HoC 85mm(Green).tif

 

Science, Innovation and Technology Committee 

Oral evidence: Data security across Government, HC 1537

Tuesday 10 February 2026

Ordered by the House of Commons to be published on 10 February 2026.

Watch the meeting

Members present: Dame Chi Onwurah (Chair); Kit Malthouse; Dr Lauren Sullivan; Adam Thompson; Freddie van Mierlo; Martin Wrigley; Daniel Zeichner.

Questions 1 to 103

Witnesses

I: Dan Jarvis MP, Minister for Security, Home Office; Ian Murray MP, Minister for Digital Government and Data, Department for Science, Innovation and Technology; Aimee Smith, Government Chief Data Officer, Department for Science, Innovation and Technology; Vincent Devine, Government Chief Security Officer, Cabinet Office.


Examination of witnesses

Witnesses: Dan Jarvis, Ian Murray, Aimee Smith and Vincent Devine.

Chair: Welcome to today’s session of the Science, Innovation and Technology Committee. We will be looking mainly at data security across Government, following a series of high-profile data breachesin particular the 2022 leak of data by a Ministry of Defence official of data on Afghans who worked with the UK, which raised serious concerns for this Committee about data security across the public sector.

We will also be following up on our correspondence with various parts of Government, the publication last August of the previously secret Information Security Review, and a hearing that we held with the Information Commissioner last October.

This morning, we are very pleased to be hearing how Government are responding, and we are joined by two Ministers representing four Government Departments: Dan Jarvis MP, from the Cabinet Office and the Home Office, and Ian Murray from DSIT and DCMS, as well as two officials leading work on this critical subject. In the intervening time a number of other issues have arisen, which we will also be looking to discuss; in fact we are going to start off with one of those concerning phone theft. I am going to ask Kit to kick us off.

Q1                Kit Malthouse: For the purpose of the wider meeting, I draw attention to my entry in the Register of Members’ Financial Interests.

Minister Jarvis, perhaps you could clear up something that has mystified the Committee. In your role, you are in the thick of the discussions with the mobile phone companies around encryption, and obviously you put in enormous effort on behalf of the crime-fighting community in that regard. Why, then, is the Home Office so reluctant to similarly go into bat on phone theft, and in particular the barring of phones, or requiring Apple and others to bar phones from reconnecting once they are reported stolen?

Dan Jarvis: I should probably say, Chair, that I am here in my capacity as a Cabinet Office Minister, but I am mindful of your point about four Departments being represented.

Q2                Kit Malthouse: But you are also the Minister for Serious and Organised Crime, am I correct?

Dan Jarvis: I am, yes.

Q3                Kit Malthouse: We now understand that this is a serious and organised crime issue, in that there are large criminal organisations having these phones stolen, put into large batches and sent across the world, mainly to China and to Algeria, which we know from the connection records. We had the mobile phone companies before the Committee and said to them, “There is a very simple solution here, which is you make the phones worthless by not allowing them to reconnect to the cloud in other parts of the world.” They could do that with the flick of a switch, and they said they would not. Why would the Government not force them to do so?

Dan Jarvis: The Government need to be taking every possible measure to design out crime. We are doing a huge amount of work on the issue of serious and organised crime in more general terms. I am the Minister responsible for the National Crime Agency, and we are in the process of setting new strategic objectives for it.

You will be aware of the Government’s intentions around police reform, which provides a very valuable opportunity to restructure our police forces in order to deliver the maximum effect and the best operational capability. There are ongoing relationships across Government with tech companies and, where there are technical solutions that would be advantageous in terms of reducing criminality, the Government would, of course, want to proceed along those lines.

With my serious and organised crime hat on, it is not something that I have personally been involved with, in truth, because it sits within another Government Department. But I can give you an assurance that across different Government Departments, I am sure in terms of DSIT and certainly from the Cabinet Office and the Home Office, we want to work as closely as we possibly can with the tech companies to achieve the most successful outcome.

Q4                Kit Malthouse: Can we at least extract an undertaking from you today? Because one phone is being stolen every eight minutes in London—55 million quids worth just disappearing—with balaclava-clad gangs on bikes roaming the streets looking for opportunity and creating a sense of mayhem and disorder. The Metropolitan Police came to us basically pleading for our help on this issue.

We got the mobile phone companies, certainly Apple and Samsung—the operating system companies—in front of us, reluctantly. They offered huge word salads around everything they are trying to do and all the rest of it but declined our suggestions. Yet there is this simple fix. If the Met were to come and see you and say, “Minister, please can we have this?” Given that it is a serious and organised crime issue as much as anything, are you willing to say yes?

Dan Jarvis: There is a division of labour within the Home Office between myself, as the Minister responsible for the National Crime Agency, and Minister Jones who, as you will know, is the policing Minister. She has primarily been the lead for this particular issue, but I am very happy to take it away and discuss it with her. You make some entirely reasonable points but it is her lead, not mine, so I would want to consult with her; but I would be very happy to come back and provide a fuller response.

Q5                Chair: Officials were informed that we would be raising this today. Did they not communicate that to you?

Dan Jarvis: I was not aware that you were going to raise it today, but it is an entirely reasonable point that you are seeking to make. Given the importance of it, I would want to give you a more considered response, and given that the policy lead is Minister Jones in the Home Office, not myself, it is not unreasonable to reflect back.

Chair: We have been in correspondence for about nine months now.

Q6                Kit Malthouse: We have obviously been in correspondence with the Home Office about this issue and it has said no. We wanted an explanation today, which is why we briefed your officials that we would be asking these questions. This is why I said we are mystified. We just do not understand why you would not just say, “Making these things worthless in the hands of a thief is an easy switch to flick, we are going to do it, in the same way you are putting your efforts into dealing with the problems that encryption presents with serious and organised crime. As I say, that seems laudable. We understand the conflicts there, but we just cannot see this.

Dan Jarvis: You have made an entirely reasonable and powerful case. I was not aware that you were going to raise it with me today. I would want to consider it back in the Department with my colleague, the policing Minister. But I am very happy to give a commitment that we will come back to you in writing as quickly as we possibly can to respond to the points that you have made this morning.

Q7                Kit Malthouse: When you say consider it, what reason would there be for not doing it, do you think?

Dan Jarvis: As a former Minister yourself, Mr Malthouse, you will understand that given that I am not the policy lead for the matter that you are asking me about, it is not unreasonable for me to consult with the person who is, rather than give you a response on the hoof, which is not my way of doing business. You seem frustrated at my response.

Q8                Kit Malthouse: That is because we gave prior notice that we were going to ask this question. We expected the machine to allow you to come and say, “Yes, we will do it. We were hoping there would be a win for the consumer.

Dan Jarvis: I can only apologise because I was not given prior notice that you were going to get into this particular line of questioning. As I have said, you make a reasonable case, and I am making a commitment that I will look very closely at it with the policing Minister when I get back to the Home Office, and I will come back to you as soon as we are able.

Q9                Kit Malthouse: Okay, so could we ask, because we have been at this for some months now and the problem continues to accelerate, for a deadline to come back? Two weeks?

Dan Jarvis: A couple of weeks is not unreasonable. But again, I am making the point that I am not the policy lead for this particular issue. You have raised the case this morning, which is entirely within your right to do so. I would want to discuss it with the policing Minister and with colleagues back in the Home Office. Two weeks is not an unreasonable deadline. So let me give you a commitment that within two weeks, you will get a substantial policy response from the appropriate Minister in the Home Office.

Kit Malthouse: Thank you.

Q10            Chair: We appreciate that commitment. Just to underline the frustration of the Committee, we have had correspondence with two Home Secretaries on this issue. We have had a commitment to a mobile phone summit that would address this, organised by the Home Office.

Our most recent correspondence from the Home Secretary indicated that that summit is not going to take place and instead put it back to having discussions with the Metropolitan Police. Technology is something that is so powerful, and this is a way in which we can use it to immediately benefit consumers with regard to one of the most expensive things that they purchase. We are at a loss to understand why there is so little clarity on what the barriers are, and why there is a lack of action.

Dan Jarvis: Fair enough. I completely accept your point about the importance of technology. Let me raise it with the Home Secretary in terms of the correspondence that you have had with her previously, and with the policing Minister, and we will come back within your two-week deadline.

Q11            Chair: Okay. Thank you very much.

Let us now go to data security across Government and the Information Commissioner’s Office in particular, which, in response to the February 2022 Afghan data breach, decided not to open a formal investigation that it obviously has the powers to do. The reason it gave for not opening a formal investigation was that it wanted to work with the Ministry. Dan Jarvis, I will ask you, was the ICO right not to open a formal investigation?

Dan Jarvis: It is necessary for me to provide a bit of context and to make the point that the Defence Committee is looking very carefully at these matters. I know that you will have noted the statement from the Defence Secretary in July of last year.

Chair: Just to be clear, I wrote to the Cabinet Office in response to that statement so we have some familiarity with the context, but I am happy for you to summarise it again.

Dan Jarvis: It is also worth making the point that the McIvor Review of Data Protection Compliance within the MOD was commissioned by the Department’s executive committee in September 2023, in response to the incident to which you refer and to other previous incidents as well.

This was conducted by Neil McIvor, who was then the Chief Data Officer at the Department for Education, as I am sure you are aware. That made a number of recommendations, which the MOD has since worked to implement. Luke Pollard, our ministerial colleague in the MOD, wrote to the Defence Committee setting out the details of this review. Our collective Departments would, of course, be expected to support that process, and we will continue to assist that Committee with its inquiries in relation to this particular incident.

Vincent Devine: I am the Government Chief Security Officer, based in the Cabinet Office. You discussed with the commissioner himself at length the pros and cons of his approach to partnership with Departments, and the particular reasons why he felt it would not be particularly useful to open a new investigation or indeed issue a new fine in response to the 2022 breach. He drew your attention to the investigation that his team led in 2021, following a series of broadly similar—but not the samebreaches involving inter alia blind copy addresses being used wrongly. He also explained that in that case he had issued a fine.

His approach to the ARAP incident reflected both the investigation his team had carried out in 2021, and the new partnership approach he was developing with the Government. From the Government’s and my team’s perspective, moving to a relationship of partnership rather than opposition with the ICO is obviously a good thing, but the short answer to your question is that that is really a question for the ICO.

There is a wide range of experience in the ICO that we can draw on if we move to a truly partnership approach and draw on them earlier in the process, rather than following an incident. If we move to a more trusting relationship it will benefit the ICO too; we will share information much more openly not just notifiable incidents, but also near misses, for example.

The Committee may have seen the MOU that we have now signed with the ICO, which commits the Government to a really quite radically new approach to the relationship with the ICO. So I would see the commissioner’s decision on that particular incident, which he spoke about at length, as I say—I know the Committee has strong views on it—in that wider context of previous investigations into MOD in the same area for broadly similar reasons, and the wider context of partnership.

That is not a direct answer to your question as to whether it was the right decision, and you probably understand where I come from on that, but it is really a matter for the commissioner, in due course, in a couple of years, to see whether that was the right decision to take.

Q12            Chair: Just to recap, the breach revealed last July involved a spreadsheet with 18,000 lines of highly sensitive information: personal details about Afghans and others who worked for the Ministry of Defence and whose lives could be put in danger. There was then a series of other breaches, as you mentioned. The ICO decided that working with the Ministry of Defence, having already worked with the Ministry of Defence and having already delivered a report with a number of recommendations, was a better means of going forward than issuing a fine.

My question is this: is it your view that there is effective working between the ICO, the Ministry of Defence and across Government in order to improve information security?

Vincent Devine: First, there was clearly a very powerful response by the MOD to that particular breach, which was as effective as it could be in the circumstances. That was both the immediate response to protect the individuals to the extent that it could, and the wider review that the MOD executive committee commissioned from McIvor. We know, and the ICO knows, that those measures recommended by McIvor have been taken forward quite vigorously, so that general response to the MOD

Q13            Chair: So is your view generally that, yes, you are working well?

Vincent Devine: To your direct question

Q14            Chair: No, you did not, but are you working well together? Because you seem to be implying that we will not know that for another couple of years. But just to reassure us, you think that progress is being made in working with the ICO?

Vincent Devine: Undoubtedly.

Q15            Chair: Undoubtedly progress has been made. We will go into some more detail as to what that progress might be. But Minister Murray, you told this Committee in November that Government data is pretty secure. Is that still your view?

Ian Murray: Yes, very much so. Obviously, the incidents that you have opened up with are incredibly serious but, given that Government share and use data billions of times a week, Government data is, on the whole, very secure. Addressing your first question, in terms of that security our relationship with the ICO through the MOU is a real step forward for the whole of Government; this is not just an MOD issue now in terms of the way forward. These incidents, while incredibly serious, are, in the Government context of data, very rare. But they have set in motion a whole series of events, including the MOU, the reviews, and how we are now resolving those across Government.

We now have our new Chief Data Officer across the whole of Government. This is about governance, consistency, security, interoperability and tooling-up people to make sure that you can de-risk incidents that may happen. It would be wrong to suggest, from your question, that all data will be 100% secure for ever because human error is very difficult to take out of the system. But the whole point of the MOU with the ICO is to work in partnership to make sure we have the best possible systems to reduce the risk as much as possible.

Q16            Chair: The Information Security Review had 14 actions. Can you tell us how many of those have been completed?

Ian Murray: Thirteen and a half, I would say, if not all 14, on the basis that there are still some technical meetings to take place with regard to the governance structures. But in the sense of those recommendations, they have all been implemented, and actually, we have gone further in some areas in terms of cross-Government. Aimee, do you want to comment?

Aimee Smith: Since October last year we have accelerated a package of measures. So we have taken those 14 recommendations, and do not forget those recommendations were back in 2023.

Q17            Chair: They were all to be completed by January 2024.

Aimee Smith: Yes, so now they are all implemented and we have accelerated other packages of measures across Government to enable us to have a much tighter grip centrally about what progress we are making across all Departments in terms of protecting data and introducing security measures into all the Departments.

Q18            Chair: Ms Smith, your role as chief digital officer involvesif I have it rightyes, it says, “Working closely across Government to drive innovation and champion better access to data, supporting more informed decision-making and improved public services. It does not actually mention data security, data hygiene or data management, so is that part of your responsibility?

Aimee Smith: Yes. Just for the record, I am the Government’s Chief Data Officer as opposed to digital officer. But yes, it is an explicit accountability that I have in my role now, which is one of a package of measures that now has a single point of accountability for the co-ordination of data protection, compliance and risk. It will be my responsibility to make sure that Government Departments are aware of what they need to introduce in terms of the people, the process and the technologies that will, as far as we can, mitigate data protection loss.

Q19            Chair: Do you also believe that Government data is pretty secure?

Aimee Smith: Yes.

Q20            Kit Malthouse: Sorry, what is meant by pretty—“very, or moderately, on a scale of one to 10?

Ian Murray: It is not 100% because it would be incorrect and inaccurate to suggest that all Government data would be secure forevermore in every aspect.

Q21            Kit Malthouse: It is not 100%, so is it 90%, 80%, 70%? Where would you pitch it?

Ian Murray: I do not think it is about pitching because it is about making sure that you have the procedures in place, the accountability, the governance, the technological solutions that protect the data as much as possible across Government.

We are pretty secure, and that is why I used the word pretty last time. I would not want to put a percentage figure on it; it would be wrong to say 100% because you could never say with great certainty that you could secure every bit of data forevermore because human error comes into this. And in fact, the Afghan data breach and otherwise were human errors that we are trying to mitigate through technology, governance, structures and technology.

Q22            Chair: Yes, hang on, Kit; we will try to get more detail on what pretty means during the session. Because it is a really important point, I want to also follow up with Ms Smith: the Information Commissioner said that, “Cultural change is needed across the public sector to give data protection greater prominence. Do you agree with that? Is that your responsibility, and how are you hoping to achieve it?

Aimee Smith: Yes, it certainly is a critical factor, particularly in terms of reducing human error, which is the one thing that is the most difficult to mitigate against. I also think culture is about accountability and where we place accountability for data protection and where it is discussed. So it is my responsibility to make sure that those accounting officers in Government are aware of their responsibilities and that I report to them on how we are doing cross-Government and where Departments need support.

Q23            Chair: Is every Permanent Secretary raising this within their Department? How are you changing the culture?

Aimee Smith: There are a number of factors, so I will go from top down, if that is okay. Permanent Secretaries themselves will be part of the transformation board. This is already part of their accountability, and Cat Little has already written to them reminding them of that; that will be an agenda item that is discussed at transformation board, so they will be held to account there.

We have all Chief Data Officers across Government reporting to the Chief Data Officer Council, which I chair, holding them to account for the package of measures in their delivery. We will be jointly delivering those package measures and making sure that the right skills, people and the training are in place. As GDS we have already designed those principles and are rolling that out across Departments.

We are also responsible for the roles that we want to recruit to in Government, and making sure we recruit the right roles and skills. More broadly, the training and awareness campaigns that already exist across Government are being pushed out further into Departments, and in partnership with the ICO we have a new campaign to remind everybody in Government of what their responsibilities are.

Q24            Chair: What proportion of civil servants now understand the importance of data protection, and how will we be able to measure that this cultural change is complete?

Aimee Smith: The cultural assessment will be made partly on the baseline assessment done last year by the Cabinet Office. We have been asking Departments about where they see themselves, what measures they have introduced and what skills and roles they have, and we will now finally be able to use that as a baseline.

Q25            Chair: Is that public?

Aimee Smith: I do not know, I am just looking at my colleague.

Vincent Devine: I do not think it is.

Aimee Smith: This is the baseline assessment.

Vincent Devine: The baseline assessment. No, we have not made it public, but we could.

Q26            Chair: Is there a reason for that?

Vincent Devine: I would rather look forward, in response to that.

Q27            Chair: No, this is something I particularly want to get to, so can you let us know if that is not public? It is important to know where we are starting from for a particular question I want to ask with regard to that.

Dan Jarvis: Chair, with your permission I will just add a very quick point. You have heard about some of the cultural change and you have heard about some of the important processes. It is also important to make a point about leadership, that, as Ministers, we are accountable for the security of our information.

Chair: Yes; that is why you are here before us, and we appreciate that very much.

Dan Jarvis: We take that very seriously. So, that point having been made, Minister Murray and I are accountable to Parliament, to our colleagues in Government. Why are you smiling?

Chair: Yes. I am smiling because that is part of a committee, and that is part of Government.

Dan Jarvis: Yes, but it is important for us to evidence the seriousness with which we take these matters. These are not light matters, they are incredibly important, serious matters. We take them very seriously. It is right to say that the Afghan data incident was a big wake-up call and, as a consequence, we have seen quite significant cultural process change.

But as Ministers we think it is important to provide the leadership so that there is that understanding of the importance of it. These are not just processes; these are important things that we do across Government to make sure that we are best able to safeguard our information and data.

Q28            Chair: I appreciate that clarification, Minister, but how can you evidence the cultural change? This Committee has people, including myself, who have worked in and with IT and technology over many years. Cultural change, particularly with technology, is challenging, and I would like to see the evidence that cultural change is happening. While you are taking responsibility, you are not explaining to me how we can see that.

Dan Jarvis: We wrote to you in October and I am very happy to talk you through some things that we have been doing since, if that would be helpful.

Q29            Chair: We have heard about some things you are doing in terms of training being rolled out. But is there a way in which we can see that the cultural change has happened?

Dan Jarvis: Is it your point about the metric of success and how you judge that?

Chair: Yes

Ian Murray: It is about embedding it across Government, Chair; that is the key thing. The cultural change is a key part of that, of course, but there is technological change that sits alongside that, making sure that those safeguards are in place.

You change the culture by behaviour but also by practice and putting in the technological governance structures and authority structures in terms of making sure there are those reporting mechanisms, including with our ICO colleagues in partnership. You then change the culture on that side, but you also change the culture through practice and technological change that puts those barriers in place that people then come up against, and that then changes the way in which they do things.

Human error is the big part of this. Human error can happen by mistake, maliciousness or by a whole number of things, so putting those barriers in place changes the culture by practice and by people using them.

Q30            Chair: Thank you for that clarification. The reason I am so keen to get to some kind of measure here is that there are ways in which I see that that change has not happened.

For example, when Cat Little wrote to us in August, she said that, “A large number of Departments have adopted Microsoft 365 guidance for UK Government information protection labelling system. Doing what the manufacturer tells you that you should do to keep it safe is a very basic level of data hygiene, and only A large number of Departments had adopted that, not all Departments. Can you commit to all Departments adopting the basic data guidance from the manufacturer and software providers?

Aimee Smith: Yes, and we have already made quite significant progress towards that.

Q31            Chair: So do all Government Departments do that now?

Aimee Smith: Those that are on the Microsoft suite will have implemented the Microsoft guidance, are certainly aware and have either implemented it or they are getting direct support from DSIT and cyber-security teams to do that; 21 Departments have already accepted that guidance.

Q32            Chair: Okay, I find that such a very basic measure. I was on the Home Affairs Committee to look at the eVisa system, which has taken eight years to roll out and is still absolutely riddled with issues around data security, such as duplicate eVisas, or not having the right photographs or details on those eVisas. How does that reflect a change in data protection culture?

Vincent Devine: Sorry, I am just not familiar with that programme. I have not engaged with it, so I do not want to comment on that.

Ian Murray: I do not know the details, as Vincent says, of the actual eVisa system you are talking about, but maybe in general terms, from my perspective as DSIT in terms of looking after data. It actually seems to me that that is an operational rather than a data security issue, in terms of data leaks and what we are talking about on these issues, if I am understanding what you are suggesting.

Chair: No, so having the right person’s photograph on an eVisa is certainly an issue of data security as well as an operation issue, but a lot of data security issues are operational issues. EVisas are the biggest digital system delivery that I am aware of, certainly in the Home Office, so I am a bit surprised that you are not familiar with it. But maybe you could write to me with an assessment of where we are because I think it is important that we move on now.

Q33            Kit Malthouse: I think we are discovering what “pretty good” means, are we not? “Not great”.

Ian Murray: I do not think we should belittle the seriousness of the two incidents that we have had, and why we are here, in the sense that we are trying to put into context how serious these are but actually how rare they are in the context of the amount of data that Government hold and secure every single day. Billions of transactions, lots of data sharing between Departments and internally within Departments; huge amounts of personal data that moves around all the time.

Government are good at this stuff. It is secure. Not belittling the stuff that happened. It is slightly flippant to say that we are just trying to find out what pretty means, when in actual fact, we are putting it in the context of where Government sits on this, and the seriousness with which we are taking these issues in terms of implementing these recommendations.

Q34            Chair: It is incredibly important. Government have a dutybeyond the private sector’s, I would say—to keep its citizens’ data secure.

Kit Malthouse: Using that example, really, to find out if you are pretty good or just lucky.

Chair: Any data breach is a huge issue, particularly if we are rolling out digital ID, which is going to be the basis for Government services and delivery. Government have to get it right all the time.

Ian Murray: Exactly.

Chair: That is the standard that certainly I am looking to hold you to. I will be honest with you, Minister: I have not been reassured that that is the standard that you are holding yourself to, or that standard that you are delivering.

Dan Jarvis: Let us give that assurance then because that is obviously the standard that we are aspiring to achieve; that is where we want to get to. But the point that Minister Murray was making, entirely reasonably, is that there is human error, which accounts for some of these losses and incidents.

While you can put in all the processes that you like, and you can have the right culture and the right leadership, mistakes will be made. What we have to do is to minimise the risk of people making those mistakes, and where mistakes have been made, we have to ensure that we have the right procedures to sweep up after them. But please do not take away anything other than our absolute determination to achieve the best outcome; that is what we are all working to achieve.

Q35            Dr Sullivan: Just briefly on that point about people and culture and as we are the Science, Innovation and Technology Committee, what are the technological advances that you have now put in place? You mentioned earlier about the additional steps you have imposed. What are some of those things in order to protect human error, and are they technological?

Ian Murray: Let me give one example. If you are sending a piece of data, technology can automatically say to you if there are hidden files or hidden sheets, or if there is personal data that you might want to just check before you send it; it can give you that flag. At a very basic level that gives you a technological barrier but also a cultural change because you would then go back and reflect that there could be stuff in there that is hidden or that you are not aware of, so yes, there are technological solutions.

Q36            Dr Sullivan: Are they in place now?

Aimee Smith: Yes, we are already putting measures in place. As I said, there are dedicated teams focused on all Departments, targeting those who are struggling to implement those data loss prevention measures, helping and supporting them. So it is not just about saying “You already have this suite of capability available to you, particularly if you are on Microsoft, but actually teaching those Departments how to configure their systems to enable that to be automatic and, depending on the different nature of the data that those Departments hold, thinking about what that means. But that advice, support and technological configuration is already there.

As a Government, we have already published both the principles by which we want people to operate, and 90% of Departments are already operating and applying those principles. We have 71% of Chief Technology Officers saying they have data loss prevention as part of their suite, and we are helping them to configure it if they cannot. We are also now embedding the optimising Microsoft solutions into our cyber-security offer, so how we embed that data loss prevention and privacy enhancing technology is now starting to become business as usual.

Dan Jarvis: You are entirely right to ask about technical innovation; that is an important tool in our armoury in terms of trying to minimise and eliminate risks. But what we also have to do is focus human minds to try to get them to not make those mistakesnot least because there is a constant churn of the workforce.

It is like painting the Forth Road Bridge: you have to have that constant dialogue with staff. That is one of the reasons why we have partnered with the ICO to deliver an internal communications campaign, so that there is that kind of messaging constantly circulating around the system. Part of the messaging around that is to make the point that a simple admin error can have very significant impacts on individuals, for example a domestic abuse survivor or someone who is in witness protection.

The stakes and the consequences of making a mistake, as we have seen in recent times, can potentially be very high. We are seeking to focus people’s minds on the consequences of their actions to try to reinforce that culture of not making mistakes in the first place.

Q37            Chair: From the Cabinet Office position, can we be clear that these technological changes are implemented across Government, and the Cabinet Office takes responsibility for that? In our correspondence with the Cabinet Office we were told that each Government Department was responsible for its own standards.

Vincent Devine: It is the Cabinet Office and DSIT now, given we have put the digital centre of Government in DSIT. Each Department will have a different set of challenges and be managing a different set of data. So if you are sitting at HMRC or DWP, for example, you are managing quite a different set of problems. It is worth stressing

Q38            Chair: Are you setting standards across Government, or not?

Vincent Devine: We set minimum standards and we are available to assist Departments with their particular challenges. But if you are managing HMRC’s dataset, for example, you will have a set of protections around that that will be different from the set of protections around email traffic between policy-based Departments.

Where we have technical controls in placeparticularly any of these large operational delivery activities with a really wide set of really specific technical controls around the data on who can access the data, how many records they can access, the level of monitoring that is in place for unusual activity, the exfiltration limitationsthere will be a wide range of technical controls in addition to the general Microsoft 365 controls that we have around the majority of Government business. It is not just run-of-the-mill Microsoft 365, if I can use that phrase; this is a set of specific controls that we work with Microsoft on for the UK Government. It is quite an innovative bit of work of the last year and a half to use those.

Chair: Sorry, I want to move on now. Adam?

Q39            Adam Thompson: I would like to follow-up on some points we have been talking about on the Information Security Review and a couple of other things.

Minister Murray, the Government Digital Service has talked about plans to develop a mechanism enabling organisations to share files from source instead of relying on email attachment. Generally, globally, there is a move towards less email attachments, more on sharing from source. Can you update us on how that is progressing? Aimee, feel free to jump in if you need to.

Ian Murray: I will bring Aimee in, but just in general terms, Government share an awful lot of data every single day. I keep needing to emphasise that because there is an enormous amount of transactions, particularly with DWP and HMRC and particularly the big, personal data Departments, so we have to make sure we protect that properly.

As has been laid out by Minister Jarvis, it is our job to make sure that Government Departments do this consistently, but there is also training in terms of that cultural change, guidance and technological solutions that help us to do that. Reducing the reliance on email attachments is one way of trying to take some human error out of the system because you are able to build in those technological solutions at the point.

It is very difficult to build in a technological solution to an attachment to an email. Does it take away the risk 100%? Of course it does not and it would be unreasonable to suggest that that is the case, but there is now a suite of products in place to be able to do that, and it is Aimee’s and DSIT’s responsibility to make sure that is spread out across Government.

Q40            Adam Thompson: So basically, how is that going?

Aimee Smith: We are progressing towards it. At the moment we are focusing on making sure people know how to configure their systems to reduce human error of data loss prevention. The cultural change of the practice of not sharing email files is something we are still working on, but there is more than enough capability in the suites that existwhether Departments are on Google or in Microsoft—to enable them to share documents without ever having to release them, especially inside the Government estate, but also external to that.

We have standards about what you can and cannot email that are put out to Departments, and how they should be configuring their system. It is slightly more challenging in Departments to external recipients because they are on different legacy estates from each other, but in principle the mechanisms are there. We put out guidance towards the end of the year and are asking Departments to follow them.

The main thing to give you reassurance that there is going to be assurance is that we are building a team under me to be focused specifically on data protection and preventing data protection loss, which I do not think is a capability that Government have invested in centrally before. It is a real complement to what Vincent and his team are doing around information security more broadly but actually making sure that Chief Data Officers and their teams particularly are really making sure their Departments know how important this is. They already have their own capability to guide and advise; we are making sure we learn from mistakes and put preventative efforts in place to do that.

Q41            Adam Thompson: We are all pretty clear on the fact that the technology exists; it has existed for quite a number of years at this point. The culture problem that you have highlighted there is certainly not unique to Government, that is true across all Departments, but we go back to this point that Kit and others have been making today about everything being pretty good. We need to be the shining example of absolute best practice, do we not? So what are we doing to specifically address that culture issue that you highlighted?

Aimee Smith: For fear of repeating some of the answers, but to try to give you some clarity and confidence, it is going to be very difficult to measure cultural change in this regard because you are trying to measure human behaviour as it moves through Departments. But there will be really clear indicators to us at the central teamswhether that is in Cabinet Office or DSITabout whether cultural shifts are being made.

For instance, some will be about how Departments are or are not investing to reduce their legacy systems, how they are or are not applying AI to their digital heap to speed up their ability to do records management. It will be whether they are investing in the right kind of roles and skills to make sure they can continue to look after data to the right level.

We are here to provide the guidance and the frameworks to enable them to do those things. For the first time, you have that kind of centralised co-ordination and assurance capability that Departments were looking for independently before; quite frankly through a volunteer network of data protection officers or information security officers, who are incredibly experienced, very skilful and knowledgeable, but are not always the most senior people in the Department on data.

We have been relying on a process of volunteers to pull together a central position. In us, you are now looking through a central position at those who have accountability to make that work. That is the fundamental difference between what was happening when the Information Security Review was in place and where we are now with this package of measures.

Q42            Adam Thompson: Okay, that is all very reasonable. Moving on from that, do we have any means of, technologically speaking, assessing employees moving from using attachments to shared links, and so on? Without manually reading every email that comes through the system, can we examine how many people are still attaching files to emails?

Ian Murray: The technological suite exists to stop people from attaching files to emails. I am in fear of repeating myself, but cultural change happens through practice, and if you are unable to attach anything to your emails to send to anyone then that changes the culture by practice.

Q43            Adam Thompson: Are we inclined to put that enforcement step in place?

Ian Murray: This is best practice, and you are right: the Government should be leading by example and be the very best at this stuff; that is what we aspire to do.

Q44            Adam Thompson: Okay, so are you going to use the technology available to stop people attaching files to emails?

Ian Murray: Where appropriate, but it is part of the technological suite.

Aimee Smith: In principle that is ideal, but the challenge to a wholesale introduction of that is where you have Departments operating on various different legacy systems where emailing an attachment internally may actually be the only way that you can take information from one system to another. That is the complicated nature of what we are looking at across all the Departments and the arms-length bodies. So in principle we would be setting out how we want people to operate, but there is going to need to be some considered support, focus and investment for Departments to get there.

Q45            Adam Thompson: We are probably going to have to come back to this at some later date to assess how this is going. But it leads well into my final question: the Information Security Review has given us quite a lot of information, a lot of things to discuss and work on. Is there an intention, Minister Murray, to make that a more regular exercise, maybe annually, and to put regular progress reports of that out?

Ian Murray: As part of the MOU with the ICO, we committed to an annual assurance report. We have not quite yet bottomed out what will be in that report and how it will be reported to the public and to Parliament, but that annual assurance is quite a big undertaking, and quite a big commitment to make in partnership with the ICO. I would hope at that point that annual assurance statement would be able to be compared with previous years and give us a progress report in terms of how well we are doing.

But ultimately, as you would know, the proof of the pudding here will be in the eating. We would hope that there would be no more instances of Government data being leaked on the basis of what we are trying to achieve. We cannot say that that would 100% be the case, but in essence that is a backstop assurance of how much progress we are making.

Q46            Daniel Zeichner: Welcome to you all. Incidentally, you have a hugely complicated task; I do not underestimate the difficulty of this, not least because of the apparent fragmentation of Government that we are dealing with.

I am pleased to hear you have this new co-ordinating role. I am just fascinated to hear how it is going to work because, from my experience as a Minister, you have so many non-departmental bodies and arms-length organisations, how are you going to ferret your way through all this to find out what they are doing? Do you have the resources? What is the process?

Vincent Devine: I will tackle that. You touch on one of the key challenges we face: the Government are complex and a relatively federated organisation. The first thing is to send a clear signal from the centre, which Ministers have done, that this has to be a priority for Ministers and representatives. The Minister has written to his colleagues across Government on a number of occasions, and the cabinet secretary has made clear to permanent secretaries that this needs to be a priority. That means this is a board level, an ARAP level issue. So sending that signal down to Departments is key.

Setting clear policy baseline from the centre that is demanding but deliverable and reflects the particular requirements of each Department is key. Setting central training and awarenessyou talked about what will really change the culture from centreis all key. But then driving it into the Departments bloodstreams, and that will come from within the Departments.

I do not think there is any resistance in any Departments across Whitehall; we have all learned from the really challenging events of two or three years ago. This is something we talk about a lot with ALBs; the arm’s length bodies are the responsibility of the lead Government Department. We will reach out from the centre to support the big ALBs where they need technical advice or some support, but the responsibility for ensuring the ALB is behaving correctly and driving the right level of change is clearly with the Department. That is well understood and we have looked at that a couple of times over recent years, but it will be a challenge because of the complex and federated nature of Government.

It is also really worth stressing the different operations that are carried out in different parts of Government. They are dealing with completely different sets of challenges in different Departments, and we need to reflect that in our guidance.

Q47            Daniel Zeichner: I totally understand that point about different Departments having different challenges, but there is also the state of the current computer systems in many Departments and the legacy systems they have. I am sure they would all love to upgrade them, and in fact they are saying that all the time, but there are trade-offs here, are there not?

One of my worries is where the responsibility and accountability is going to lie. I hear what you say, Aimee, about there being accountability discussions, but for the people on the front line, they have a job to do and they are under pressure so they just want to make it work. Yet they are being stopped because their systems are not being upgraded. Who is responsible for that, in the end? Are you talking to staff on the front line, maybe through their trade unions, to actually get a genuine culture change, rather than just what many of us have experienced in our working lives, when someone up there says, “You will do this”, and you say, yes, yes, yes? We are all seeing the new passwords introduced, and the yellow sticky note on the computer to allow people to actually do their job. How do we make it real?

Aimee Smith: That is the biggest challenge for any organisation, is it not? I am only three months into Government, but I experienced 25 years of exactly what you are describing in policing and the law enforcement sector; people at the centre want to introduce some technology but they are too busy rolling around on the floor making arrests. How do you make that real for people?

Chair: I have that image in my mind now.

Aimee Smith: Sorry. But there is a reality that when you are designing frameworks and guidance from the centre, you do it in your ivory tower because it sounds right on paper but it does not translate very well to the front line.

More broadly, across DSIT and inside GDS we have a couple of things that we try to use to counteract that. First, we are committed to user research; so understanding how people already are, what their business processes are like, how they are using technology now and what problems they are coming up against. And then a real spirit of experimentation and partnership with Departments or cross-Departments to really test ideas, to see if relaxing data sharing in some regard and tightening data sharing in others is the way to change business process. It is not going to be quick on every occasion to do that, but we are certainly committed to looking at business process alongside technological change because otherwise you are introducing tech that does not fit business processes and people will find workarounds. So we are very alive to that fact, and that will be part of how we take forward the package of measures in thinking about the technological changes we want to introduce.

But to be honest, also the cultural and people asks we have of Departments and the things they need to think about; it is hard to do it at arm’s length, but that commitment to user research and experimentation to test what works rather than just imposing is what we are committed to doing going forward.

Ian Murray: That is the co-ordinating role of DSIT; the whole of modernising Government is part of that process. When you mention the fragmented nature of Government and our federated data systems, that is both a massive advantage and a huge challenge. Legacy systems is a huge challenge, but we are working through that and there is money in the spending review to try to resolve some issues.

But you are right. The biggest challenge from a cross-Government perspective, which is why it is sitting with GDS and in Government, including GDS local for local government services and helping our ALBs, is wholesale Government co-ordination to make sure people are able to, within Departments that are responsible for their own infrastructure, do it and invest in it. That is the biggest impediment we have to delivering this across Government, but it is working quite well. Government Departments are seeing the massive advantages of doing this, and therefore they are on a programme that DSIT is helping and assisting them with, including with external contractors and so on.

Q48            Daniel Zeichner: I absolutely applaud the ambition.

Moving on, with the best will in the world these things are going to happen againthere are going to be data breaches in future. You have announced a model action plan to follow in the event of a data breach; I am a bit surprised there was not one already. Why was there not one in place before? Is it just everybody sort of made it up when it happened?

Ian Murray: I am not sure it is a question for this Government.

Daniel Zeichner: No, exactly. You can say what you think.

Vincent Devine: There are a range of differences. We have had a cyber-instant management plan in place for some time; I think we have published that. We have had the procedures for working with the ICO in the case of a notifiable breach in place for some time, and we have had digital processes in place for some time. This is bringing all those together.

It is probably a fair criticism to ask why we did not have that in place before, but we are building it now and we are learning from how we have managed these incidents in the past because there are always several aims with an incident. First, to immediately triage the challenge you face. Secondly, to understand whether there are any immediate consequences for others working in similar areas. Thirdly, to learn long-term lessons. Put over that the different range of people you need to contact: we need to brief up to our Ministers, we need to reach out to the ICO, we need to work with affected individuals.

With learning lessons and putting that all in one place, we follow the same path each time and it is the right thing to do. But should we have had it in place before? That is probably a fair criticism, and I take that on the chin.

Q49            Daniel Zeichner: I welcome that, and what we are hearing reflects an adult recognition that things will go wrong and you need to have that in mind, rather than just assume it is not going to and then react when it does. There was an assurance exercise undertaken by the Cabinet Office in October 2025; will you publish its findings?

Vincent Devine: We will certainly publish the effect of its findings when we come to put out an annual assurance plan, which will be later this calendar year. I have not consulted Ministers on whether we will publish the findings of that in detail. I know that we found over 90% compliance across Government with the policies and processes we put in place. We also found a couple of areas where we were able to go and dig deeper to understand why that is not 100%, but can I take that away?

Q50            Daniel Zeichner: I took that to be that you will publish something this year, but you are not entirely at liberty to tell us quite how much you will publish?

Vincent Devine: That is what I said; I need to consult my Ministers.

Q51            Kit Malthouse: Forgive me if I feel obsessed with trying to gauge what “pretty good” means. Given that you have talked a lot about Departments that are on legacy systems, do you have compliance data that you are able to share with us? Is there any kind of RAG rating of Departments? Are you able to say, “There are 15,000 people in the Home Office, and 10,000 of them are on a legacy system that does not allow us to block email”? That kind of data. Rather than assuming we are pretty good because of the lack of a breach, how do we know from a compliance data point of view? Aimee, presumably you have that at your fingertips.

Aimee Smith: Not directly. What we have and what we are building is the ability to do that. That is what will come, certainly from a data protection perspective, with the arrival of—

Q52            Kit Malthouse: Is what you have told us so far anecdotally obtained?

Aimee Smith: No, it is part of the assurance exercise.

Vincent Devine: We RAG rate Departments annually against a range of security issues. We do not publish that. For each Department, we have a RAG rating across a range of different security compliance issues, and we will RAG rate the Department as a whole. We do not publish that. We will not publish that because it would offer opportunities to our adversaries.

Within each Department, I am very confident they are RAG rating the protection of their different datasets. I would expect all the most sensitive datasets—I would hope—to be green or amber, so green with some risks. There will be RAG ratings of all these sets. The datasets that I own I certainly have a clear understanding of the RAG rating and the compliance with processes. That will be the case across Government.

One of the really useful bits of work we did over the last two years was clarifying—to a much greater extent than we had previously—the information assets and information asset owners and their responsibilities. That includes understanding the risks posed to their assets, protections we have in place and the confidence risk RAG rating. I would be confident that across Departments they will have RAG ratings on the security of their data.

Q53            Kit Malthouse: Beneath those ratings, is there hard compliance data around numbers?

Vincent Devine: This goes right back to the question the Chair asked earlier about culture and outcomes. There is compliance data, but compliance data is not necessarily the same as security. Compliance with the policies and processes put in place is essential; you could say it is necessary but not sufficient. There is compliance data on all this stuff, but that is not quite the same as outcome data.

Ian Murray: Can I just add a quick statement back to Mr Zeichner’s question? The assurance exercise that Vincent talked about, in answer to that question, 90% of Government Departments were fully compliant with data protection and security principles across Government. The 10% is what Vincent—

Q54            Kit Malthouse: Sorry, 90% of Government Departments?

Ian Murray: Yes.

Q55            Kit Malthouse: Is that 90% by number of Departments or number of employees?

Aimee Smith: By Department responses to the assurance exercise.

Q56            Kit Malthouse: Right. So DWP, which is by far the biggest Department, could be non-compliant and you would still be at your 90%?

Ian Murray: Well, we do not want to go into individual Departments, but—

Q57            Chair: That is one of the things that we want to look at, actually.

Kit Malthouse: Sorry, I am just trying to get clarity on what you are telling us, right? If I am honest with you, it all seems a bit opaque. I do not know about you, Chair, but I cannot take any sense from here about whether the absence of incidents is indicative of good performance or whether it is just accidental.

Vincent Devine: I do not know the answer now, but we know the answer to the question of whether DWP is fully compliant with the process that we have in place, if we go and dig in the papers. I have an expectation, but I am not going to guess now without checking the data. Some 90% of the organisations we looked at are compliant with the processes and policies we have put in place, but I cannot answer on a specific Department right now.

Q58            Chair: Could you share with us the compliance metrics you have? The 90% of organisations and the list of things they were compliant with. Could you share with us what those were? Perhaps you have shared it already, and which Departments were compliant or not. Can you share that with us?

Vincent Devine: Can we take that away and I will provide advice to the Ministers?

Q59            Chair: The point Kit is making is that we are looking at measurable things, and we are trying to understand where we are now. Knowing what the compliance data is and how it is being measured would be an important part of that. The Home Affairs Committee, for example, heard that there were 48 legacy systems that formed the basis for eVisas. To go back to the discussion on operational versus security issues, that was one of the reasons why there were so many data errors and mistakes in security.

Can I ask that in addition to the compliance data, or perhaps the number of legacy systems by Department, you just let us know if that is something that you have? Minister Murray, you talked earlier about the enthusiasm to invest in new systems.

Ian Murray: From my perspective, we have measured—again, we will write to the Committee—and around 23% or 27% of systems across Government were legacy systems. That has been measured already. I would need to take advice from officials on whether we can supply a list of what they actually are. But actually, I would have no problem sharing those with the Committee, at least privately, so you could see those. That figure is in the public domain from analysis that has been done.

Chair: Okay, well, that sounds good. Should we move on?

Q60            Kit Malthouse: I do not know whether it sounds good at all, we will have to wait and see—

Ian Murray: May I just clarify? The legacy system is different—

Q61            Kit Malthouse: But if you said to me, “I’m selling you a second-hand car and it’s pretty good,” that does not sound showroom to me. I am just trying to gauge where we are.

Chair: We are with you on that.

Ian Murray: Can I just clarify that? The information from the legacy system issue is different from the 90% assurance information.

Chair: Yes, I recognise that. But I am just saying we have to have compliance, part of that is the assurance, then I would like to see what information we have on legacy systems. Great, okay. Now we are going to move to a slightly different area. I know that there is an issue that Martin is keen to raise.

Q62            Martin Wrigley: Thank you for coming before us today. Moving on to a different area entirely, in recent weeks I am fairly sure we heard Cabinet colleagues talking about Britain being Britain’s best customer in tech solutions. We have heard about building sovereign AI capabilities, and yet we see Palantir being mandated to be used across the NHS in every acute community and mental health provider. Its existing solutions are to be thrown out.

We have seen a £250 million contract extension with MOD because the general said it was not tech lock-in, it was just too difficult to replace them because it would have to redo all its tech, which is the definition of tech lock-in. Minister Jarvis, are you comfortable with the increasing prevalence of companies such as Palantir in the public sector? Especially in sensitive areas of NHS and defence, let alone the trials going on within the police forces and used within the Cabinet Office, as I understand it. Are you comfortable with that position?

Dan Jarvis: Thank you for your question. To give you assurance, let me say first that there are robust processes in place to make sure that Government contracts are always awarded fairly and transparently. As I am sure you will understand, Ministers across Government engage with a range of different companies as part of international travel. My understanding is that Palantir is a longstanding investor in the United Kingdom.

As would have been the case with previous Governments, this Government utilise a range of international suppliers based on operational requirements, value for money, and compliance with our legal and security obligations. All suppliers are subject to a rigorous process of due diligence. I am satisfied that we have the right processes in place.

Just to say one other thing, though, specifically about the company that you have mentioned, the recent partnership arrangements that have been announced are a matter of public record. Actually, it represents a vote of confidence in the UK that we have companies that want to work with the UK Government and want to invest in us as an entity. This will deliver very significant amounts of investment, which creates highly skilled jobs in the UK.

Q63            Martin Wrigley: It may have highly skilled jobs, and I can think of 350 million or another 250 million reasons why they want to invest there. However, I am not sure the transparency is quite as in the forefront as you might be implying there. What competitive tendering was going on in terms of the MOD expansion of the use of Palantir, and indeed, the NHS expansion of the use of Palantir? The NHS use was supposed to have external opportunities for adding modules into that system, which I understand has not actually yet occurred, unless you can tell me otherwise.

Dan Jarvis: What I can tell you is that you are asking me about contracts that have been awarded to Government Departments that I am not responsible for. In terms of the Ministry of Defence and the Department of Health and Social Care, as part of the preparation for this session, my understanding is that in both those Government Departments—as is the case across Government—there are robust processes in place to make sure that where contracts are awarded, they are done fairly and transparently.

That is my understanding of the circumstances of the two specifics that you cite, but I am not a Minister in either of those Departments. If you are—not unreasonably—wanting more information, then that is something we would need to take up both with the Ministry of Defence and with the Department of Health.

Q64            Martin Wrigley: I am more concerned about the security of the reliance on a single vendor across so many critical areas. This is now a critical component of several very serious areas in our national infrastructure. Are we depending too heavily on what could be a single point of failure?

Ian Murray: If it is helpful to Mr Wrigley, may I just maybe go through the processes here? DSIT takes a role in making sure that Government contracts are co-ordinated in the digital space, and some contracts you have mentioned already are part of that. We have a spend controls process. Anything over a contract price of £5 million goes through that process. It is signed off by Ministers and approved by Ministers in DSIT, where we can interrogate the contracts, the value for money, the sovereignty, and whether they comply with the Government’s security and privacy principles.

All that is taken into account and is then presented back to the Department. DSIT works with individual Departments in making sure that their tendering processes and contract award processes fit in with the Government agenda and those Government protections.

There are a number of layers of DSIT assurance processes that sit outside each individual Government Department, and we would expect every Government Department to apply those principles. That then comes back to DSIT in order for us to both help it shape what it is looking for and shape its contracts, but also to make sure that it is complying with all the Government policies on data security and principles, and those kinds of sovereignty issues you raise.

Q65            Martin Wrigley: In terms of those sovereignty issues, in terms of the Government’s agenda for building an AI sovereign capability, how much influence has that policy had on these contracts? Going forward, as we see the creation of a national police service, while we see Palantir being trialled in a couple of groups of police forces, will there be an opportunity for sovereign bids to actually look for that? We saw that the MOD contract—I think you told us—was looking at a lack of competition in some categories, and the MOD was not even looking elsewhere for an alternative. How is that actually helping to invest in sovereign capability-building within the UK?

Ian Murray: You are asking a general question about the MOD that I am not in a position to answer. But I can answer from a DSIT perspective that those issues, in terms of seeking market capability, are part of that assurance process from DSIT, and they would be part of the report that is presented to us. Therefore, there are robust processes in place. DSIT is trying to make sure it is embedding that advice and support across Government, for Government Departments in the digital space when it is contracting and tendering for certain services, to have that support, to make sure it is getting that right.

I cannot speak for the MOD in terms of how it does its processes, but I can assure you that all these contracts would have gone through that rigorous assurance process that DSIT runs.

Dan Jarvis: You make an entirely fair and important point about sovereign capability. Clearly, with regard to any sovereign capability, the Government will need to weigh a number of factors. But fundamentally, the most important factor that we have to weigh is what is in our best national security interests. That has to be set against other considerations, including value for money, because we have constrained resource. But I can give you an assurance of how seriously Government take these particular issues and how carefully we look at them.

I just wanted to respond briefly to the point that you made about the creation of a national police service. This is a bold policy that has been recently announced by the Home Secretary. Previous Governments—I do not say this in a judgmental way—have shied away from the significant reforms of police that instinctively most of us know we have needed to make for a long time. There is a huge opportunity here to look at the way in which we conduct policing operations and activities around the country and do it in a more effective, more joined up way, which will be operationally more effective but also better value for the taxpayer.

That is a process that is ongoing. It is a big body of work led by the Home Office to look at how we can do this. But let me give you an assurance that the absolute driving factors that underpin issues of both sovereign capability and the creation of a new national police service, will be operational effectiveness and national security. Of course, as I have said, any Government will have to weigh the value for the public purse as part of that process.

Q66            Martin Wrigley: It sounds like you are writing off UK start-ups in favour of an established American big player because nobody ever got fired for buying IBM.

Dan Jarvis: That is an entirely unreasonable conclusion to draw from what we have both just said.

Q67            Dr Sullivan: I just have a quick one, just to crystallise the concerns. We are living in a globally unstable world. The assurance we are looking for is that our data and data of people will not be held to ransom. Our data will be accessible, so what safeguards are there in place so that companies—not exclusively Palantir, but others—would not be able to hold us to ransom or put up the price and say, “Well, actually, this contract now needs far more”? What are those safeguards so that that data is protected and people are protected?

Dan Jarvis: I might just say a word. Let me agree with your basic assertion about the nature of the world we are operating in. Believe me, I spend a lot of time thinking about these things, and I can give you an assurance that the world is a very challenging place at the moment. Therefore, it is even more important that we make sure we have the appropriate gearing to guard against the nature of the threat we undoubtedly face from a range of different actors.

In that context, the point you make about data is important. There is a lot of work taking place across Government to look at how we can satisfy ourselves that we have the right procedures in place, in order to ensure the security of the information we need to safeguard. It would be useful to hear from Vincent though, because he will be able to give you a bit more detail about that.

Vincent Devine: There are two things there. Whenever we contract with a third party that is going to hold our information, there will be contractual safeguards on how it must hold that information, what it can and cannot do with that information, and our own access to that information. That will be in the contract. We do that routinely. We are doing that in a couple of areas I am involved in right now.

Where we are contracting, we should also be thinking about the exit from the contract, so we do not fix ourselves to a particular company, which at the end of a five to seven-year contract can hold us to ransom and put up the price. That is a routine part of our contractual thinking: what are our exit processes, and where will we begin to break to ensure we can have a full competitive tender for the next stage of that contract?

Q68            Dr Sullivan: If that is the current thinking, those contracts that were signed a few years ago may not have had that exit strategy thinking and that arrangement in place for how that data can then be transferred to another company. Is that the case, or are there ways around it?

Vincent Devine: We have been aware of that risk for at least the last five years. But I am aware of some contracts where we have faced that challenge towards the end of the contract, where we are relatively limited in what we can and cannot do by way of a competitive tender because of the relationship of dependence we have built with companies. We are pretty wise to that now. This is routine business. It is part of any gateway process for a contract to talk about what your exit clauses are, how you get out, and how you manage your data.

Q69            Martin Wrigley: If I can just come back on that, I am very pleased you are thinking about exit strategies because it is always the first question you should ask before buying a new system: how do we get out of it in the end? However, the recent MOD expansion of the services denies that entirely, because it is very clear that the MOD said, “We have to use this existing supplier because we can’t change from what we’re doing now.” It has no exit strategy there. That is absolutely transparent.

It is also clear that when challenged about certain potential uses of its system, Palantir went on to say, “Oh, we wouldn’t allow our system to be used for that.” It is still exerting control over how and where that system is used and what principles are applied, while also claiming to be a UK sovereign company, which it is clearly not. Your words are fine; the example of what we are seeing from the MOD in those statements does not ring true with the principles you are describing. How would you feel about that?

Vincent Devine: I know the Defence Secretary has gone on record on the point of Palantir contracts, I recall reading, but I do not recall precisely what he said. I am really reluctant to comment on a specific contract or on a specific company.

Q70            Martin Wrigley: It is not on the contract. It is about the comments and the reasons the MOD gave for actually giving that contract without competition, continuing to put another £250 million into Palantir.

Vincent Devine: I am really sorry. I recall reading it, but I do not recall precisely what the reasons were, so I am not going to offer any comment. I am sure I would support whatever it told you.

Q71            Chair: I understand there is going to be an urgent question on Palantir contracts later today, but I would like to build on the really important point that Lauren and Martin are making with regard to vendor lock-in and exit strategies. The Cabinet Office wrote to me, I think in July, to say, “The procurement and maintenance of official Government IT systems ultimately remains the responsibility of individual Departments.”

If that is the case, how on earth can you ensure that we do not have dependence on one particular provider across Government? You have spoken to us about the guidance you offer and robust processes that you believe are in place, but is there control and measurement of our dependence on particular companies such as Palantir?

Vincent Devine: On the Government systems, that is a question DSIT might want to take. The Government set out in plans for the digital Government how there would be greater control exercised from DSIT over the procurement of IT systems across Government. With respect, it is a departmental decision to find out. I do not know, Aimee, do you want to say anything more?

Aimee Smith: DSIT is moving towards a whole-of-Government approach to digital sourcing, and that is being worked on now. Not to comment on individual contracts, but there is a tension between Government Departments reassuring themselves through their own DPIA process and ethics process about the contracts they are about to take on for their data assets, which they own, and where we are trying to get to as a Government, which is what is a national asset? What is the impact of a national capability on that? Are those considerations taken into account when Departments are looking to source?

That is one of the things we will be looking to work on as we go forward, because we have talked a lot in strategies about data being a critical piece of infrastructure. The contracts you have seen so far are very much about Departments, and there is a point of balance for us going forward about a national asset and the impact of that versus a local asset.

Q72            Chair: A departmental asset, you mean?

Aimee Smith: Yes.

Chair: I think what you are saying is that you do not have control over Departmental digital procurement currently, but you hope to have so in the future, or you hope by—

Ian Murray: Anything over £5 million comes to DSIT for that assurance process, which takes into account all the issues that we have discussed already this morning in terms of security, vendor lock-in, market testing, issues around data protection, the laws that we have in this country around GDPR, and UK security standards. That all comes as part of that assurance process. Contracts are subsequently signed off for Ministers when they are satisfied with that process.

Q73            Chair: How many times has that process been invoked since it came into place, in terms of contracts being stopped or reviewed?

Ian Murray: There is not an incident that I can recall—I have been in this job since September—where it has been vetoed. But in actual fact, there is a lot of work that goes on before it gets to the stage of filling out that assurance report, to make sure things are in place properly. It is not an end-of-process event. It is a continual process.

Q74            Chair: Just to give a particular example, I have tried on many occasions to find out what proportion of Government data is using Microsoft or AWS: what is the provider? I am told that each Department knows it, and there is no cross-Governmental knowledge of whether we are locked into AWS, or Azure or something. Can you say to me that you have the answers to that question now, or that you will have the answer in the future, and that you can ensure that we are not having vendor lock-in in data services, for example?

Ian Murray: Your question poses the challenge and the tension and balance between both these issues, because DSIT is moving towards a whole-of-Government procurement approach in terms of digital and technology.

The difficulty is that if you do that whole-of-Government approach, you end up in a situation where your contracts are cross-Government rather than individually departmental. The issues of whether we use Microsoft, Google, AWS or any of those vendors then becomes a cross-Government issue, which may make the contracts larger and less diverse than individually, departmentally. That is the tension and the balance as a Government that we have to try to—

Q75            Chair: We are asking whether you are able, first, to measure it now. Is that yes?

Ian Murray: Yes, we are.

Q76            Chair: You are able to measure it now. I will get an answer to my question.

Ian Murray: There is a process going on in terms of procurement at the moment for some services.

Chair: You have shared some challenges.

Q77            Dr Sullivan: This is all about measuring and weight. It is about the weighting that the guidance, or the framework, has given to sovereign capability. The weighting that you as DSIT will be able to control and allow, to actually ensure that the weighting for sovereign data and data systems is there. Is there more pressure that we need to be putting on other Departments to make this happen? Data is a sovereign issue. Like you said, you can see the direction of travel, but we need to get to that direction of travel ASAP, really, do we not? Do you agree?

Ian Murray: I agree, but I would just caveat that with an understanding from each individual Department what data sovereignty is, because we do not have a definition of what data sovereignty is. Therefore, what does it mean?

Q78            Chair: Whose responsibility is it to deliver that definition of data sovereignty?

Ian Murray: There is no international definition of data sovereignty, and therefore—

Q79            Chair: We have had this conversation before.

Ian Murray: We have had this conversation before. It is a bit of a circular discussion because there is no global definition of data sovereignty. It means different things to different aspects of it, each of which have valid arguments for why that should be the definition of sovereignty. It is not an easy definition.

Q80            Chair: You have agreed with Lauren that data sovereignty is an important part of a whole-of-Government procurement approach, and now you are saying that we do not understand what data sovereignty is.

Ian Murray: I am saying we do not have a definition of data sovereignty.

Chair: We must have one in order to have a whole-of-Government—

Ian Murray: Let me just give you a couple of examples: does data sovereignty mean that the data stays within the confines of the country of the United Kingdom? Does it mean that the data is held by each individual? This is not an easy thing to work out, there is no global definition.

Q81            Chair: No, I am sorry. I recognise it is not. But we want to hear that you are working on a definition, because it has been clear to the Committee that it is an important part of a whole-of-Government approach to digital procurement. You are working on a definition?

Ian Murray: As Mr Wrigley says, the Government policy is about sovereignty in these issues.

Q82            Chair: Right, so you are working on a definition?

Ian Murray: I would not—

Chair: You seem reluctant to—

Ian Murray: I am reluctant to say yes because a definition is not necessarily easy.

Q83            Chair: Okay, we are running out of time, and I really want to ask about transparency with regard to engagement with tech and big tech. There have been a number of concerns around the Prime Minister’s meeting with Palantir. I have already mentioned last February in the US and the extent to which that was arranged through Peter Mandelson’s company, Global Counsel. Palantir gave us assurances that it went through the proper channels, but Peter Mandelson was the ambassador at the time.

We heard this week—I think yesterday—that Peter Mandelson offered to arrange meetings with tech companies for the Secretary of State for Health, Wes Streeting. At the same time, I know there is a freedom of information request to Ofcom, just to say which tech companies it has met, which it is refusing. Can I ask both Ministers, do you agree that transparency on engagement and meeting with these big tech platforms is important and something that the public have a right to?

Dan Jarvis: Yes.

Chair: Excellent, thank you.

Ian Murray: Yes, and from a ministerial perspective, our meetings are made public through our ministerial declarations.

Q84            Chair: Well, they are made public sometimes in arrears, and it is not always public how those meetings are arranged. But can I ask—particularly you, Minister Murray, as a responsible body for Ofcom—that you would encourage transparency with regard to how Ofcom is meeting, how often and whom Ofcom is meeting in the big tech companies?

Ian Murray: With all due respect, as we always say in these kinds of issues, it is not up to Ministers to direct Ofcom as the independent regulator. But I am sure it has just heard what you have said.

Q85            Chair: Minister Murray, have you met with Palantir?

Ian Murray: No.

Chair: Minister Jarvis, have you met with Palantir?

Dan Jarvis: No.

Chair: Great.

Vincent Devine: I should declare that I have met with Palantir. As part of transparency, that is on the record.

Q86            Martin Wrigley: We have met with Palantir because it has been in front of the Committee as well. DSIT looks at these contracts as they come through. The predication of these purchases is that these systems deliver what they are intended to at the beginning. I have been trying to find out through the National Audit Office whether Palantir in the NHS is delivering the level of promise that was made.

I remember when I was buying systems, it was Oracle, and it would do anything you wanted it to do before it came through the door. Then the reality was never quite as good as the slick salesman always promised you that it would be. It was a lot harder to make it deliver on its promises. Does DSIT monitor the effectiveness of these high-tech systems, which are actually working in a way that no one quite understands?

Ian Murray: Maybe Aimee can add to this, but if I could just rewind you to the start of your question when you said DSIT looks at these contracts as they are coming through: that is a small part of the process. DSIT works hand in glove with Government Departments at all stages to make sure that the tendering processes are correct, and to provide advice to Government Departments where they need it, in terms of both the process they need to go through and giving advice back to changing contracts and discussions as they are coming. It is not just about looking at them as they come through. There is a whole process of advice and support that is given through DSIT to Government Departments on these types of contracts.

Of course, through legislation, there is the ability through national security concerns to remove contracts and bar suppliers, if that is the case. Of course, in terms of the modernising Government policy, we are constantly reviewing and assessing technological change in Government and giving advice from DSIT. DSIT is trying to provide an overarching cross-Government support service for these kinds of technological contracts and technological changes across Government. That is something that is embedding in.

Q87            Martin Wrigley: Which is a good thing that we agree upon, and that is great, but the question is: are you actually looking at the real measures of success? Are these systems delivering what they promised to the extent that they promised? So far, the only example Palantir gave us was that it had improved the rota-setting of nurses and operating theatres to marginally improve the throughput of operations. Which is good, do not get me wrong. That is good. But it is not £330 million good.

Ian Murray: I cannot comment on individual contracts in the Department of Health and Social Care.

Q88            Martin Wrigley: I am asking about the process. Does DSIT monitor the effectiveness of these extensive, high-technology systems that are supposed to transform our Government Departments?

Ian Murray: No. It is the responsibility of each individual Government Department to monitor that the contract is delivering what it should be delivering.

Q89            Martin Wrigley: Do you think DSIT should be taking an overall view, since it is giving an overall direction, as you were just describing? Monitoring your own success? Measuring your own success? I will take that as a yes.

Ian Murray: Well, you are asking me a question that I am having to think through the practical implications of doing that. But if a contract were not delivering the outcomes, particularly for some big contracts, then I would expect each individual Government Department to take that up with the contractor.

Of course, DSIT always stands ready to help Government Departments in terms of those kinds of issues. As a Government Department, should we be monitoring the delivery on these contracts? I do not know if that would be desirable for DSIT to take a whole Government view on each individual contract.

Martin Wrigley: Why would that not be desirable? Take something such as an AI data warehousing system, which is a novel aspect to bring into these areas: why would you not be wishing to see whether that is as successful as was promised by the slick salesperson?

Ian Murray: Each individual Government Department should be doing that.

Chair: We are running out of time a little here, but I hope you will be able to stay with us. I know that Lauren has a couple of questions, which are directly related to the issues that you are raising, Martin, and may clarify them a little.

Q90            Dr Sullivan: This is about the ICO memorandum of understanding, which we mentioned just briefly before. How are we ensuring that the Departments are not getting too close to the regulator? There is an advice section, which is good, and the ICO should be providing advice. There is an enforcement and checking of homework section. How can we be assured that actually that is not getting too close and that there is that separation of powers and duties?

Vincent Devine: We should be incredibly close to the regulator. It has a range and depth of expertise that we should absolutely draw on. It has visibility, not just of incidents within Government, but incidents beyond Government that we can learn from. I do not worry, from my perspective, about getting very close to the commissioner. I met the commissioner three times over the last month. The commissioner briefed the Government security board in a really impactful way: that comprises senior representatives of a range of Departments and our technical experts from the agencies.

From our perspective, we cannot get too close to the regulator. You have legitimate questions for the regulator, having been a regulator myself in the past: are you getting too close to Government? I know the commissioner thinks very carefully about that and is very careful how we engage, but I would like us to get extremely close to the regulator. I want it to become absolutely a matter of course that when we are developing new capabilities, we do not consult the commissioner late in the day when we think there is potentially an impact on data. We go to the commissioner very early, right at the beginning of the process and say, “This is what we’re thinking of doing. What kind of dialogue do you think we should have?”

For Government, this is a very good thing. There are risks: we are opening the cupboard. We are showing the regulator what is really there. I would expect to get very honest and quite frank advice. Aimee, I might be wrong, but from our perspective, it is all good.

Aimee Smith: No, I am totally with you. It is absolutely critical that the person who describes what good looks like is someone we are in regular conversations with, a bit like Ofsted and schools, a bit like the inspectorate of policing. You need the people who are defining what good looks like to be close enough to you for you to be able to consistently check your own work against, but also ask advice about.

John Edwards made it really clear in the Government security board, his real test for us as a cross-Government capability is what goes into the assurance statement and how we will be looking to progress the maturity of Government around data protection. The relationship is good. It needs to be close. But I do not doubt that the regulator will hold us to account if we do not deliver on the things that we have committed to.

Q91            Dr Sullivan: Just from my experience in the past, seeing Ofsted inspections, say in schools or social services, there is then a briefing back the other way going, “This is what Ofsted is looking for. Make sure you’re saying these things to ensure that we get a good outcome.” With all the goodness of, “Yes, let’s be transparent, let’s show we are open,” there are obviously impacts where things go wrong, and there is the impulse to cover up and not be transparent. What checks and assurances can we have to make sure that it is a case of being open and transparent, and believing exactly what you say?

I can see the point of being open and transparent because you have the regulator there, and you can have a look at what is going on. But equally, there is human nature. How are we ensuring that that human nature of trying to cover up is not there throughout the systems? It is a very tricky question, I am sorry.

Ian Murray: That is more of a question for the regulator, because the regulator has a job to do in terms of holding the Government to account for breaches. But actually, the way we have seen this through the MOU is to work in partnership with the ICO to be able to develop the best practice we have, but also to get ahead of it in terms of new systems and ways that the Government may wish to work. The ICO can give us its expertise and advice on them at the start of a process, rather than waiting for breaches to happen and then coming in at the end of a process.

Both the regulator and Government have the same goals here: we want to be able to secure people’s data, and we want to use it for the public good. Us both having those goals from different aspects means that working in partnership is critical. The “Annual Assurance Report”, which may sound slightly dry and may be a slightly dry report, is hugely critical here. It is a massive undertaking from Government to put into the public domain our relationship with the ICO, in terms of these data issues. That is a huge step forward, in terms of transparency and the cultural issues that Dame Chi mentioned at the start of this session.

Being able to use instances that may happen, or potential instances or near misses, and feeding that back into the process for learning helps those cultural issues around seeing the ICO as a trusted source of advice, rather than it being a heavy-handed regulator of last resort.

Q92            Dr Sullivan: Yes, okay. That is really interesting. The next question I have is about the blueprint. When I go on the website about the blueprint, I expect to see it in blue. But in terms of the plan, last month there were six progress updates. Are we going to reach the end of the blueprint, in terms of the progress that is being delivered in that digital Government strategy?

Ian Murray: This is a huge project. The blueprint is very ambitious. I am glad it is on a website and not on paper, because that shows us that we are trying to modernise Government, for a start. In terms of the progress, this is a living, moving, breathing document. I was very clear when I came into this role that the blueprint should be something we seek to deliver, rather than it being something that Government produces and then it disappears into the ether. That is what I am quite keen to do.

We have launched some really good stuff already. Customer First is a huge initiative that we have launched, to try to make the interaction between Government and citizens much better. We have just passed 31 January, the end of the tax submission year for self-assessment. I am sure there were many people looking to try to get some advice from HMRC, in terms of those issues. The first project with DVLA is a really good way of trying to look at the DVLA systems and bring forward some innovative ways of having the customer put at the heart of those kinds of processes with Government.

The road map is not exhaustive. It should be a living, breathing document. I hope it is a living and breathing document. But my role is to deliver as much of it as we possibly can, as quickly as possible. Pace is the big issue in terms of trying to get this across Government. But we have discussed some issues already today: legacy systems, access to data, interoperability, how Government Departments are going at different stages.

Vincent very clearly has laid out the fact that different Government Departments have different data strategies, because they are dealing with different types of data in terms of sensitivity and wide-ranging personal data. This is not an easy thing to deliver, but we have to do this. This is about modernising Government across the piece.

Q93            Dr Sullivan: You have described it very nicely on the website. The kind of thing I want to drill down on is number five, which is funding for outcomes, procuring for growth; the argument we had earlier about sovereign capability and that sort of thing. Procuring for growth means that we need to invest in this country and its talent. How can we expand and add weight to your weighting of procuring for national interest and national companies?

Ian Murray: Again, this is a little chicken and egg because yes, we want to procure for growth, but we also want to build that sovereign capability. Having the ability to do both at the same time is quite difficult. Government should take a leading role in procurement, to give some frontier technologies an advantage. The Government should be a big customer to frontier technologies; to be able to give them the contracts they require to be able to move forward with some big things that they are doing. That is a huge issue, yes, of course.

Q94            Dr Sullivan: Absolutely. Last week we had the CEO of UKRI, which is obviously a huge, huge body. We met with him last week and discussed this move to a proof-of-concept funding. There is that gap between the small start-up and the small businesses, to the medium and the large space. There is that valley of death. Are you asking and directing him in those priorities, ensuring that we can keep those companies here and grow them here?

Ian Murray: This is something that generationally we have never cracked as a country, is how you not only bridge that valley of death, but how you have the start-up and the spin-out getting into medium and larger businesses, which help with that sovereign capability and a whole host of technological issues. That is something that UKRI has been tasked to look at in terms of how it gets there.

Of course, it might just be a cultural issue with the way in which the UK system works, but the difficulty is that when someone comes in to invest in a frontier technology or otherwise, the first thing that is asked—Mr Wrigley mentioned this—is, “What’s your exit strategy?” The exit strategy for UK businesses is not to get to medium or large, it is to seal and move on.

There is a cultural issue that we have to try to deal with. Some of that can be dealt with through financial mechanisms: Government being a customer being one of them, with UKRI investments going into some valley of death businesses. There is a bit of a structural issue, but Government are trying to bridge those structural issues by providing that gap funding in the middle through UKRI. It has three big pots that it would look at in terms of frontier technologies, but also in terms of the kinds of research and development that is investigative.

Q95            Dr Sullivan: From speaking to some businesses here, there is a dearth of capital that is made available to them. There are quite a few businesses that want to stay and grow here, but there just is not the capital. Speak with Treasury colleagues and pension colleagues about how we can really invest that capital.

Ian Murray: One of the key tasks—if I can put a small DCMS hat on as well as DSIT—is to try to find those products most suitable for not just different sectors, but also for different parts of the process in terms of investments. The British Business Bank, the National Wealth Fund, and UKRI’s funding are all part of that complicated matrix. Perhaps one of the things we have to do is not only simplify that complicated matrix, but make sure that businesses know how to access it.

Q96            Chair: One of the things that almost all start-ups and small businesses say is that given the choice between a grant, or even a loan, and an order—particularly an order from Government—they would much rather have the order from Government. That brings us back to how Government procurement is supporting UK companies and diverse supply chains.

Thank you so much for your patience and commitment in answering and coming before our Committee this morning. I want to finish off with just two questions, just to clarify some of what we have been discussing. We have heard a lot about how you are going to publish an assurance plan, we have had the blueprint, we also have had the road map. The road map is only on the Government website. It is a series of pages, not a document, so we are not going to be able to track how it is updated. It also does not have any detailed, measurable metrics in that road map.

Can you tell us how you will enable us to measure success against that implementation plan? Could you write to us with a list of all the plans and deliverables, in terms of assurance plans, statements, and so on, that we have discussed here?

Ian Murray: Yes. I am happy to do so and lay that out in detail. We intend to use flexible metrics with this, because the technology is advancing so quickly that we do not want to be tied to something that is inflexible enough to be meaningless. That process is being worked through as we speak.

Q97            Chair: We appreciate that. That is one of the challenges the Select Committee has, but we also cannot use flexible metrics to escape effective scrutiny.

Ian Murray: Shame!

Q98            Chair: We have to have effective scrutiny. That is certainly what we will be focusing on. We have talked about the responsibilities of DSIT, in terms of ensuring high standards of data security and data hygiene. Can you confirm that the Departments and public bodies that are not in compliance with the principles you set out in GDS for securing personal data will be prevented from adding their services to any future digital ID? Will that be the baseline before which they can add services if they are not meeting GDS requirements?

Ian Murray: The commitment in terms of digital ID is to have the most secure system and protections in place of anywhere across Government. Therefore, those standards are set.

Chair: I think that is a yes, though I am not sure.

Dr Sullivan: Will it be 100% secure or 90%?

Kit Malthouse: Or just pretty good?

Ian Murray: Pretty good, very good, outstandingly good. It will be exemplary.

Q99            Kit Malthouse: There is no binary: you are in because you comply, you are not in because you do not?

Ian Murray: No.

Q100       Kit Malthouse: So, somebody who does not comply could be part of the architecture?

Ian Murray: I would doubt it.

Q101       Kit Malthouse: So it is possible, but doubtful?

Ian Murray: Yes. Pretty good, yes

Q102       Chair: We will let you get back to us with the implications of the standards that we have talked about today for digital ID and whether they will need to be compliant in order to add their services to digital ID. The Committee—

Vincent Devine: In case there is any doubt, the clear direction is that digital ID will be an exemplar of security, it will meet all the standards we have set. We have also committed to working very clearly with the ICO right from the beginning of our programme. Just in case you go away worried that we are not absolutely committed to the highest level of security for digital ID: we clearly are. That is the direction that has been given by Ministers.

Q103       Chair: Okay, that is helpful. It sounds like it should meet the highest standards before being a service using digital—

Ian Murray: Not should”—will.

Chair: It will meet the highest standards.

Ian Murray: Yes.

Chair: Okay, so that is a further clarification, but we will look for that in writing. The Committee has heard, “Our data standards are going to be an exemplar, they are pretty good, but they can’t be 100%.” We will obviously form our own view as to what those standards are, but I really appreciate your coming here to discuss this with us. It is not an easy issue. Indeed, it is a subject in which there have been multiple failures in the public sector—in the private sector as well, but particularly in the public sector. We recognise the challenge that you face. Thank you for sharing your evidence with us today.