The
Chairman: That is quite in order, Mr.
Hosie.
Stewart
Hosie: Thank you, Sir
Nicholas. There
are several parts to clause 109, which is about computer records.
Subsection (1)
“requires a
person to produce a document or cause a document to be
produced”, which
is perfectly reasonable. It also
“requires a
person to permit the Commissioners or an officer of Revenue and
Customs...to
inspect” or,
more
importantly, “to
make or take copies of or extracts from or remove a
document”. That
necessitates access to the computer, which is described later in the
clause. Subsection
(2) refers to a provision applying
if “any
reference in the provision to a copy of a document were a reference to
anything onto which information recorded in the document has been
copied, by whatever means and whether directly or
indirectly.” I
shall return to that in a
moment. Subsection
(3)
states: “An
authorised person may, at any reasonable time...check the
operation of, any computer and any associated apparatus or
material...in connection with a relevant
document.” My
problem is that, if the document is an e-mail, or an attachment to an
e-mail, sent by a web mail service on a web server hosted overseas, or
if the document is a web page or a page on a web-enabled application,
again on an overseas-hosted web server, I am not sure how any of that
can be done, particularly in respect of subsection (3), which allows
the person to
check “any
computer and any associated
apparatus” in
order, for example, to remove the
document. That
brings me directly to amendment No. 229, which is extraordinarily wide,
in that
it “makes
any other provision in connection with a
requirement” related
to the person who produced the document or caused it to be produced, or
the commissioners or an officer making or taking copies of or extracts
from or removing the document. I am not sure how enforceable that will
be, particularly in the case of the examples that
I gave, which would seem to introduce a degree of extra-territoriality
in the clause itself and, further, in any other provision being made in
connection with something that is extra-territorial and may be
completely
unenforceable. That
brings me to the effect of amendment No. 229 on subsection (5), which
states: “An
authorised person may require...the person by whom or on whose
behalf the computer is or has been so
used”. That
may be reasonable if the computer is accessible, but subsection (5)(b)
refers
to “any
person having charge of, or otherwise concerned with the operation of,
the computer, apparatus or
material.” Again,
amendment No. 229, which is about making any other provision to have
access to remove a document from a person in subsection (5)
“having charge
of, or otherwise
concerned”, brings
into play innocent third parties, because presumably the clause is
about licences and software as well as kit. Assuming that it is
accessible and that it is not extra-territorial, it brings into play
operations people, communications people, third-party maintenance
people and so
on. There
is a final issue with the clause. The document could have been created
on a handheld device like a BlackBerry, which is deemed to be a
computer, or it could be an attachment to an e-mail created on a
handheld device, and that handheld device is no longer used by the
taxpayer but someone has charge of it—perhaps a sales rep for
the same company based overseas on secondment for three or four months.
Amendment No. 229 would allow “any other provision” to be
made in connection with removing a document from a
“computer” when it is completely inaccessible and may be
overseas. Clause 109 in general is right, but amendment No. 229 allows
almost anything to happen and I am concerned that it is too wide. There
is also an issue of extra-territoriality, given that servers can be
hosted almost anywhere and are not necessarily in the same jurisdiction
as the person or the jurisdiction where the document was
created. Amendment
No. 229 risks widening the scope of investigating people involved to
include innocent third parties. It is also unenforceable.
Notwithstanding the depth and breadth of clause 109, I am interested in
whether the Minister thinks that amendment No. 299,
which “makes
any other provision in connection
with” taking
or making copies and extracting or removing documents
from “any
computer and any associated
apparatus”, is
enforceable. Having read amendment No. 229, I do not think that it can
be done, other than through the normal judicial channels of seeking
warrants in third-party countries if a web server happens to be hosted
elsewhere. I am not sure that the amendment, which would allow
other provisions to be made, is not so wide that it undermines and
removes the assurances that the Minister gave in debates this morning,
particularly in relation to domestic premises that were not business
premises that might normally have been searched for
documents. I
hope that that makes sense. I have been as clear as I can be. I look
forward to hearing the
Minister. Mr.
Brooks Newmark (Braintree) (Con)
rose—
The
Chairman: Before I call the hon. Member for Braintree, can
I say that I shall certainly allow a reasonable debate on Government
amendment No. 229? However, I should like to debate that in full, put
the question on it and then, with the Committee’s leave and
permission, put the question on Government amendments Nos. 230 to 233
together. I hope that I have the Committee’s permission to do
that. By
the way, since I like to be helpful, there may be two Divisions in the
Chamber at 6.30 pm and, with a quarter of an hour for each Division,
that could take us up to 7 pm. It is not for me to limit or restrict
the debate in this Public Bill Committee, but perhaps in the next few
minutes the usual channels might intimate to the Chair what their plans
are for the sitting this
afternoon.
Mr.
Newmark: Thank you, Sir Nicholas, for probably indulging
me in what I am about to say. I am thinking in a similar vein to the
hon. Member for Dundee, East, because I feel that there are a number of
issues that Government amendments Nos. 229 and 230 to 234 do not
address. Like the hon. Gentleman, I, too, have a problem with clause
109(3), which I will get
to. I
am sorry that the hon. Member for Wolverhampton, South-West (Rob
Marris) is not in the room, because his knowledge of background notes
is always appreciated in situations such as this. The background note
to clause 109 suggests that it is concerned with the standardisation
of, rather than with substantive changes to, existing provisions. The
note mentions explicitly the review of powers, deterrents and
safeguards that were set up during the amalgamation of the Inland
Revenue with HM Customs and Excise. However, there is no mention of the
many reviews pending into data security, which form the real background
to the clause and are a real cause for concern among members of the
public and their professional
advisers. 6
pm As
midsummer approaches we are still waiting for Keiran Pointer’s
final report on HMRC data loss, promised in the spring, but kicked into
touch amid the Prime Minister’s superabundance of bad news.
Likewise, we are still waiting for the final review of the Cabinet
Office report, “Data Handling Procedures in Government”
promised in spring, but also missing in action. The interim report
notes: “It
is clear that more can be done to improve trust and confidence about
the arrangements in place to protect information in Government...
As a first step, Government should commit to enhanced transparency with
Parliament and the public about action to safeguard information and the
results of that
action.” Nevertheless,
Parliament and the public are still waiting. Also in the pipeline is
the report by Richard Thomas, the Information Commissioner, and Mark
Walport of the Wellcome Trust. Meanwhile, Sir Edmund Burton’s
review and recommendations into the MOD’s loss of laptops is as
absent as its
subject. I
mention all that to question whether this is an appropriate time for a
standardisation of HMRC’s access to computer data, considering
that its procedures have already been visibly shown to be inadequate.
The Government are pursuing the Government’s favourite tactic of
conducting a review into everything in order to stave off having to do
anything. But there is no sense that any of the Government’s
industrious reviewing is
feeding back into legislation such as this. At the weekend, the Home
Affairs Committee published its report into the emergence of a
surveillance society in Britain, which warned of the erosion of trust
between the citizen and the state. It noted the potential that the
relationship between the two was on the verge of being changed for
good. Given
the palpable sense that trust has been eroded, I have a couple of
questions for the Financial Secretary. The first concerns departmental
spot checks by the Information Commissioner. The Prime Minister
announced in November spot checks on departmental application of data
protection principles and data handling procedures. How far has that
process proceeded and how has the Information Commissioner specifically
looked into HMRC’s capacity to handle that kind of computer
access situation authorised under the
clause? My
second question concerns the Cabinet Office interim report on
“Data Handling Procedures in Government”. Paragraph 31,
which covers HMRC,
states: “Specific
actions already taken include the appointment of a senior official,
Director of Data Security, and the appointment of Data Guardians to all
areas within
HMRC.” Yet
I see no provisions in the clause relating to oversight by the director
of data security or the detailed role of data guardians in the
operations of these powers. Nor is there an explicit role for the
Information Commissioner, despite the Cabinet Office’s report
also suggesting that legislative steps should be taken to enhance the
ability of the Information Commissioner to provide external scrutiny of
arrangements. The
hon. Member for Dundee, East, whom I should like to address as an hon.
Friend but cannot for technical reasons, talked about subsection (3).
It simply takes us back to the territory of any “authorised
person” having a right of access to
“any computer
and any associated
apparatus”. I
know from my own experience in the private sector that we took our data
security very seriously indeed because, if we had not, we would very
likely have been sued. I can well imagine that IT managers are not at
all pleased with the idea of undisclosed and unidentified, but
nevertheless “authorised persons”, being able to root
through their systems at will. That would be the position of a member
of staff who provided “reasonable assistance” to an
authorised person.
Stewart
Hosie: There is another issue here. Because the clause
talks about apparatus, if one considers best practice in backing up
systems and saving data, I can imagine a company or an IT manager being
seriously unhappy if a Revenue officer arrived and said, “I am
taking away all the back-ups to your system because we believe that
somewhere on this in the last six months is a document that we need to
see but we are not sure precisely what day you saved it on.”
What would happen if there was a catastrophic system failure, the data
were in the depths of the HMRC, the system could not be reloaded and
the company ceased being able to trade and began to lose
money?
Mr.
Newmark: As always, the hon. Gentleman raises an important
point. People such as him and me, who work in the private sector,
understand the practicalities that the Government have failed to
address in their
amendments Nos. 229 and 230 to 234. There are, perhaps, weaknesses in
how they are dealing with issues that have been raised in relation to
clause 109. Even if the clause were urgently needed to standardise and
consolidate HMRC’s procedures, could not the opportunity have
been taken to embed specific provisions on oversight by the Information
Commissioner? My
final point is about the emergence of a two-tier system of data
security within HMRC. Members of the Committee know that our tax
affairs, as Members of Parliament, are looked after by two very helpful
ladies who work for HMRC’s public department 1 near Cardiff. The
interesting thing about public department 1 is that one lot of its
computer records is apparently inaccessible by other authorised persons
within HMRC. I believe that colleagues who were on a Select Committee
visit to another part of HMRC once tried to look up their details but
found that the request was blocked. It seems that even in the tax
inspectors’ world, some are more equal than others.
The two-tier
arrangement was also brought to light by my hon. Friend the Member for
Blaby (Mr. Robathan) in Treasury questions some months ago,
when he discovered that Members of Parliament cannot submit their tax
returns online like mere mortals because the system is not deemed
appropriate for us. The Financial Secretary
said: “There
are categories of individual for whom security is a higher
priority.”—[Official Report, 24 January 2008; Vol.
470, c. 1626.]
I pursue this line of
argument because if there are categories of person for whom security is
a higher priority, surely there are also categories of business or
transaction that require tighter security. I do not want to try your
patience, Sir Nicholas—I am just finishing. Will the Financial
Secretary clarify whether there will be similar gradations of risk in
the way in which the powers in clause 109 are exercised? Will
particularly sensitive businesses or records held by those businesses
warrant scrutiny by a more thoroughly vetted authorised person, or will
the system be one size fits all? Thank you for your indulgence, Sir
Nicholas.
The
Chairman: Before I call the Financial Secretary to speak,
let me say that I used wide discretion in permitting some of what was
said then, but I think that it might have been to the
advantage of the Committee.
Jane
Kennedy: Thank you, Sir Nicholas. Will there be a stand
part debate on the
clause?
The
Chairman: I hope not. I understood that by allowing the
hon. Member for Braintree to range rather widely, we could do without a
clause stand part debate.
| 
