3

Industry and Regulators Committee 

Corrected oral evidence: Regulators and growth

Tuesday 20 January 2026

10.05 am

 

Watch the meeting 

Members present: Baroness Drake (The Chair); Lord Best; Baroness Harding of Winscombe; Baroness Nichols of Selby; Lord Teverson; Viscount Thurso; Viscount Trenchard; Lord Udny-Lister; Baroness Valentine.

In the absence of Baroness Taylor of Bolton, Baroness Drake was called to the Chair.

Evidence Session No. 8              Heard in Public              Questions 92 - 105

 

Witnesses

I: Katie Pettifer, CEO, Food Standards Agency; John Edwards, Information Commissioner, Information Commissioner's Office.

 

 


36

 

Examination of witnesses

Katie Pettifer and John Edwards.

Q92            The Chair: Good morning, everyone, and welcome to this evidence session of the Industry and Regulators Committee on regulators and growth. This meeting is being broadcast live via the parliamentary website. Today we are taking evidence from Katie Pettifer, CEO of the Food Standards Agency, and John Edwards, the Information Commissioner. Welcome to you both. A transcript of the meeting will be published on the committee’s website. You will have the opportunity to make any amendments to the transcript where necessary. Hopefully, you have been advised that the committee will have a range of questions to put to you this morning. Perhaps I can open by inviting both of you to give us a brief introduction to your sectoror sphere of influence, in the case of the Information Commissioneryour role as a regulator, your main objectives and how growth fits into them.

Katie Pettifer: Good morning. Put simply, our job is to make sure people have food they can trust. In terms of the sector we regulate, there are nearly 600,000 food businesses in the UK, and we cover England, Wales and Northern Ireland. They employ about 4 million people in total. Collectively, we spend about £240 billion on food and drink every year. Our exports are worth over £20 billion and the sector contributes over £140 billion in gross value added (GVA) to the economy. It is absolutely critical that UK food is trusted by consumers and our international trading partners.

The Food Standards Agency is a statutory body with an overriding statutory objective to protect public health and otherwise to protect the interests of consumers in relation to food. We also have a whole set of regulatory functions around making sure that food is safe and is what it says it is. We run the assurance system to check that businesses are complying with the rules on food hygiene and food standards. We do that directly in some of the highest-risk areas, such as meat and on-farm dairy, but for most of the 600,000 businesses, local authorities deliver those checks. We manage around 2,000 food incidents a yearcontamination and outbreaks of food-borne diseaseworking with local authorities and businesses. We have a food crime unit, which directly investigates the most serious cases of criminality and fraud in the food system, and we have a wider role advising consumers, Governments and other public bodies on food safety. Finally, since EU exit we have taken on more functions, which include running the pre-market authorisation process for new food and feed products.

The best way in which we support growth is by doing our job wellmaintaining trust in food and avoiding the kind of major food incident which causes a critical loss of trust and costs the economy billions as well as being terrible for public health. We have the growth duty in England but not in Wales or Northern Ireland. However, across all three countries we have set the same guiding principles in our strategy, which include being innovative, being proportionate and making it easier for businesses to do the right thing.

The final thing worth saying is that we are quite unusual in that food is devolved. We advise three different Governments and work to three different sets of Ministers in our areas, but we recognise that, on the whole, businesses do not want divergence in rules across GB or the UK where they can be avoided. We tend to work very closely in those three countries to try to make decisions on a collective basis.

John Edwards: I am pleased to be here. The Information Commissioner’s Office (ICO) is the country’s principal data regulator. Our remit covers the use of personal data wherever it is held. That is a whole economy. The range of applications is infinite, bounded only by the limits of human activity, including commercial activity. That means we have to make some careful choices about how we have the greatest impact.

When I heard that I was to appear with the Food Standards Agency, I thought about what we have in common. Katie has hit on the fundamental element, which is that we are both concerned with maintaining trust. Trust is a fundamental precondition to people’s engagement in the digital economy. We have a role in demonstrating to individuals and consumers that there is a regime which ensures their personal data is adequately protected, but we also have a role in facilitating business compliance. Across many studies, the one consistent principal determinant of compliance with regulation is ease of compliance.

The regulation that we are principally responsible for, the UK General Data Protection Regulation (GDPR)we are also responsible for freedom of information, but I will not spend much time there—is a principles-based law. The great advantage of that is that it can apply to an enormous diversity of circumstances. The disadvantage is that, at the margins, it can create some uncertainty. It is not prescriptive. It does not say what businesses have to do in every conceivable circumstance. Our role in that capacity is to provide certainty, advise businesses what our expectations are and take the friction that uncertainty creates out of the economy.

We have had a growth imperative since 2017, so the initiatives of this Government, while welcome, are not new to us and have not caused a significant change to our approach to our regulatory responsibilities. However, we are very interested in promoting economic growth. This is not at the cost of or in some kind of zero-sum relationship with individuals’ rights and protections. These are complementary and are conditions precedent. So that is a sort of scene setting; I am happy to dive deeper into any particular areas that the committee is interested in.

Q93            The Chair: That is a good lead-in to my follow-up question. Do you have a model of what growth looks like for your sector? To what extent have the Government provided clarity on what that growth should look like, in your case in your sphere of influence or the whole economy, and how does that impact on your objectives? You have said that, since 2017, you have had this growth objective and have been taking friction from uncertainty out of the economy, but could you elaborate under the guise of that question?

John Edwards: There are two different angles that we can come to this question from. One is the idea that excessive regulation acts as a drag on growth. I think the role of the regulator is to take cost out of the economy. We do that by providing tools, clarity and guidance. For example, we produced a privacy statement generator. We have produced tools for businesses to undertake privacy impact assessments and the like. We will launch this spring a set of training materials for every organisation that is registered with us as a data controller. It is my view that no organisation should have to pay a third-party provider to understand the basics of the expectations of my office and of this House in relation to their carriage of personal data, so we can take that cost out. When we spend once at the centre, we save many multiples of times out in the sector.

The second dimension is that we can act as an encouragement for business to innovate. We can give them the confidence. We can take certain obstacles or impediments off the table. For exampleI am sure we will return to this pointas the tsunami of generative AI broke over the economy, there was a lot of uncertainty about how these technologies were regulated. In 2024, we consulted on a number of policy positions that cover the whole supply chain of AI, so we were able to give business the confidence that it could engage with and employ these technologies safely and to give an indication of how we would approach questions such as data minimisation, purpose limitation and the like in relation to both model creation and application level in businesses. That is quite important. Just to summarise, our approach to growth is both taking cost out of the economy and providing confidence to drive investment.

The other part of your question was whether the Government have set specific goals. I do not believe that we have sought or need that. We also have a statutory obligation to act independently, so while we share the Government’s view of the importance of growth and the role of regulators in it, and do not feel that it is an intrusion on our independence to reflect that in our strategic planning and the like, we think there is a limit to the granularity that Government can deliver in terms of directing an independent office such as ours.

The Chair: Given the rate of change in your sphere, whether it is digital engagement, AI or cyber risk, do you have a theory of change or a sense of why a policy or programme leads to certain impacts or outcomes? Do you have something as formal as that in your approach?

John Edwards: We adopt a theory of change approach. It drives us at a high level. It is hard to get too granular when talking about the whole economy and that infinite variety of data transactions that I described at the outset, but we use the theory of change model for assessing how we allocate resources to particular interventions. We are very interested in what outcomes we expect from an output and what the impact will be. We undertake ex ante and ex post assessments of that and we report back. We have been able to report, for example, that we believe we have generated £233 million of benefit for the economy through our interventions, across a range of metrics. We can provide more granular detail of those measurements to the committee, if that would be helpful.

The Chair: I think it would. If we could take up your invite, we will follow that up outside. Katie, you have got the spirit of the question. What is your model of growth? Are the Government providing clarity? There is also this whole theory of change. Would you like to respond in the context of your sector?

Katie Pettifer: I hinted at our model of growth in my answer to the last question. We believe that good proportionate regulation supports growth in the food sector; it does not hinder it. That is certainly what I hear from food businesses when we talk to them about food safety regulation. We were set up in the wake of BSE[1], which not only led to 200 deaths but cost the economy about £7 billion and another £1.5 billion in lost exports. We were born out of that crisis and deliberately set up to report to the Department of Health and Social Care, not Defra, because it was believed that there would be greater trust in the food system if we were not seen to be reporting to the department that represented its interests.

What we do is critical in creating a level playing field. Most businesses that want to do the right thing want to make sure that other businesses are doing it too, which supports that public trust. We get audited by our trading partners multiple times a year to check our controls and make sure they are willing to continue to accept our food. It is a really critical service that we provide for businesses day in, day out.

In terms of additional things that we do to support growth, three areas are very high on my radar. We do not have a strategic steer from the Government like some economic regulators, but I think we have a very clear idea of government priorities in this area. The first is the Sanitary and Phytosanitary (SPS) agreement, as part of the EU reset which the UK and the EU have said they will reach, on a common area for controls for animal and plant products, which includes basically all the food law we are covering. That involves aligning all the food law that we own at the Food Standards Agencyabout 80 of the 500 or so laws that are covered. The Government have said that this agreement could add £5 billion a year to the economy in the long term. It is clearly a massive priority. It could reduce friction at the border and remove costs for businesses. It has to be one of our biggest priorities to support negotiating that agreement and implementing it well.

The second area is modernising the way we regulate, without changing the standards that our food is held to in the UKI have heard no appetite for that. There is a lot that we can do around the way we make sure that businesses are complying with those standards. That brings in that 25% target we have from the Government on administrative burdens. We have a set of reforms in the regulatory action plan that are about making the local authority inspections more targeted and proportionate and making better use of data and intelligence. We are absolutely delighted that we have been asked by the Government in the recent Budget to pursue the work we have been doing on national-level regulation for the biggest businesses, which I am happy to talk about in more detail. There is a whole set of things we can do as a regulator in how we do our job that can really support businesses without in any way diminishing protection for consumers.

The third area is support for innovation and growth in new technologies. We are seeing a massive explosion in new technologies in food production. One of the priority growth areas for the Department for Science, Innovation and Technology (DSIT) is engineering biology. We are seeing a huge increase in the development of these kinds of technologies to produce new foods. We have an innovation hub which includes the sandbox on cell-cultivated products, which I am sure we will talk about in this session, and a set of other areas where we are trying to keep pace with those technologies and help innovators bring food safely to market. That supports consumer trust and brings clarity that helps them get investment, because they understand how the regulatory process is going to work and know that it will be fair and predictable.

The Chair: We will probably come back, if we may, to the interface with other countries regulations, because that is an interesting issue, but I have noted your point.

Q94            Baroness Valentine: My question is about the balance between predictability and flexibility. We have heard from businesses that they value regulatory predictability and stability to be able to make long-term plans and investment, but also flexibility to respond to new opportunities. Can you comment on how you balance those two things?

Katie Pettifer: Most of the regulation we deliver is set out in quite prescriptive assimilated EU law. The nature of the way those laws are made means they are often quite prescriptive on what businesses have to do and the processes we have to go through as a regulator. That can be very helpful for businesses, because it gives them a lot of clarity on what the expectations are on food hygiene, particular types of production and so on, but the drawback is that it is hard to change.

For example, the food hygiene rules on meat production say that you have to chill meat on site before it is transported. After the animal has been slaughtered, it has to be chilled and then transported. These days, you can get technology which would enable that chilling to take place in a lorry during transport to speed up the process, but the legislation does not allow it. So you get stuck in this situation where new technologies are not quite allowed for and it is difficult to adapt.

In some areas, we have more adaptability. A good example is in that pre-market authorisation regime. Under the novel foods legislation which we implement, although it is predictive about process, we have quite a lot of scope in working out how we determine whether something is safe. I think you heard this from Hoxton Farms. Its adaptability has been really useful because we are dealing with technologies that were never envisaged when this legislation was written. As a regulator, we are trying to develop guidance that says to businesses, “This is the approach we will take to determine that something is safe”, so they know what studies to commission and what research they need. That is quite a good model, where you have legislation that is relatively principles-based but the regulator can set out guidance in some detail for businesses, because that can be changed easily as time passes and as technologies develop.

Baroness Valentine: Can I just check I understood the first point you made? You said that EU legislation says you have to chill on site. Is that correct?

Katie Pettifer: It is now our legislation; we inherited it from the EU and have assimilated it into our law.

Baroness Valentine: So, in order to change that, you have to go back and change the legislation.

John Edwards: The flexibility side of the equation is a design feature of data protection law. As I mentioned at the outset, it is a principles-based approach that is capable of accommodating changes in business practices and technology. How it is to be applied is where the certainty dimension comes in. We have to be very responsive to these developments, both in an industry-specific, or even enterprise-specific, way and across the economy. On the latter, the AI guidance I mentioned earlier is a really good example.

On the former, we offer products such as our innovation hub and sandbox services. These are offerings into industry where we can say that if you are not sure how the law is going to apply to your innovation, come to us and we will work with you. In the sandbox, that is very hands-on. We are walking side by side to resolve questions of how the law applies. At the innovation hub level, we are responding to questions, and we are turning to queries within a specified service commitment; I think it is 10 days. Through our innovation hub, however—or through our wider business advisory services anyway—we had about 60,000 enquiries.

We work with partner regulators across industry as well; providing industry with coherent, connected approaches to emerging issues is really important. We work together in the Digital Regulation Cooperation Forum, which is made up of the Information Commissioner’s Office, the Competition and Markets Authority, the Financial Conduct Authority and Ofcom. We can identify cross-cutting issues there that industry could rightly expect would have a co-ordinated approach.

We do this, also, with our enforcement action. I hark back to the previous question briefly, with a little coda. There is an obligation under the law, for example, and it is one of many, that organisations must have adequate security measures to protect the data that they hold. When we investigate breaches, we identify the factors that have been wanting, that may have contributed, and issue penalties. Capita compromised the data of 6 million people of the UK, for example: we issued a fine of £14 million, and made the shortcomings very clear. We have done the same for Advanced Computer Software Group and for 23andMe, which had a “credential stuffing” vulnerability. If we see absences in multifactor authentication, we will show that the cost of not implementing these security measures will be exceeded by the cost of doing so.

I want to briefly mention another growth metric. I was speaking with Katie outside about the contribution that we make. Very often, the metric is about costs avoided: what has not gone wrong because we are there. Those are very difficult to measure, but we had a really interesting metric before Christmas; I want to caveat that we have not completed an investigation in this case. We do not know if there was a breach of standards or of legal obligations. The Jaguar Land Rover breach last year, however, had such an impact that it was a factor reported on as impacting GDP growth for the third quarter of last year. That is a really significant metric on the importance of paying close attention to the standards required under the law. Within that dynamic environment, we as regulators need to be constantly signalling to industry what our expectations are, which we do.

Baroness Valentine: Could I just take you both back to the innovation question? If you have got a sandbox and you are dealing with innovative challenges, can you comment on how you mainstream what you learn from that process?

John Edwards: For me, it is about getting a multiplier effect. These are not investments that we make just to deliver a private benefit to one industry. One of the criteria for entry into the sandbox would be the wider application across the sector in terms of whether this is going to deliver the clarity and certainty that industry requires. We are not engaging in these on the basis of commercial lack of confidence. We are saying that our learnings are something that we need to report out to the wider economy, so that everybody gets the benefit from it.

Katie Pettifer: Our situation is similar. In our cell-cultivated product sandbox, we are working with eight companies who are producing different types of cell-cultivated animal product in different technologies. All the products from the sandbox, the guidance that we produce, and the knowledge that we get has to benefit everyone, not just the sandbox participants. We will then use this in the sandbox guidance that we produce, and use it in the assessment of all the applications from these technologies that come to us, and it will go out to all companies that use it. We have set up a pre-application support service as part of the sandbox. It is not just for those eight companies; it is for any company that wants to bring an application in this area. We have put quite a lot of important guardrails in place to make sure that sandbox participants do not get any more favourable treatment in their actual application assessment than others. The whole point of the sandbox is for us to learn so that we can do a better job across the board.

Baroness Valentine: I have one follow-up question. That is one type of mainstreaming. From memory, however, one of the issues with the novelty products is the time that you can turn around whatever the issue is. I am wondering—if you manage to turn it around quickly, as in that particular example—whether you can mainstream that behaviour into the regulator?

Katie Pettifer: A lot of the things that enable us to speed the processes up—and we are 10 months into our sandbox, so we have not authorised any of these products yet—are greater clarity for the applicants and what they need going in. One of the biggest things that slows down our authorisation process is the back and forth, where our scientific committees look at something and ask for more information on the impact on the gut microbiome or similar. The company then has to go away and find more scientific evidence. If we can get that sorted up front, that is a principle that applies across the board.

The Chair: Turning our attention to risk, Baroness Harding, you had a question.

Q95            Baroness Harding of Winscombe: The Government have said that they would like regulators to become less risk averse. What is your approach to risk, and how is that changing as a result of the Government’s steer?

Katie Pettifer: It is really important that we distinguish between risk on food safety, risk to the public, and risk in how we go about doing our job. I have not heard anything from this Government or from the businesses that we regulate that sounds like them pushing to take more risk on food safety, or in any way to lower the standards that we apply to food in the UK. In fact, the Government are publicly on record saying that they are going to uphold high UK food standards in all the trade deals we are doing. We are not taking more risk on food safety. What we are doing is being more proportionate and more innovative in how we assess safety, and how we make sure those standards are being upheld.

One example is that we have already done a set of reforms to the market authorisation process that we inherited from the EU. Among other things, we removed a requirement that was in the process that specified—for certain foods like animal feed additives—that you had to come back every 10 years and go through the process again, regardless of whether the evidence had changed and what the circumstances were. Since the reforms that have now gone through Parliament and are being implemented, we have changed that. We now have the right to reassess at any time if the safety evidence changes—and you must tell us if the safety evidence changes. Instead of just churning through a process, we are actually being smarter about it. That has removed what was an onerous and in some cases unnecessary requirement on business. It could be argued that, if we are looking at it every 10 years without fail, maybe we would pick something up, and maybe we are taking risk there. I do not think that we are: I think that we have put in place a process that manages the risk.

Baroness Harding of Winscombe: How is the Information Commissioner’s Office assessing its risk appetite?

John Edwards: We regularly revisit our risk appetite. In terms of risk, we are hungry to try innovative approaches. There is internal risk that we are prepared to assume, and then there is the risk aversion that we see in the wider economy and that may be acting as a drag on growth. We calibrate our own risk appetite according to our licence to operate, for example, with regards to the expectations of stakeholders. But, out in the community, I am very conscious that the sorts of signals we send can cause business investment decisions to either veer towards risk aversion or risk-taking. It is a question of trying to find that Goldilocks zone where businesses are not needlessly withholding investment and innovation because of a fear of adverse regulatory outcomes. That brings us back to the approach that we take in providing certainty, trying to understand what may be driving those behaviours and providing the clarity about our approach so people know what to expect from us.

Baroness Harding of Winscombe: Have you changed your approach since the Government set out this challenge to regulators to be less risk averse?

John Edwards: I do not think so, because that was a generic challenge. If the Government had come and assessed our approach to risk, I am not sure that they would have found it wanting and would have said, “We need you to be more”, or less, or anything. I think we were in about the right place anyway.

Baroness Harding of Winscombe: I may be misunderstanding your respective types of reporting, but it is just quite striking that the Information Commissioner’s Office’s risk register is all internally referencing. Other than AI, your seven key risks in your last annual report are about internal process—six of them. Given the uncertainties and the challenge, as you say, of companies interpreting this principles-based regulation, I was surprised there was not anything more outward-looking in assessing the risk appetite, and a separation in the way that Katie is describing. The Food Standards Agency’s risk register, such as I could find it online, was almost entirely externally referencing. It is quite striking, the two different approaches.

John Edwards: That is a fair challenge. Our approach is informed by corporate reporting standards—that our audit and risk committee can commission audits, for example, and can report to the board about whether we are taking more risks than the board has said we are comfortable with. But in our approach to the wider economy, I do not think the fact that we have not reported on that in the same way indicates that we are neglecting the impact of risk in the wider economy and how our regulatory interventions can affect that. It is a really valid challenge, and I will take that back. Thank you.

Katie Pettifer: I will just add to that. Our full risk register is one of the very few documents we do not publish. We publish a summary, which is probably what you found. But on process, our risk appetite is set by our board every year. We are about to do it again in a couple of weeks’ time. That is where the types of steers we are getting factor into that discussion. I do not think we published the risk appetite either, but we have been very explicit in distinguishing between the types of risk. We are averse on food-safety risk, but we are open—that is the hungriest of the criteria we use—on risk in terms of reform of the way in which we go about doing our regulatory work.

Baroness Harding of Winscombe: How would the companies that you regulate know that if you are not publishing it?

Katie Pettifer: Through the way in which we go about our business. We hold our board meetings in public; we publish all of our board papers. We do have a discussion at the board about risk, in summary. It is just one of the things where in the detail we think it is better done, for a fuller discussion, in private.

Q96            Lord Teverson: I just wanted to follow up with John, really, on risk. I get what you are saying, but is not one of the follow-on effects—I have certainly come across it in information control—that particularly other public authorities hide behind General Data Protection Regulation (GDPR) in order not to do stuff? The effect on public sector organisations that do not have a risk appetite is to sometimes use GDPR as a reason not to do stuff that should be done, partly because it is very principles-based. I just wondered whether you ever confront. I am thinking of planning, particularly, where in a particular area you made a local authority pay quite a bit of money—quite rightly, I am sure. But then there was a reaction in the rest of that sector—“Hmm. We are going to be really, really careful about what we do in freedom of information and other stuff”—which then maybe gets in the way of some of the growth issues, in planning permissions or whatever. Do you ever look at that other side of the coin and say, “No, you are overinterpreting and you shouldn’t do that”?

John Edwards: Absolutely. I do not know the example that you are referring to, which has come from either environmental information regulation or the broader freedom of information, so I cannot really speak to that. But there are a number of reasons why organisations may be reluctant to share information, for example. Sometimes the easiest response to justify that is, “We cannot, because of GDPR”. Actually, when you drill down into it, there is not an apprehension that they are going to suffer some regulatory penalty; the real concern is, “You are asking me to invest money in making systems that are able to share across a sector, for example. But the benefit does not come back to my organisation, so we do not want to do it”. That is expressed in terms of aversion because of data regulation.

We are tackling that across the board. Every time I speak to Ministers, I ask them to let me know if the growth-promoting initiatives that they are asking their officials to execute on are being stalled because of apprehensions about limitations imposed by the regulations. I ask them to reality-check that with me, so that we can come in and say whether those are legitimate or whether there are ways of working around that. One area that I have zero tolerance for, for example, is a risk aversion to sharing data based on concerns about regulatory consequences where safeguarding of children is at issue. There should never—ever—be any reticence or reluctance for information to flow to the appropriate organisation to keep a child safe. I will never hear a school or a nurse or another organisation say, “We thought that if we raised these concerns, we would be in trouble with the Information Commissioner”.

Lord Teverson: Thank you; that is an interesting example.

The Chair: Staying with risk, now we come to the question of who bears that. Baroness Nichols, you have a question.

Q97            Baroness Nichols of Selby: Yes. As the Chair said, we are staying with risk, but in a different way. Who bears the risk if something goes wrong? Where is the balance between, say, people who can potentially be at risk and the companies that are putting those people at risk?

Katie Pettifer: Who bears the risk? The consequences are borne by people and businesses. People sadly die and get seriously ill every year from food-borne disease. We had hundreds of hospitalisations last year from an E. coli outbreak. The consequences for people when businesses get it wrong are very serious. But they are also very serious for businesses. The horsemeat scandal wiped £300 million off the share price of Tesco pretty much overnight, and businesses are very much aware of this. When the retained EU law Bill was going through, I was having a lot of conversations with trade bodies and big businesses saying, “What laws would you like us to remove in the food safety sphere?” The answer I got was, “None”. Good, reputable businesses would be doing these things anyway because they do not want to make people sick, and they want confidence that the other businesses are doing it too. They want their trading partners to know that they are doing it. All those who have to export would be doing this anyway. We are lucky as a regulator in our sector, as there is a very strong incentive on businesses to do the right thing.

John Edwards: Similarly, the consequences are visited upon the whole of the economy. At the individual level, we see people fleeing domestic violence exposed because of data breaches. We see millions exposed to identity theft through hacks, for example. But again, as Katie says, there are real economic consequences for the businesses. You see hundreds of millions of dollars of cost imposed on businesses such as Marks & Spencer, Co-op, Harrods and Jaguar Land Rover because of breaches of security. I caveat that we have not investigated those and I cannot say whether those intrusions constitute a breach of legal obligations, but the examples are instructive. More broadly, at a societal level, if organisations do not get it right and do not respect the trust that has been reposed in them as custodians of people’s individual data, then they lose their legitimacy. People will not engage. That cost flows through into GDP and growth figures, as we saw with that Jaguar Land Rover example last year.

Baroness Nichols of Selby: Secondly, how do you think you can support people and avoid, if you like, having the pendulum swing back the other way? If and when some of that additional risk crystallises, do you think the Government and Parliament need to be clearer in their backing for greater acceptance of risk in order for regulators to implement it?

Katie Pettifer: When things go wrong, and particularly when tragic things happen, it can always be very tempting to give a knee-jerk response, but it can also be a real opportunity to do something productive and good with businesses. I have in mind Natasha’s Law on allergens, after that absolutely tragic death. We worked very hard with the industry on designing and implementing that, as we do all the allergen measures. This is another area where, devastatingly, we still have deaths because businesses have not managed their allergens properly. There is an awful lot that businesses need to do to get this right, but they know it is really important and we work with them on it.

In avoiding the pendulum swinging the wrong way, you have to be very mindful and work with the industry so that what is introduced in the wake of something going wrong is proportionate and effective. One of our really useful tools is our Safer Food, Better Business guidance. We have a whole suite of guidance packs for different types of food businesses which tell them how to comply with food law. We have just gone through a big update of that. We keep it updated regularly so that there are direct ways. You will see local authority food safety officers hand it out when they go into a food hygiene inspection or give out the link and say, “Go and download this. This will make it really easy for you to know what you have to do”. We try to get directly to businesses so that they have clear guidance on what they have to do, so that they are not gold plating and are doing the right thing.

John Edwards: To the second part of your question, on whether Government and Parliament need to be clearer in their backing for greater acceptance of risk, I hear colleague regulators say that they do, particularly in financial services. It is a reasonable challenge to say: “If we take more risk, there could be consequences. Are you going to back us in that? That is not my area, so I cannot speak further to that, but in the field of data I do not think we are experiencing any signalling from the Government that we need to liberalise risk. I do not feel any vulnerability in our approach, if there is an issue that is a consequence of our risk approach.

We have to make allocative decisions every day about where we can have the greatest impact. That means we are going to miss things. We cannot do everything. I was before the Science, Innovation and Technology Committee of the other House before Christmas and was challenged on a number of decisions that we make. Each member of that committee had their own areas of interest which I could have devoted my entire budget to. Going back to my opening comments, there are infinite calls on our resources. It is absolutely critical that I come to places such as this and am transparent and able to explain the decisions and trade-offs that we are making. We might get that wrong at times, but I do not think I am experiencing any particular pressure from Government to move the risk pendulum in one way or the other.

Q98            Baroness Harding of Winscombe: I am surprised to hear you sound so definitive that there is no debate around the degree of risk on data protection, because other regulators that have given us evidence are saying that they want to see Government be clearer on the trade-offs and not leave them to make all the judgments between growth and risk. Are you really saying that it is completely black and whitethat there is no pressure from Government at all in the huge expanse of data regulation to change and move the dial on driving growth versus protecting data rights?

John Edwards: I think we are trusted to make those decisions and we do a defensible job at it. No, I do not feel pressure. My experience of Government since I have been in post for four years is that they recognise that it is the role of the regulator to make these calls. I have felt supported by all the Secretaries of State and Ministers that I have reported to.

The Chair: Staying with Baroness Harding’s point, it is not just the pressure point. I think the argument we are trying to dig into is that it is implicit in a strengthening of the growth objective that it would trigger a review of your risk appetite, unless you are challenging that basic point. Are the Government providing sufficient clarity as to how regulators manage that balance? Katie, how are you dealing with that?

Katie Pettifer: In terms of strengthening the growth objective, it is interesting. We have very clear legislation on both our overriding objective, which is protecting public health and the interests of consumers, and the actual functions we have to carry out. When going about our regulatory business, in most areas we do not have a lot of discretion. The growth objective probably weighs more on regulators that are weighing up 10 different objectives in making some decision that has significant economic consequences.

If we are deciding what sort of action is appropriate in response to a food safety incident, we could take a precautionary approach, which might have more costs for businesses in the short term and there might be more recalls, but we might avoid something going really wrong that is very damaging to growth, or we could take a less precautionary approach which might have less immediate cost for businesses but a greater risk of more damage to the economy in the longer term. It is very difficult to say which way the growth objective would tell you to go in those circumstances.

The kind of things that have really made a difference for us on growth are less about the balancing of statutory objectives and more about having the resources to do much more pro-innovation stuff with industry. The ring-fenced funding for sandboxes and so on has been a game-changer and a very clear signal from Government that they want us to put resource and effort into that area. Because we have had ring-fenced funding, we have been able to prioritise some businesses and technologies above others, which is quite hard to do as a regulator on the whole.

The other thing that has been really important is ministerial interest in reform and willingness to talk about it. We have been plugging away for years at some of the reforms that we are now doing under the regulation for growth action plan, and I am delighted that Ministers want to talk about them and help get legislative time available for us to do them, because access to legislation is the other really important thing.

John Edwards: Can I come back on this? I think there is a bit of confusion; perhaps I have not expressed myself very clearly. It is really important for the committee to recognise how central to our approach the statutory obligation of independence is. We get challenged on this internationally. The independence of the Information Commissioner’s Office is fundamental to its operating ability. Governments understand that, so I have not felt pressure to move our approach to risk.

It might help the committee if I compare and contrast. I think it was in 2023 that my Italian counterpart banned ChatGPT in that jurisdiction until it could be satisfied of certain things. We have not taken that approach. The Government have not said, “We don’t want you to regulate large language models”, or “We don’t want you to do this or that”, but we think that it is important for us to understand how these technologies can be used safely. We do not need the Government to tell us that. We understand that there is an enormous appetite for these technologies and that there will be enormous benefits in the economy to industries engaging with them, and we feel that it is our obligation to illustrate how this can be done safely and consistently with data protection law. That is not taking a “line to take” from the Government; it is a decision that we have come to independently.

Baroness Harding of Winscombe: I think my question might have been misinterpreted a bit as well. How are you, as an independent regulator, assessing whether you have the right risk appetite? I cannot see it in your annual report. You are rightly defending your independence. If I am a company or a consumer, how do I unpick how the Information Commissioner’s Office assesses the risk appetite and whether you think you have got it right?

John Edwards: We do impact analysis on our work. We engage with stakeholders. Every business in the country is a stakeholder, and we try to reality check our approach via proxies such as the Confederation of British Industry and the Federation of Small Businesses—we calibrate through a range of them. It is not a perfect science, but we are very interested in receiving that feedback. I do not think we have seen any significant challenge to our approach there.

​​​The Chair: Do you want to come back, Baroness Nichols, since it was your good question?

Baroness Nichols of Selby: I think it is very different for you two witnesses, because if something happens, you are there to advise how to deal with it, not to lower the risk levels. You are there to deal with breaches when they happen. It is very different in that you are trying to advise organisations on how not to get themselves into these difficult situations in the first place. I am not convinced that lowering the risk would help where either of you are, unlike others in building safety, partnerships, et cetera. That is a very different thing.

It is a difficult question for you two, because it concerns a different kind of regulation. What you have to do and what you are there to do is already set up, is it not? So that, if there is a data breach, you know you have to deal with it. You are not going to lower the risk on what you would deal with, or not, because what you have to deal with is already in statute, if you like.

Katie Pettifer: We have several good barometers—of public trust and of what business and trading partners think about us—that we use to calibrate. On how the growth duty might bite, and thinking about recalls, just a couple of weeks ago, Nestlé identified contamination in some of its lines of baby milk. When you look at it dispassionately, it was a very low-risk but highly emotive issue. It chose to do a very wide-ranging precautionary recall. That was not us; it was the business saying, “We want to be on the precautionary end of the spectrum.

Generally, we find that we have a similar risk appetite to businesses that do not want to get it wrong or take risk. We have a small-business and micro-business tracker survey, because it is often much harder to reach the smaller businesses. Some 94% say that the requirements set out in law are reasonable. That is a good barometer.

We generally have high levels of public trust. Of those who have heard of us, it is usually around 80%. People trust us to keep food safe, trust that food is safe in this country, and we usually get good results from our audits from other trading partners. Issues come up from time to time, but that is how I would judge whether we are getting it right in terms of the controls and the system.

The Chair: I am conscious that we have used up a bit of time on that, but it was an interesting point to delve into. Perhaps we could move on to the Government’s action plan.

Q99            Viscount Thurso: Good morning. John, I come to you first. My question is around your response to the government action plan. Before I ask that, may I quickly ask you one question based on the last discussion? You mentioned that your Italian counterpart had banned ChatGPT. We now know that ChatGPT hallucinates regularly in large measure, which is having an impact on academic studies. Also, there was a legal judgment in Scotland that proved to be largely false or had large chunks that came from that. Is that something you should be regulating, or that you are regulating? Do you have a role in that?

John Edwards: Absolutely. The challenge of hallucination is not a fundamental flaw; it is part of the evolution. I think of the technology, and how we approach that in a regulatory sense would be at the application end. Obviously, if a product is not fit for purpose, we would challenge it at that model end. But at the application end, we would be saying to organisations that are using that technology that our expectation is that you are taking steps to validate assumptions about personal data commensurate with the potential risk presented by it.

If it hallucinates a recipe based on the things you have in your fridge, there is not much risk, other than that you might get a meal that is not to your taste. But if it hallucinates on an application that can have real world impact on one of your customers or clients, then my expectation is that you are independently validating that until the technology develops to such a point that those external validations are not required.

Viscount Thurso: I shall now ask you what I was meant to ask you, around what you are doing differently in response to the Government’s action plan. Are you on track? There is a list of five commitments that you made. Are you on track on those? What comes next? Are there any barriers?

John Edwards: We are on track. They are not all entirely within our control. We proposed a number of initiatives that we would be able to execute with the participation of the Government. For example, we had the regulatory sandbox in place. It is continuing. We are expanding it and exploring opportunities for a multi-agency sandbox with our Digital Regulation Cooperation Forum partners. We will be producing an AI code of practice. That was one of the commitments to the growth challenge. Again, that is a product of the Data (Use and Access) Act. It will require a statutory instrument. We are expecting that this year, and then we can begin drafting that.

We have been working on the small and medium enterprise data essentials product, which will have a significant effect for smaller businesses that do not know how to manage the regulatory burden. We will be rolling that out in a couple of months. We have issued international data transfer guidance. That is a complex regulatory area, so, if we can simplify the guidance, that takes out cost from the system. All those are on track. We made a commitment also to supercharge a sandbox by exploring an experimentation regime. One of the inhibitions or barriers, as you described, for businesses coming into a sandbox might be that they bring an idea that is simply not provided for under the current law.

Our proposal to the Government was that if we were given the authority to disapply certain aspects of the General Data Protection Regulation (GDPR) regime to an initiative in a controlled environment, that could be attractive to business, but that will require an extra statutory power. We have been granted funds by Government up to £400,000 to feasibility-study that and check how we might go about it—so we are making progress with that as well. We propose that there could be gains in liberalising rules around online advertising and removing the obligation to obtain consent in certain areas, and we are working through that with stakeholders and the Department for Science, Innovation and Technology, because that would also require a statutory intervention. So we have made good progress on all those and we are continuing with our normal trajectory to try to constantly identify where we can take cost out for businesses by providing that kind of clarity.

Viscount Thurso: Katie, can I come to you? Before I do, can I ask you a question on something that we have done earlier? You mentioned that you regulate three countries, which presumably means that you do not regulate the fourth, Scotland. A lot of the legislation is UK. Do you have any difficulties there, or is that a perfectly happy relationship that works well?

Katie Pettifer: We have a really good relationship with Food Standards Scotland (FSS). The chief executive of FSS and I speak weekly and appeared just recently in front of the EFRA Committee together, talking about the whole UK. We are very joined up, and a lot of the work we do in parallel, with our teams working together. On things like market authorisations for new products, we effectively work as one. We have to take separate decisions and put them to our Ministers separately, but we make it work as effectively as we can.

Where it is difficult is not in the working between the two organisations but in the differing risk appetites across the UK. There are areas of food law where Ministers in the UK Government have taken a different approach; they have introduced precision breeding legislation, which is not in the rest of the UK. On each individual product authorisation, on every new product that comes to us, we have to get decisions from Ministers in England, Wales and Scotland. We tend to find with officials in those Governments, as we put things up to Ministers, that they have different risk appetites; potentially, they may want more work and consultation done in one country than in another. It is easy to say that the UK Government have given us a steer and we must go for it, but unless we have the same steer from the other two countries, it is hard to move as fast as the Government might want in some cases, because we have to take all three with us. If we do not, it is really unhelpful for businesses, because it adds complexity and cost.

Viscount Thurso: Have you got that risk in your risk register?

Katie Pettifer: We may have recently taken it out of the top-level one, because the multi-country working has been very good—but it has been a really big feature of our risk management and a big focus for our board. We work really hard to be genuinely three nation.

Viscount Thurso: Let me take you back to the question around the Government’s action plan. I think that you agreed on four things that you are doing. How is that going? Is there anything else? What are the next steps and what are the barriers?

Katie Pettifer: We have done it. We were asked for things that we could do by the end of the year and we have done them all—so in the action plan we have rolled out all the new approaches to food standards inspection and changed the statutory guidance on food hygiene that follows. We are now the competent authority for recycled plastics in GB, which is helping companies to use food-grade recycled plastic in exports to the EU. We have supported all the trade audits that we said we would, and published the first wave of guidance from our sandbox.

On next steps, this year our absolute top priority has to be to support the Sanitary and Phytosanitary (SPS) agreement. We lead on food safety in government—there is no team in our department doing the policy somewhere; our people are sitting in the negotiating teams advising Ministers—and then there is a huge piece of work to do with businesses on implementation. I am doing that with no extra funding, so there is a lot to absorb there.

We do have more pro-growth things that we want to do this year. In particular, I mentioned that budget request on national level regulation for the biggest businesses. It has been really helpful that the Government have, again, been prepared to fund us to do that, because all the funding I can muster has to go towards doing this SPS agreement well. That builds on a pilot that we did a couple of years ago with five of the biggest supermarkets. At the moment, basically, every store of a large supermarket chain is treated as if it is a separate business; it is inspected by the local authority in that area. We said, “Hang on a minute. All these chains have massive internal systems with lots of data reflecting what is going on in their stores. Could we look at them at a business level and make an assessment of whether their internal control systems and their data are good enough, with some checks on the ground, so that would save all the individual inspections, take more account of what they are doing as a business and enable us to spot trends and have a more holistic view?” Looking at a business level, that is a much more strategic way of engaging as a regulator.

We did that pilot and it was successful. We found ourselves spotting trends in the supermarkets data that they had not noticed, and it told us pretty much what the inspections told us was happening on the ground, because we ran the two in parallel. The Government have now asked us to develop that further.

We think it is really important that, as we do so, we do not just look at the big businesses but improve the system for the smaller ones. The vast majority of those 600,000 businesses are SMEs, and they really benefit from local authority food hygiene inspections, with environmental health officers going in, because that is a real source of expertise. They are not just there with a sort of tick box; they are teaching as they do it, talking to the business owner and giving them advice. So we want to keep making sure that that system works well, and there are things we can do to improve that. So that is the big stuff on our radar this year.

In terms of barriers, that local authority delivery system is a big one. There are 2,000 people in environmental health and trading standards teams doing it across the country. We all talk about creating a culture of innovation in our organisations; it is easy in the Food Standards Agency, but I have to get 2,000 people in 300-odd different organisations on board with that culture as well. Certainly, when we did this national level regulation trial, we got quite a lot of scepticism; I had a lot of environmental health professionals writing to our board, and we take questions before every board meeting, with concerns about that. So there is a journey to take people with us and to take all the Governments with us.

The other barrier is a financial and a bandwidth one. As I said, we need to put all the resource and effort we can into getting the SPS agreement right, and that will necessarily limit some of the other things we can do. Our sandbox funding runs out in a year, and our innovation research programme, which is looking at another type of engineering biology funding, runs out at the end of this financial year. So, unfortunately, there are some things we will not be able to continue unless we can find a way to fund them.

Q100       Lord Best: We have talked about the action plan and all the good things that you are doing. Part of it is the Government’s commitment to cut administrative costs for business by 25% during the lifetime of this Parliament. This is not only about compliance with the regulator’s requirements; it is also about the on-costs of, for example, delay. I have to say that we have heard criticisms of the Food Standards Agency in terms of the time taken to issue approvals for new products, which is a cost. Time is money. We heard how you can take 30 months compared with, I think, about a year in Singapore and indeed Australia, down under. Is this a real issue? Are we in trouble here?

Katie Pettifer: In terms of reducing regulatory burdens, there is a really important distinction, as you say, between the costs of complying with the regulationkeeping your fridge at the right temperature—and the costs of filling out the form to show someone you have kept your fridge at the right temperature, effectively, and it is the latter we are after. There is a lot that we can do to speed up that market authorisation process. We have already done one wave of reforms; I mentioned removing the renewal requirement. We also took out the requirement in law to do an individual statutory instrument for every single product, which was adding three months to the end of the process. We estimate that those changes we have just made will save around £0.25 million for the businesses that have applications in the system.

We would definitely like to look at whether we can speed that up further. We had another set of reforms ready for discussion on our board, and we had a board paper in June on them. Then the Sanitary and Phytosanitary (SPS) agreement was announced. If we realign with the EU, unless exceptions are agreed in these areas, we will no longer be making these decisions; it will be the EU doing the authorisation again. So, at this point, we have paused the reform to see what happens, because it is not a good use of taxpayers’ money, businesses’ time or Parliament’s time if we bring forward reforms that will immediately be superseded. However, if we were not in that world, I would be rushing.

The EU takes between four and a half and five years on the cell-cultivated products we are talking about. Our aim is to halve that. I heard Hoxton Farms say that Singapore takes a year. We work really closely with the Singaporean regulator and have learned a lot from it. It starts the clock at a different point in the process. It looks at the dossier for around the same amount of time as we do, but it counts it differently, so that is probably not the right comparison.

Lord Best: Okay. So that was unfair of our witnesses, was it?

Katie Pettifer: They were otherwise very complimentary so I am not complaining.

Lord Best: Yes—in other ways. John, what about implementing the action plans hopes for cutting administrative costs by 25%?

John Edwards: I know that, in your question, you differentiated between the underlying compliance cost and the overlay of administrative costs. Those lines are a little more blurred in our work. I do not see much extra administrative cost. I do not know whether the committee has heard evidence that our approach imposes such costs but, as I say, there is a bit of an overlap—or a blurring of the lines—between those two things.

For example, organisations have a transparency obligation: they need to explain to people what they are doing, and that needs to be available to us if we want to see it. That is both an administrative cost and a compliance cost. We try to reduce that through, for example, the privacy statement generator that I described earlier. We launched that in 2024; uptake has been slow but, in 2025, it was still used 12,000 times. If those 12,000 times have spared a small business the burden of finding out how to do it themselves and compiling it themselvesor spared it the cost of going to a legal adviser or someone else to get assurance that they are compliant—they have taken a lot of cost out of the economy.

We have also focused on making sure that our guidance is clear. For example, there are a number of amendments to the law brought in by the Data (Use and Access) Act. We will take the opportunity that this presents to update all of our guidance in order to ensure that businesses have easily accessible information on what their obligations are, at a very low cost.

Lord Best: Obviously, you trawl through all the regulatory rules you face to see whether you can declutter and get rid of some but, earlier on, you, Katie, talked about the need for legislation sometimes. One is in a long queue for that. How difficult is slimming and reducing unnecessary bureaucracy because of the legislative requirements that would go first?

Katie Pettifer: The things that we identify could be done tend to be small individual ones rather than a big overhaul. We keep a list but, generally, overhauling the regulation on food standards has not been a huge priority area for the Government.

Until we left the EU, this legislation was done by the EU, not by us, so we could not change a lot of it. If we realign, there will be a lot of things that we cannot change again, and there may be some that we have to live with as the price for the greater benefits that might come with an SPS agreement.

Lord Best: Right—there could be some delays in the time ahead. John, is the need for legislation to help get rid of things that are now past their sell-by date an issue for you?

John Edwards: It is not especially; I cannot call anything to mind. As I mentioned earlier, we made a couple of commitments to Government in response to the Christmas Eve letter that would require legislation. But we have just come through a fairly extended and extensive process of law reform, so any low-hanging fruit, in terms of legislative amendments, have been picked. Both the previous and this Government took the opportunity to identify what they thought were burdensome but non-productive elements of the regulation and to remove them, so I do not see that as an inhibition. I do not really have a shopping list of law reforms that would significantly change our ability to meet our growth commitments.

The Chair: We move on to regulatory approvals, and Lord Udny-Lister has a question.

Q101       Lord Udny-Lister: I want to stick with the cost issue. Both on this report and previous reports that the committee has been involved in, and interviews that we have had, companies and businesses have suggested that it would be better to pay more for faster regulatory approval and, in effect, to create fast lanes to get their paperwork through. Is this something that you do or is it something that you have considered?

Katie Pettifer: We do not charge for our market authorisations process at all. I do not think that we can. We have thought about it as part of thinking about our reforms. If we were to charge, given the nature of the process and the amount of time and expertise that it takes to assess these very detailed scientific dossiers, the charges would be quite high. Our concern would be that a paid-for fast lane would really advantage those companies that have deep pockets and could act as a real disincentive to the start-ups and innovators that are bringing in new technology. If we were going to do it, it would have to be very carefully thought about.

The other thing on my mind is that, when we announced our sandbox for cell-cultivated products, we got a lot of interest publicly, a lot of media interest and a lot of questions about whether we were letting companies mark their own homework, whether we were getting too close to the companies and whether we were fast tracking these dangerous technologies. I think there is a real perception risk as well: we were really careful to say that the sandbox is fast tracking our knowledge, not fast tracking the approvals. There is a risk that, if you have a paid-for fast track, you might put all sorts of safeguards around it to make sure that it operates very properly, but there is a public perception risk that it looks like regulatory capture or companies paying to skip bits of the process. That may be less of a risk in some areas of regulation, but in food, where public trust is so important, that is quite significant.

Lord Udny-Lister: John, does this apply to you at all?

John Edwards: No, I do not think it does, in the way that the question is put. The Information Commissioner’s Office (ICO) does not have a formal approvals process, so there is no business in the UK sitting around saying, “I wish the ICO would pull its finger out so that we could get on and deliver this innovation. Those businesses get to decide for themselves, based on their own risk appetites, whether their offering is ready to take to market. They sit with the risk that we might come around and enforce against them later, but that is why we offer our innovation advice service in our sandbox. I do not think that there is any scope for a fast track.

I toyed with this early in my term and I took some legal advice about whether we might offer a fee-based service, but the restriction there is that we would require a legislative ability to charge. In fact, the demand on the free services that we have indicates that there is probably not sufficient demand to go to that trouble.

Q102       Viscount Trenchard: Good morning. I would like to go further into the use of regulatory sandboxes, which we have already mentioned. First, Katie, what benefits has your sandbox provided for the Food Standards Agency? You have had one on the regulation of cell-cultivated meat, but I think it has been running for only just under a year. Do you have plans for others, or to use the learning gained from this experience elsewhere in your organisation? Do you think that the funding that is available for your sandbox is enough? 

Katie Pettifer: As you say, we are 10 months in on the sandbox for cell-cultivated products. Lab-grown meat is probably a short way of describing it. It is a genuinely groundbreaking technology. We have said that we hope the sandbox will enable us to develop knowledge and set out guidance. That means that, when we get applications from these companies, we will be able to process them faster. We have two applications in and validated already. We are expecting more, but at this stage we have not approved anything and ultimately the approval decisions will be for Ministers. 

The benefits I can talk about at the moment are more qualitative. There has been such a buzz around it. I think it is really sending a signal to the industry that the UK is serious about these technologies and that the UK is a good place to bring your business and invest in your business. Our business surveys are telling us that that businesses themselves are more confident about the process. The number saying they want to submit applications has nearly doubled. We are still talking about small numbers of businessesI think it has gone from seven to 13—but they know what data to include. We are told informallywe go out and talk a lot about it at conferences—that it is increasing investor confidence. We have been told by one investor that it is the primary driver behind their plan to invest in a UK-based cell-cultivated product company.

We have already had seven companies using our business support service, which is quite new. Internationally, we are now seen as one of a small group of regulators leading the way on this. In fact, Singapore, which has authorised several cell-cultivated products, has asked us to present a joint proposal for developing some international standards on these at Codex, which is the UN-based body that sets international standards on food. It has really punched above its weight.

I would also say that internally it has been wonderful in the Food Standards Agency (FSA) culturally. People who work on it are so excited about what they are doing. There is a real sense of groundbreaking work. We have extended that sense to a lot of other areas in our innovation hub. I think it has helped show everyone in the FSA about living our innovative principle and what it means.

You were asking about whether we were doing any more. We also have our innovation research programme, which is a separate but linked piece of work. It is not quite a sandbox because we are not working with specific companies. We are looking at precision fermentation as another technology which is increasingly being used in food.

Both of those are funded by the Department for Science, Innovation and Technology (DSIT). The sandbox is being funded until February next year and the innovation research programme is until the end of this financial year. There is a total of £3 million for both of them. It is enough to do what we are doing at the moment. It has enabled us to set up business support services in both and to produce new guidance, which is giving clarity for business. The problem is that the funding ends. For the innovation research programme that is a particular cliff-edge coming up at the end of March. I might scrabble together enough money to keep a couple of months going, but I cannot justify funding these things for ever, particularly when we are in this environment where we need to absorb a load of work on the Sanitary and Phytosanitary agreement. That is a concern for us, and we are having a lot of conversations with DSIT about what we do, because I really do not want to send a signal to the industry that we do not care about these areas, particularly at a time when we are in the middle of discussing whether to align with EU law. The answer for us is to work really closely with DSIT and see if we can find some solutions.

Viscount Trenchard: I can see how difficult it must be at the present time. Thank you very much.

John, the Information Commissioner’s Office (ICO) has had a pilot to test data innovation since 2020. How many companies are using your sandbox, and in which areas? Some companies have expressed concern about possible legal challenges. Do you think those concerns are justified? What has happened to your planned pilot on data innovations? Could you tell us how it is with your organisation on this?

John Edwards: Taking your first question, we have had 32 organisations, not all of them companies; I think the split is about nine public sector multi-agency applications and 23 private sector. It is averaging about five a year. They are in the health, finance, tech, transport and education sectors. We have had initiatives to identify problem gambling, the charity sector, and social media.

The variety of participants is really interesting. We have had a number of start-ups, for example. During 2025, we had start-ups like Kestrix, Tribela, IDUN, Animorph and Eclipse—the kinds of organisations that do not really have the resources to invest in the Magic Circle[2] level of advice. We also welcomed into the sandbox a Meta project, which was intended to identify how privacy-enhancing technologies might allow accurate measurement of the efficacy of online advertising in ways that maximised individual privacy protection. So there is quite a range.

To be completely open and frank with you, the volumes are not as I would have expected. We must take some responsibility for that. There is a chance that there is partially a marketing failure there. We have limited capacity, but I do not get a sense that the demand is outstretching that.

The sandbox does deliver tangible benefits to innovators and to the wider economy. On whether it is being used in numbers that in themselves have a material impact on our growth objectives, the presence of the sandbox still acts as a safety valve. For example, if organisations are going to Ministers, or to you, and saying, “This data protection law is inhibiting our ability to invest or develop new products”, the first challenge should be, “Well, have you actually asked the ICO? Have you looked at whether the sandbox might be a mechanism for delivering the kind of certainty that you’re seeking?”

We asked Government to address the issue that there could be inhibitions based on that concern about legality. If an organisation comes to the sandbox with an idea that depends on breaching data protection law, at our current settings, we are not able to accept that and say that we will join with you in figuring out how to do this. But what we took to Government, as I began to explain earlier, was a proposal modelled on approaches taken in Korea and Japan, I think, which allows a regulator to disapply, under certain conditions, aspects of the regulation in order to stress-test that business offering and identify and mitigate risks in a way which does not incur that potential liability. We are still exploring that with Government. We are undertaking a study, and we will hopefully be able to present the outcome of that later in the year. 

Viscount Trenchard: Thank you very much; that is very interesting.

The Chair: Thank you. Lord Teverson, you have a series of questions.

Q103       Lord Teverson: I am going to come back to the AI area a little. John, you have already talked a little bit about that in answer to Lord Thurso’s question, so I am going to start with Katie. Has AI impacted your business? Has it made you 25% more efficient already? How does it go?

Katie Pettifer: It would be a brave organisation that says no to the question of whether AI has impacted their business. It has, and it presents huge opportunities if we go about it in a thoughtful way. There are two real big areas in which we can use AI to do a better job for people and businesses. One is helping us do our job better as a regulator, and the other is enabling businesses to use it, and not getting in the way where we do not need to. I will take those in turn.

In terms of doing our job better, there is a set of things that we can use AI for, for efficiency. Like a lot of government organisations, we have been trialling Copilot. In six months, we saved some 3,000 hours of time on things like meeting notes and first drafts of stuff, so there are plenty of tools we can use to save time and public money. We want to go further. I am very keen to trial voice recognition—voice-to-text technology—in meat inspection. I have hundreds of staff based in abattoirs. Our vets and meat inspectors are in every abattoir in the country inspecting every animal, both before and after slaughter. That is not an environment conducive to having iPads to type stuff in, and it is messy for all sorts of reasons. That could save a lot of time in recording the inspection results, which currently a lot of them have to do manually. There are things like that.

We could do a lot more on triage of food incidents and routing to the correct teams and so on, but we always have to have a human in the loop. We are not looking at AI replacing any of our regulatory decision-making; it is more aiding it and helping us target it. That is the other big area for us as a regulator: targeting our activity. We have what we call a signals dashboard that is created by a combination of different AI tools that essentially scrape lots of information from websites around the world about what is going on on food safety, translate it, categorise it and produce something for us which enables us to say, “Oh goodness: there is a risk with enoki mushrooms that we need to think about for import. It is an early-warning system, and it helps us to target and to make some of our risk-based decisions. In those sorts of areas it is really useful.

As you say, we have to be careful when we get to things like generative AI and hallucination. We have a set of guardrails, and we always have a human in the loop. Everything is checked; it is not replacing our decisions. As I say, we use good data and we do not make wholesale use of commercial tools. We follow the Government’s AI strategy.

The other area is enabling those we regulate to use AI. The food industry is using it in so many different ways, and some of those get quite close to our areas of regulation. I will give you two examples. For abattoirs, we have just developed a protocol with the industry for the use of AI-based scanners to help them detect faecal matter contamination on carcases. It is a very detailed, technical thing. If you go to a meat-cutting plant or abattoir now, some of the biggest ones are using AI to position the cuts differently for every single animal as they go through. It is used a huge amount. We could go further and start using it in our inspection. New Zealand are trialling AI-based tools for meat inspection now. But the law says that every animal has to be inspected by a human, and if we start doing it unilaterally, they would not be able to export. So in that area, it is really important that we move with the international consensus.

The other one that springs to mind is assessment methodologies. We have been talking about applications on types of novel food. There are new assessment methodologies that use AI to assess things like toxicity of chemicals, which can replace animal testing, for example. We are expecting to get dossiers from companies that have used these, so we need to understand them. We are training all our people in them, and we are taking a very active role in the debate about how they are used in toxicology. Those are two really different AI examples. But yes, it is in every area of our business.

Lord Teverson: Do you manage to generate all that interest and activity from your existing colleagues and staff members? It is quite a big change, is it not? In order to get it right, you need some pretty precise technical knowledge so that you do not hallucinate, and to make sure that you are checking for the right things and the algorithms are not biased, for example. How do you get that expertise in an organisation like yours?

Katie Pettifer: We have some good people on it. We have done pilots over the course of the last few years in these areas, and our data and digital team were out doing pilots and seeing what worked quite early. I feel like we are in a good place on the curve, but like every part of Government, we are trying to upskill so that we can do more. It is also really important that we think about it not as a sort of tech thing over here, but as an absolute build into our business processes. I have an internal change programme going on, of which this is a strand, but we are also thinking about how we do our work differently. There is a risk that lots of organisations adopt the tools but do not then actually reap the benefits by changing the way they work; they are just an add-on.

Lord Teverson: Are you suggesting that your salary grades or levels do not inhibit what you are trying to here?

Katie Pettifer: We have some good people and we are trying to get more. We have the ability to do things with market-facing salaries, but we have the same issue as the rest of Government, in that ultimately, we pay an awful lot less than people could earn elsewhere. I like to think that in the Food Standards Agency we offer great benefit as well in the way we work, the culture and the feeling of purpose in the organisation. But it is hard to be competitive on money alone.

Lord Teverson: In the example you gave of supermarkets, looking at it at an organisational level, rather than just at site level, was AI used in that instance?

Katie Pettifer: We did not use it in the trial. We are thinking about it if we do this on a more permanent footing and a larger scale. We have something called an insight engine, which is an AI-based tool that can make sense of large amounts of data and tell you about trends, and which can categorise; we are currently using that to try to help. We collect data from all the local authorities, and we are trying to find ways of doing that that are less work-intensive for them. We would look at AI tools if we were to operationalise that.

Lord Teverson: That is really good, Katie; thank you.

John, you have already talked about this in answer to Lord Thurso’s question, but internally, have you used AI to increase your efficiency, from that point of view? Are there ways of doing that?

John Edwards: Yes. It is a very similar story to Katie’s, actually. Harking back to the risk appetite, we are fairly hungry to get the benefits of the technology here, but we have invested in Copilot licences as well. We have seen some of the same benefits that Katie describes. We think that there is potential. We are automating many of our processes—case creation, for example. We had about 60,000 inquiries last year, and we are not able to meet that demand. We think there is enormous potential to use AI to assist with that to provide customer-facing interfaces, so that people can access the range of guidance in ways that really suit them. We are working with—

Lord Teverson: Let us be clear on that. If someone is not certain about something in your area and they are trying to find out information, and you are trying to automate that, how does that work with the principles-based system? Does that not contradict that?

John Edwards: I do not think so. It may be that a chatbot returns an answer which is “It depends”, but there is enormous scope to make our guidance available and to use it to train a chatbot, for example. We need to have the kinds of mitigations I described to Lord Thurso to make sure we are capturing any errors or hallucinations in the customer-facing product. But there is enormous potential there that we have not yet fully tapped.

With Digital Regulation Cooperation Forum partners, we have received funding from Government to develop a digital library, and that will bring together those resources in a co-ordinated and coherent way that can be accessed by industry. We are very keen to make use of those. But we are also working with Government, and recognising the need that they have to gain these efficiencies. I am very interested in considering how we get the benefits of AI, and the administrative efficiencies, in ways that do not negatively impact on people’s rights, for example, in automated decision-making. It is really important that people have the right to have a human in the loop, and that rights to benefits are not simply decided based on an algorithm. We are working with Government on that. We are also working with industry, and we are looking, for example, at applying the automated decision-making framework to AI and recruitment. We have engaged with a number of sector participants that are offering these services, and we hope to release a report in spring of this year with our findings on how those technologies are being deployed.

Lord Teverson: One question on the £14 million fine: did you get to keep any of the money?

John Edwards: We do have a retentions capacity, which I think is capped at about £8 million a year. If a company wished to get the burden off its balance sheet in any one year, we would not get more than the total maximum cap. That applies across all our fines and is intended to cover the cost of enforcement. Some companies in the past have had multi-year repayment programmes; we can get that cap within each year.

Lord Teverson: I want to move on to whether you have key performance indicators (KPIs): presumably you have some sort. Obviously, you have an equivalent of profit and loss accounts. I would like to understand those, because I know from my own experience that KPIs can be quite dangerous on occasions: if you keep them too long, they distort the whole way you manage a business. I do not think that we want to read the document, but Katie has got it there.

Katie Pettifer: I have it here. We are a very transparent organisation, so we have a set of detailed KPIs that I use to manage performance in the organisation, and that our board’s business committee uses to scrutinise as well. We publish those quarterly, and they cover all areas of our regulation. We look at whether we approve new meat businesses in the timescale that we are meant to, for example, or the number of food incidents that we deal with of differing levels of severity. We also look at what our National Food Crime Unit is doing in response to food crime. We look at local authority performances at delivering all their inspections. They cover the whole gamut and are generally output-based measures, rather than outcome-based, because that is what I need day to day to manage and spot problems in the organisation. We also have a set of strategic indicators that we talk about with the board every year, and this allows us to know how things are going in the food system, and whether we are having an impact. This means we can look at foodborne disease, for example.

It is very hard to trace a direct correlation between that and our performance, but they give you a sense of whether things are going right or wrong. I mentioned earlier the types of scores that we get on consumer trust and business engagement, and we do a lot of feedback as well. Together that gives us a broad picture of performance. I do not think our KPIs are perfect. I would definitely be updating those on market authorisations if we were certain that we were going to keep doing that. I think, however, that they give us a good picture, and they are out there publicly. When the Government came to us and asked us to publish KPIs, we were able to give them.

Lord Teverson: Do Ministers dictate any of these KPIs, or do you sell them as being sufficient to the department?

Katie Pettifer: We are sponsored by the Department of Health and Social care, but it is a relatively arm’s-length sponsorship arrangement. Our board sets the direction for the Food Standards Agency, and it has agreed the KPIs. The Government are now having performance meetings with the regulators on their KPIs. We have had one with the Health Minister. It was very productive, as well as being a great opportunity to talk about some of the reforms. I think it fair to say—and this is great—that we got more interest from Government as part of this agenda than we had in previous years. While I completely agree that we are a public health body, one of the challenges of being with the Department of Health and Social Care is that it has a lot of very difficult stuff to deal with, and food safety is a very small part of that.

Lord Teverson: Until it goes wrong.

Katie Pettifer: Yes. Until it goes wrong, we do not tend to be very high on the ministerial radar.

Lord Teverson: You mentioned strategic KPIs. Throughout the whole meeting, you have been talking about food health in the sense of stopping short-term outbreaks and problems. Is not one of the biggest threats the damage we are doing to human beings over decades, as opposed to them eating something that is poisonous in the short term? Do you have KPIs in that area? I am talking about things like ultra-processed foods.

Katie Pettifer: In our strategy, we have three objectives: food must be safe, it must be what it says it is, and it must be healthier and more sustainable. The first two are areas where we directly regulate to try to achieve those; the third is an area where we are much more in support of others. In England, the nutritional quality of food is the responsibility of the Department of Health and Social Care. It used to be the Food Standards Agency, and about 10 years ago it was taken back in. We have said very explicitly that we want to help and see what we can do as a regulator to support healthy food. We have done a pilot with Department for Education on enforcing the school food standards. The Department of Health and Social Care has just asked us if we can help work up its new proposals for mandatory reporting by supermarkets.

We look at some of these areas as part of our strategic KPIs, but they are less directly within our regulatory responsibility. The only thing I would say—on long-term consequences versus the short term—is that some of the assessments we are making on approvals for food and all the individual additives in food go through this assessment process. We are looking at their long-term impact on health in terms of whether, for example, they cause cancer. Individually, however, what we are not doing is taking a look at people’s diet overall. That issue is with the Department of Health and Social Care.

Lord Teverson: John, do you have KPIs?

John Edwards: We do. Like those of the Food Standards Agency, ours are internally generated. I share your reservation about the incentive effects of KPIs, particularly those left over time. Similar to the Food Standards Agency’s, they are generally output-related rather than outcome-related. They are not measures of impact, but they are service commitments. One example is that we refer or close 80% of personal data-breach reports within 30 days.

Lord Teverson: Can you repeat that?

John Edwards: We receive data breach reports, as there is an obligation that industry has to report when something goes wrong. We have to do something with those, and we undertake to process 80% of them within 30 days. We are currently running at about 85%.

Lord Teverson: Do you mean starting the process and getting involved, so to speak? You are not necessarily completing it, because presumably it will vary hugely.

John Edwards: No, we complete it, but within our own system. By that we mean that we have assessed it, sought further information and decided whether we are taking further action, referring it for investigation or that there is no further action. We try to deal with 80% of those within 30 days; we are currently at 85%. We aim to resolve 80% of written enquiries within seven days; we are currently at 87.5%. I am only telling you the good ones, though. We are falling behind in some of our service commitments because of the unprecedented demand, which we are trying to understand. We have not been able to keep up with some of our customer inquiries, for example. They were running at about 60,000 last year, whereas there were about 40,000 the year before.

Lord Teverson: I am trying to work out how many that is per day. It sounds very substantial. What happens to the ones you do not manage to deal with?

John Edwards: It is not that we do not deal with them. It is that we do not deal with them in as timely a way as we would have liked.

Q104       Baroness Valentine: I am mulling on this exchange we have just had and the penalty for failing to meet key performance indicators (KPIs), because we quite often see that regulators fail to meet their KPIs and then nothing happens. Katie, I am just looking at your KPIs. You have local authority delivery on the one side and the Sanitary and Phytosanitary agreement on the other. Nothing is going to speed up. That does not smell to me like speeding anything up. But then, I cannot see what penalty there is going to be; everybody understands why.

Anyway, I am just looking at your new local authority delivery; I think I have the right bit of website, on new registrations. It says that a high number of unrated new food businesses presented a challenge, with some delays in initial inspections. That is direct economic growth constraint, failing to do that. We have touched on the other stuff. If you want to answer on that as part of what I am supposed to be asking you, please feel free to. But I cannot see how you speed up in that environment, and I cannot see who is going to make any of that different. Any observation on that is interesting because time is money, as Lord Best said.

My real question is supposed to be: what are you doing to work with other regulators in the UK—you have touched on some of that, obviously—to reduce the overall burden on companies or learn from good practice, and can Government do more to support this through, for example, the Regulatory Innovation Office? Again, my worry is that the Regulatory Innovation Office is doing the fun stuff, but is the boring stuff—like just speeding up—actually working through the system? Katie, do you want to answer first?

Katie Pettifer: Certainly, and I can pick up the local authority point because it is about working with other regulators there. That is the bit of my dashboard that is literally flashing red, as you can see. I am really pleased you raised it, because it is a matter of high concern to us—to the board—and every time I am in Parliament I am talking about it. It is a resourcing issue. The number of environmental health officers working on food has gone down by 15% in the last 15 years. The number of trading standards officers has nearly halved. Local authorities do not have the resources to go and inspect every business with the frequency that they used to. The system was designed for the high street of the 1990s, so that may not be the best way to do it in the future.

We can do things, first of all, to make the current system work as well as it can. I talked about our “regulation for growth” action plan. Two of the big-ticket items on that were about making local authority inspection more proportionate and more targeted at the riskiest businesses, making sure that they can make the best use of the resources they have, rather than having to go somewhere because the schedule says it. We are also doing what we can through performance management. We look at what every local authority is doing and when there are real dips—when they are really concerned that they cannot deliver the bare bones of the service—we are intervening. I am writing to the chief exec of the local authority and saying, “You are failing in your public protection duties”. That often helps the food team get more resources individually.

We are probably putting a lot more effort into that than some other areas of local authority delivery are receiving. That is helpful, but we also have work under way to support new people coming into these professions—apprenticeships and so on. Then the final area is this work I have just talked about that the budget announcement will enable us to do, which is looking at different ways of regulating. Are there more efficient ways in which we can provide the same level of protection through use of data—through looking at the big businesses? It is reforming the whole system. But you are right; it will keep creaking and gradually there will be less and less investment in that kind of expertise and help for businesses, and we are concerned that eventually that is going to lead to a deterioration in standards.

That is a dire example, but we have a set of stuff we can do with it. What I cannot do is magic up more money for local authorities. That is a wider problem.

There is collaboration more generally in all areas of our work. On managing incidents, we do a lot of joint work with the UK Health Security Agency or the Animal and Plant Health Agency, depending on what it is. We try to minimise duplication for businesses where they might have to deal with multiple regulators. For example, when my staff are in abattoirs, they do animal welfare checks on behalf of Defra, so that there does not need to be a separate set of staff in the abattoir doing it. We have a service level agreement. It works well. Across the food system, there are lots of places where we can do that kind of thing.

On the innovation side, there is a lot we can do, learning from other regulators. We have all talked about Singapore, but there are Food Standards Australian New Zealand (FSANZ)—and Israel. We have an advisory network of regulators—those who have done it—who have really helped input to our sandbox there. There is a really good international network of regulators. All the heads of food agencies in about 20 of them get together every year. We are about to have a session on innovation next month online, so we try and do an awful lot of learning from other regulators. I hosted all of the North Sea countries recently on a port visit, so we could all talk about how we do our border controls together and things like that. That is really important.

John Edwards: I have already mentioned the Digital Regulation Cooperation Forum (DRCF), which is a key cross-regulatory organisation. It is quite innovative and it is being copied internationally. We also work, of course, with the UKRN, the UK Regulators Network, and we are in regular contact with the Regulatory Innovation Office.

I have mentioned some of the work that we have done with the DRCF. We have the prototype one-stop shop, which will be the digital library, but it is also a forum which facilitates bilateral co-operation. We are working with the Financial Conduct Authority, for example, on open finance to ensure that secure data sharing can exist beyond banking, to boost competition and fuel innovation. We work with the Competition and Markets Authority, for example, in areas like AI to look at whether open models are better for consumers than closed models and how the data protection issues can be reconciled with the competition imperatives. There is a real overlap with Ofcom, for example, on online safety, particularly for children. We hear a lot about Ofcom regulating the content—the thing which is delivered to a child’s device—whereas we are interested in the underlying data processing which delivers that. There is a big overlap, and it is very important that we are closely co-ordinated. It is also important to co-ordinate on issues such as age verification. You will know that that was an important part of implementing the Online Safety Act, which Ofcom was charged with. But having an age-verification regime also has quite clear and significant data protection implications. Again, we work through the DRCF to produce joint statements, just to ensure that industry is not seeing any light between the two regulatory regimes.

Q105       The Chair: If we could move on to the final question, it will take us back to regulators in other countries. There are four parts to the question, but I will start with the first two. What are you doing to work with similar regulators in other countries—I know you anticipated that a bit earlier, Katie—and how important is international co-operation to growth in effective regulation in your own sectors or spheres of influence? John, do you want to open on that one?

John Edwards: In my field—as with Katie’s, I am sure—the world is so interconnected. Most of the largest companies in the world are data companies and are operating across jurisdictions. Data is moving around the world, so it is really important that we co-ordinate with colleagues. We do that in a number of fora, such as the Global Privacy Assembly, which brings together all data protection and privacy regulators in the world that meet the criteria. There is a collective of G7 data protection authorities, and we produce policy statements which ensure that not only do we have that horizontal connection domestically with regulators, but we are able to project to international firms a co-ordinated and connected approach.

At the more operational level, there is a collective called the International Working Group on Data Protection in Technology that produces multilateral position papers on emerging areas. It is really important, and industry appreciates that.

There is a great variety. Privacy-enhancing technologies, for examplehow do companies get the value of their data in ways that are privacy-protecting? We have common approaches to technologies such as homomorphic encryption—differential privacy and things like that. So there is an enormous number, and at the enforcement level we are increasingly trying to co-ordinate. When the issue with Grok emerged in the last couple of weeks, I asked my office to connect with other regulators internationally, because it is not an issue that is going to be resolved within one jurisdiction. We had a joint investigation with my Canadian counterpart into a breach at a genetic ancestry company called 23andMe, and that was a very successful collaboration. The connection internationally happens at all levels of our operations, from policy to enforcement to guidance.

Katie Pettifer: Likewise. I have spoken about this a little bit already, but you will have heard me say quite a few times during this session that companies, particularly in the food sector, want to export. What is happening internationally, and international norms are very directly relevant. In the meat sector, where we regulate directly, almost every abattoir is sending at least some animal parts for export, because there is not a market for all parts of the animal in the UK. We have to move in step with international regulators.

We are quite heavily engaged in several ways. I have mentioned learning from others, particularly those who are further ahead of us on some of the innovative technologies, which is incredibly useful. We have a real connection with those who are close trading partners. I have mentioned our North Sea subgroup. When we are doing things like tackling fraud in the food system, we are tackling serious and organised crime that is happening on an international level. Our National Food Crime Unit did an operation on European distribution fraud, which I think was with Portugal and Poland; the victim was in Denmark. We have to be able to operate on a real multilateral basis in lots of different areas of our regulation.

We have been very successful at influencing the international consensus on standards in food. I mentioned the body called Codex Alimentarius, which sets these standards. Until last year, and for several years before that, one of our directors was chair of it. We were very active in the working committees. We are going to have to up our influence in the game once again in the event of a Sanitary and Phytosanitary agreement, because we will then be providing, hopefully, our own evidence to the EU to support some of the decisions it is making. One of the things we would definitely want to see from that agreement is access to European bodies, systems and databases, so that we can feed in information as well as getting it. It is an international job.

The Chair: Taking that international co-operation down to what you do in the UK, to what extent can you recognise regulatory approvals in other countries to support a speedier processing of applications in the UK? Can you leverage what you know from one country to the speed with which you can do it in the UK?

Katie Pettifer: This is something we have looked at a lot, and our board has been particularly keen that we explore it. The law says that we have to make our own decisions, so the answer is: not to a great extent at the moment. What we have done is use the risk assessments done by the EU when they are published. Again, we cannot get the confidential information, but where we have products, and where people have applied to us and to the EU and the EU is further ahead, we have taken their risk assessment and used it to inform ours. That has taken the timescale down from months, or a year or more, to a matter of weeks. We still have to do a peer review, in effect, so that we can say that we have made our own decision. But that has been really helpful and we have done that for quite a lot of products—I think it is in double figures.

The Chair: Taking that a bit further, you could have regulatory convergence or divergence with other countries. You could get some sense of how that impacts your ability to help regulatory approvals and UK growth. If you have more alignment between countries, does that mean—between UK regulation and their country—you can speed up approvals? Are you heading that way?

Katie Pettifer: In terms of approvals, the critical thing is that if we align with the EU on all areas of food law, we will not be doing approvals any more. Every individual product approval from the EU will apply here. That is quite a fundamental change to our system. There will also be other real, specific benefits to businesses: they will save hundreds of pounds, for each consignment that goes across the border, if we do not have to have the full gamut of border checks. In the approval space specifically, that would be the implication.

The Chair: You quoted Europe, but what about the US and the UK? Are there particular issues there, or are they covered by the general comments you have made?

Katie Pettifer: The US has a very different system for food approvals, and one that it is reviewing at the moment. They have what is called the Generally Recognised as Safe system, where companies can put a lot more on the market without approval, and which they are now re-examining. Most of the regulators that we deal with and learn from tend to be in the Commonwealth countries, and in the EU, where the system is much more similar to ours.

The Chair: John, on the same point, to what extent can you leverage what other regulators do in dealing with the problems that you are faced with? On the convergence and divergence issue, how does that make you a more or less efficient regulator in the UK?

John Edwards: To set aside the approvals issue, I will just clarify that we do not have an approvals regime. There are other bodies that we engage with and try to align with. For example, we used to be part of the European Data Protection Board: we are no longer, but we do pay attention to what that body does. It comprises all 27 EU members’ data protection authorities that have come together. There is a regime called adequacy, which is the recognition by the European Commission of non-European countries’ regulatory standards as meeting a European standard.

I have convened an adequate countries group that brings together the 15 jurisdictions that have achieved the recognition of adequacy status. This means that we can have a common approach, and that we can work with the European Data Protection Board to make sure that we are all at least considering the same information, and have access to the thinking and resources that we need to consider how to approach novel issues. That is quite important. We engage with a number of other international fora: I mentioned the working party on data protection in technology and the G7. All these give us the ability to take regulatory cost out for businesses by providing—as much as domestic jurisdictions permit—a unified approach to a high level of data protection.

Lord Teverson: Is it not more than that, though? The European Union, and particularly the European Parliament, is especially jealous around data protection. Some time ago it actually stopped data going into the United States on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system. Is it not far more strategic than that? We have to meet the regulatory requirements of the EU for commercial companies to actually swap data, and on where data can actually be stored in terms of data centres. It is that critical, is it not?

John Edwards: It is. Personal data transfers underpin about 40% of UK exports. It is absolutely critical to the economy that we have a system that guarantees protection of data, and we have a role in reducing its cost. I spoke to that briefly earlier. We have mutual recognition of the arrangements for protection of data in the US; we have that with the EU; we have it with our own adequacy regime, where the Government designate safe passage of data for designated countries.

The Chair: I am conscious that we have gone over time. Thank you very much indeed for attending and particularly for engaging fully with the questions; it is much appreciated. You are both very important regulators, and we will be reflecting closely on what you have said. Thank you very much; it is appreciated. I bring the session to a close.


[1] Bovine Spongiform Encephalopathy (or BSE) is commonly known as mad cow disease. An outbreak in the UK in the 1980s and 1990s led to human deaths as some people who ate infected beef contracted the human equivalent disease, variant Creutzfeldt–Jakob disease.

[2] Magic Circle is an informal term for the largest London-based legal firms.