Clause 2 - Low or no reasonable expectation of privacy

Investigatory Powers (Amendment) Bill [Lords] – in a Public Bill Committee at 11:45 am on 7 March 2024.

Alert me about debates like this

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security) 11:45, 7 March 2024

I beg to move amendment 14, in clause 2, page 3, line 18, at end insert—

“(1A) This section does not apply to a bulk personal dataset unless it has been published in accordance with the Data Protection Act 2018.”

This amendment would ensure bulk personal datasets with low or no expectation of privacy have been published lawfully and in accordance with General Data Protection Regulation (GDPR) set out in the Data Protection Act 2018.

Photo of Judith Cummins Judith Cummins Labour, Bradford South

With this it will be convenient to discuss amendment 21, in clause 2, page 3, line 34, at end insert—

“(4) By way of example, bulk datasets of images obtained by CCTV and bulk datasets of Facebook posts are not to be considered datasets where the individuals to whom the data relates could have no, or only a low, reasonable expectation of privacy.”

Probing amendment regarding the scope of “low or no reasonable expectation of privacy”.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

May I reflect on my gentle amusement at hearing the Minister’s remarks about a former shadow Security Minister and his onward passage to becoming Leader of the Opposition? I know that these are matters on which he speaks with great authority.

We have already had very helpful contributions from two senior Intelligence and Security Committee members. Questions about the meaning of “low or no reasonable expectation of privacy” in relation to BPDs have been raised throughout the Bill’s progress in the other place and on Second Reading in this House, including by members of this Committee. The amendment seeks to probe the meaning of the phrase, but I should be clear at the outset that I do not intend to divide the Committee on this or any other amendment on which I intend to speak.

I will set out two scenarios. It would be genuinely helpful if the Minister could clarify the limits to the factors relating to the Data Protection Act 2018. The first scenario is where the data can be attributed to a leak that, although unintentional, resulted in the unconsented publication of personal information in the public domain. Would a leak of the personal details and working patterns of the staff of Members of this House—a number of hon. Members will remember the one that happened in March 2017—be subject to a low or no reasonable expectation of privacy?

The second scenario is the deliberate and unlawful publication of personal information into the public domain. If there were a hack resulting in the unlawful publication of personal information into the public domain, would that information also be subject to a low or no reasonable expectation of privacy? Data breaches of that nature occur regularly: the personal information of more than 2 million Duolingo users was compromised last year. A user’s mastery of French verb conjugation is unlikely to be of interest to anyone, with the possible exception of our friends over the channel, but other personal information could be. The Duolingo data was put up for sale on the dark web, so it might be regarded as third party BPDs. It is important that the Minister clarifies the meaning of “low or no reasonable expectation of privacy” in relation to those two scenarios.

Labour Members are not opposed to the concept of “low or no reasonable expectation of privacy” in relation to BPDs. We want to ensure that the police and security services are not unnecessarily limited in their intelligence gathering, but there need to be parameters for what is considered fair game. There must be clarity on important definitions relating to personal data. I hope that the Minister will respond in the constructive spirit in which the amendment was intended.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

Clause 2 will remove the need for further judicial authorisation for personal dataset retention and examination if the datasets are deemed to fit into the low or no category, for which there is already authorisation, or if there is urgency. Many personal datasets can be contained within one warrant, so we have lots of questions about how proposed new part 7A will work. Amendment 14 demands an explanation of how the regime fits alongside data protection standards and how it applies to leaked and hacked datasets, as opposed to those that are lawfully obtained.

Our amendment 21 simply seeks to push the Minister to give examples of personal datasets that would be considered to have a low or no reasonable expectation of privacy. I refer hon. Members to a letter from the Chair of the Joint Committee on Human Rights, my hon. and learned Friend Joanna Cherry, which has been shared with us all:

“There is perhaps some ambiguity or confusion as to what data is envisaged to be caught by these provisions. For example, is it merely online encyclopaedias, Companies House registers or news articles; or would it also cover, for example, quite extensive discussions over the internet or mass voice or face images, as has been mentioned in evidence?”

That is the question that we are getting at here.

The whole concept of a reasonable expectation of privacy seems to have been borrowed from the US, where it has been criticised for permitting fairly intrusive surveillance at quite a considerable scale. To my mind, it difficult to grasp the concept or even understand how the test to be applied. It is bad not just for citizens in general, but for people who are having to make these decisions who are not absolutely clear whether or not they can consider a set of data to have a low or no expectation of privacy.

Would bulk datasets of CCTV images or Facebook posts be no/low? How can someone assess whether a bulk personal dataset falls into the category if they do not know all the information within it because they cannot see it until they have a warrant? If the dataset contains information about many thousands or millions of people, with different types of information about different people, how can there be one single level of expectation? People with a low expectation of complete privacy might reasonably have a high expectation that their data will not be retained and processed by the intelligence services.

Why is the sensitivity of the data not expressly mentioned in the Bill? That should surely be pivotal, particularly if the Government want to operate within our human rights obligations. There is no clarity in the Bill to reassure us that sensitive information such as health data would absolutely not be captured by these provisions. Why could that not be on the face of the Bill? Why is publication the important factor instead? Publication in the context of small Facebook groups, for example, does not mean that there are no expectations that security services would not hold that information.

Again, the US precedent is alarming. The Supreme Court rulings appear to suggest that as soon as someone shares any information with a third party, they are giving up on any expectation of further privacy. Making a phone call means that someone is sharing information with a third party about who they call, and it is therefore no longer private. That seems to me a dangerous approach when virtually everything we do involves sharing information with a third party.

I am very worried about how the clause could be interpreted. I absolutely understand the reasons why the powers have been sought, but I very much fear that the way in which the provisions have been drafted will leave them open to some rather more frightening propositions.

Photo of Kevan Jones Kevan Jones Labour, North Durham 12:00, 7 March 2024

My hon. Friend the Member for Barnsley Central has been trying to put a definition around this. That needs to happen. If it is not to be in the Bill, the Minister needs to put on the record exactly what his expectations are, because I can see this being challenged in court. Courts are very good at looking back at what is said and what is actually meant in Parliament, so it is quite important.

There are certain categories that no one has any problems with: open Companies House registers are available to anybody, for example, and so is the open electoral register. But how will the closed electoral register be dealt with? I would argue that people who want to be on the closed register would think that there was a reasonable expectation that that data would not be shared. We know that it is, but somebody might challenge that.

Likewise, there are telephone directories. I am not sure whether they are produced any more. Perhaps I am old-fashioned—I am showing my age now. [Interruption.] Well, I am sure they still exist in a digital format. Those who are old enough to remember will know that there was an ex-directory option for people who did not want their name published; someone could make a conscious decision that they did not want their private phone number to be in the public record. Now it must be all online, but how will that be dealt with? With a directory on which everyone’s number is publicly available, I would think that there was a reasonable expectation that that was public data; I think everyone would assume that. Where they are ex-directory, however, I think most people would reasonably expect their data not to be shared with anybody.

“No expectation of privacy” is very clear—it means things that are publicly available—but “no reasonable expectation” is a dance on the head of a pin. People’s interpretations of what is reasonable will be different. I am reassured that the agencies have protocols for dealing with that, and I am not suggesting for one minute that they will be on fishing expeditions, but we need some clarity on what it all means.

The hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East made a point about Facebook and other types of social media. For those who are interested, my “North Durham morning” posts are on Instagram, Facebook and Twitter, or X. I have been doing them for many years.

Photo of Peter Dowd Peter Dowd Labour, Bootle

Very nice they are, too.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I have no reasonable expectation that those posts are private. I am not suggesting that the security services will want to look at North Durham mornings, but those posts are something that I have put in the public domain. That is fine, but it is different from what the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East was talking about. We might share a photograph or information on a small Facebook group, but do we expect everyone to have access to it? I am not sure that we do. Where does that fit into the definition of “reasonable expectation”? Would the individual think that it was available? That is the point.

Photo of John Hayes John Hayes Conservative, South Holland and The Deepings

The right hon. Gentleman is making a persuasive argument about public expectations of what is reasonable versus what the Bill says and what the agencies do. He is right that there are good operational validations through the agencies’ protocols, but perhaps the best way of explaining the marriage between expectation and what is real would be by example. It would be helpful to hear some examples from the Minister of how the powers that are currently used, and those that will be used under the Bill, are necessary and proportionate; for all these things are about necessity and proportionality. By example, we can probably put this matter to bed.

Photo of Kevan Jones Kevan Jones Labour, North Durham

Yes. A point was also raised about leaked data. If something is leaked on the internet or any other portal and everyone has access to it, do we then assume that the security services think that it comes under “reasonable expectation”, even though the individual whose data it was perhaps did not want it out there?

I accept that under proposed new section 226B(4)(b),

“the authorisation is necessary for the purpose of the exercise of any function of the intelligence service”, which is fine. I do not think that people will go on fishing expeditions—we will come on to that issue later— but I note that the phrase “economic well-being” appears later in the Bill, but not in this part. When I have raised the point before, the Government have argued that the phrase is used in other legislation and that they want to be consistent.

If nothing is to be changed in the Bill today or on Report, the Minister needs to put something on the record so that it when somebody challenges this provision in future, which they will, the Government’s intention is clear now and can be interpreted later.

Photo of Owen Thompson Owen Thompson SNP Chief Whip

I will be brief. I back up the comments of the right hon. Member for North Durham: much more needs to be done to define clearly what we mean by “low or no”. In many ways, separating the two out would make everything clearer. Everybody can tell what “no expectation of privacy” means. It is when we get to low expectation of privacy that we have debates: “Is it this or is it that?”

The factors considered in determining whether something qualifies as low or no include

“the extent to which…the data has been made public”.

If there is no expectation of privacy, that is obvious, so I do not understand why we cannot have more clarity and say, “This is what we mean by no expectation of privacy, and this is what we mean by low.” It might be fine for us in this room to have an understanding of what we mean, but there needs to be public understanding.

We all know that every time we go on any website, we are asked to click to accept the cookies, and sometimes we cannot progress any further unless we do. Data is being gathered left, right and centre. With the best will in the world, not everyone reads every single line of the terms and conditions. We need to be absolutely clear about exactly what we mean so that legal challenges do not occur down the line.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

Before I address those points, I want to address the shadow Minister’s somewhat contentious argument that learning French is not a security issue —that was a bold innovation from him.

The points that have been raised are essential to understanding exactly why the Bill is so important. I will cover the “no” and “low” areas separately, for the reason that the hon. Member for Midlothian touched on. We all know what no expectation is; that has been largely covered, and the reality is that even the slightly more restricted version of the electoral register is shared with political parties, as the right hon. Member for North Durham knows.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I agree with the Minister on party access— we get access to it, for example. However, does the person who ticks that box and takes their name out have a reasonable expectation? Do they know that it is being shared? No, they do not.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

That is what I was going to say. Although the register is not publicly available and therefore would not fit in this category, that is where we get to the line. The “no” is for publicly available data, and that is relatively clear.

The “low” comes in areas such as the idea of leaked papers, which somebody raised—forgive me, I cannot remember who. That is where the Bill sets out terms under which datasets should be considered, because of course it is impossible for me to give an answer that applies to every single dataset into the future. One example that came up recently, as right hon. and hon. Members will remember, is the Panama papers. One would not argue for a second that the people listed in those papers had an expectation of openness initially. However, after those papers had been published and republished over many years, at what stage do we really think the expectation of privacy is maintained?

That is where the dataset becomes low expectation. We have set out the oversight regime in another area of the Bill, but I will touch on it. The Investigatory Powers Commissioner has a range of responsibilities, the judicial commissioners have other responsibilities for approving warrants and IPCO has responsibility for overseeing the regime. That is where that is addressed—in slightly ways at each moment of influence and each moment of power, but everything is covered.

Photo of Kevin Foster Kevin Foster Conservative, Torbay

I am interested in the Minister’s example of the Panama papers. As he rightly says, when those papers were originally held by a bank or a financial institution, there would be an expectation of privacy. However, he is alluding to where they are sourced from. Those papers have been freely circulating on the open internet and anyone can download them, and it is at that point that the low or no expectation would come in. Rather than the nature of the document itself, it is the fact that it is easily available online that matters.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

My hon. Friend is absolutely right. The reality is that once papers are effectively public, the argument for privacy somewhat falls away. That is exactly where we are getting to in this area, which is why we have looked at how to oversee it and the different elements within it. Part 7A explains the oversight regime clearly and section 226A really gets to the nub of it.

It is important that we focus there, where the argument comes back to the essential element: when considering whether intelligence services have applied the test correctly, the judicial commissioner will apply the same principles that a court would apply on application for judicial review. We therefore have an internal legal process overseeing this before it would even get to any legal challenge. That is why it is more robust than some voices have gently suggested, and covers many of those internal challenges.

Amendment, by leave, withdrawn.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

I beg to move amendment 22, in clause 2, page 4, leave out lines 27 to 30.

This amendment is consequential on Amendment 23.

Photo of Judith Cummins Judith Cummins Labour, Bradford South

With this it will be convenient to discuss the following:

Amendment 23, in clause 2, page 5, leave out lines 1 to 14.

This amendment would remove proposed new section 226BA, thereby removing the ability to grant “category authorisations”.

Amendment 24, in clause 2, page 5, line 17, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 25, in clause 2, page 5, leave out lines 23 to 25.

This amendment is consequential on Amendment 23.

Amendment 26, in clause 2, page 5, line 34, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 27, in clause 2, page 5, line 39, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 28, in clause 2, page 7, line 3, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 29, in clause 2, page 7, line 27, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 30, in clause 2, page 8, leave out lines 6 to 15.

This amendment is consequential on Amendment 23.

Amendment 31, in clause 2, page 8, leave out lines 19 to 23.

This amendment is consequential on Amendment 23.

Amendment 32, in clause 2, page 8, line 37, leave out “or a category authorisation”.

This amendment is consequential on Amendment 23.

Amendment 33, in clause 2, page 8, line 41, leave out from “authorisation” to “they” on page 9, line 1.

This amendment is consequential on Amendment 23.

Amendment 34, in clause 2, page 9, leave out lines 14 to 16.

This amendment is consequential on Amendment 23.

Amendment 35, in clause 2, page 9, leave out from the beginning of line 38 to the end of line 13 on page 10.

This amendment is consequential on Amendment 23.

Amendment 36, in clause 2, page 11, leave out lines 17 to 29.

This amendment is consequential on Amendment 23.

Amendment 37, in clause 2, page 11, leave out lines 32 and 33.

This amendment is consequential on Amendment 23.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

First, unless I was distracted, I do not think I got a specific answer on the types of data mentioned in the amendment—for example a Facebook post, CCTV footage or anything else.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

Those are covered under sensitive data areas; they would not be covered under bulk personal data. The hon. Gentleman also mentioned health data, and he is absolutely right that I did not answer that. I should be absolutely clear: it is hard to envision a case in which health data would be considered “low or no”, unless it was of very ancient historical standing, or there were other exceptional reasons.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East 12:15, 7 March 2024

I am grateful for that. Could the Minister perhaps follow up on that in writing? That is useful to have on the record.

This discussion is mainly about amendment 23; the other amendments are all consequential. Basically, the amendments would remove the concept of category authorisations from the Bill. Again, I take the same approach as the shadow Minister; I will not be pushing any of these amendments to a vote, but they are designed to probe and allow for debate on some of the important concepts in the Bill.

It is this clause, and the notion of category authorisations, that leads to the restricted judicial oversight of the “low or no” categories that are being retained. It would be useful for the Minister to give us an example here of what a category authorisation might look like. I am not on the ISC, so it is hard for me to understand exactly how broadly they might be drafted. I absolutely appreciate that there are operational reasons why the Government might have to be careful about the examples they give. However, to provide some reassurance, I am sure it would be possible to put on record what one of these authorisations might look like, just so we know how broadly they will be drafted, or indeed how focused they will be.

The Minister spoke a little about oversight at the end of his previous contribution, but it is the oversight of category authorisations that causes me some concern. The tests for a category authorisation set out in proposed new section 226BA of the Investigatory Powers Act 2016 are simply that it must be classed as “low or no” and that the decision has been approved by a judicial commissioner. There are none of the other tests that are set out for the individual authorisation, such as it being necessary for the

“exercise of any function of the intelligence service,” that it

“is proportionate to what is sought to be achieved,” or that there are various arrangements in place.

It seems to me that the degree of oversight at the stage of granting a category authorisation is far more restricted. That has a knock-on consequence: when the judicial commissioner comes to review the granting of a category authorisation, they are only then considering whether it applies to a “low or no” group of datasets. The judicial commissioner, even on the low-level judicial review criteria, does not look at whether the category authorisation will be necessary or proportionate, or any of the other tests for the other authorisation.

Photo of John Hayes John Hayes Conservative, South Holland and The Deepings

I do not want to do the Minister’s job for him, because I am sure he will say this anyway, but when an application is made by an agency for the acquisition and retention of bulk personal datasets, a specific case needs to be made in the warrant application, and a particular case has to be made where that application applies to exceptional material. That case is considered through the double-lock mechanism by both the judicial commissioner and the Minister. That case needs to specify the reason that it is necessary for operational purposes.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

It is useful to have that explanation. I understand that is the existing process, as the 2016 Act applies just now. However, my simple question concerns the fact that that does not seem to be what is set out here.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

I will just answer that directly, as the hon. Gentleman seems to be running away with this issue slightly. The test set out in proposed new section 226A still applies to all datasets. It is not removed; it goes through the whole thing.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

That is useful to know. I will pray in aid the fact that we did not have any witnesses; anything I say that is daft, and anywhere that I do not understand how the Bill operates, I will blame on the lack of witnesses.

That is useful to know. I will go away and look at that and make sure that that all makes sense to me. That just leaves me with my earlier request: can we have some examples of what a category authorisation looks like? I can imagine that they could be incredibly broadly drafted, but they could also be very narrow. It would be useful to get a better understanding of how they will operate.

My final point is that the Government’s case appears to centre quite largely on using the material for machine learning. We have heard about language, online encyclopaedias and whatever else. If nothing else, why not use this streamlined process on that category of information and keep the existing processes in place for everything else?

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

I welcome the spirit in which the hon. Gentleman approaches this issue. He is asking important questions, and I do not challenge at all the validity of the way he has approached the issue; in fact, I should put on record that I am grateful for the way the whole House, and this Committee in particular, have approached it. It is important that any questions that any Member has, particularly the questions honourably and reasonably raised by the hon. Gentleman, are addressed.

The hon. Gentleman’s question on category authorisation is important, because the individual authorisation authorises the retention or retention and examination of a bulk personal dataset, to which part 7A applies. In other words, for every individual dataset there will be an individual authorisation. The normal rule is that each individual authorisation must be approved in advance by a traditional commissioner, as my right hon. Friend the Member for South Holland and The Deepings quite rightly addressed.

A category authorisation does not itself authorise the retention or retention and examination of a dataset; rather, the category itself is the means by which the normal rule of prior judicial approval may be disapplied in respect of the individual authorisation of datasets that fall within the description approved by the category authorisation. As the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East knows, that allows for the internal authorisation of an individual dataset that falls within an existing category. By definition, those categories are narrow enough to be identifiable but large enough to be useful. The reality is that that must be done on a case-by-case basis, but under the watchful eye of not just the unit within the intelligence service that requests it, but a senior officer in that service and a judicial commissioner.

That oversight means that we have an effective way of ensuring that we are able to use bulk personal data as categorised in different areas in a speedy fashion to enable the detection and prevention of harm, but with the oversight regime that the hon. Gentleman quite rightly expects of any apparatus of the state. The intelligence services in particular, for reasons of operational necessity, operate in the shadows, and therefore require an extra guarantee of reliance.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

I will go away and consider what the Minister said. Our basic issue here is that a process is in place whereby every single individual dataset must be approved and have the approval and authorisation of a judicial commissioner. Under this scheme, if there is a category authorisation and then an individual authorisation under it, there will not necessarily be any involvement from a judicial commissioner. That is the bit that we have an issue with.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

May I come back straightaway on that? To be clear, category authorisations are reviewed by IPCO at the very latest a year—12 months—after the authorisation, but they could actually be reviewed at any point. I am afraid the idea that a category authorisation stands forever just because it has been allowed is not accurate—I know that is not what the hon. Gentleman is suggesting. The judicial commissioner would have oversight of the wider category authorisation, and the IPCO review means that the whole thing is checked at the very latest every 12 months, and probably more frequently than that.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

Again, I get all that, and I do not think that we are really at cross-purposes. However, we are talking about 12 months of access to datasets without necessarily having them before a judicial commissioner.

I do not think that anyone disputes that this is a slightly weaker form of oversight, which is because the services want to access this material at scale and regard the existing oversight mechanisms as cumbersome, slow and whatever else. We still ask the question of whether there is another way to do that that would still involve judicial commissioners but happen much more randomly and at scale. However, we will go away and consider that. I repeat my request—I know it is not easy—for some examples to reassure members of the public on how exactly this will work. That would be useful. In the meantime, I do not intend to push the amendment to a vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

I beg to move amendment 15, in clause 2, page 5, line 14, at end insert—

“(4) The head of an intelligence service, or a person acting on their behalf, must notify the Investigatory Powers Commissioner as soon as is reasonably practical after a decision has been taken to include a bulk personal dataset within a category authorisation in effect under this section.”

This amendment would require that the Investigatory Powers Commissioner is notified when a new bulk personal dataset is added by an intelligence agency to an existing category authorisation.

Photo of Judith Cummins Judith Cummins Labour, Bradford South

With this it will be convenient to discuss amendment 38, in clause 2, page 11, line 21, at end insert—

“(1A) The report provided under subsection (1) must include an annex listing the bulk datasets retained or retained and examined under each category authorisation granted during the relevant period.”

This amendment would require information about the scale and nature of use of category authorisations to be provided to the Intelligence and Security Committee.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

The issue of closing the gap between adding a bulk personal dataset to an existing category authorisation was raised on Second Reading by my right hon. Friend the Member for North Durham, who has a long-standing interest in these matters. I agree with the argument he made on Second Reading and the simple solution he proposed to close the gap: a one-line email to the Investigatory Powers Commissioner as soon as reasonably practical.

Any such email would not be seeking real-time approval and would not necessarily be reviewed by the Investigatory Powers Commissioner in isolation, but rather as part of a wider trend of what is being added to existing category authorisations. Labour does not seek to create additional work for the men and women who serve in our police and security services. On the contrary, a simple arrangement —to send a single-line email—would enhance wider oversight arrangements, while keeping extra requirements for the police and security services to an absolute minimum. In response to my right hon. Friend on the matter on Second Reading, the Minister said the IPA 2016

“allows the collection… with prior authorisation” and that

“This is intended to speed the process up.”—[Official Report, 19 February 2024; Vol. 745, c. 556.]

We do not intend to slow the process down through the amendment, as any such notification would be made after it had happened. I therefore ask the Minister whether the problem is the act of notifying the Investigatory Powers Commissioner as soon as reasonably practical, or the potential volume of notifications, that mean he deems it an unworkable arrangement. I would appreciate if he could be as open as possible in answering those questions. If the Government do not accept the amendment, perhaps a conversation could take place between my right hon. Friend the Member for North Durham, the Minister and myself to agree a practicable solution.

Photo of Kevan Jones Kevan Jones Labour, North Durham

As my hon. Friend the Member for Barnsley Central said, I raised the matter on Second Reading. In no way do I or other members of the ISC want to slow down the process or give more work to the hard-working men and women of our security services. However, as I understand it, the only reason put forward by the Government was that it would impair operational agility.

The amendment proposes, and what I proposed, is not for the security services to go through an authorisation, as my hon. Friend just said; it is literally an email saying, “This is what we are doing.” Members might ask why that is important. It is important because we are giving the security services new powers in the Bill and for IPCO to be informed in real time. I accept the retrospective look at them, but at least if there was a trend, we could see it.

The Government have also tried to argue that there is no need for more oversight because it is a low or no dataset, much lower than those governed by the existing section 7 of the IPA. We have just had the argument about the definition of “low” and “no”, but it means that we are giving the security services additional powers here. I am not for one minute suggesting that the internal protocols within those security services will lead to things that are just a free-for-all, as some might suggest, but it gives that assurance that there is oversight of what is happening in real time.

If we were asking for authorisation of each one, I would accept that it would be too burdensome and would slow down the process, but this is literally a one-line email so the IPCO knows what is needed. I do not understand why the Government are resisting that, except that—let us be honest, Minister—we have form on this. With the National Security Bill, there was an idea that it would be a weakness on the Government’s part to accept any amendments from the ISC. However, there was one slight change made with Lord West’s amendment, so there is possibly a change of attitude. I accept that the Minister respects the ISC—I am not sure it is the same for many people higher up in Government. But that should not be a reason not to accept this very simple amendment, which I think would give people reassurance that there is some real-time oversight of this. If an election was called in the next few weeks, this Bill—

Photo of John Hayes John Hayes Conservative, South Holland and The Deepings 12:30, 7 March 2024

I endorse what the right hon. Gentleman said. It is a straightforward matter. The Government could give way on this—because they already have the power to ask for it under existing arrangements—by making it a routine, light-touch process. I take the point that we do not want to impair the alacrity that is necessary for the agency. However, I think a simple change would satisfy the right hon. Gentleman, me, and many others.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I agree entirely with the right hon. Gentleman. If the amendment goes into the wash-up of the Bill, things like that will have to be included anyway. I do not understand why the Government are dying in a ditch on quite a small amendment that would make no practical difference at all to the operation of this Bill. There are certain people—not including the Minister, who is quite a reasonable individual—who want to make sure that the ISC cannot claim credit for doing anything, which I think is quite sad. If the Minister cannot agree to the amendment as drafted, I echo the suggestion of my hon. Friend the Member for Barnsley Central that we draft an amendment that the Government are happy with on Report that fulfils our ambitions on oversight, but that is also practically and technically correct. [Interruption.]

Photo of Judith Cummins Judith Cummins Labour, Bradford South

I remind members of the public to please turn their electronic devices to silent as well.

Photo of Stuart McDonald Stuart McDonald Scottish National Party, Cumbernauld, Kilsyth and Kirkintilloch East

I will be very brief, because I fully support what the shadow Minister and the right hon. Member for North Durham have said. If we are going to go down the route of somewhat watering down the oversight of certain bulk personal datasets, we need greater transparency and accountability. Our amendment 38 has very similar motivations. It requires complete transparency with the ISC by listing all the bulk personal datasets that would be retained under a category authorisation in the report the Bill requires to be sent to the ISC. It answers the question of how we are supposed to know how these new powers will be and are being used unless we have one of these methods of transparency.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

If I may, I will come to the last point first. The information going to the ISC on this basis would be, as far as possible, the same as that going to the Secretary of State. Obviously, the operational data may not be included, depending on the relevant operational case. I hope that will reassure this Committee and, indeed, the ISC that the intention is to make sure that the ISC is as fully informed as possible.

On the point made by the right hon. Member for North Durham, he will know that the Bill, in many ways, has been a joint project between the Government and the ISC. I have spent many hours with members of the ISC, including the Chair, my right hon. Friend Sir Julian Lewis, and with various members of the Committee. Their input has been exceptionally important to me and has been included in many areas of drafting on this.

Turning to amendment 15, the right hon. Member for North Durham and the hon. Member for Barnsley Central, in many ways, have both been the Occam’s razor of the Bill process, not just here, but in other areas. They have been rightly keen that we should not include powers or requirements that would otherwise constrain or block processes or confuse the law. I understand the argument that hon. Members are making about a one-line email, but the reason that I am not convinced—though I am very happy to have the conversation suggested—is that the reality is that it is possible for IPCO to investigate at any point, and it must investigate at 12 months. Therefore, if we ask for a legal requirement on the services, that would force an extra legal duty into the various elements and it will be an extra change.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I disagree with the Minister. Yes, IPCO can look back and can go in at any time to look at things, but if it does not know where the needle in the haystack is, how is it going to actually find it in the first place? This is not an onerous proposal, and I do not understand why the Minister is resisting it, to be honest. This measure would just send another reassurance to the public that, again, the extra powers being given to the security services, which I fully support, at least have some oversight. We need to address the Bill in detail and in such a way that we cannot be accused of handing over powers without also providing very light-touch reassurance that there is outside oversight. I accept that, in most cases, IPCO would not actually look at any of these.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

In the spirit with which the right hon. Gentleman has approached this, may I commit to meeting him and the hon. Member for Barnsley Central to discuss this?

Photo of Kevan Jones Kevan Jones Labour, North Durham

We might do it in the wash-up anyway.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

Well, the right hon. Gentleman could make a virtue of a necessity if he wishes. I certainly will. I shall enjoy meeting him to discuss this, and I hope that he will take that commitment in the spirit with which it is made.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

I think that this has been a useful debate. There have been a number of sensible and constructive contributions from both sides of the Committee. The Minister has made a commitment to sit down and discuss this further, and I am grateful for that undertaking. As I have said, we do not intend to push this amendment to a vote.

Photo of Peter Dowd Peter Dowd Labour, Bootle

This is as good a time as any to raise this point. If we are going to give the powers to the security services, which nobody objects to with the appropriate oversight, and ask them to do more assessments, more dataset investigations and so on, does my hon. Friend agree that the Minister should give us assurances on resources? Given that we are asking the services to take on additional tasks in one fashion or another, does he agree that we have to set aside the resources? Perhaps, during his meeting with the Minister, he could tease that out a little bit more, because I do not want these powers and responsibilities to be given to the services without them having the appropriate resources— financial and staffing—to do their job.

Photo of Kevan Jones Kevan Jones Labour, North Durham

Their budget was cut yesterday.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

I am grateful to my hon. Friend the Member for Bootle. I am happy to give way to the Minister if he wants to respond directly to that point.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

The point about these powers is indeed to make better use of resources. One challenge is that many intelligence officers are tied up doing things that are no longer genuinely necessary for the protection of personal privacy, but they are following processes that, were they to be working for a private organisation —a company or whatever—would no longer be necessary because bulk personal data could simply be bought. Therefore, what we are actually looking at doing is using resources much more efficiently and therefore helping the protection of the British people, from a better financial position. However, the point made by the hon. Member for Bootle on resources is always one that I welcome.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

I have nothing further to add, other than to beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 2 ordered to stand part of the Bill.