Private Security Industry Bill [Lords]

[back to previous text]

Mr. Clarke: It is only prized by those who support the corporate state.

Mr. Bercow: I am certainly not an enthusiast for the corporate state, but that does not in any way preclude me from recognising the significant expertise as well as the representative character of the Confederation of British Industry. It is concerned, as I think the Minister will acknowledge, that the Bill could have a damaging impact upon the IT industry, and could hinder the Government's aim to make the United Kingdom the best place in the world in which to conduct e-business.

The argument is simple. The current wording of the Bill necessitates the amendment, as it is unclear whether the Bill covers people working in information technology such as systems administrators and IT support staff, whose duties range from the building of firewalls to the protection of a network from attack to educating employees on what sort of passwords to use. Given the difficulty that some businesses already have in recruiting specialised and experienced IT professionals, any proposal that endangers that species and makes their recruitment more difficult would exacerbate the present problem and should, if at all possible, be avoided by the Government.

We all know that there was extensive consultation in advance of the introduction of the Bill. We do not dispute that, and we have debated the Bill on many occasions. However, that consultation—quite properly—was with the organisations that it was envisaged would be affected by the Bill. The IT security sector did not originally expect to be affected and had no reason to think that the Government wanted it to be. However, it is now anxious that it might be.

That is a problem. The drafting of the Bill has seemingly inadvertently drawn in the IT security industry, as my hon. Friend the Member for Surrey Heath explained during our deliberations last week. Paragraph 5 defines the activities of security consultants as falling under the designated activities of clause 3, the conduct of which without a licence will be against the law. Security consultants are defined as those who give advice about taking security precautions or engaging security operatives. The wording makes no distinctions between physical and information security, or between tangible and intangible assets.

It therefore appears possible—I put the point no more strongly than that—that information security consultants, as no specific distinction is made between them and others, and they are not consciously excluded, could fall within the scope of the Bill, as bouncers and wheelclampers do. IT security consultants are not mentioned—the Minister will not dispute that, as it is an incontrovertible fact—in the exemptions to paragraph 5, which, as we know from debate, include exemptions for those giving legal and financial advice and for the activities of an accountancy body.

The inclusion of the IT sector is undesirable if it is deliberate, but in a sense is even more so if it is not deliberate. If it happens by default, that is deeply regrettable, as it would mean that no protection of the sector would have been provided alongside the regulatory mechanisms that the Government have decided are appropriate. We want inclusion by inadvertence even less than we want deliberate inclusion. IT security consultants could be licensed under a Bill that has been drafted without their being consulted.

The Minister will not be surprised by the fact that I want to refer to remarks that he made on Second Reading. He said that the Government had no current intention of bringing

    ``the information security industry within the scope of the new licensing regime established by the Bill''.—[Official Report, 28 March 2001; Vol. 366, c. 974.]

He went on to insert a significant and—from our point of view, and especially from the industry's—worrying caveat. It was that the Department of Trade and Industry would consult on whether that should be done in future. If it decided so to do, all that would then be required would be to impose a licensing requirement on the information security industry via secondary legislation. An unconsulted sector that did not expect to be threatened would find that it was, and would have precious little, if any, opportunity to do anything about it. The sledgehammer of secondary legislation would bring in regulation, direction and control that the industry never expected to be on the receiving end of.

As the Minister knows, the Confederation of British Industry believes, according to its parliamentary brief, that

    ``the information security industry . . . Should not be included in a Bill on which it was not consulted . . . Should not be the subject of secondary legislation when it hasn't been consulted on the relevant primary legislation . . . Should not have to show that regulation of this sector isn't needed when those proposing''

legislation, or allowing for it,

    ``have not had to make the case that it is''.

It further states that the sector

    ``Should not be potentially subject to a licensing regime that has come about through oversight rather than a considered and intentional government policy''.

Those reasons are cogent. The brief says:

    ``The CBI urges the Standing Committee to amend Schedule 2(5) to include an explicit exemption of IT security consultants. Although the secondary legislation can be drafted to exclude IT security consultants, the fact that the primary legislation was never intended to include IT security in the first place makes it preferable to amend the Bill itself.''

That way, we would have an assurance. The sector would have the greater peace of mind that it should enjoy. We ought to be conscious that we have significant power to affect the sector in this place. That power should be used for good and not for ill. I hope that the Committee will act immediately to end the confusion and uncertainty and remove a potential barrier to e-business.

At an earlier stage, there was some publicity about the CBI's concerns about the Bill. I hope that the Minister will take careful note of what the head of e-business of that organisation, Mr. Hickson, was quoted as saying, which was that he fears that the Government have

    ``gone from never having even dreamed of licensing IT security professionals, to proposing it by accident, to essentially challenging the industry to say why the profession shouldn't be licensed''.

That seems to be an inversion of responsibility.

I have tried to make important arguments as briefly as I can. I look forward to the Minister's reply. I am conscious of the fact that—I expect a cheer—this will be my last contribution in the Committee, so I thank you, Mr. Winterton, warmly and genuinely, for your fair, firm, tolerant and robust chairmanship. I say that to someone who I hope is now widely acknowledged in the House of Commons as one of the finest parliamentarians of our time.

The Chairman: I am not sure what to say.

Mr. Andrew Miller (Ellesmere Port and Neston): When I referred to this clause earlier, the hon. Member for Buckingham intervened on me and I undertook to think about his point and to respond. I have a lot of sympathy for his argument, as have several organisations including the British Computer Society, but I think that his solution is wrong for the problem. We must always keep in mind the word ``proportionate'' when considering our responsibilities in legislation, particularly human rights legislation. If we were to accept his solution, we could end up in the ridiculous position of dealing with the security of a cheap piece of plastic, such as a CD, floppy disk or tape, but not with the extremely valuable data it contained. That would create a problem of proportionality.

The solution lies somewhere in secondary legislation. It would be extremely helpful for the Minister to say unequivocally that at this stage there is no intention to incorporate the IT—

The Chairman: I am afraid that I must now ask the Minister to respond.

Mr. Charles Clarke: These amendments seek to limit the definition of security consultants to those offering advice about the taking of security precautions in relation to physical property. That would exclude those who advise on the security of information, and I interpret that to mean the IT sector. There has been concern in parts of that sector about how, if at all, the Bill applies to them. They are keen to establish whether the Government includes them in the definition of security consultant that is used in paragraph 5 of schedule 2. I had hoped to lay their fears to rest in a statement I made on Second Reading, but I am happy to restate the position. The definition used in the schedule is deliberately broad. We want it to remain useable in the face of changing security systems, in particular those using technology—and I acknowledge the point made by my hon. Friend the Member for Ellesmere Port and Neston (Mr. Miller). We also wish, as a fundamental principle, to ensure that the Bill targets the specialist providers of security services whom we want to regulate, but does not inadvertently catch groups who are not relevant to the aims of our policy.

The term security consultant, as used in paragraph 5 of schedule 2, means those who give advice about

    ``the taking of security precautions in relation to any risk to property or to the person''.

The licensing requirements under that definition will be brought into effect in due course by regulations, which will specify exactly which activities of security consultants are licensable. Activities not specified will not be licensable. However, as I said on Second Reading, I should like it to be clear to the industry and the Committee that the information security consultancy industry is not under threat of licensing at a future date under the Bill. I hope that that reassures my hon. Friend the Member for Ellesmere Port and Neston.

As I said on Second Reading, the Government believe that issues need to be explored with regard to confidence in the information security consultancy industry. That industry has a vital role to play in protecting the new economy from vandalism and other crimes. Our consideration of the Bill has started a valuable debate about how information security consultants can match or exceed the levels of confidence that the Bill will create for other security contractors. For that reason, the Department of Trade and Industry will consult the IT industry about the extent and effectiveness of existing precautions and about whether further action is required.

I look forward, as I hope the Committee does, to seeing the result of that consultation. I am certain that that is the best way forward, rather than the solution suggested in the amendments. I hope that I have convinced the hon. Member for Buckingham and that he will withdraw his amendment. We want to work with the industry, rather than against it, to solve these problems.

 
Previous Contents Continue

House of Commons home page Parliament home page House of Lords home page search page enquiries ordering index


©Parliamentary copyright 2001
Prepared 1 May 2001