference between how different countries administer this. As I mentioned in my response to the noble Baroness, Lady Harding, the previous Government undertook a review that concluded only in April. It is too soon for us to comment on that process, but I am very keen to work with all parties and explore all the evidence before setting out next steps.
It is good to see a fair degree of agreement across the House that horseracing is very important. There are 4.8 million racegoers, and there is support right across the country, including from Her Majesty Queen Camilla and Lady Starmer. Does the Minister accept that the sport is disadvantaged? The competitiveness issue has been raised relative to France and Ireland on prize money, but it is also relative to Ireland in support for its bloodstock industry. How do the Government plan to remedy the situation, and is it possible for us to have a timetable?
As I have said to other questions from noble Lords, the previous Government undertook a review that concluded only in April. I am committed to working with noble Lords across the House to make sure that we get the right arrangements for the industry and the levy is administered efficiently to best support racing. It is too soon, however, for me to commit to the shape of future policy.
My Lords, I declare my interest as in the register. While we all want to tackle problem gambling, very wealthy punters who can comfortably sustain large losses really are not the issue. However, by driving them to the black market with poorly targeted affordability checks, the finances of racing have, as the Minister has heard, gravely damaged both a major national sport and an important rural industry. Will she make sure that any regulatory action proposed by the Gambling Commission is sensible and proportionate and, above all, avoids unintentional consequences?
Most people gamble without issue, but we recognise the huge impact that harmful gambling can have on individuals and their families. As the noble Lord states, however, there is a difference between those who can gamble without issue and those who come to serious harms, both in their lives and those of their families. As stated in the Government’s manifesto, we are absolutely committed to strengthening protections for those at risk. The Gambling Commission’s new survey which came out last week really helps to show the wider picture of gambling behaviour across Great Britain, and we will consider its findings very carefully.
My Lords, I am mystified again. With all the knowledge on that side, with the former Member for the South Downs and the noble Baroness, Lady Harding, who is—what is she in the Jockey Club?
With respect to the previous Government, they undertook a review of the levy, but it concluded only in April. If noble Lords bear with me, I will return to the matter as soon as is practical using a very evidence-based approach to make sure that we get the right arrangements in place for this important sector.
My Lords, following our departure from the European Union, the transportation of racehorses around Europe became much more difficult. What steps can be taken to assist that procedure?
Shall I just say yes? My understanding was that there were arrangements in place to facilitate the movement of racehorses around Europe. I will double check the facts on that and write to the noble Lord.
My Lords, considering the issues that have been raised today, would my noble friend—whom I welcome to the Front Bench—consider meeting her ministerial equivalent in the Irish Government? Would she also encourage the British Horseracing Authority and the Irish Horseracing Regulatory Board—which is all-Ireland—to meet to discuss the various industries? In my own area, we have a racecourse, and it is vital to the local economy and the tourism industry.
I would be delighted to meet my equivalent in the Irish Government, and I thank the noble Baroness for her question.
(2 months, 3 weeks ago)
Lords Chamber
My Lords, in begging leave to ask the Question standing in my name, I refer to my interests as an adviser to Performanta and as chair of the National Preparedness Commission.
The CrowdStrike software update caused an IT outage affecting millions of devices around the world. In the UK, while government emergency and security systems remained operational, our retail, transport and healthcare sectors were disrupted. I have huge sympathy for all those affected. COBRA officials’ meetings were convened and officials from across government and the devolved Administrations met throughout to monitor impacts and recovery and to update Ministers as appropriate. UK sectors have now returned to normal operations, and the Cabinet Office will work with partners to review the lessons learned.
My Lords, I am grateful to my noble friend for that reply. It highlights the vulnerability of all the systems on which the public and the private sectors rely, and how much they depend on the software and so on. Software manufacture is largely unregulated. Can the Government look at how they can strengthen the requirements for software providers to ensure the safety and security of what they supply to the public and private sectors? At the same time, will the Government remind all operators that they should plan for failure and for when something does not work? What are their back-up arrangements in the event of their software failing?
I thank my noble friend for that question and for his huge support for me in my previous role as chair of the London Resilience Forum. Although the outage is not assessed to be a security incident or cyberattack, the issues that he raises will be covered in the cybersecurity and resilience Bill included in the King’s Speech. This will strengthen our defences and ensure that more essential digital services than ever before are protected. For example, it will look at expanding the remit of the existing regulation, putting regulators on a stronger footing and increasing the reporting requirements to build a better picture in government of cyber threats.
My Lords, among the companies most adversely affected in this country were airlines. Many thousands of passengers were hugely inconvenienced. How should they be compensated, and should CrowdStrike be held accountable?
I think we all have huge sympathy for those affected. As the noble Lord rightly says, thousands of people were affected on the day. However, compensation is a matter for the individual operators and subject to consumer rules, which would cover any entitlement to compensation or refunds.
My Lords, in the light of recent events, we are clearly talking not just about bad actors. Does the Minister agree that there needs to be a rethink about critical national infrastructure and our dependence on a few overly dominant major tech companies for cloud services and software, which are now effectively essential public utilities? Will the Government reconsider how we are wholesale replacing reliable analogue communications with digital systems without any back-up?
The noble Lord raises critical issues, a number of which will be covered by the cybersecurity and resilience Bill. I would welcome the opportunity to discuss these issues with him further.
I warmly welcome the noble Baroness to her new role and look forward to working with her on the Bill she mentioned. This serious incident affected operations not only in the UK but right around the world. It appears that the system we had set up—co-ordination, monitoring, business continuity and back-up, which we heard about from the noble Lord, Lord Harris—worked well. Does the Minister agree that this area is about defending national assets and is likely to be increasingly important as the cyber and tech threat grows? Should it not therefore be a government priority?
I thank the noble Baroness for her question and her openness and engagement with me when she was a Minister. Her passion for improving resilience was clear in how she carried out the role. This is definitely a central concern of the incoming Government, which is why we introduced the cybersecurity and resilience Bill in the King’s Speech. I look forward to discussing that further with her and other noble Lords from around the House as it progresses through the legislative process.
My Lords, as the Government continue to consider the issues arising from this serious outage, I invite my noble friend the Minister to consider seriously the reports issued by the Joint Committee on the National Security Strategy, of which I have been a member, which deal with issues such as ransomware, against which the software was designed to protect us. These issues will only become more important in the years ahead.
My noble friend raises similar points to other noble Lords; Members across the House are quite rightly concerned about this. As part of the process of developing and taking the cybersecurity and resilience Bill through this House and the other place, all learning from a range of reviews, including some of the public inquiries that have reported and are yet to report, will be key to improving our country’s resilience.
My Lords, I welcome the noble Baroness to her place and will pick up on a point made by the noble Lord, Lord Clement-Jones. The noble Baroness is right to say that millions of devices throughout the country were affected, but they were, as I understand it, all devices using the Microsoft operating system. Is it not the case that the dominance that the Microsoft operating system has achieved in this country, reinforced by cautious corporate IT managers who always recommend it, has potentially become a threat to our security? I hope the Government are able to recommend that the Competition Commission or some other competent authority should look at this, with a view to reducing the dominance of Microsoft and increasing our resilience.
I thank the noble Lord for his question, which packed a lot in. I agree that the dominance of any particular software company or IT system is a risk to resilience, as government has known for some time. But we need to look at this as a whole and—I do not want to sound like a broken record—this will be covered by the cybersecurity and resilience Bill as it proceeds through the House.
My Lords, one of the public services specifically hit was the NHS, so why are systematic back-up systems not in place in the NHS for primary care and pharmacy? Who has been asked to take this forward to ensure that such systems are in place as a matter of urgency for those who are ill?
All relevant departments will take part in the review, and I will feed back the specific points made to the Cabinet Office and colleagues in the Department of Health. Going back to the previous point about the widespread use of specific software systems, this needs to be taken seriously as we move forward with the proposed legislation.
My Lords, one area of weakness is PNT, so how will we ensure that we still have traditional navigational and time signals of the correct type to enable all our systems to work? Will we maintain a task group to work in this area to try to resolve it by next year?
I will discuss my noble friend’s point with colleagues and will write back to him as soon as possible.
My Lords, a member of my family returning to the United States in the last few days has been very inconvenienced by what occurred. I ask the Minister to adequately look at the question of redress in any legislation that we now pursue in relation to data protection generally, and to AI for that matter. It is a vital component of the GDPR. I therefore ask her to look carefully at this and make sure that adequate redress is available across all these matters.
The Government are reviewing what happened and will implement any lessons learned as a matter of urgency. We appreciate the significant inconvenience caused to those affected, but it is a matter for individual operators. The consumer rules cover specific compensation entitlement. From my view, the essential point arising from the issues caused by CrowdStrike is the need to strengthen our resilience, which is what this Government intend to do.