I welcome you, Mrs. Anderson, and all members of the Committee back to our consideration of the Bill.
I will urge that clause 42 does not stand part of the Bill on the basis that we intend to replace it with new clause 14. Clause 42 allows Her Majesty’s Revenue and Customs to share information with the Pensions Regulator to enable the regulator to perform its compliance activities. That data sharing is crucial in making sure that employers comply with the new duties created in the Bill. It is vital that the Pensions Regulator is aware of all employers who should register and how to contact them, if required. HMRC is the best source of this information because of its pay-as-you-earn activities. Clause 42 also allows HMRC to share information about non-compliance that it has collected through tax and minimum wage activities. This will help the Pensions Regulator to identify which employers are more likely not to comply with their duties.
However, the Government recognise that clause 42 has room for even tighter safeguards. In particular, under the clause, it would be possible for the regulator, or its agents or contractors, to disclose onwardly information received by them from HMRC without being in breach of the law. We have therefore tabled new clause 14 to replace clause 42 and address its deficiencies.
New clause 14 would make it even clearer that while the Pensions Regulator can make full use of transferred HMRC data for its internal functions, the onward disclosure of that data by the regulator would be prohibited in all but a defined set of five specified circumstances: first, when HMRC’s authorisation for onward disclosure has been obtained; secondly, when the data are needed for any criminal proceedings; thirdly, when the regulator is involved in proceedings, including civil proceedings, under its existing and new powers; fourthly, when the disclosure enables or assists the Pensions Regulator to carry out its functions; and, fifthly, when the data have been anonymised.
New clause 14 would also streamline legislation providing for data sharing between the two bodies. HMRC already shares information with the Pensions Regulator to assist with the regulator’s existing functions. However, a single gateway for data flow from HMRC to the Pensions Regulator would be both more transparent and more elegant than adding multiple patches to the old gateway set out in the Pensions Act 2004. New clause 14 would replace the existing gateway between HMRC and the regulator with one that would allow the flow of data for the regulator’s old and new functions. There would thus not be the difficulty of having information flowing from HMRC to the regulator through one of two separate gateways—there will be just one.
Furthermore, the new combined gateway will improve the regulator’s ability to carry out its existing functions, making clearer the ways in which it can and cannot onwardly disclose data received from HMRC. I am sure we will have a little fun on data—no doubt we can look forward to that—but the new clause is the result of our looking very carefully at the wording of the old clause 42 and taking a view that we could tighten it up to ensure that things were clearer. I hope that the Committee will be able to support the removal of clause 42 and, in due course, the insertion of new clause 14.
May I also welcome you back to the Chair, Mrs. Anderson?
Conservative Members called for proper sharing of information between the regulator and HMRC in earlier debates because we wanted it to be as easy as possible for employers to provide the required information to the authorities. We thus completely support the principle of new clause 14 and understand the reasons why the Minister wants to delete existing clause 42. He is right, however, that I will ask him about security, in particular with regard to data-sharing. Will there be secure transmission? Will the data be encrypted when they are passed from one organisation to another? This is extremely personal and private information about how much people have paid, how long they have worked somewhere, when they started, their home address, and so on. In the light of recent events, we seek as much reassurance as possible from the Minister.
I am following my hon. Friend’s argument intently. Did he see, as I did the other day, that the Ministry of Defence is apparently banning its staff from removing laptops from the building? That defeats the object of having a laptop, to an extent, but does he think that there should be a similar rule for these data?
My hon. Friend is absolutely right that laptops are extremely vulnerable. They can be left on trains and they can be stolen from cars, which has happened quite a lot recently. That is exactly the sort of practical detail relating to the passing on of these data on which it would be good to have reassurance from the Minister. The data would include the pay details of up to 7 million of our fellow citizens. Were something to go wrong, it would be on the scale of the child benefit data loss earlier in the year. The Committee is owed a full and detailed explanation of how the security will be planned, so I look forward to the Minister’s response.
It is a pleasure to welcome you back to the Chair and to serve under your chairmanship, Mrs. Anderson.
Having heard the Minister, it is clear that new clause 14 is a significant improvement on clause 42, so we endorse his plan to substitute clause 42 with that new clause. It is clear that the motivation behind that is to ensure that there are appropriate safeguards for how the Pensions Regulator can make onward use of the information, which makes a lot of sense. The five reasons why the Pensions Regulator may distribute information onwards also make sense and fit with the proper discharge of its functions in the context of the Bill.
It would be useful to hear more from the Minister on the point that the hon. Member for South-West Bedfordshire mentioned about the safeguards for the practical transfer of data. This is not a question of having fun. I think that over the past two or three months, not just HMRC, but other Government organisations, have lost 33 million pieces of data, sometimes in small numbers and sometimes in large numbers. It is not just central Government, because the Scottish Government have had similar failings, so there is clearly a problem with those processes across Governments.
Will the Minister tell the Committee—it will go on record in case the issue ever has to be considered again—what importance he attaches to safe and secure procedures? For example, does he envisage that the data would need to be encrypted before transfer to the Pensions Regulator? The procedure of CDs changing hands through the post with alarming frequency has been criticised several times, not least in the Government’s own review of the matter. Does the Minister set the highest store by ensuring that the procedures are as secure as possible? While the scale of potential data loss might not be as large as in previous cases, the loss of even one piece of datum is none the less one piece too many. Can the Minister give the Committee further reassurance on the practicalities behind the new clause so that it may be welcomed?
First, it is vital to ensure that data are transferred safely and securely. That is even more the case in the light of security breaches in recent months at HMRC and elsewhere. However, let me put the sort of data we will need in context. We will need the names and contact details of employers, the numbers of employees working for those employers and the numbers of people in pension schemes. We might need the names and national insurance numbers of those employees, but that would probably not be necessary in the vast majority of cases, and perhaps only when the regulator was carrying out a more detailed investigation. Therefore, the data being transferred will contain somewhat limited details.
It is still important, however, that the procedures for data transfer covered by the Bill are carefully developed and agreed in the coming years so that we can ensure that this is done properly. Those procedures will be informed by the outcome of various reviews that the Prime Minister commissioned following the HMRC data handling issues. We want to ensure that there is good data safety in government and that the framework of the Data Protection Act 1998 works. However, it is important that the legislation is sufficiently flexible to allow operational procedures to be refined in the light of reviews and best practice that are applicable to both HMRC and the regulator.
At present, the regulator’s procedures include electronic transfer, when possible, and encryption, when disk transfer is used. HMRC’s procedures already involve measures such as the monitoring and logging of access and the protection of physical transported media. HMRC’s procedures have been newly strengthened to include using automated electronic transfer whenever possible, encryption when physical transfer is needed, and approval of any significant bulk transfers from a senior member of staff.
In addition, the Data Protection Act sets out the framework enforced by the Information Commissioner and the courts, and continues unaffected by the Bill. Therefore, there are new procedures coming into effect to deal with this issue of data transfer. Current reviews have identified changes that need to be made, and we have four years to ensure that they are put in place. Any subsequent reviews that occur during the coming years will also be able to identify and set out any further changes that might be needed. We have the time to put those in place.
I can give a lot of reassurance on transferring data because of the long lead-in time. Current procedures will be applied, and any further new procedures that enable us better to secure the transfer of data can be put into place in the run-up to 2012. With those reassurances, I hope that hon. Members will be able to approve the changes that I have suggested.