Clause 12 - Critical suppliers

Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 2:30 pm on 5 February 2026.


Question put, That the clause stand part of the Bill.

Kanishka Narayan, Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.

The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed.

The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated.

Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.

By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.

Alison Griffiths, Conservative, Bognor Regis and Littlehampton

The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.

Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.

The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.

As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.

There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.

UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.

My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small—I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.

Lincoln Jopp, Conservative, Spelthorne

To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.

To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:

“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;

so we cannot tell how many there are. The same page also states:

“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”

We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.

The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.

The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.

To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.

Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?

The detail—such as it is—of clause 12 sets out the criteria under which entities can be considered for designation as critical suppliers. It is notable from the outset that critical suppliers can only be designated if they provide services directly to OESs, RDSPs or RMSPs.

In oral evidence, Dr Ian Levy of Amazon touched on the complexity of sophisticated supply chain arrangements for companies such as Amazon, and commented that the value of a contract with a supply chain entity and the potential impact caused by interruption “are not necessarily correlated”, which we have already covered several times this afternoon. What assessment has the Government made of the need for regulators to look further down supply chains to identify risks from entities that are not in direct contractual relationships with OESs? How far does that go, in terms of the dependency link in a complex supply chain providing OESs?

Further, can the Minister clarify what is meant by the stipulation that, to be a critical supplier, an entity must rely “on network and information systems for the purposes of” providing services. Does that provision imply that a level of access to the OES’s IT systems, or access to shared IT systems, is necessary for a designation? As drafted, it appears that nearly any service using an IT system to manage its business would be in scope. That could include cleaners, taxi firms, caterers and so on—is that the intention of the provision? I will come back to that a bit later.

I will move on to the requirement that, to be a critical supplier, incidents affecting an entity would need to have the potential to affect the provision of essential services in a way that might have a significant impact on the economy or day-to-day function of society as a whole, or in any part of the UK. That concept is extremely vague and challenging for regulators to judge in practice. Some guidance is given about the factors to be taken into account in paragraph 4, but it remains too high level to be of practical use. The concept needs not only qualitative criteria, but quantifiable thresholds for metrics such as economic loss, geographical impact and the number of businesses or people who could be affected. Can the Minister confirm that that matter will be consulted on and refined, to provide much-needed clarity to regulators and supply chain entities?

The role for OESs, RDSPs and RMSPs in the critical supply designation process under the provisions is totally unclear. As drafted, the competent authority must consult with the proposed designated supplier and other interested competent authorities. However, the Bill is silent on the specific need for consultation with OESs, RDSPs and RMSPs—sorry, Hansard—that receive potentially critical services from those suppliers. That gives rise to the important question about what role OESs will have in informing regulators about the critical nature of various suppliers’ services, so that regulators can take that information into account in deciding which entities to designate. Perhaps that is implicit in the provision that contains the duty for regulators to consult “such other persons” as they consider “appropriate”, but there is no definitive obligation for regulators to consult OESs. That appears counter-intuitive, as those organisations are surely best placed to provide a starting point for which suppliers should be brought into the scope of regulation as critical services.

It was evident from the helpful testimony of senior officials from NHS Greater Glasgow and Clyde that OESs remain in the dark about what their role will be in determining which are the critical services providers for their organisation. The involvement of OESs, RDSPs and RMSPs in the designation process is also vital in determining whether the goods or services provided by a supplier that is under consideration for designation can be sourced from an alternative supplier. The existence of realistic alternatives may obviate the need for supply chain entities to be brought within the scope of regulation, but in practice it may be difficult for regulators to determine whether workable alternatives exist, particularly where services have been procured through highly technical, detailed and rigorous procurement processes.

Can the Minister clarify what the Government consider the role of OESs, RDSPs, and RMSPs should be in the critical supplier designation process? Given the number of gaps and uncertainties in the planned scheme for the designation of critical suppliers, can he update us on the likely timescale and scope of consultation on this critical issue? That is an issue that goes to the core of whether the Bill will be capable of practical implementation.

I will finish by giving a worked example to go through. I have gone through a lot of technical detail on how we envisage the regulator operating in practice, but a real-world example would be helpful for the Committee—and dare I say, the Minister—to see what the challenges are to having the clause operate as we would like. I totally understand the Government’s aim and intention by having this provision for services that are too big to fail—for want of a better argument—in terms of OESs. My concern is how it all works in practice. I go back to the NHS; that is my happy hunting ground to talk about, given my previous experience, but it is a helpful example.

As Members will know, an NHS trust will have a whole host of private sector providers doing different functions and services for that trust. Many trusts will have different parts of their workforce supplied by private sector providers, for example cleaners, porters, taxi services and patient transport. Locum doctor availability out of hours will often be from a private service provider—sometimes in-house, but often through a private locum agency. The purchase and supply of medicines and items, the maintenance of items and the estate, and emergency boiler works will all be through private service providers. IT services themselves will be private service providers, as is the computer hardware.

It would be helpful if the Minister could unpick this worked example. My concern is that, given limitations in access to the IT network, in the modern day I do not see any private sector provider that is supplying to an OES not doing so, in some way, shape or form, through the IT system or network. It strikes me that all those providers—unless people are communicating by letter or carrier pigeon—will be within the scope, so the criterion completely falls apart.

Alison Griffiths, Conservative, Bognor Regis and Littlehampton

The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff—I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?

Christopher Vince, Labour/Co-operative, Harlow

I am not going to tell the hon. Gentleman that he is completely wrong—he should not worry about that. I will make another point. I wonder whether the distinction might be how time-sensitive losing a particular service would be. That is just a suggestion.

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

I thank the hon. Member so much for that intervention about the time it would take to find an alternative supplier, because it will bring me on nicely to my point about alternative suppliers.

However, before I move on to that point, the hon. Gentleman made a very good point in his intervention, which I will address. To be subject to these provisions will create a regulatory burden, and therefore a cost burden, for an organisation that is designated to be a national critical supplier. If I was a supplier of services, I would want to have the best provision possible. I would want to be cyber-secure; I would want to have a gold-standard service. However, I might also be nervous of being designated as a critical supplier because of the regulatory burden that would impose on me, which would make me potentially less competitive in getting contracts because of the costs that would ensue. There would need to be an arbitration system where a company that is under threat of being designated a critical supplier could have a discussion or debate about whether that designation was relevant or not.

I will now move on to the point that the hon. Gentleman made about alternative services. I really have no idea at all how we can expect a regulator to delve into the complexities and the minutiae of what is available in a local economy to provide these services that the OES is receiving. Do we expect the relevant regulator to check what taxi services are available—actually available, rather than some sort of fantasy availability where they are available on paper, but not in reality—in the local ecosystem that could supply to that hospital, which is the operator of essential services? What is the scope of research that the regulator would have to do? What considerations would they need to take regarding how much the taxis cost and how effective they are? What about the procurement decisions and processes that have already been gone through?

Most public sector organisations have complex procurement rules when setting up their contracts—and that is before we even begin to consider health and safety concerns that are subject to regulatory provisions. For example, if the regulator decided that taxi services are under threat of becoming a critical supplier, then does the taxi service have the ability to deal with someone who has a cardiac arrest, needs oxygen or has a behavioural disturbance? Can it manage people with physical or mental disabilities? What is the scope of that particular service provision? The experts will be the people who commissioned it in the first place; yet on the face of the Bill there is no objective requirement for the regulator to speak to the OES in the first place about how this provision and service was procured.

In terms of the service being available—as per the point made by the hon. Member for Harlow about the time to shift through—how will that be evidenced and investigated? What resource is going into this? That is just for a taxi company. What about when we expand it—and this is just for the NHS—to cleaners, porters, locum agencies or medicines provision? Is the provision of services geographically circumscribed or will this be across the country? I am sure that one can find alternative services to provide taxis to St Thomas’ in Birkenhead, but that does not necessarily mean that it is available in a reasonable timeframe or sense, in terms of the designation of supplier.

Finally, when it comes to investigations and making assessments of this designation, how will the regulator know what it should look at? How does that conversation go? Does the hospital trust go to the regulator and say, “Hello regulator, here is a list of all the private service providers who are supplying our OES—and by the way, this list is going to change every single day, because these things are in flux and we secure things from different services”? What is the regulator going to do then? Is it on the regulator to go through this list and do an assessment and appraisal as to whether it is a critical service to the OES that we need to then get into the scope of regulation? Or does it work the other way around?

Does the regulator have to turn up and go through the company notes and records, some of which will be highly commercially sensitive? That is relevant when it comes to alternative providers when the discussion is taking place between the regulator and the OES about whether designation is available. Then, when a private sector organisation is being investigated as to whether it should get OES status, who has the burden of proof and what is the evidential burden on whom? Is it on the regulator to demonstrate that that organisation is a critical supplier, or is it on the hospital or the private company themselves? How can that be disputed and what is the appellate system?

The Minister has made it very clear that this Bill and these regulations are important and are going to have teeth and change things. If that is so, then by definition they will impose a cost and burden on business. We recognise that the legislation needs to be proportionate, but it is reasonable for any business that is about to be subject to a regulatory burden to be able to make representations and, if necessary, have their day in court to challenge the necessity of that designation.

Lincoln Jopp, Conservative, Spelthorne (3:00, 5 February 2026)

I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.

Ben Spencer, Shadow Minister (Science, Innovation and Technology)

I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.

I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.

Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.

If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.

Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.

It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.

Kanishka Narayan, Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.

The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.

The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.

In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.

I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.

On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.

The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.

Lincoln Jopp Conservative, Spelthorne

The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?

The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.

Christopher Vince Labour/Co-operative, Harlow

I was going to intervene on the hon. and gallant Member for Spelthorne, but he is bigger than me. I recognise the points he made about the number of critical suppliers, but I come at the question from the other angle: doing nothing may leave critical suppliers at risk. Although we might not know the exact number, as he correctly asserted, it is important that we do something and introduce the regulations as soon as we can to protect our critical infrastructure.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I thank my hon. Friend for that point. This issue has not come out of nowhere. Industry and a number of organisations asked that we introduce the measures in the clause.

Beyond the very clear five-step test for critical supplier designation, the Bill provides that the requirements on critical suppliers are proportionate. The reason why we have both the five-step test and the provisions in the Bill is that, in most cases, if the risk assessment suggests so, the security requirements set out in the Bill will be less onerous in most cases. They will be specified in secondary legislation and guidance.

On the question of schools, and more broadly the question of public sector authorities, I entirely accept that the handling of pupil data in schools is a critical aspect of our public service operations. The reason why public service authorities have largely been left out of the Bill’s scope is because we do not need to wait for the legislative process to act. We have been working, not least closely with the Government’s cyber-security strategy and the cyber action plan, to ensure that pupil data is kept securely and robustly.

Ben Spencer Shadow Minister (Science, Innovation and Technology) 3:15, 5 February 2026

The Minister is, of course, within his rights to snarkily dismiss the questions that I have raised, but I should point out that the stuff that is debated in Parliament, whether in Committee or on the Floor of the Chamber, is relevant when it comes to future legal disputes after a Bill is passed. The questions I have asked about the application of the Bill’s provisions will be important parts of the legal disputes that I expect will arise after its implementation. When people look back through the Minister’s dismissive comments, I hope they have other resources that they can go to for settling legal arguments. However, he may choose to respond fully now, or in writing if he cannot provide me with an answer.

Kanishka Narayan Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

I believe that where the shadow Minister laid out any specific concerns, I was able to set out answers, not least on the process for the designation of critical suppliers and the availability of an appeals process. Where his points were more in the realm of specific hypothetical puzzles, I have stayed clear for precisely the reasons that he highlights. This is serious stuff that can form the basis of how businesses and others plan, rather than specific judgments that we ought not to speculate about in this House.

Question put and agreed to.

Clause 12 accordingly ordered to stand part of the Bill.
