There are several parts to clause 109, which is about computer records. Subsection (1)
requires a person to produce a document or cause a document to be produced,
which is perfectly reasonable. It also
requires a person to permit the Commissioners or an officer of Revenue and Customs...to inspect
or, more importantly,
to make or take copies of or extracts from or remove a document.
That necessitates access to the computer, which is described later in the clause.
Subsection (2) refers to a provision applying if
any reference in the provision to a copy of a document were a reference to anything onto which information recorded in the document has been copied, by whatever means and whether directly or indirectly.
I shall return to that in a moment.
Subsection (3) states:
An authorised person may, at any reasonable time...check the operation of, any computer and any associated apparatus or material...in connection with a relevant document.
My problem is that, if the document is an e-mail, or an attachment to an e-mail, sent by a web mail service on a web server hosted overseas, or if the document is a web page or a page on a web-enabled application, again on an overseas-hosted web server, I am not sure how any of that can be done, particularly in respect of subsection (3), which allows the person to check
any computer and any associated apparatus
in order, for example, to remove the document.
That brings me directly to amendment No. 229, which is extraordinarily wide, in that it
makes any other provision in connection with a requirement
related to the person who produced the document or caused it to be produced, or the commissioners or an officer making or taking copies of or extracts from or removing the document. I am not sure how enforceable that will be, particularly in the case of the examples that
That brings me to the effect of amendment No. 229 on subsection (5), which states:
An authorised person may require...the person by whom or on whose behalf the computer is or has been so used.
That may be reasonable if the computer is accessible, but subsection (5)(b) refers to
any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material.
Again, amendment No. 229, which is about making any other provision to have access to remove a document from a person in subsection (5)
having charge of, or otherwise concerned,
brings into play innocent third parties, because presumably the clause is about licences and software as well as kit. Assuming that it is accessible and that it is not extra-territorial, it brings into play operations people, communications people, third-party maintenance people and so on.
There is a final issue with the clause. The document could have been created on a handheld device like a BlackBerry, which is deemed to be a computer, or it could be an attachment to an e-mail created on a handheld device, and that handheld device is no longer used by the taxpayer but someone has charge of itperhaps a sales rep for the same company based overseas on secondment for three or four months. Amendment No. 229 would allow any other provision to be made in connection with removing a document from a computer when it is completely inaccessible and may be overseas. Clause 109 in general is right, but amendment No. 229 allows almost anything to happen and I am concerned that it is too wide. There is also an issue of extra-territoriality, given that servers can be hosted almost anywhere and are not necessarily in the same jurisdiction as the person or the jurisdiction where the document was created.
Amendment No. 229 risks widening the scope of investigating people involved to include innocent third parties. It is also unenforceable. Notwithstanding the depth and breadth of clause 109, I am interested in whether the Minister thinks that amendment No. 299, which
makes any other provision in connection with
taking or making copies and extracting or removing documents from
any computer and any associated apparatus,
is enforceable. Having read amendment No. 229, I do not think that it can be done, other than through the normal judicial channels of seeking warrants in third-party countries if a web server happens to be hosted elsewhere. I am not sure that the amendment, which would allow other provisions to be made, is not so wide that it undermines and removes the assurances that the Minister gave in debates this morning, particularly in relation to domestic premises that were not business premises that might normally have been searched for documents.
I hope that that makes sense. I have been as clear as I can be. I look forward to hearing the Minister.
The Chairman: Before I call the hon. Member for Braintree, can I say that I shall certainly allow a reasonable debate on Government amendment No. 229? However, I should like to debate that in full, put the question on it and then, with the Committees leave and permission, put the question on Government amendments Nos. 230 to 233 together. I hope that I have the Committees permission to do that.
By the way, since I like to be helpful, there may be two Divisions in the Chamber at 6.30 pm and, with a quarter of an hour for each Division, that could take us up to 7 pm. It is not for me to limit or restrict the debate in this Public Bill Committee, but perhaps in the next few minutes the usual channels might intimate to the Chair what their plans are for the sitting this afternoon.
Mr. Newmark: Thank you, Sir Nicholas, for probably indulging me in what I am about to say. I am thinking in a similar vein to the hon. Member for Dundee, East, because I feel that there are a number of issues that Government amendments Nos. 229 and 230 to 234 do not address. Like the hon. Gentleman, I, too, have a problem with clause 109(3), which I will get to.
I am sorry that the hon. Member for Wolverhampton, South-West (Rob Marris) is not in the room, because his knowledge of background notes is always appreciated in situations such as this. The background note to clause 109 suggests that it is concerned with the standardisation of, rather than with substantive changes to, existing provisions. The note mentions explicitly the review of powers, deterrents and safeguards that were set up during the amalgamation of the Inland Revenue with HM Customs and Excise. However, there is no mention of the many reviews pending into data security, which form the real background to the clause and are a real cause for concern among members of the public and their professional advisers.
As midsummer approaches we are still waiting for Keiran Pointers final report on HMRC data loss, promised in the spring, but kicked into touch amid the Prime Ministers superabundance of bad news. Likewise, we are still waiting for the final review of the Cabinet Office report, Data Handling Procedures in Government promised in spring, but also missing in action. The interim report notes:
It is clear that more can be done to improve trust and confidence about the arrangements in place to protect information in Government... As a first step, Government should commit to enhanced transparency with Parliament and the public about action to safeguard information and the results of that action.
Nevertheless, Parliament and the public are still waiting. Also in the pipeline is the report by Richard Thomas, the Information Commissioner, and Mark Walport of the Wellcome Trust. Meanwhile, Sir Edmund Burtons review and recommendations into the MODs loss of laptops is as absent as its subject.
I mention all that to question whether this is an appropriate time for a standardisation of HMRCs access to computer data, considering that its procedures have already been visibly shown to be inadequate. The Government are pursuing the Governments favourite tactic of conducting a review into everything in order to stave off having to do anything. But there is no sense that any of the Governments industrious reviewing is
Given the palpable sense that trust has been eroded, I have a couple of questions for the Financial Secretary. The first concerns departmental spot checks by the Information Commissioner. The Prime Minister announced in November spot checks on departmental application of data protection principles and data handling procedures. How far has that process proceeded and how has the Information Commissioner specifically looked into HMRCs capacity to handle that kind of computer access situation authorised under the clause?
My second question concerns the Cabinet Office interim report on Data Handling Procedures in Government. Paragraph 31, which covers HMRC, states:
Specific actions already taken include the appointment of a senior official, Director of Data Security, and the appointment of Data Guardians to all areas within HMRC.
Yet I see no provisions in the clause relating to oversight by the director of data security or the detailed role of data guardians in the operations of these powers. Nor is there an explicit role for the Information Commissioner, despite the Cabinet Offices report also suggesting that legislative steps should be taken to enhance the ability of the Information Commissioner to provide external scrutiny of arrangements.
The hon. Member for Dundee, East, whom I should like to address as an hon. Friend but cannot for technical reasons, talked about subsection (3). It simply takes us back to the territory of any authorised person having a right of access to
any computer and any associated apparatus.
I know from my own experience in the private sector that we took our data security very seriously indeed because, if we had not, we would very likely have been sued. I can well imagine that IT managers are not at all pleased with the idea of undisclosed and unidentified, but nevertheless authorised persons, being able to root through their systems at will. That would be the position of a member of staff who provided reasonable assistance to an authorised person.
Stewart Hosie: There is another issue here. Because the clause talks about apparatus, if one considers best practice in backing up systems and saving data, I can imagine a company or an IT manager being seriously unhappy if a Revenue officer arrived and said, I am taking away all the back-ups to your system because we believe that somewhere on this in the last six months is a document that we need to see but we are not sure precisely what day you saved it on. What would happen if there was a catastrophic system failure, the data were in the depths of the HMRC, the system could not be reloaded and the company ceased being able to trade and began to lose money?
Mr. Newmark: As always, the hon. Gentleman raises an important point. People such as him and me, who work in the private sector, understand the practicalities that the Government have failed to address in their
My final point is about the emergence of a two-tier system of data security within HMRC. Members of the Committee know that our tax affairs, as Members of Parliament, are looked after by two very helpful ladies who work for HMRCs public department 1 near Cardiff. The interesting thing about public department 1 is that one lot of its computer records is apparently inaccessible by other authorised persons within HMRC. I believe that colleagues who were on a Select Committee visit to another part of HMRC once tried to look up their details but found that the request was blocked. It seems that even in the tax inspectors world, some are more equal than others.
The two-tier arrangement was also brought to light by my hon. Friend the Member for Blaby (Mr. Robathan) in Treasury questions some months ago, when he discovered that Members of Parliament cannot submit their tax returns online like mere mortals because the system is not deemed appropriate for us. The Financial Secretary said:
There are categories of individual for whom security is a higher priority.[Official Report, 24 January 2008; Vol. 470, c. 1626.]
I pursue this line of argument because if there are categories of person for whom security is a higher priority, surely there are also categories of business or transaction that require tighter security. I do not want to try your patience, Sir NicholasI am just finishing. Will the Financial Secretary clarify whether there will be similar gradations of risk in the way in which the powers in clause 109 are exercised? Will particularly sensitive businesses or records held by those businesses warrant scrutiny by a more thoroughly vetted authorised person, or will the system be one size fits all? Thank you for your indulgence, Sir Nicholas.
The Chairman: Before I call the Financial Secretary to speak, let me say that I used wide discretion in permitting some of what was said then, but I think that it might have been to the advantage of the Committee.
The Chairman: I hope not. I understood that by allowing the hon. Member for Braintree to range rather widely, we could do without a clause stand part debate.
|©Parliamentary copyright 2008||Prepared 11 June 2008|