| Previous Section | Index | Home Page |
Stewart Hosie: The hon. Lady is making a valiant case, but she seems to be suggesting that any transaction that she wishes to carry out will require her to be scanned and checked against a central repository. I am sure that that contradicts the answer that we got from a Minister some time ago. From memory, I think that we were told that it would be up to each organisation to determine how the system was used. Is the hon. Lady really suggesting that every single transaction would be checked against a central repository?
Kali Mountford: I obviously did not say that, but Opposition Members have been implying that this mistake means the end of ID cards. I was simply suggesting that an added protection for us, in having an ID register, is the fact that it contains our biometrics. It is there in the proposed legislation that, if organisations want to use our biometrics, that additional safeguard is there for us. I think that it is an additional safeguard that many people would want to have.
Chris Mole: My hon. Friend is doing an excellent job of making the case that the Opposition have mis-juxtaposed the issue of ID cards with this issue. If we had ID cards, with the security that she is describing, the concerns about the loss of data would be nowhere near the same. Ordinary members of the public would know, for example, that if their bank had implemented that level of security using a biometric, the loss of basic data would not put them at the risk that they are now concerned about.
Kali Mountford: My hon. Friend makes the case even better than I could. That is precisely my point and Opposition Members do a disservice by trying to link the two, which is a mistake. Clearly, losing the discs was a mistake, but people need not be concerned that their loss could have led to a connection being established between their bank accounts and ID cards—if those cards were in place. The two need not be linked, so it is a mistake to talk about the death of ID cards. I certainly continue to support them and I know that my constituents also continue to support the ID card concept. As I say, it is a mistake to think that this issue means the end of them. I also think that it is a mistake to continue to parrot the idea that our data is out there in the country. I still believe that by the end of the inquiry we will have discovered that the data is safely stored somewhere in the system. I certainly hope so. Let us wait until the end of the inquiry before we start speculating about what has really happened.
2.30 pm
Mr. Stephen Dorrell (Charnwood) (Con): I think everyone in the House agrees that if confidential data about 25 million cases go missing, it amounts to a very serious event and it is absolutely right for my Front-Bench colleagues regularly to draw the Government to account for the system failure that led to it. I also strongly agree with the hon. Member for Twickenham (Dr. Cable) that this is not just a debate about a serious problem that emerged when the data went missing, as it should also be about something much more deep seated that has been revealed by the event—namely, what I regard as the lack of seriousness of the Government’s response to it.
It is quite telling that so much of the debate and so much of the Government’s response has been a virtually technical discussion about whether the data was encrypted, whether the CDs were password protected, whether they are still on Government premises, whether the banks delayed and other issues of process. There has been what I regard as depressingly little focus on the huge issue of principle that underlies the whole debate.
We should all recognise that the information held about each one of us by Her Majesty’s Revenue and Customs is immensely sensitive and should be regarded by it as having the highest degree of security. That was true in the days before information technology and before it became relatively easy for that information to be passed around the system. The whole structure of data protection that has developed since information has been typically handled through IT has merely reinforced a commitment to privacy, which has always been part of the tradition on the Inland Revenue side of HMRC and should be absolutely in the DNA of a tax-gathering organisation. It has always been part of the proud culture of our tax-gathering institutions that we cannot read in this country’s newspapers information about the tax affairs of private citizens, which happens more regularly elsewhere. My biggest concern as a result of this event is the sense that that proud tradition of security in the tax-gathering organisations is being put at risk. Why is it being put at risk? I think that it is because at exactly the same time as the risk of this material being easily disseminated as a result of the development of modern IT, there is less and less respect for this country’s traditional defences surrounding the principle of privacy. Let me enlarge a little on that point.
We are talking about data held by HMRC, to which the National Audit Office wanted access in order to do its job of ensuring a proper audit trail and proper control on the use of Government money. Nobody would disagree with that. What we have not heard in this public debate is any evidence that anyone has asked this question: the NAO wanted this information, so what information should have been provided to it? There has been a debate about whether it should have gone on CDs or should have been encrypted, but not about whether the information should have been provided to the NAO at all and, if so, which level of information. There was a discussion and a decision was taken—we believe, but we do not know—by a relatively junior official or junior manager. Let us not enter that debate, but a decision was taken at a relatively junior level that information should be provided by HMRC to the NAO in a more generous form than the NAO was asking for and purely on cost grounds. Nowhere in the debate can be seen what I would have hoped for—a sense within HMRC that this is highly confidential information, protected by law and in respect of which HMRC has the role of trustee on behalf of the taxpayer or benefit recipient, which should not be provided to anyone else, including the NAO, unless very clear reason is given within statute.
John Hemming: On that point, does the right hon. Gentleman agree that one alternative would have been for HMRC to say that it would not send a copy of its database to the NAO, but it would allow its experts and auditors to come to HMRC in order to audit the information?
Mr. Dorrell: I agree with the hon. Gentleman that if—it is a very big if—there were good reason for the NAO to see the information, the obvious way to do it would have been for the NAO to get on the train and travel to see it in the place where it was kept. If I may say so, that still omits what I consider to be the key issue at stake here, which is whether the NAO needed to see the information in the form provided. Since the NAO itself did not even ask for the information in the form provided, it amounts to a catastrophic failure not of system, but of culture, within the tax-gathering organisations. That is the theme that I want to focus on.
“This will save us £5,000, £10,000 or £20,000, so we will send them a disc because it is convenient”. No, sir. This is information in respect of which HMRC is trustee, so it should have a deep-seated culture in the very DNA of the organisation— particularly in the days of modern IT—that such information is its own for its own purpose and should not be made available to anyone else, including the NAO. The NAO, of course, has a job to do and must be able to do it, but that poses a question: how much information does it need and can it be provided in anonymised form or in a form capable of protecting the privacy of the individual? Yet none of those questions appeared even to have occurred to people in HMRC, much less properly considered, as they should have been, at a senior level within the organisation.
The failure revealed by those events is not a failure in respect of who has got the password or the technical defences of the information; it is a failure of culture at the very heart of government. What concerns me most is that the responsible Ministers do not appear to have recognised that this is not a failure of authority levels and technical trip words; they have not seen that it is a failure of culture, which goes much more to the heart of government. It is exactly the same issue highlighted during the inquiry into how we got drawn into the situation in Iraq, when the sofa style of government came in for so much criticism. It is the train of thought at the heart of the government that sees process as a bore and believes that men of good will do not have to go through legal processes or have a proper audit trail because we can somehow find our way quickly to the right solution because we are doing it all for the best of all possible motives. Once again, no, sir.
We fought a civil war to establish the principle that we live in a society based on law, and that—most important of all—within that society based on law, law binds Government. What I see in this whole sorry story is yet another illustration of the fact that the Government do not have a proper understanding of the importance of the principle that a society of laws must start at the top, and the culture at the top of government must respect the fact that it is bound by law and must act only within it.
When someone from the National Audit Office asked for this information, the instinct should not have been to say “As we are all working for the same Government, let us be helpful.” The instinct should have been first to say “No, you cannot have it”, and secondly to say “Why do you want it?”—not in order to be difficult or to obstruct, but because that is how people behave when they live in a society based on law and not on discretion.
2.41 pm
Rob Marris (Wolverhampton, South-West) (Lab): What a pleasure it is to follow a rather unfortunate speech, if I may say so, from the right hon. Member for Charnwood (Mr. Dorrell). I say “unfortunate” because although it was an extremely good speech that touched on some key issues, it was the sort of speech that should have been delivered by someone on the right hon. Gentleman’s Front Bench, and it rather showed up the threadbare nature of his Front Bench by looking at the bigger picture.
“as a result of this extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.”—[ Official Report, 20 November 2007; Vol. 467, c. 1102.]
Those are the words used by my right hon. Friend the Chancellor in his statement last week, and I have to say, in a partisan way but trying to be dispassionate, that I rather prefer his approach to that of his opposite number the shadow Chancellor. I thought that the Chancellor spoke in a rather measured, considered, calm way, whereas the hon. Member for Tatton (Mr. Osborne) did not do himself justice. He tended far too much towards the bluster and rhetoric end of the spectrum.
The hon. Gentleman and his colleagues were, rightly I think, attacked by the Chancellor for trying to score cheap political points. I, as politician, do not have a problem with someone who is trying to score political points, and nor in my view should any politician; but trying to score cheap political points on the back of 25 million people’s records going missing is not helpful. Let me give an example of what I regard as a cheap political point made by the Opposition. Following at least two interventions from my hon. Friends, the hon. Member for Blaby (Mr. Robathan) repeatedly said from a sedentary position “Tory gain”. I consider that to be the sort of cheap political point that does not help the debate at all.
I much prefer the amendment tabled by my right hon. Friend the Prime Minister on behalf of the Government to the substantive motion tabled by the Opposition. While I think it important and helpful to have this debate—although I also think it is happening at a rather early stage in the unfolding of events—the amendment seems to me much more forward-looking and constructive than the Opposition motion, which strikes me as rather negative and, in fact, not at all constructive. That is not to say that it is completely without merit. It does draw attention to the fact that 25 million citizens’ records went missing, and notes that that represents a
“failure to protect the personal details”
of those citizens, which is absolutely right. The Chancellor of the Exchequer has apologised for that, and so has the Prime Minister.
Apologies in themselves, of course, are not enough, although they are important in almost any walk of life in terms of basic human decency and politeness. When we have a huge problem, however, as we do with the missing discs, I think that many people outside the House would say “There is a problem within Her Majesty's Revenue and Customs. Whom would I prefer to have on my side trying to sort it out?” It has been acknowledged throughout the House that it is a huge problem—nearly half the citizens of our country are involved—but although
those people might well conclude that they would rather have the right hon. Member for Charnwood on their side than those on his Front Bench, I think that many of them would prefer to have the Chancellor of the Exchequer and the Prime Minister on their side trying to sort out acknowledged problems.
John Hemming: The hon. Gentleman expressed support for the Government amendment, which refers to action taken by the Government. Does he not share my concern about the fact that the Government are not requiring every single disc sent out by HMRC from now on to be encrypted? At present, the only real difference is that a more senior person will have to sign off the loss of 25 million records.
Rob Marris: I think we should be a little careful about adopting that approach. Kieran Poynter is conducting a review whose interim recommendations are due to be delivered by 14 December. The hon. Gentleman has considerable experience in computer matters and I understand his request, or demand, for encryption, but I think that such a step would be too much in the tradition—on occasion, the Government have been rightly criticised for this—of setting up reviews and then failing to wait for their outcome before acting.
Rob Marris: If the hon. Gentleman will forgive me, I shall carry on for a bit. He raised the question of encryption. Today is 28 November, so 14 December is 16 days away. As far as I know, the absence of the Kieran Poynter recommendations and the Government’s response to them would not prevent any Government Department or agency wishing to encrypt from doing so straight away, and I would be surprised if that was not being done. Perhaps it is not. Perhaps the hon. Gentleman can tell us.
John Hemming: The Chancellor said that there was no requirement for encryption. So one more horse could bolt through the stable door that has not been closed before the review produces its interim recommendations.
Rob Marris: The hon. Gentleman is absolutely right, but for the moment I would prefer to wait for the Poynter review.
Stewart Hosie: I have a problem with the Government amendment. It asks us to support
“the steps which have already been taken to improve the department’s data transfer processes”,
but does not mention improving data access and copying processes. How can we support a proposal that makes no mention of security tokens, algorithm-based one-time passwords, USB cards, PINs or any of the other technical interventions that are required to stop the problem? All that we have are vague guidelines that have been breached at least three times in the past year in this Department alone.
Rob Marris:
I am grateful for what the hon. Gentleman has said, because it brings me conveniently to the next part of my speech, which concerns the relationship between Ministers, Government Departments and
Government agencies. Let me quote again from the Chancellor’s statement last week:
“In terms of protecting confidential data, Her Majesty’s Revenue and Customs is operationally independent of Ministers. It is established by statute and run by its chairman, Paul Gray, and a board of commissioners who are responsible for its operations”.—[ Official Report, 20 November 2007; Vol. 467, c. 1102.]
What is difficult for all politicians to deal with is how operationally independent agencies and staff are within Departments.
Stewart Hosie: As I do not have a copy of Hansard with me, I speak from memory, but did that paragraph not end with the Chancellor’s saying that the responsibility stopped with him?
Rob Marris: Overall the Chancellor of the Exchequer is responsible for the Treasury, and Her Majesty’s Revenue and Customs is an agency of the Treasury. The hon. Gentleman goes on about the technical ways in which the problem might be dealt with—logarithms, encryption and so forth—and such suggestions are helpful in the House of Commons, but I think that as politicians we should beware the temptation to micro-manage. The official Opposition consistently make allegations about the Prime Minister’s being a control freak, but when it comes to a terrible experience such as this, there seem to be calls from some parts of the House for micro-management.
Unlike some hon. Members on both sides of the House, I have done my own small bit before coming here, aged 46, in running organisations. I helped to run a small business in the shoe sector and was a partner in a law firm that had a turnover of approximately £30 million a year; it was not a huge organisation, and not a tiny one. Before anyone asks, let me declare an interest, inasmuch as I am a non-practising solicitor with the organisation Thompsons, in which I was a partner giving money, as declared in the register, to my constituency Labour party. I do not want any misunderstandings about that. I was a partner there for a number of years, so I have some experience—not a huge amount—of helping to run organisations.
If one is going to run a successful political, commercial or public sector organisation—I have no management training, along with the majority of Members, I suspect—one is constantly urged to delegate. When one delegates, one runs the risk that those to whom one has delegated a task will mess it up. That is in the nature of delegation, which is why so many people find it so hard to delegate; they cannot tolerate the thought of a foul-up.
When one has delegated, one has a responsibility to monitor the actions and sometimes inactions of those to whom one has delegated. When one finds that the person to whom tasks have been delegated has either failed to carry them out or has carried them out incorrectly, one should take decisive action to address those faults when they are discovered. One should of course have a process to monitor things so that one proactively discovers faults.
| Next Section | Index | Home Page |