Bulk personal datasets: interpretation

Investigatory Powers Bill – in a Public Bill Committee am 3:00 pm ar 26 Ebrill 2016.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Question proposed, That the clause stand part of the Bill.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

Part 7 of the Bill deals with bulk personal dataset warrants. In common with our position on other bulk powers in the Bill, the Scottish National party wishes the powers in part 7 to be removed from the Bill until such time as a convincing operational case has been made by the Government; that should be by way of an independent review of the necessity and proportionality of these powers.

The power to acquire bulk personal datasets does not currently exist. These are essentially databases held by either the private or the public sector. They are defined in the clause as,

“a set of information that includes personal data relating to a number of individuals” where

“the nature of the set is such that the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service”.

This is where our concern lies. The powers in this part of the Bill will afford the opportunity and the power to recover huge amounts of personal information, largely relating to private citizens who are innocent and not under any suspicion whatsoever. Bulk personal datasets will cover both manual and electronic records. So, for example, they will cover medical records. The definition given of personal data is a broad one. It,

“has the same meaning as in the Data Protection Act 1998 except that it also includes data relating to a deceased individual”.

The acquisition, retention and examination of these databases will be governed by a warrant system similar to the one we have just considered for bulk interception and bulk hacking. The warrants will be issued under the double-lock system. The Committee has had detailed submissions on the SNP’s position on double-lock systems so I will not take time discussing that unnecessarily.

Part 7 talks about class warrants and specific bulk warrants. Class warrants concern applications for descriptions of personal data—for example, health data or travel data. Under the terms of the Bill that is the default type of bulk personal dataset warrant. Both the Joint Committee and the Intelligence and Security Committee recommended that class bulk personal datasets be removed from the Bill, yet they remain. The Intelligence and Security Committee reported that the acquisition, retention and examination of any bulk personal dataset is sufficiently intrusive that it should require a specific warrant, and I would say there is considerable force in that argument. It is instructive to look at what the Chair of the Intelligence and Security Committee said about part 7 and bulk personal datasets in his speech on Second Reading. It is sometimes represented as a full retreat from the position of the Intelligence and Security Committee, but that would be a misunderstanding. Mr Grieve said:

“The third issue is that the Committee expressed concern about the process for authorising the obtaining of bulk personal datasets. It is undoubtedly necessary and proportionate that agencies should have the power to obtain them”—

That is his view, not mine—

“because they can be vital to their work in helping to identify subjects of interest, but they largely contain private information on large numbers of people of no relevant or legitimate interest to the agencies at all”.

There was an intervention at that stage, but he went on to say:

“Intrusiveness needs to be fully considered as part of the authorisation process, which was why the Committee recommended that that could be done far better if class-based authorisations were removed from the Bill and a requirement made that Ministers should authorise the obtaining and periodic retention of each dataset”.—[Official Report, 15 March 2016; Vol. 607, c. 838-9.]

I have no doubt that the shadow Minister will have more to say about this aspect, but I draw attention to it at this stage because while my party’s opposition is based on the fact that we would like to see this part of the Bill removed completely until a convincing operational case has been made, there are others who, although content with aspects of it, have expressed severe reservations about the class warrants.

The other type of warrant is a specific bulk warrant that can be applied for when the requesting agency wants a bulk dataset that does not fall within a class described in a class bulk personal dataset warrant, or where it does fall within a class warrant but where the intelligence agency at any time considers that it would be appropriate to seek a specific bulk personal dataset warrant. Those specific bulk personal datasets may apply to the most sensitive type of databases, such as mental health hospital data or patient-identifiable female genital mutilation data.

The application must include a description of the dataset to which it relates and an explanation of the operational purposes for which the intelligence services wish to examine it. Specific bulk personal dataset warrants may also authorise obtaining, retaining and examining bulk personal datasets that do not exist at the time the warrant is issued but

“may reasonably be regarded as replacements for dataset A”.

That is the dataset that has been sought.

I would argue that there is an unjustifiable lack of information about the nature of bulk personal datasets and the way in which the data are used. Despite the requirement of a warrant for human examination of the bulk personal datasets, the little information that we have available about these bulk personal datasets is that they are routinely electronically analysed, and that happens at the intermediary stage, described by Eric King in his evidence to the Committee, after a bulk warrant has granted authority for the bulk personal datasets to be obtained. Before there is any warrant for individual human examination, there are computer analytics on what is largely information pertaining to individual innocent citizens about whom there is no question of any suspicion.

The Home Office has attempted to further its case for bulk personal datasets in supplementary written evidence to the Joint Committee on the draft Bill. It gave examples of the type of datasets obtained. One example was of firearms licences and also travel data, electoral roll and telephone directory datasets. It also gave examples of the purposes for which the datasets might be used, such as protecting major events, preventing terrorist access to firearms, identifying foreign fighters and targeting what were described as potential agents. The impact assessment for bulk personal datasets explains that they are analysed to identify subjects of interest.

I suggest that the examples given by the Home Office of the sort of datasets that are obtained are potentially misleading. For example, the electoral roll and the telephone directory are publicly available. I fully accept that it is rational that intelligence agencies have access to firearms licences, but that could be done by a consented procedure, whereby anybody who applies for a firearms licence has to consent to that information being available to the security services.

Similarly, in relation to travel data involving travel to conflict zones in the world, a potential route to consent would be for an application for any type of travel plans to any conflict zone to be available to the security services. I am a little unhappy about some of the examples that have been given. What has come up repeatedly in evidence before the Committee and in submissions to this Committee and the Joint Committee is a concern on the part of agencies and the public about medical records, in particular mental health records.

I am probing here. Is there any legitimate reason for the security services to require bulk access to the datasets of large numbers of innocent citizens’ medical records? That could be counterproductive. I take the example of mental health. We are becoming increasingly aware of the reality of mental health problems in our society and of how many people suffer from them, but some stigma is still attached. We all know that mental health problems can be readily treated, but people fear that they might lose their job, or their status in their social, professional or family circle if it becomes known that they have a mental health problem. I am not suggesting that the security services will advertise the fact that people have mental health problems—I am sure they will try to deal with such matters sensitively—but if the public are aware that what they say to their doctor, psychiatrist or clinical psychologist, or to some sort of helpline, will no longer be completely confidential, they may be less likely to seek help. That is a grave concern.

The fact that the agencies are already acquiring bulk personal datasets was avowed by the Intelligence and Security Committee in March of last year. At that stage, in its report, the Committee disclosed only limited information about bulk personal datasets, but it said about their content and nature:

“These datasets vary in size from hundreds to millions of records. Where possible, Bulk Personal Datasets may be linked together so that analysts can quickly find all the information linked to a selector”— for example—

“a telephone number or…from one search query”— and the datasets—

“may include significant quantities of personal information about British citizens”.

Apparently, none of the agencies was able to provide statistics about the volume of personal information about British citizens included in the datasets. The director general of MI5 also cryptically explained to the Intelligence and Security Committee:

“there are datasets that we deliberately choose not to reach for, because we are not satisfied that there is a case to do it, in terms of necessity and proportionality”.

Such important decisions about necessity and proportionality should not be left to the individual discretion of persons within the security services, no matter how high up they are.

It also became clear in the Intelligence and Security Committee that sensitive information held in the datasets collected by the security services included things such as an individual’s religion, racial or ethnic origin, political views, medical conditions, sexual orientation and legally privileged journalistic or otherwise confidential information, such as what whistleblowers or our constituents might impart to us as parliamentarians. The Intelligence and Security Committee also noted, in passing, that the agencies might share those datasets with what were described as “overseas partners”.

As I said in Committee last Thursday, however, the agencies have reported that they have disciplined and in some cases dismissed staff for inappropriately accessing personal information held in such datasets in recent years. I read excerpts from an article published in The Guardian last Thursday, although I do not propose to go into that again. On the one hand, it is good to know that the agencies are taking action to deal with such abuses, but on the other hand, the fact that such abuses have occurred, and in numbers, is indicative that the persons who work for the security agencies are like the rest of us, frail human beings open to temptation and inappropriate behaviour. We need to be careful to legislate in such a way that the risk of inappropriate interference with personal, private information of innocent British citizens is kept to an absolute minimum.

I am trying to say that putting on a firm legal footing the right of the security agencies to acquire bulk private and sensitive data of our United Kingdom population is a new and radical development. At present—I am sure I will be corrected if I am wrong—there is no legal authority for the agencies to acquire those datasets. The Intelligence and Security Committee put that rather diplomatically when it said:

“the rules governing the use of Bulk Personal Datasets are not defined in legislation.”

The Government tell us that, irrespective of this new legislation, the bulk personal datasets will continue to be acquired by the security services using the Security Service Act 1989 and the Intelligence Services Act 1994. This means that the Government use surveillance capabilities, such as hacking and interception, to obtain mass datasets from private companies or public bodies. There has also been some hint that there may actually be purchasing of mass datasets from the private sector.

The Government have not made a proper argument that it is necessary and proportionate to have and acquire bulk personal datasets, or that this has regard to our right to a “private and family life” under article 8 of the European Convention on Human Rights. The Intelligence and Security Committee has informed us that the agencies have told them that bulk datasets are

“an ‘increasingly important investigative tool’ to ‘enrich’ information obtained through other techniques”.

However, enriching information is not the same as obtaining information in a way that is necessary and proportionate. That is really the concern underlying the Scottish National party’s opposition to part 7 of the Bill. As a result of recent litigation, the organisation Privacy International received disclosure of internal documents which demonstrate the worrying way in which bulk personal datasets are being misused. Again, I refer to the Guardian article I mentioned last Thursday. For that and for the other reasons I have underlined, it is my party’s position that part 7 should be removed from the Bill until such time as there is a compelling operational case for the agencies to collect, process and link this personal data for the entire UK population.

I remind hon. Members of the Committee that David Anderson, said at paragraph 8(a) of his supplementary written evidence to the Joint Committee in January that his report, “A Question of Trust”

“contains no independent conclusions on the necessity for or proportionality of…the use of bulk personal datasets”.

That was his position, so his report cannot be prayed in aid of a strengthened operational case. At present, I would argue that there is no operational case to justify such incredibly intrusive powers.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I endorse much of what the hon. and learned Lady said, and I will not repeat it. These are very wide powers. As she pointed out, they are probably the widest of the bulk powers, because the Bill makes it clear that the nature of the set is such that the majority of individuals are unlikely to become of interest to the intelligence service in the exercise of its functions. So we are talking about some of the widest powers. I acknowledge that this legislation would put existing powers on to a clear statutory footing, and that is welcome for the same reasons that I have outlined on other occasions. However, scrutiny is needed when powers that were not avowed in the past are first avowed and then put on to a statutory footing.

Clause 174(2) says:

“‘personal data’ has the same meaning as in the Data Protection Act 1998”.

In that sense, it is consistent with the way in which personal data is dealt with in other legislation. The Information Commissioner’s Office provides guidance on the meaning of personal data. Just so that this can be clear for all Committee Members and for the record, according to the guidance issued by the Information Commissioner’s Office:

“Personal data means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

So it is the data themselves, and it is a wide range of data. It is any expression of opinion about that individual, and any indication of the intentions of the data controller.

One of the examples that the Information Commissioner gives is:

“A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.”

That is very wide-ranging. There is a tendency in these debates to think that data are simply numbers or locations—specific hard pieces of data—but here we are talking about opinions about individuals.

For that reason, in the Data Protection Act, sensitive personal data—data dealing with the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, and whether he or she has committed an offence—are subject to special safeguards. In other words, because of the wide nature of personal data, the regime in the Data Protection Act distinguishes between ordinary personal data and sensitive personal data, with a fairly obvious list defining sensitive personal data.

One of the Bill’s defects is that it does not take that graded approach to personal data. The question of health and mental health records has been raised on a number of occasions, including with witnesses who gave evidence, and I know it is a concern that is shared across the House. As I understand it, under the regime intended by the Bill, the security and intelligence agencies will take matters of sensitivity into account when they do their assessment. I say that for two reasons. Witnesses from those agencies told us in response to a question about mental health and health records that they currently apply internal guidelines about sensitive records, and paragraph 4.11 of the code of practice, under the heading “Intrusiveness of data”, says:

“When considering whether to retain and examine” bulk personal data,

“the Security and Intelligence Agencies will assess the degree or extent of the intrusiveness which retaining and examining the BPD would involve…Each dataset is assessed on a case-by-case basis, and in the round, having regard (amongst other things) to the following factors or indicators”.

There is then a list of indicators:

“Is there an expectation of privacy?…Does the data consist of more than basic personal details…? Is there information on a person’s activities or movements or travel? Does the data include ‘sensitive personal data’ within the meaning of section 2 of the Data Protection Act”,

which I have just referred to, and

“To what degree does the data, by virtue of its quality, nature or size, mean that, when it is examined, there will be a significant degree of intrusion into the privacy of individuals not of intelligence interest?”

Those are all important factors that obviously must be taken into account. The problem is that at the moment those are simply put as guidance for the security and intelligence agencies as a set of factors that need to be taken into account in the round when they do their assessment.

My broad point is that the careful distinction in the Data Protection Act between basic personal data and sensitive data needs to be reflected in the Bill in some shape or form, either in clause 174 or later, in clause 177, to which I have tabled amendments dealing with medical records and mental health records. Those amendments are pretty self-evident. The first set seeks to exclude such records from the provisions of bulk personal datasets altogether, and the second would set a higher threshold for accessing health and mental health records.

Photo of Lucy Frazer Lucy Frazer Ceidwadwyr, South East Cambridgeshire 3:30, 26 Ebrill 2016

I am conscious of people’s sensitivity about their personal data, particularly sensitive data, but does the hon. and learned Gentleman think that we ought to consider this issue in the context of the legislation? These data are there to be used for a specific investigatory purpose, and only that purpose. They are not meant to be used for any other purpose. Indeed, if they are used and disclosed, there are very many provisions about unlawful disclosure and the serious criminal penalties for that, which we examined at the beginning. Is that not the safeguard for people that we need to distinguish the use and abuse of material that is collected?

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I am grateful for that intervention. There is a particular sensitivity about health and mental health records. The very fact of their being retained, examined and filtered—because that is what will happen—is of huge concern to many people. That is why the amendments suggest that they be either excluded or subject to a higher test to prove that it is really necessary. Although it was not formal evidence, the Committee had a briefing session with the security and intelligence services where the question arose whether they do in fact access health records. In those exchanges, the answer was, “No we don’t, at the moment.” When I asked why, in those circumstances, it was necessary to have this power, the answer was: “Because we can’t rule out that at some future date it might be necessary to get these records, in circumstances that we cannot foresee at the moment—so we would not want to restrict the ability to get them.”

That was an honest answer about the way that these records are dealt with. In formal evidence, the answer was that the internal guidance does subject accessing mental health records to a higher threshold. In a sense, the agencies have thought this through for themselves. They have recognised the extra sensitivity of such records and have their own internal processes to make sure that they are applying a higher test. That is a good approach.

Photo of Joanna Cherry Joanna Cherry Shadow SNP Westminster Group Leader (Justice and Home Affairs)

I remember the evidence that the shadow Minister alluded to. Does he agree with me that, notwithstanding the fact that agencies are telling us to take steps to be more sensitive in relation to mental health data, the very fact that mental health data is going to be scooped up and available to others may act as a disincentive to certain members of the public to seek assistance with their mental health problems?

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

I am grateful for that intervention. I am concerned about that issue; that is why we need to give particular care and attention to the operation of these bulk powers in relation to sensitive personal data—and mental health data is among the most sensitive. In a sense, the second set of modifications that we will come to later is aimed at putting in the Bill what is in fact current practice. Therefore it would not inhibit what the security and intelligence services are doing, but would make it clear to citizens that a safeguard is in place and reduce their anxiety about the extent of the use of these bulk powers.

I will say more about that when I get to the amendments, but they are issues that go to the breadth of the bulk personal datasets that we are now dealing with.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

On the issue of medical records and the very sensitive data associated with them, and mindful of the remarks of the hon. and learned Lady and the hon. and learned Gentleman, we will be dealing with that issue when we discuss amendment 715. I do not want to spend too much time on it now, except to say that I, too, am aware of the obvious and profound issues associated with intrusion in that area. We will discuss them at greater length when we discuss the amendment, but I hear what is said. It is important that we study those matters with appropriate care, given that they are of such profound sensitivity.

Moving to the thrust of the argument and the content of the debate, the thrust of the argument is in two parts. First, why do we have this power and how is it used? Secondly, what are the safeguards—the measures in the Bill and those that already exist—that constrain the exercise of those powers, in the ways we all want, in the interests of good practice, privacy and so on? Let us deal with those in turn. To deal with the first, it might be appropriate to start with the ISC, because it has been cited. It said in its privacy and security report that the powers in part 7 of the Bill are an

“increasingly important investigative tool for the Agencies”.

It is important to point out that this part of the Bill does not provide any powers to the security and intelligence agencies. Bulk personal datasets may be acquired through investigatory powers such as interception and they may be shared by Government Departments or industry. The only purpose of part 7 is to ensure that where agencies hold bulk personal datasets, that data is subject to robust privacy safeguards as information acquired under the bulk powers in the Bill. That is an important new step and an important safeguard.

It is probably fair to say that, in that sense, this is not a power at all but a process. The powers are about the safeguards. The Bill introduces important new requirements in that sense, but it would be more accurate to describe bulk personal datasets as a matter of process and a matter of practice rather than as a power.

The reason that that information is stored in such a way is pretty clear. It can help to identify individuals who threaten our national security or may be of other intelligence interest and, significantly, to eliminate suspicion of the innocent without using more intrusive techniques. As with so many of the bulk issues that we have debated, that is often about the use of techniques that are, by their nature, subject to stringent safeguards and that obviate the need to use more intrusive methods to reach the same destination. Of course, that can establish links between subjects of interest to better understand a subject of interest’s behaviour and, in the course of an investigation, we can verify facts that lead us to identify those who seek to do us harm.

It is simply the case that the security and intelligence agencies would not be able to keep pace with the scale of events that are occurring in an increasingly interconnected world if we did not have access to those datasets. It would take longer to exploit lead intelligence and increase the risk of something being missed or misunderstood. It would lead to intelligence failures and, in the worst cases, to the loss of life.

It is unquestionably the case that curbing the use of bulk personal datasets would hinder the agencies, but I would go further. I think it is fair to say that doing so would endanger this country and its people. I know that that is not the intention of anyone on this Committee or anyone considering the Bill, but it is important to emphasise that these are powers for a purpose, and that purpose is the safety of the British people through the effectiveness of those missioned to keep them secure.

If there is a strong case for the existence of this data, in the way that it is held, what are the safeguards? First, it is instructive to look at the draft code of practice, as the hon. and learned Member for Holborn and St Pancras suggested. Having done so, members of the Committee will see safeguards covered in part 7 of that document. They are extensive. Paragraph 7.5 on access and information states:

“In relation to information held in bulk personal datasets, each Security and Intelligence Agency should have in place the following additional measures”.

It goes on at great length about what those measures look like. They deal with the people who can access the data and the qualifications for that examination. For example, the examination must be

“necessary for one or more of the operational purposes specified in the relevant class warrant”.

The paragraph suggests that disclosing information can only be done on the basis of whether doing so is or is not “proportionate”, that those involved in the process “should receive mandatory training” and that the whole process is closely monitored. It also makes it clear that

“Appropriate disciplinary action should be taken in the event of inappropriate behaviour being identified”.

Guidance is available, and the agencies’ internal procedures make it very clear that any inappropriate use of such information is regarded as an extremely serious disciplinary matter.

Sitting suspended for Divisions in the House.

On resuming—

Before we were interrupted, I set out the two elements of my argument. The first was a justification of why this work matters; collection of the data lies at the heart of our consideration. The second was to begin to consider the safeguards. I said that a breach of proper practice was regarded as a serious disciplinary issue inside the agencies; I can now describe that in more detail.

The intelligence services commissioner, Sir Mark Waller, made clear that the agencies take these matters very seriously indeed. He said,

“I review the possible misuse of bulk personal”


“and how this is prevented.”

He reported:

“The agencies take any deliberate misuse of the system seriously and sanctions include dismissal, revocation of security clearance and possible criminal prosecution.”

Furthermore he noted:

“Unacceptable uses are few in number”.

The agencies also make an assessment of whether a specific warrant is required, and the statutory code sets out clear guidance in that respect. All the datasets are subject to oversight by the commissioner in the way that I described. Going forward, the Bill provides very clear, robust safeguards, including a requirement for warrants to authorise the retention and examination of bulk personal datasets. The safeguards are comparable to those provided in relation to other powers under the Bill, and oversight is similar too.

In this brief debate we have been able to establish that some of the concerns about the storage of this kind of data are exaggerated, others are based on misunderstanding and some, sadly I have to say, are based on misinformation. I do not think that applies to any members of the Committee. The hon. and learned Member for Edinburgh South West described some of what the Government have said as misleading. I think, without putting words into her mouth, she might have better put it that it was insufficient in her estimation, rather than misleading. For I do not think she is one of those critics who, framed by doubt and shaped by guilt, is always ready to criticise what our Government do in our national interest. It seems to me that her scrutiny is, rather like that of the hon. and learned Member for Holborn and St Pancras, about trying to get the Bill in the best place it can be and trying to ensure the safeguards are adequate to protect privacy. I have already mentioned what she and the hon. and learned Gentleman said about medical records, for example.

We do need to be extremely cautious about how we access, store and use some sensitive data, but it would be very difficult indeed for the agencies were they not able to store that kind of data at all.

The Bill is certainly in the business of protecting citizens’ interests, but the protection of citizens’ interests has at its heart the defence of their safety and security. Of course, in an increasingly complicated and challenging set of circumstances, made so by the changes in the way people share, exchange and use information, it is right that the intelligence agencies should use the collection of this kind of data as part of the response to the challenges that we face.

The Committee will want to know that the Government are absolutely clear that the oversight should include the ability to study these matters in great detail. I have already mentioned the work that the ISC has done; but in dealing with warrants, the ISC, having seen further evidence, made clear, in the form of its Chairman, that it understood the significance of bulk powers. Class bulk personal dataset warrants provide an appropriate means of authorising the retention and use of datasets that are similar in nature and in the level of intrusiveness to the other measures. With such warrants, for example, not only would the judicial commissioner consider the collection of information, but the use of that information would be considered as well.

The draft code of practice, which was published alongside the Bill, provides clear factors that the security and intelligence agencies will need to consider in determining whether it is appropriate to use a class warrant, or whether it would be more appropriate to apply for a specific bulk personal dataset warrant—that was a point raised by the hon. and learned Lady. The argument was essentially, “Why use one when you could use the other?” The factors include whether the nature or provenance of the dataset raises particularly novel or contentious issues, whether it contains a significant component of intrusive data—she will have heard what I said about the sensitivity of that—and whether it contains a significant component of confidential information relating to members of sensitive professions.

In respect of that part of the argument made by the hon. and learned Gentleman and the hon. and learned Lady, when we were considering the previous clause on bulk powers, the Government have made it clear—although I do so again—that we are mindful of the circumstances of particular professions, including members of the legal profession, journalists and Members of Parliament. It is certainly true that the protection of those with whom they have contact—journalists’ sources, lawyers’ clients and MPs’ constituents—needs to be at the core of our considerations. It would be absolutely wrong to compromise any of those professionals in a way that undermines their credibility in the eyes of those who come to them with information, seeking advice, and so on.

We have gone some way down the road of satisfying critics who felt that the original proposals were not sufficient in that respect, but we are happy to look again at what steps could be taken to be confident about what we have done across the Bill.

Photo of Lucy Frazer Lucy Frazer Ceidwadwyr, South East Cambridgeshire 4:30, 26 Ebrill 2016

Does my right hon. Friend think that sometimes putting tests in very specific terms in primary legislation gives a certain rigidity, whereas greater flexibility would be possible if they were in a code of practice? As we heard—as the hon. and learned Member for Holborn and St Pancras said—the test is already being carried out in practice. Does my right hon. Friend agree that to create additional rigidity by putting the test in primary legislation might hamper the security services in due course?

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

With a certain power of prophecy, I made it known at the beginning of our considerations that it was likely that there would be a continuing debate that would have at its heart, considerations about what should be on the face of the Bill and what should be in supporting documentation. I did so perhaps not so much as a prophet as an experienced Member of this House, because I have never served, either as a shadow Minister or as a Minister, on any Bill Committee where that has not been a matter of debate. How far one goes in putting specific matters on the face of legislation is always a matter of fine judgment. Hon. Members know the argument very well.

Photo of Simon Burns Simon Burns Ceidwadwyr, Chelmsford

My right hon. Friend raises a very important point. All too often, too many people have a tendency to put things on the faces of Bills that are not altogether relevant and which could be done by secondary legislation. His point, therefore, is extremely valid.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

My right hon. Friend, who is a distinguished Member of this House, a former Minister of note, a sagacious figure now on the Back Benches, bringing that experience and quality to our considerations—what a delight it is to have him join us on this Committee—is right.

I was responding to my hon. and learned Friend the Member for South East Cambridgeshire accordingly that the debate about whether material is put in the Bill or in supporting documentation comes down to this point: those who wish to place things in the Bill do so because they want to firm them up, to make them more sure and certain. Of course, for much of what we wish to do it is vital that we pursue that course. Those who argue for material in supporting documentation do so on the basis exactly as my right hon. Friend says: that it allows greater flexibility. In an area as dynamic as this—I hinted at this earlier, but will make the point once more—I would have thought the argument for flexibility holds a great deal of water.

The last thing I want is to pass the Bill into law and for it to become an Act of which we can all be justly proud—every member of the Committee will deserve a certain credit—only to find that events have moved on and we are stuck with an excessively rigid Act incapable of being changed easily as needed.

Photo of Keir Starmer Keir Starmer Shadow Minister (Home Office)

Just to put this in context, when we talk about legal professional privilege, journalistic material and MPs’ correspondence, it is absolutely clear the Government have thought this through and put it on the face of the Bill, where they think it is relevant. We cannot get away with it—nobody can backslide into an argument that, in other areas, it is more flexible to put the measures in statutory instruments. Things like legal professional privilege have been thought through. Moves have been made by the Government—and I have acknowledged them—and it should be on the face of the Bill. I think the Minister knows that, because he has put it in the Bill in other areas and that is the right way to deal with that sort of material. Of course, it is more flexible, but in the end we would have a very thin, short, one section Act if we really wanted full flexibility. That is not the way forward.

Photo of John Hayes John Hayes Minister of State (Home Office) (Security)

The hon. and learned Gentleman is right. I do not want to be patronising in any way. I think for a beginner he has made a very promising start. That has been in part characterised by the consistency of his argument. One of the arguments he has used since we began this consideration is that the Bill needs, throughout its clauses, to be consistent. He is right in saying that, while we have made considerable progress in considering and dealing with the issue of the legal profession, there may be more work to do in respect of journalists and Members of Parliament.

With that thought—I do not want to exhaust the patience of the Committee any longer—I will sit down.

Question put, that the clause stand part of the Bill.

The Committee divided:

Ayes 7, Noes 2.

Rhif adran 89 Christmas Tree Industry — Bulk personal datasets: interpretation

Ie: 7 MPs

Na: 2 MPs

Ie: A-Z fesul cyfenw

Na: A-Z fesul cyfenw

Question accordingly agreed to.

Clause 174 ordered to stand part of the Bill.

Clause 175