Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Home Office:
To ask His Majesty's Government whether Amazon Web Services has the right to refuse an inspection from an independent auditor under its contract with the Home Office, agreed on 30 November, given that the contract states that the Home Office does not have a right to audit or inspect Amazon Web Services' physical infrastructure.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The supplier shall not process or otherwise transfer Home Office data outside of the United Kingdom unless the prior written consent of the Home Office has been obtained.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Home Office:
To ask His Majesty's Government why the new contract between the Home Office and Amazon Web Services, agreed on 30 November, is triple the cost of the Home Office's previous procurement of cloud computing services from Amazon Web Services in 2019.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The supplier shall not process or otherwise transfer Home Office data outside of the United Kingdom unless the prior written consent of the Home Office has been obtained.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Home Office:
To ask His Majesty's Government whether Home Office data processed by Amazon Web Services under their contract, agreed on 30 November, will be disclosable to foreign governments, as per section 3 of the GDPR data protection impact assessment attached in Appendix 2 of the Supplier Terms.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The Home Office holds one of the largest and most comprehensive data sets across Government. Ensuring this data is safe, secure, and is able to be fully utilised to the maximum benefit to the taxpayer is our primary concern. The Home Office agreement with AWS is based on predicted usage and is part of the Crown Commercial contract, called the One Gov Value Agreement 2 (OGVA2) which is a framework allowing all Government departments to combine to leverage an unprecedented discount on AWS services which would not be possible if each department held separate contracts.
AWS provide the below statement which reinforces our requirement under a shared responsibility model to secure our data in such a way that we retain control of any disclosure:
“Protecting the privacy of our customers is something that we take seriously at AWS. We recommend that customers encrypt their data as part of their overall security model when adopting cloud, and there are AWS services available to help you encrypt your data in transit and at rest (such as AWS Key Management Service and AWS CloudHSM). To be clear, the US Cloud Act / US Patriot Act do not give US Law Enforcement unfettered access to data, and only apply to evidence sought in connection with a crime over which the US has jurisdiction. We have a history of challenging government requests for customer information that we believe are inappropriate and, where we need to act to protect customers, we do; we will notify customers before disclosing any data and please be assured that content that has been encrypted is rendered useless without the applicable decryption keys.”
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Home Office:
To ask His Majesty's Government what, if any, security vetting is required for Amazon Web Service staff to handle Home Office data under the contract for the supply of cloud computing services agreed between the two on 30 November.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The supplier shall be required to comply with data protection legislation, together with specific confidentiality, data protection and data security obligations to protect Home Office data when required, including physical and logical security restrictions applicable to the supplier’s personnel from accessing and processing the Home Office’s data, in accordance with the AWS Security Standards.
This may include vetting to recognised standards when the specific work requires such clearance. The Home Office use “keys” which ensure its data is fully encrypted at rest and in-transit, such that AWS have no access.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Home Office:
To ask His Majesty's Government whether the contract between Amazon Web Services and the Home Office, agreed on 30 November, includes the guarantees, references or legally required elements for a processing contract under section 59(5) of the Data Protection Act 2018, or the requirements of the statutory code of practice for police vetting to permit lawful processing of law enforcement personal data; if so, what form they take; and whether law enforcement personal data are excluded from the contract if such safeguard provisions are not required.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The supplier has no access to any of the data hosted in the AWS cloud. Certain Policing services are hosted in this environment which are assured and approved for this use. The extent of the processing of personal data covered in the contract is the provision of storage.
The nature of the data stored is entirely under the control of the Home Office and, due to the security controls in place, AWS has no knowledge of what is stored, nor is it provided with instructions on the nature of the processing. By design, the contract does not contain details that would that are not necessary to disclose to AWS for it to be bound by a contract that provides the necessary protections to personal data. The Information Commissioner’s Office is aware of this approach. AWS has no access to any personal data under the controllership of policing or the Home Office.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government, further to their announcement on 3 July regarding the launch of a pornography review to tackle exploitative, abusive and illegal content online, what update they can provide on plans for that review.
Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
On 1 December, the government announced that Baroness Gabby Bertin has been appointed as the independent lead reviewer for the review of pornography regulation, legislation and enforcement. Details on her announcement and the review’s Terms of Reference can be found on gov.uk: https://www.gov.uk/government/news/illegal-pornography-abuse-and-exploitation-to-be-investigated-by-new-reviewer
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government whether Ofcom has any plans (1) to hold discussions with the British Board of Film Classification to support its regulation of online pornography sites, and (2) to collaborate with the Internet Watch Foundation, in relation to child sex abuse material.
Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
Ofcom, as the independent regulator of the Online Safety Act 2023 will decide on the stakeholder engagement it will carry out. It has said that it will engage with a range of stakeholders as it develops its guidance and codes of practice for the regulatory regime.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what is their anticipated timeline for the introduction of age verification measures to prevent children’s access to online pornography.
Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The Government is committed to having the Online Safety regulatory regime operational as soon as possible. During passage of the Act, we set an 18-month deadline for Ofcom to finalise certain guidance and codes of practice, including those relating to child safety duties and duties on regulated provider pornographic content.
Ofcom published its draft guidance for Part 5 of the Act (provider pornographic content) on 5 December 2023. The draft codes for children’s safety duties will follow in spring next year. Collectively, these documents will set out the steps firms should take regarding age verification and age estimation measures to prevent children’s access to online pornography. Once Ofcom has issued its final codes of practice and guidance, we will commence the corresponding duties.
We have been clear that we expect companies to take steps now to improve safety, and not wait for codes of practice or guidance to come into force before acting.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government what the timeline is for implementing the new National Security Unit for Procurement within the Cabinet Office, as set out in the Procurement Act 2023; and who will be responsible for leading it.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The National Security Unit for Procurement, based in the Cabinet Office, will investigate suppliers who may pose a risk to national security and assess whether companies should be barred from public procurements. The Unit was announced as part of stepped up measures to protect national security in government contracts and will be operational in time for commencement of the Procurement Act in autumn 2024, when debarment and exclusion powers come into effect.
The Cabinet Office will also lead on the new National Procurement Policy Statement (NPPS). Before laying the NPPS in Parliament a Minister of the Crown must carry out such consultation as the Minister considers appropriate and make any necessary changes as a result of it. Further details will be announced in the coming months.
Asked by: Lord Clement-Jones (Liberal Democrat - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government what is the consultation process and timeline for renewal of the National Procurement Policy Statement, and which Department will be responsible for leading this.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The National Security Unit for Procurement, based in the Cabinet Office, will investigate suppliers who may pose a risk to national security and assess whether companies should be barred from public procurements. The Unit was announced as part of stepped up measures to protect national security in government contracts and will be operational in time for commencement of the Procurement Act in autumn 2024, when debarment and exclusion powers come into effect.
The Cabinet Office will also lead on the new National Procurement Policy Statement (NPPS). Before laying the NPPS in Parliament a Minister of the Crown must carry out such consultation as the Minister considers appropriate and make any necessary changes as a result of it. Further details will be announced in the coming months.