Public Procurement: Data Offshoring

Question

14:58:00

Asked by

To ask His Majesty’s Government what assessment they have made of public bodies and services, including the NHS Digital app, procuring professional services through processes which purport to be “onshoring” to firms which contract third parties outside the United Kingdom to do the work; and what assessment they have made of the risk this poses to private data and cybersecurity.

Each contracting authority carefully considers and makes risk-based decisions on whether, and where, data can be offshored, and what restrictions are appropriate for service delivery and development activities. The new standard security schedules for all central government contracts, published on 1 October 2024, include greater controls over data offshoring and stronger security requirements. Buyers also have greater transparency over where, and how, their data is hosted and processed, and stronger remedies where suppliers do not follow buyers’ requirements. Outsourcing contracts also contain complementary provisions on the offshoring of this personal data under GDPR.

I thank the Minister for her reply. NHS Digital has contracted with Splunk, which subcontracts to the Bulgarian company Bright Consulting. This practice, which Splunk refers to as “onshoring”, began during the Covid-19 pandemic and continues to this day. Can the Minister reassure the House that under this practice of onshoring to third-party non-UK-based companies patient data really is safe? Is the taxpayer getting value for money by paying UK rates to a company that outsources the work for a considerable margin?

The government model services contract is one of three template contracts for use by government departments and wider government when procuring complex outsourced services. Value for money for taxpayers is central to good government procurement. The Government recognise the potential risk of data offshoring taking place without the explicit consent of public sector buyers. New standard security schedules for all government contracts include greater controls over data offshoring and stronger security requirements.

My Lords, thanks to a whistleblower, we learned on 4 August from the Daily Telegraph that, up to 2021 when it was discontinued, a chain of outsourcing resulted in software for our nuclear submarine engineers being developed by private companies in Minsk and Siberia. The Telegraph reported Ben Wallace, the then Defence Secretary, as saying that the breach left the UK’s national security “vulnerable to undermining”. Can my noble friend tell us whether this story is true? If it is true, where can we find a credible, comprehensive rebuttal? Otherwise, is it not likely that our deterrent will be undermined?

As my noble friend will appreciate, the Ministry of Defence took these reports extremely seriously. In response, on 6 September this year, Maria Eagle, the Minister of State for Defence, confirmed that both the MoD and Rolls-Royce Submarines had conducted an investigation into the matter. The Minister assured that the investigation found no evidence that Belarusian nationals had access to sensitive information and concluded that no change to the MoD procurement policy was required. The Ministry of Defence has set a policy of using Secure by Design. This is a modern approach whereby senior responsible owners, capability owners and delivery teams are accountable and responsible for delivering systems that are cybersecure. This includes ensuring new systems being bought or built carry out due diligence on the security of their systems.

My Lords, my dental practice changed its IT supplier a year ago. After going online to confirm an appointment and agree the usual dental practice use of my data, I was invited to check the IT supplier’s data. Seven layers down, it appeared that I gave permission for all my medical data to be used by the UK company, its parent US company and all its commercial subsidiaries. The practice has now got a new IT contractor. How well aware are clinical practices and surgeries of this underhand technique by major digital contractors?

The noble Baroness makes a really important point. I will speak to my noble friend Lady Merron, to make sure it is taken forward through DHSC. The Government are quite clear that government data is owned by the Government and any commercialisation should be agreed with His Majesty’s Government.

My Lords, obviously cybersecurity is vital for the NHS Digital app, as it is for anything. However, we know that the app is way behind, say, banking apps, which in this country are very good. Can the Minister make sure that NHS digital services are not held up by all the other stuff that is going on, because NHS apps are a vital part of NHS reform?

I think the security piece and the development piece can and should go in tandem, otherwise neither is sustainable. Three in every four people in England have already downloaded the app. This Government want to establish adoption through improved patient experience and system benefits, and to expand the services offer. This is part of making sure that more people can access the services they require.

My Lords, Microsoft gave a view to the Scottish Government in June this year that it could not guarantee that data held by public services on its Microsoft 365 and Azure hyperscale cloud infrastructure will remain in the UK. What mitigations are the Government looking at in the light of this statement by Microsoft?

I refer back to my initial Answer, which is that each contracting authority should carefully consider, and make risk-based decisions on, whether and where data can be offshored. We can get really hung up on offshoring, onshoring or where the data is stored, but we have to make sure that all data and cybersecurity are central to how we move forward with this type of procurement. This is why the Government are introducing a cybersecurity and resilience Bill, which will help ensure our cybersecurity for the future.

My Lords, further to the question from my noble friend Lord Browne, I think that the response from the MoD is not satisfactory. These Belarusians, although they might not have had access to highly classified information, were writing software that would be used within our nuclear deterrent. This cannot be satisfactory. Can the MoD give an answer, maybe through the Minister, to say that this is no longer allowed to happen? We all know how you can use software in various clever ways to cause real damage.

I will speak to my noble friend Lord Coaker and ask him to provide a letter responding to that point.

My Lords, the heart of this Question is the safety of public data and the resilience of services. As we saw with the ransomware attack on Synnovis in the summer, cyberattacks of these sorts on supply chains can cause significant disruption to public services. Can the Minister say exactly how the cybersecurity Bill that is coming up will improve the regulatory framework for the supply chain, and when exactly it will be brought forward?

I can give a bit more detail on what the Bill will focus on. I cannot give a precise date for when it will be brought forward, but it was in the King’s Speech, so we can anticipate it coming forward in due course in the relatively near future. The Bill will make crucial updates to the legacy regulatory framework by expanding the remit of regulation, putting regulators on a stronger footing and mandating increased incident reporting, which will give the Government better data on cyberattacks, including where companies or organisations have been held to ransom.

My Lords, the new Procurement Act will bring more transparency and new entry into contracting, which will help with these kinds of outsourcing and security issues. Will the Minister ensure that the disappointing delay in the commencement of that Act into next year is minimised? In the meantime, will the model services contracts that she mentioned ensure that patient data is kept in the UK or in a country with which we have a robust data- sharing agreement?

On the national procurement policy, our entire focus is on delivering change through our national missions. We will therefore be publishing a bold new procurement policy statement in February to harness the billions of pounds spent by public sector organisations each year and ensure that commercial activity aligns with our missions. We think it is really important that that statement is in place before the Procurement Act goes live, so that everything is aligned and as effective as possible. The Government recognise the potential risk of data offshoring, as I mentioned, and the new standard security schedules for all central government contracts include greater controls over data offshoring and stronger security requirements.