Cyber Security and Resilience (Network and Information Systems) Bill Debate
Commons Chamber
Sarah Russell (Congleton) (Lab)
Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House.
It is no overstatement to say that this is one of the most pressing issues of our time. I suspect that if we were not bringing forward this legislation it would only become apparent quite how pressing it had been when there was a major incident that laid it bare. I think it is one of the marks of successful government that we are, hopefully—I touch wood as I say this—managing to stay ahead of the curve on these incidents. There is nothing more important than national security relating to critical infrastructure. I think it is exactly what our constituents want to see us acting on, and I wish they saw more of us discussing issues on a cross-party basis, with broad agreement. It is welcome to see the Government taking these steps.
I particularly want to discuss the enhanced incident reporting duties on the digital service providers and the duties to inform customers. In short, I have real concerns about how those duties will play out in practice. From my experience of having advised whistleblowers in the financial sector, when there are obligations of this nature, some corporations unfortunately make more effort to avoid complying with them than to comply with them. It is an excellent piece of legislation, and I am not suggesting that the Government should have drafted it in any other way, but we need to look at our whistleblowing laws alongside it, because at the moment we do not have strong enough protections for whistleblowers within UK law. That applies both inside and outside employment settings—for example in relation to contractors and other third parties.
If we do not ensure that people have mechanisms by which they can anonymously report breaches of those sorts of obligations, and if we do not have the right protections for them when they are raising the concerns internally in the first place, we will not be able to make adequate use of the Bill’s excellent provisions. I want to impress upon the Minister how important it is that this legislation is looked at in that wider context.
Also within the wider context is a broader debate—lots of us have touched on this without specifically identifying it—about how we balance the risk across society and the cost of the risk. It is about the risk to individuals, national security, individual businesses and individuals within those businesses, such as directors or other senior leaders. It is about how we ensure that in our country we do not have large tech companies, major data centres and other big private sector businesses taking economic benefits without carrying risk. We need those businesses and they are crucial to us, but we do not want them taking the economic benefits of operating in our advanced economy while the Government and therefore the taxpayer carry all the risk and burden of the regulation.
It is great to see that the Bill contains provisions allowing for financial recovery in the enforcement action that we want to take. It is also fantastic that when it comes to the enforcement provisions and finances associated with it, we are looking at up to 4% of global turnover in terms of potential fines for not complying. My position as a former lawyer is always that I want to know that things are enforceable. There are good enforcement mechanisms in the Bill, and there is plenty of money that could potentially be at risk, which incentivises the kind of compliance that we want to see, but we need to look at the broader societal piece about how we balance the risks and opportunities in relation to tech in general.
I was going to talk quite a bit about my concerns about my local public services and how they can better manage cyber-security. The Legal Aid Agency cyber-attack enabled criminals to steal the details of anyone who had applied for legal aid between 2007 and 2025. The scale of the financial risks to those individuals cannot be overstated; the amount of personal data that that involved was absolutely huge. Six out of 10 secondary schools are now subject to cyber-attacks. The Cheshire Cyber Security Programme is in place to help local small businesses manage their cyber-risk. It provides training for up to five members of staff in small businesses. Our local police powers are being used to try to take proactive steps to improve the situation for our local small businesses.
Schools in academy trusts are spending quite a lot of money on cyber-insurance to try to protect against these risks. We have seen schools across the country shut down because they are unable to open following cyber-attacks. The public sector action plan that the Government published this morning is incredibly welcome in terms of cyber-risk, and I really look forward to the opportunity to go through it in more detail. We again need to look at the balance of cost within our society.
I would like to add to the comments of those who have suggested that we should review the Computer Misuse Act 1990 and the lack of current protections for researchers doing important work in this area. We obviously have several institutions that are currently engaged in cyber-security work, including the Alan Turing Institute and the National Cyber Security Centre. We need to make sure that they have the right remit, because this area is only going to expand when the complexities of AI are added. We must ensure that everyone is protected to do their job effectively. That means protecting individuals, businesses and our wider society.
Lastly, we need to move as quickly as we can on this. It is great that we are maintaining our EU alignment, because realistically the only way that we can continue to be a major player and have considerable influence over companies, many of which now have much larger budgets than major economies, is if we work in conjunction with other countries. That is what our ongoing relationship with the EU should be about.
I thank everyone who has been involved with work on the Bill. I think it is excellent, and it is completely the right direction of travel. It is a shame that the Government doing the right thing every day does not get more publicity, even when it is not likely to grab many headlines. It is about doing the work, getting the right structures in place and moving forward productively in a cross-party way where possible. It is about securing our nation and ensuring that our economy is on a strong footing. There is everything to be said in favour of that.