With this it will be convenient to discuss Government amendments Nos. 230 to 234.
This is not the place for a stand part debate, but, as I have indicated, if in discussing any of the Government amendments it is convenient to make reference to matters that might delay us in a protracted stand part debate, my hearing will perhaps catch up after the reference has been made, as long as it is not too long.
I hope to catch your eye during the stand part debate, Sir Nicholas. I appreciate why the Financial Secretary moved the amendment formally. She says that the amendments are of a technical nature, but I thought that it would be helpful if she could briefly describe the significance of changing the references to “provision” to “enactment”, just so that the Committee is fully aware of the reason behind the amendments. I have no further comments at this time.
I heard what you said at the beginning, Sir Nicholas. I hope that you will not chide me, as I want to speak directly to amendment No. 229, but it is difficult to do that without discussing the context of clause 109 generally. I shall keep this as brief as I can and associate it with the amendment, when I can.
Thank you, Sir Nicholas.
There are several parts to clause 109, which is about computer records. Subsection (1)
“requires a person to produce a document or cause a document to be produced”, which is perfectly reasonable. It also
“requires a person to permit the Commissioners or an officer of Revenue and Customs...to inspect” or, more importantly,
“to make or take copies of or extracts from or remove a document”.
That necessitates access to the computer, which is described later in the clause.
Subsection (2) refers to a provision applying if
“any reference in the provision to a copy of a document were a reference to anything onto which information recorded in the document has been copied, by whatever means and whether directly or indirectly.”
I shall return to that in a moment.
Subsection (3) states:
“An authorised person may, at any reasonable time...check the operation of, any computer and any associated apparatus or material...in connection with a relevant document.”
My problem is that, if the document is an e-mail, or an attachment to an e-mail, sent by a web mail service on a web server hosted overseas, or if the document is a web page or a page on a web-enabled application, again on an overseas-hosted web server, I am not sure how any of that can be done, particularly in respect of subsection (3), which allows the person to check
“any computer and any associated apparatus” in order, for example, to remove the document.
That brings me directly to amendment No. 229, which is extraordinarily wide, in that it
“makes any other provision in connection with a requirement” related to the person who produced the document or caused it to be produced, or the commissioners or an officer making or taking copies of or extracts from or removing the document. I am not sure how enforceable that will be, particularly in the case of the examples that I gave, which would seem to introduce a degree of extra-territoriality in the clause itself and, further, in any other provision being made in connection with something that is extra-territorial and may be completely unenforceable.
That brings me to the effect of amendment No. 229 on subsection (5), which states:
“An authorised person may require...the person by whom or on whose behalf the computer is or has been so used”.
That may be reasonable if the computer is accessible, but subsection (5)(b) refers to
“any person having charge of, or otherwise concerned with the operation of, the computer, apparatus or material.”
Again, amendment No. 229, which is about making any other provision to have access to remove a document from a person in subsection (5)
“having charge of, or otherwise concerned”, brings into play innocent third parties, because presumably the clause is about licences and software as well as kit. Assuming that it is accessible and that it is not extra-territorial, it brings into play operations people, communications people, third-party maintenance people and so on.
There is a final issue with the clause. The document could have been created on a handheld device like a BlackBerry, which is deemed to be a computer, or it could be an attachment to an e-mail created on a handheld device, and that handheld device is no longer used by the taxpayer but someone has charge of it—perhaps a sales rep for the same company based overseas on secondment for three or four months. Amendment No. 229 would allow “any other provision” to be made in connection with removing a document from a “computer” when it is completely inaccessible and may be overseas. Clause 109 in general is right, but amendment No. 229 allows almost anything to happen and I am concerned that it is too wide. There is also an issue of extra-territoriality, given that servers can be hosted almost anywhere and are not necessarily in the same jurisdiction as the person or the jurisdiction where the document was created.
Amendment No. 229 risks widening the scope of investigating people involved to include innocent third parties. It is also unenforceable. Notwithstanding the depth and breadth of clause 109, I am interested in whether the Minister thinks that amendment No. 299, which
“makes any other provision in connection with” taking or making copies and extracting or removing documents from
“any computer and any associated apparatus”, is enforceable. Having read amendment No. 229, I do not think that it can be done, other than through the normal judicial channels of seeking warrants in third-party countries if a web server happens to be hosted elsewhere. I am not sure that the amendment, which would allow other provisions to be made, is not so wide that it undermines and removes the assurances that the Minister gave in debates this morning, particularly in relation to domestic premises that were not business premises that might normally have been searched for documents.
I hope that that makes sense. I have been as clear as I can be. I look forward to hearing the Minister.
Mr. Brooks Newmark (Braintree) (Con) rose—
Before I call the hon. Member for Braintree, can I say that I shall certainly allow a reasonable debate on Government amendment No. 229? However, I should like to debate that in full, put the question on it and then, with the Committee’s leave and permission, put the question on Government amendments Nos. 230 to 233 together. I hope that I have the Committee’s permission to do that.
By the way, since I like to be helpful, there may be two Divisions in the Chamber at 6.30 pm and, with a quarter of an hour for each Division, that could take us up to 7 pm. It is not for me to limit or restrict the debate in this Public Bill Committee, but perhaps in the next few minutes the usual channels might intimate to the Chair what their plans are for the sitting this afternoon.
Thank you, Sir Nicholas, for probably indulging me in what I am about to say. I am thinking in a similar vein to the hon. Member for Dundee, East, because I feel that there are a number of issues that Government amendments Nos. 229 and 230 to 234 do not address. Like the hon. Gentleman, I, too, have a problem with clause 109(3), which I will get to.
I am sorry that the hon. Member for Wolverhampton, South-West (Rob Marris) is not in the room, because his knowledge of background notes is always appreciated in situations such as this. The background note to clause 109 suggests that it is concerned with the standardisation of, rather than with substantive changes to, existing provisions. The note mentions explicitly the review of powers, deterrents and safeguards that were set up during the amalgamation of the Inland Revenue with HM Customs and Excise. However, there is no mention of the many reviews pending into data security, which form the real background to the clause and are a real cause for concern among members of the public and their professional advisers.
As midsummer approaches we are still waiting for Kieran Poynter’s final report on HMRC data loss, promised in the spring, but kicked into touch amid the Prime Minister’s superabundance of bad news. Likewise, we are still waiting for the final review of the Cabinet Office report, “Data Handling Procedures in Government” promised in spring, but also missing in action. The interim report notes:
“It is clear that more can be done to improve trust and confidence about the arrangements in place to protect information in Government... As a first step, Government should commit to enhanced transparency with Parliament and the public about action to safeguard information and the results of that action.”
Nevertheless, Parliament and the public are still waiting. Also in the pipeline is the report by Richard Thomas, the Information Commissioner, and Mark Walport of the Wellcome Trust. Meanwhile, Sir Edmund Burton’s review and recommendations into the MOD’s loss of laptops is as absent as its subject.
I mention all that to question whether this is an appropriate time for a standardisation of HMRC’s access to computer data, considering that its procedures have already been visibly shown to be inadequate. The Government are pursuing the Government’s favourite tactic of conducting a review into everything in order to stave off having to do anything. But there is no sense that any of the Government’s industrious reviewing is feeding back into legislation such as this. At the weekend, the Home Affairs Committee published its report into the emergence of a surveillance society in Britain, which warned of the erosion of trust between the citizen and the state. It noted the potential that the relationship between the two was on the verge of being changed for good.
Given the palpable sense that trust has been eroded, I have a couple of questions for the Financial Secretary. The first concerns departmental spot checks by the Information Commissioner. The Prime Minister announced in November spot checks on departmental application of data protection principles and data handling procedures. How far has that process proceeded and how has the Information Commissioner specifically looked into HMRC’s capacity to handle that kind of computer access situation authorised under the clause?
My second question concerns the Cabinet Office interim report on “Data Handling Procedures in Government”. Paragraph 31, which covers HMRC, states:
“Specific actions already taken include the appointment of a senior official, Director of Data Security, and the appointment of Data Guardians to all areas within HMRC.”
Yet I see no provisions in the clause relating to oversight by the director of data security or the detailed role of data guardians in the operations of these powers. Nor is there an explicit role for the Information Commissioner, despite the Cabinet Office’s report also suggesting that legislative steps should be taken to enhance the ability of the Information Commissioner to provide external scrutiny of arrangements.
The hon. Member for Dundee, East, whom I should like to address as an hon. Friend but cannot for technical reasons, talked about subsection (3). It simply takes us back to the territory of any “authorised person” having a right of access to
“any computer and any associated apparatus”.
I know from my own experience in the private sector that we took our data security very seriously indeed because, if we had not, we would very likely have been sued. I can well imagine that IT managers are not at all pleased with the idea of undisclosed and unidentified, but nevertheless “authorised persons”, being able to root through their systems at will. That would be the position of a member of staff who provided “reasonable assistance” to an authorised person.
There is another issue here. Because the clause talks about apparatus, if one considers best practice in backing up systems and saving data, I can imagine a company or an IT manager being seriously unhappy if a Revenue officer arrived and said, “I am taking away all the back-ups to your system because we believe that somewhere on this in the last six months is a document that we need to see but we are not sure precisely what day you saved it on.” What would happen if there was a catastrophic system failure, the data were in the depths of the HMRC, the system could not be reloaded and the company ceased being able to trade and began to lose money?
As always, the hon. Gentleman raises an important point. People such as him and me, who work in the private sector, understand the practicalities that the Government have failed to address in their amendments Nos. 229 and 230 to 234. There are, perhaps, weaknesses in how they are dealing with issues that have been raised in relation to clause 109. Even if the clause were urgently needed to standardise and consolidate HMRC’s procedures, could not the opportunity have been taken to embed specific provisions on oversight by the Information Commissioner?
My final point is about the emergence of a two-tier system of data security within HMRC. Members of the Committee know that our tax affairs, as Members of Parliament, are looked after by two very helpful ladies who work for HMRC’s public department 1 near Cardiff. The interesting thing about public department 1 is that one lot of its computer records is apparently inaccessible by other authorised persons within HMRC. I believe that colleagues who were on a Select Committee visit to another part of HMRC once tried to look up their details but found that the request was blocked. It seems that even in the tax inspectors’ world, some are more equal than others.
The two-tier arrangement was also brought to light by my hon. Friend the Member for Blaby (Mr. Robathan) in Treasury questions some months ago, when he discovered that Members of Parliament cannot submit their tax returns online like mere mortals because the system is not deemed appropriate for us. The Financial Secretary said:
“There are categories of individual for whom security is a higher priority.”—[Official Report, 24 January 2008; Vol. 470, c. 1626.]
I pursue this line of argument because if there are categories of person for whom security is a higher priority, surely there are also categories of business or transaction that require tighter security. I do not want to try your patience, Sir Nicholas—I am just finishing. Will the Financial Secretary clarify whether there will be similar gradations of risk in the way in which the powers in clause 109 are exercised? Will particularly sensitive businesses or records held by those businesses warrant scrutiny by a more thoroughly vetted authorised person, or will the system be one size fits all? Thank you for your indulgence, Sir Nicholas.
On a point of order, Sir Nicholas. In my opening remarks I raised a technical point and sought clarification from the Minister. There are significant issues to do with clause 109, including representations that have been made by professional bodies such as the Law Society, that have not yet been addressed. I do not think that a lengthy debate is necessary, but I think it would benefit the Committee to debate those issues if we could have that opportunity. Of course, your wisdom is not to be doubted.
Of course, if there is a demand for a stand-part debate, I am obliged to find time for it. If there is one, I hope it will be extremely brief and if there is any way that the hon. Gentleman, during the remarks the Minister is about to make, can seek clarification by way of intervention on one or more points, I am sure the Minister would be very happy to deal with it. Let us see how the debate proceeds.
Thank you, Sir Nicholas. I was conscious of the fact that the hon. Member for South-West Hertfordshire had indicated he hoped for such a debate and I was trying to structure what I was going to say accordingly, but I will try to answer all the points that have been raised in the debate so far, which I thought was particularly well developed by the hon. Member for Dundee, East. He raised a number of very valid questions and I will seek to deal with those as far as I am able.
On the more general points raised by the hon. Member for Braintree, I do not intend to be drawn into a discussion around when we anticipate a report from Kieran Poynter. It is very tempting to respond to some of the details and the sweeping generalisations that he presented, but I will resist the temptation. It may be worth noting that the Exchequer Secretary to the Treasury tells me that information she has received electronically indicates that right at this moment there is a story running that 38,000 customers of the firm Cotton Traders have had their credit card details stolen by somebody who has hacked into its website. The kind of security breach that we saw at HMRC is not, sadly, as rare as it should be, but the responsibility on organisations that hold data, particularly data as important as an individual’s financial information, is very clear and we have made it clear that the recent, well-publicised lapse of security at HMRC means that, for HMRC, data security is at the forefront of everything that it does. One might say that it should always have been so, but it certainly is now.
The Minister is making a statement and has been very open about the failings at HMRC, but there is a fundamental distinction between the public and the private sector. Most private sector data are kept voluntarily and the individuals who are involved work with some sort of provider or some sort of other business. That is in sharp contrast to data kept by the public sector which are kept on a compulsory basis. It is for that reason that there is, and should be, a higher barrier for data kept by the state rather than by private companies.
I absolutely agree with everything that the hon. Gentleman just said and I am sure that the report we will receive shortly will be of immense interest to the House as well as to the public. However, the existing provisions on which this clause is based have not given rise to security problems, there are already powers to deal with computers in the way that this clause is describing and HMRC staff are trained not to operate a taxpayer’s computer in what we might call a “live” environment, in other words, an environment within which the data itself might be affected by the change. The opposite of a live environment would be a safe environment within which the data can be read, but not affected by the individual reading it. That is in order to ensure that there is no risk of data loss.
Clause 109 explains HMRC’s powers where such documents are stored on computer memory or otherwise recorded and it already applies to all taxes, duties and other matters for which HMRC is responsible. Amendment No. 229 responds to a point made by the Law Society to put beyond doubt that clause 109 applies not only to enactments about production or inspection of documents, but also to related provisions. The effect is that, for example, the protections applying to documents that we have already discussed in part 4 of schedule 36 also apply to electronically held equivalents of those documents. The intention is that the protections that apply to those documents also apply to their electronic equivalents. Amendment No. 229 makes that clear.
The hon. Member for Dundee, East questioned whether the provisions of clause 109 go too wide. They do not go too wide as it sits under legislation. For example, protections in schedule 36 apply to requests under clause 109. He also rightly asked what would happen if an individual’s documents were created or held on websites maintained overseas. If the webpage can be accessed from a UK computer, it can be accessed under the power, as long as it is classified as a relevant document in a taxpayer’s power and possession. We have discussed how “relevant” would be defined.
That comes to the nub of the matter. The document is no longer accessible on a computer in the UK, but remains in cache memory somewhere on a web server hosted halfway round the world. Clause 109(3) appears to give authorised people entitlement to check that computer, and the amendment would certainly allow any other provision to do that to be made. That is extra-territorial, unenforceable and possibly illegal. I wonder why we have an amendment that would allow nominally something to happen that could not be done.
I have no reason to believe, from the advice that I have received, that that is not doable, as the hon. Gentleman suggests. I will respond to one or two of his points. Again, there is the tendency to dismiss the role of an authorised person. An authorised person will usually be an HMRC employee who has received appropriate training in information technology. HMRC also has a specialist team available to give advice. Electronic records are no different to paper records when it comes to boundaries and borders. For example, if a taxpayer keeps records in New Zealand, but those records relate to their UK tax affairs, HMRC can ask to see them. If the electronic record is stored offshore but forms part of a UK taxpayer’s records, HMRC can see it. HMRC already has those powers. Officers will not access taxpayers’ computers willy-nilly. They will only do so to view documents needed to check a tax position. Computers will only be removed for forensic examination in a case being considered for criminal prosecution. I hope that that gives some reassurance to the hon. Gentleman.
Amendments Nos. 230 to 234 correct a drafting error in that subsections (2) and (3) refer to provisions to which the clause applies. The amendments are necessary to ensure that the provision works as intended.
I make one final point regarding the hon. Gentleman’s very real concerns. HMRC officers can travel abroad only with the agreement of another country’s tax authority. Otherwise, HMRC has to ask another country to use its power to access the information. I hope that he will accept that the process is highly regulated and subject to scrutiny.
I appreciate that there will be a further debate, if members seek to catch your eye, Sir Nicholas, so I will curtail my comments. I hope that I have sufficiently answered the questions on our amendments to the clause.
Amendments made: No. 230, in clause 109, page 68, line 26, leave out ‘A provision’ and insert ‘An enactment’.
No. 231, in clause 109, page 68, line 27, leave out ‘provision’ and insert ‘enactment’.
No. 232, in clause 109, page 68, line 29, leave out ‘provision’ and insert ‘enactment’.
No. 233, in clause 109, page 68, line 37, leave out ‘a provision’ and insert ‘an enactment’.—[Jane Kennedy.]
‘an officer of Revenue and Customs,’.
Many of the wider points that I wished to make about the drafting of the clause have already been touched upon, so I shall make a concise contribution. The amendment would change the definition of an “authorised person” in subsection (9), so that instead of the commissioners being able to authorise a class of person, which would mean that they could allow anyone, even outside contractors or untrained individuals, to undertake the work in question, only an officer of Revenue and Customs could access and inspect information.
The purpose of the amendment, as I am sure is obvious to the Committee, is to define more tightly the category of people who will be able to access potentially sensitive information. My view, and that of my colleagues, is that that would go a long way towards addressing many of the concerns that people have rightly expressed about the sensitivity and privacy of a lot of the documentation that HMRC will be examining. We believe that it would be more appropriate for a more limited and defined category of inspectors to have access to that information.
In light of the amendment, may I ask the Financial Secretary why we have in the clause a definition of “authorised person”, rather than of “authorised officer”, which is used in schedule 36? No doubt she will pick up that point in responding to the hon. Member for Taunton.
I have two practical questions. First, will any guidance be produced to explain how the definition of “authorised person” will be applied and exactly whom we are talking about? Secondly, if a taxpayer is having their computer checked by someone performing the powers in the clause, how will they be able to ascertain whether the representative of HMRC or other person is an authorised person? What comfort will the taxpayer have in those circumstances that he or she is dealing with an authorised person?
Those were thoughtful questions. The amendment deals with a matter that I started to explain in my response to the debate on earlier amendments. As I said, an authorised person will usually be an HMRC employee or officer who has received appropriate training in information technology. HMRC also has a specialist team available for advice. However, there may be exceptional circumstances in which it is necessary to engage a specialist agent from outside HMRC. The clause is drafted to enable that to be done. That answers the question why we are using the word “person” rather than “officer”. It would apply if a taxpayer’s record keeping systems were of a kind that HMRC did not have the necessary internal expertise to check. I can envisage a number of circumstances in which that would happen, but it would be rare.
Appropriate steps would necessarily be taken to ensure that the taxpayer was certain of the legitimacy of the person concerned and that confidentiality was maintained. I shall want to give some thought to the exact question I was asked, which was how they will know that. I will respond to the hon. Member for South-West Hertfordshire later, perhaps in writing if he will allow me to do so. It was a sensible question and was rightly put. HMRC will want to be very clear about how that legitimacy will be determined. I hope that the amendment will not be pressed to a vote.
I have some concerns about the Financial Secretary’s assurances, not just on this amendment, but throughout the Bill. She gives them entirely in good faith, but they rely on guidelines and the good will and decency of HMRC and its employees, rather than on being defined in legislation. Having made that point, I beg to ask leave to withdraw the amendment.
I have received information through the usual channels that they will seek to go on after 7 o’clock. If there are two Divisions of 15 minutes each, that will take us to 7 o’clock. I say to the Committee and to the usual channels that I will have been in the Chair for three hours at 7.30. If it is the intention to adjourn the Committee at approximately that time, which is up to the Government Whip, I am happy to give the leeway of a few minutes. Other than that, I shall allow a break for dinner and refreshment. Does the Government Whip wish to comment on that?
Indeed, and I will read it to the Committee:
“Sir Nicholas, It is my intention to make up today all the time lost through Divisions in the Chamber. I have agreed this with the Opposition.”
I have indicated my intention, whether or not the Committee can meet that. I think that after three hours’ debate a break will be appropriate.
Bearing your strictures in mind, Sir Nicholas, I will keep my comments as short as possible. Clause 109 contains powers for HMRC to gain access to computer records. It works on the basis that documents stored on computers or copied to another form of electronic media should be treated as though they are documents or copies themselves. That seems a perfectly reasonable way to deal with the matter.
Subsection (3) gives an authorised person powers to
“obtain access to, and inspect and check the operation of, any computer and any associated apparatus”.
There does not appear to be any limitation on that power. Computer records are equated with documents and there are protections with regard to the production of documents, which we have been debating. However, those protections do not appear to apply to the powers to inspect and check the operation of computers. First, why are those protections not in place? Secondly, is it the intention that guidance will restrict the operation of subsection (3)? Thirdly, as she has done during the debates on part 7, will the Financial Secretary provide some comfort to the Committee by setting out how HMRC will operate these powers in practice to ensure that individuals whose records are held on computer as opposed to hard copy are not disadvantaged? I would be grateful for the Minister’s response, either now or after a few moments, when she may have had an extended opportunity to think about these questions and then inform the Committee.
Clause 109 forms part of a package of measures stemming from the review of powers, and, in essence, brings together existing provisions in two separate Acts, one applying to the former Inland Revenue, and the other to Customs and Excise. It ensures that documents include electronic versions of documents, and allows HMRC access to computers holding information required for a tax check. The hon. Member for South-West Hertfordshire asked whether guidance will follow the legislation. Indeed it will. We are bringing together two existing provisions, and where existing guidance is not adequate, new or amended guidance will be published, on which we will, of course, consult.
The clause extends beyond schedule 36 matters and applies to other taxes, to excise and to criminal prosecutions, hence the understandable concerns expressed in Committee. The hon. Member for Cities of London and Westminster sought a broader statement of the intent behind the clause. All the safeguards in schedule 36 prevent the clause from being used to bypass protections applying to written documents. When HMRC wishes to gain access to computers, as opposed to written documents, I would expect it to telephone the taxpayer and make the request, in the way discussed earlier, and to agree a time at which to inspect or remove the documents. In so far as it is possible, that will be done with the co-operation of the taxpayer. Where it is not agreed, the safeguards that we debated in earlier clauses will apply equally to the treatment of computers.
The only change is to the penalty provisions. The existing law has worked well, having first been introduced in 1985, which means that it predates this Government. However, it is important that I say a word or two about the penalty requirements. The Government amendments that bring together the equivalent provisions elsewhere in legislation will realign the separate penalties for obstructing an HMRC officer. The maximum penalty has been set at £300—lower than the previous maximums. Under the former Inland Revenue provisions, the penalty was £500, and under the Customs and Excise provisions, obstruction or failure is a criminal offence with a penalty, on conviction, of £2,500, which is a significant sum of money—a level 4 penalty on the standards scale. A fixed penalty is more easily understood and fits better with other HMRC fixed-penalty provisions. In the case of a serious obstruction, it would still be open to HMRC to prosecute under section 31 of the Commissioners for Revenue and Customs Act 2005. It would make sense to have a single, aligned provision dealing with access to computer records and would represent a simplification in that the two existing provisions will be repealed.
May I again seek to assist the Committee in the longer term? We are expected to conclude our deliberations on 19 June, which means that we will have six sittings left after this one. Because I am involved with the selection of amendments, I know that a considerable number of amendments have been tabled by the Government towards the end of the legislation, and that a considerable number have also been tabled by Her Majesty’s Opposition.
I hope that colleagues are aware of the expectation that we should complete by 19 June, and, if that is the case, that they will consider how they handle the rest of the Bill, and whether every speech is necessary or merely padding out the debate. I do not want to limit the debate. I want proper debate, but I want debate on the issues that are of importance to the Bill, and particularly to Her Majesty’s official Opposition and other Opposition parties.