Electoral Commission: Data Breaches

Volume 832: debated on Monday 4 September 2023

Private Notice Question

Asked by

To ask His Majesty’s Government, following recent disclosures of a data breach from the Electoral Commission, what action they are taking to mitigate the effects of this and to prevent data breaches across the public sector.

My Lords, since the Electoral Commission reported the incident to the National Cyber Security Centre, the Government have worked closely with the commission to provide it with expertise and support to deal with the incident and guard against the risk of future attacks. Through our government cybersecurity strategy, we are reducing the likelihood of data breaches in the public sector and the impact of the breaches that happen.

My Lords, given the supplementaries to the previous Question, which touched on this whole issue of security, security breaches and the awareness of government departments and individuals of what they should and should not do and how they should work with others, is my noble friend now absolutely clear about where this breach came from and whether it has been secured, let alone whether things will be better going forward?

It is a matter for the Electoral Commission, which is independent of government and accountable to Parliament through the Speaker’s Committee on the Electoral Commission. Since it reported the incident to the NCSC, we have been working closely to provide expertise and support. The Electoral Commission has made a statement that the breach was limited and not a great deal of new information has gone into the public domain, and it has given advice on what citizens might do. On the cause, I am not sure I have anything to add to the general comment I made on operational matters.

My Lords, if I am honest, the Minister’s answers are quite unsatisfactory and do not answer the question the noble Lord asked. She will recall consideration of the Elections Bill, during which many of us considered that the Government unnecessarily put in place measures to make it harder to vote. Now, it seems that the backdoor was open to hackers and perhaps more alarmingly, nobody noticed for 10 months. There are two issues about confidence here, the first of which is confidence in the integrity of the system, which the Government said they were interested in. Today, however, the Minister has not been able to give us any detail on what action is being taken to protect the electoral register. Secondly, how do we instil in the public confidence in continuing to register if their data can be hacked without anybody noticing for almost a year?

I may be able to help on that. An independent investigation into the attack revealed that the actors were able to access only reference copies of the closed electoral register and the commission’s email system. Those have information about electors including their names, addresses, electoral numbers and franchise markers. They do not contain more confidential information such as national insurance numbers, nationality data, age, or anonymous electors, so the extent of the breach was limited. However, I emphasise that the Electoral Commission is independent, and we have done our best to help it through our cybersecurity expertise in order to make sure that the hackers have been completely taken out of the system and there are no future risks. So, the public can feel reassured in that regard.

My Lords, on a related matter, for a long time there has been discussion about the commercialisation of the electoral register and it being available for sale. It seems to me that the principle of making available for sale something we are required to respond to by law for the proper conduct of elections is questionable. However, can the Minister at least indicate the scale of the income received from the sale of electoral registers, and the companies and organisations to which they are sold?

I do not have available any commercial information. It would be a matter for the Electoral Commission, and no doubt there is some information in its annual report. I am afraid I am new to this subject, but legislation sets out which individuals and organisations are entitled to receive copies of the open electoral register from local authorities. The commission, of course, uses the register for various purposes because it is a regulator. There are other organisations, as the noble Lord suggested, such as credit reference agencies, political parties and the Office for National Statistics—which does such an important job—which are entitled to receive copies of the register.

My Lords, the Elections Act extended voting rights to overseas citizens for their lifetimes. As it is implemented it will have to rely on a great deal of electronic communication, as the postal service will be far too slow. Have the Government considered that this lays our electoral records more easily open to hacking? Has thought been given to the problems of managing a system such as this? We want a great deal more people who live in distant countries to vote, but the time allowed in the electoral campaign for that will be very difficult to manage without the use of electronic systems.

Preventing interference in future UK elections is an absolute priority for the Government—we have to protect our democratic processes. The Government have set up a Defending Democracy Taskforce to drive forward work to protect UK democratic processes, which I hope will be of some comfort to the noble Lord. The taskforce works across government and with Parliament, the intelligence communities, the devolved Administrations, local authorities, the private sector and civil society—a whole of society approach. It has recently set up a new enduring election security capability: the joint election security and preparedness unit. This will make sure that we are fully prepared for the next general election and that there are not attacks on the integrity of our systems.

My Lords, data breaches in public life are hugely worrying, particularly if people’s lives are at risk. It might be slightly outside the Minister’s recall but is she aware, and have the Government taken an interest in the fact, that there was a huge data breach in Northern Ireland which actually put the lives of police officers at risk? We have just heard that the chief constable has resigned as a result of that. Would the Minister please ask the Home Secretary to look very seriously at this and at some of the other issues that are now coming out about the impartiality of the Police Service of Northern Ireland?

I am grateful to the noble Baroness for raising that point, not least since I raised it myself about 10 minutes ago when I was being briefed for this Question. There was some comfort to know, for today’s purposes, that it was not a cyber incident, but it was a very unfortunate security breach, linked, as she will know, to an FoI process error. We must learn from this. As I said in answer to the previous question, there is a combination of things that we must do to try to prevent this kind of thing ever happening again and to ensure that the impact is minimised, if and when there are breaches of the system. Obviously, that is what they are trying to do in relation to Northern Ireland.

My Lords, the stakes are very high when these data breaches take place, because they erode public confidence in allowing organisations to collect and use our private data. I am thinking in particular of the NHS, and its great reliance on data; if it can analyse and collect information, this could be of huge help in solving medical problems and curing diseases. To prevent these things in future, what is being done to ensure that the NHS computer system cannot be hacked and that people can have real confidence in it being allowed to collect their data?

I described the new, more resilient system that we have got. There is a big focus on cyber and cyberattacks; individual Government Ministers take that very seriously. We have set up a new system called GovAssure, which the Deputy Prime Minister announced in the spring, to make sure that different parts of the public sector are better prepared and able to deal with these points. The National Cyber Security Centre has been much strengthened—actually, it also does a very good job for outside organisations, as I remember from when I was involved in an NGO and on the Back Benches. We are making progress with these things. It is important that we use electronic data, as has already been said by several noble Lords. The key is to make people take the necessary steps—often personal steps—to ensure that systems are not opened up to hackers, attackers and hostile states.

My Lords, we all know that this incident happened in August 2021. It was brought to the attention of the Electoral Commission in October 2022, which made it public in August of this year. As a follow-on to my noble friend Lady Smith of Basildon’s question, could the Minister indicate why political parties and the public were not informed of this data breach that would impact all the public throughout the UK? Why did that not happen? In Northern Ireland, we have had the PSNI data breach, which impacts all the workforce, both service personnel and civilian staff. Maybe whenever she talks to the Cabinet Office, she could impress on it the need to ensure that political policing is ended.

That is a point well made. In a sense, the noble Baroness’s question is about why this took so long, especially in relation to the Electoral Commission. The Electoral Commission made a statement on this—it is, as I had to emphasise right at the beginning, independent and accountable to Parliament through the Speaker’s Committee—in which it said that it needed to take several steps to remove the hackers and that it was necessary to do that before making a statement. It also said that it was determined to protect against future hacking and that by making a public statement that would have been more difficult. However, the noble Baroness’s point is well made; being transparent with the public is an ambition that we all share—subject, of course, to security needs.

My Lords, may I follow that up with the Minister? Is she certain that the data breach notification requirements under data protection law were followed? As I understand it, the Electoral Commission said that it knew about this in October 2022, and yet the Information Commissioner’s Office appears to have been told only a month ago, and there are requirements—certainly there are under GDPR—for the public to be told, normally within 72 hours. What have the Government ascertained about whether these requirements were followed?

My Lords, I was going to make exactly the same point, but I was also going to add: who has taken responsibility for this breach at the Electoral Commission, and what action has been taken? It is very quick to punish the political parties when they cross the line, so what has been done there, or is this yet another example of something going completely wrong and no one taking responsibility?

I note the tone of my noble friend’s comment and understand the frustration that noble Lords in this House feel.

Did the breach include any of the marked registers from the polling stations—the noble Baroness must know what they are? Are they kept in digital form and, if so, for how long?

As I understand it, it was reference copies. The registers—as the noble Lord probably knows—are kept by local authorities and by the constituency election officers. I think the answer—I will certainly confirm it—is that the marked registers would not have been made available.

My Lords, I feel that the noble Baroness speaking on behalf of the Government is being slightly complacent about all of this. We of course welcome the fact that the Electoral Commission is an independent body, and we hope that that will continue. However, the whole purpose of hostile state actors in disrupting or breaching the security of the Electoral Commission is to undermine public faith and confidence in the institutions of the country, as the right reverend Prelate said. That has to be a fundamental concern of the Government. How will they address that and make sure that we can continue to have confidence in our institutions and that they cannot be undermined by state actors, as may have happened in this case?

On a positive note, I will repeat two big things. First, we set up the Defending Democracy Taskforce to drive forward work on protecting UK democratic processes, because we knew and feared, as long ago as last year when this was set up, that there could be problems, and it has now set up a new and enduring election security capability—the JESP unit. The second point is that all the work we are doing through the National Cyber Security Centre is making things better, although this is not an easy area—whoever tries to run this area would discover that. Therefore, things such as GovAssure, the work on cyber skills, the web check and the resilience framework that we talked about in answer to the previous Question, as well as training—which nobody has mentioned and which I know the noble Lord is always advocating—remain very important.