The Committee consisted of the following Members:

Chairman: Hywel Williams

Featherstone, Lynne (Hornsey and Wood Green) (LD)
Howarth, David (Cambridge) (LD)
Jackson, Glenda (Hampstead and Highgate) (Lab)
Jones, Helen (Vice-Chamberlain of Her Majesty's Household)
Joyce, Mr. Eric (Falkirk) (Lab)
Ladyman, Dr. Stephen (South Thanet) (Lab)
Laing, Mrs. Eleanor (Epping Forest) (Con)
Prentice, Bridget (Parliamentary Under-Secretary of State for Justice)
Roy, Lindsay (Glenrothes) (Lab)
Scott, Mr. Lee (Ilford, North) (Con)
Sharma, Mr. Virendra (Ealing, Southall) (Lab)
Smith, Geraldine (Morecambe and Lunesdale) (Lab)
Syms, Mr. Robert (Poole) (Con)
Taylor, Mr. Ian (Esher and Walton) (Con)
Wood, Mike (Batley and Spen) (Lab)
Wright, Jeremy (Rugby and Kenilworth) (Con)

Miss A-M Griffiths, Committee Clerk

attended the Committee
Sixth Delegated Legislation Committee

Tuesday 9 February 2010

[Hywel Williams in the Chair]

Draft Data Protection (Monetary Penalties) Order 2010

4.30 pm
The Parliamentary Under-Secretary of State for Justice (Bridget Prentice): I beg to move,

That the Committee has considered the draft Data Protection (Monetary Penalties) Order 2010.

It is a delight to serve under your chairmanship, Mr. Williams. I apologise for making people, particularly the Whip, my hon. Friend the Member for Warrington, North, a little nervous about whether I would make it here in time.

The order relates to the power of the Information Commissioner to impose a civil monetary penalty (a CMP) on a data controller who seriously contravenes the data protection principles. It supplements sections 55A and 55E of the Data Protection Act 1998, which were inserted by section 144 of the Criminal Justice and Immigration Act 2008. Those amendments provided for the Information Commissioner to serve a data controller with a monetary penalty notice. This order, alongside the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, will bring the provisions on CMPs into force. We propose that they commence on 6 April 2010, along with other amendments to the 1998 Act. The order contains provisions on data controllers' written representations, enforcement, cancellation, variation and appeals against monetary penalty notices. The 2010 regulations, which are subject to the negative procedure, provide details on the maximum penalty amount, which has been set at £500,000, and set out the information that a notice of intent and a monetary penalty notice must contain.

A CMP can be served if the commissioner is satisfied that a data controller has deliberately committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress, or committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress and they knew or ought to have known that there was a serious risk that the contravention would occur and that such contravention would be of a kind likely to cause substantial damage or distress, but they failed to take reasonable steps to prevent the contravention.

A number of conditions must be fulfilled before the commissioner can impose a CMP. Those conditions, set out in guidance issued by the commissioner and laid before Parliament on 12 January, will ensure that only those contraventions that are sufficiently serious and deliberate or reckless warrant the issuing of a CMP, and will ensure that the penalties are administered fairly.

We all know how important it is to safeguard personal data. The Information Commissioner's annual tracking survey for 2008-09 showed that protecting people's personal data was considered a top concern and as important as fighting crime. Only a small number of data need to be misused for damage and distress to be caused. As I am sure all hon. Members know, data controllers must adhere to the eight principles set out in the 1998 Act, which include ensuring that data processing is conducted lawfully and fairly. I cannot stress too much the fact that the majority of data controllers abide by the requirements of the Act, but a small number do not and it is the irresponsible actions of that small number that we are trying to address. We believe that CMPs will act as an effective sanction as well as a deterrent against serious and careless or deliberate non-compliance.

It is clear that appropriate action must be taken if a data controller knowingly or recklessly breaches the data protection principles: for example, when a data controller sells sensitive personal data that have been obtained in contravention of the data protection principles; when a data breach occurred because the controller processes personal data in a completely unsecure environment and the controller knew that there was a high risk of a breach but did nothing to deal with that risk; or when a breach occurred as a result of employees of a controller using unencrypted laptops that contain sensitive personal data.

There has been widespread support for the introduction of this power. In particular, Members will remember that the data sharing review report, which was published in July 2008 by Richard Thomas, the then Information Commissioner, and Mark Walport, reflected the public's call for a significant improvement in the personal and organisational culture of those who collect, manage and share personal data. They specifically called for stronger penalties and sanctions and asked that the Information Commissioner should be given increased powers and resources to carry out his duties more effectively.

In November and December last year, we held a public consultation on the proposal to set the maximum amount at £500,000. The large majority of respondents agreed that there was a need for such a power and they supported its immediate introduction.

We have worked closely with the Information Commissioner's office and we have involved other stakeholders in the development of the policy. We have held two stakeholder events to discuss the new provisions and the Commissioner's guidance on civil monetary penalties. The guidance was also available for comment on the commissioner's website during November and December last year.

The order is robust and fair to controllers and the commissioner. Although the Data Protection Act already provides the commissioner with a framework within which to regulate the Act, the power to impose monetary penalties of up to £500,000 will provide the commissioner with an important additional tool, which will act as an effective sanction and a deterrent against non-compliance.

These new powers will ultimately contribute to increased compliance with data protection principles and strengthen public confidence that data protection safeguards are observed. I commend them to the Committee.

4.36 pm
Mrs. Eleanor Laing (Epping Forest) (Con): I thank the Minister for her

Mr. Robert Syms (Poole) (Con): Timely arrival.

Mrs. Laing: Her arrival was perfectly timely. I thank her for her long and careful explanation of why the Government are introducing the legislation at this time. We have discussed the matter in relation to various Bills in both Houses of Parliament, although it may not have been discussed at the length that it should have been on the Floor of the House owing to a guillotine. None the less, it has been discussed in this place and in another place.

Let me say in support of the Minister that the Opposition agree absolutely that data protection must be taken seriously. Contraventions of the rules on data protection are not mere administrative errors, but serious matters, and Parliament must define them as serious. However, it is right in certain circumstances that the penalty should be a monetary one, rather than a criminal one of imprisonment. I therefore support what the Minister has said.

There should be severe monetary penalties. We must make it absolutely clear that where data protection laws have been contravened, that is not, as the Minister rightly said, a mere administrative error. The misuse of data can be catastrophic for individuals, companies, organisations and, indeed, the Government. Those who are charged with the responsibility of safeguarding data must know that the duty on them is onerous. That is the message that my colleagues and I would like to send this afternoon.

Where data is not protected properly, the penalties should be severe and should be seen to be severe. One problem is that if we are not seen to take data protection and data security seriously, there will be a loss of confidence in all the structures that we operate, which depend on the proper use and the security of data. I therefore support in principle what the Minister has said.

None the less, one thing still worries me. The role of the Information Commissioner has grown as the use and importance of information and the keeping of data have grown, and the Opposition agree that he requires greater powers. I have no problem with that. However, I am still concerned, from just the usual principles of natural justice, that the commissioner is the policeman, prosecutor, jury and judge in such matters. I hope that the Minister can offer some comfort on those concerns. I would like to be able to agree with what the Government has laid before us this afternoon.

4.40 pm
Lynne Featherstone (Hornsey and Wood Green) (LD): I am grateful to the Minister for her explanation. We support the order. Indeed, the amendment to the 1998 Act that made the order possible was introduced under the Criminal Justice and Immigration Act 2008 following pressure from the Liberal Democrats. We are pleased that on this occasion, at least the Government listened, even if they did not go as far as we might have liked.

The loss of huge amounts of personal data by Departments and by private data controllers is unacceptable. In 2007 alone, the Liberal Democrats calculated that a record 37 million items of personal data were lost, including the notorious case where the details of 25 million child benefit claimants were lost in the post. Things have not improved noticeably since then, with high-profile cases including the loss in 2008, by an external contractor, of a memory stick containing sensitive information about thousands of persistent offenders, and in 2009, the case where an employee of T-Mobile sold customers' details to a rival company. It is absolutely right for data controllers to be subject to sanctions when such breaches occur.

However, the T-Mobile case raises a question about the operation of the new sanctions, which I would be grateful if the Minister could clarify. If a deliberate breach, such as the T-Mobile one, was committed by a junior employee, and the organisation denied all knowledge or responsibility, how would the Information Commissioner's Office determine whether the data controller took reasonable steps to prevent the breach and, therefore, whether they would be liable for it? I am aware that that is to some extent dealt with in the ICO draft guidance, but it would be helpful, by way of example, just to have some idea of how the provisions might have applied in the T-Mobile case.

It is also right, as the Walport-Thomas review highlighted, that the ICO should be given the powers and resources to do its job properly. In conjunction with the new powers under the Coroners and Justice Act 2009, we welcome the order's move to give the ICO some real teeth when it comes to data protection. Otherwise, people will keep on losing data. If there is no comeback, they do not seem to be learning the lessons of embarrassment by public humiliation.

However, we note that concerns were made about the ICO budget. I have a question for the Minister in that regard. The documents accompanying the order state there will be a one-off cost of £100,000 for the ICO and a subsequent annual cost of £17,500. It is stated that that will be met by the recent increase in the notification fee for large data controllers from £35 to £500. Will the Minister tell us how secure the projected figures are? Can she guarantee that if there should prove to be a net shortfall, it will be met through increases to the ICO budget? It would be a shame if this sensible provision ended up worsening the situation, when the information commissioner is already under-resourced.

The right to privacy is increasingly under threat in the information age, both from deliberate incursions by the state and the disastrous effects of the incompetent handling of personal data. The order is a welcome step to restoring the balance in favour of protecting privacy. That is only one step though, and much more remains to be done to restore the right to privacy in this country. Unfortunately, the trend still seems to be in the wrong direction, whether it is towards ID cards or unlawful police retention of photographs and data about police protestors. To dwell on that further would be outside of the scope of today's debate. I simply express the hope that the intention behind the order will become the norm rather than the exception when it comes to privacy.

4.45 pm
Mr. Robert Syms (Poole) (Con): I shall make just a few points. Is it a maximum fine or could there be multiple penalties on a company? How do we define a major breach? If a company lost three unencrypted laptops, would that result in three times the maximum fine or would it be classified as one breach of data? I am a little concerned about how we define a breach of the duties of a data controller.

I agree with my hon. Friend the Member for Epping Forest that if there is no form of appeal, that seems somewhat harsh or it may do in certain cases, because in most of our systems there are either ombudsmen or an appeals system to deal with a situation in which someone believes that they have been unfairly treated. That is quite an important point, on which I would be grateful for the Minister's views.

Who keeps the fine? Does it stay with the Information Commissioner to finance the commissioner's budget or does it go elsewhere? Do the Government have a view, on the basis of past experience, on how many fines are likely to be levied? The hon. Member for Hornsey and Wood Green made the point about the rise in the fee from £35 to £500. How many companies will that affect and what amount of money will be raised?

4.46 pm
Bridget Prentice: Let me answer the question asked by the hon. Member for Poole in addition to the hon. Member for Epping Forest about an appeal. There is of course an appeal. There is an appeal to the Information Tribunal, so although the hon. Lady's description of the commissioner as policeman, judge and jury is to some extent true, there is an onward appeal to the Information Tribunal, which I hope gives the hon. Members some assurance. The other point of assurance is that if the commissioner takes action against a controller, the controller can go back to the commissioner and say, "Look at the steps we have taken." The commissioner has to be reasonable in the way in which he approaches that. He can even receive written representations from a controller should he be taking action.
Mrs. Laing: I entirely accept the Minister's point about the effective appeal to the tribunal and I thank her for making it.
Bridget Prentice: I am grateful to the hon. Lady. A question was asked about how we define a breach and whether the loss of three laptops is a greater breach than the loss of one and so on. The commissioner's guidance defines what is a breach. Common sense tells us that cases will have to be decided on a case-by-case basis. The hon. Lady said that there was an onerous duty on controllers and she is right. The message that we want the order to send is that the duty is onerous, but the public believe that it is necessary, because it is private information that is in danger of being breached if people do not behave properly.

The hon. Member for Hornsey and Wood Green, in referring to the T-Mobile case, asked about a situation in which a junior employee committed the breach and how the provisions would apply. All I can say is that it would be for the Information Commissioner to consider the case on its merits. The guidance will, I think, help to clarify how the commissioner would go about doing that. Obviously, I cannot comment specifically on the T-Mobile case, as the commissioner is taking action in that area.
Mrs. Laing: On the point about the junior employee, would not the usual rules of vicarious liability and vicarious responsibility apply whereby if a junior employee made a mistake, the organisation as a whole would be responsible for not having had in place the systems that prevent a junior employee from making such a mistake?
Bridget Prentice: The hon. Lady makes a fair point. The commissioner would take into account whether there was some irresponsibility on the part of the controller in allowing the information to be available to such a junior employee, who is perhaps so far removed from the data protection issues that they either deliberately or unknowingly committed a breach. I think that the vicarious liability argument is a strong one and one that the commissioner would consider with some seriousness.

The hon. Member for Hornsey and Wood Green has asked how accurate the fee projection is. It was introduced only last October, so it is perhaps a little too early to say, but the matter will be reviewed and we will ensure that we get the right outcome. The hon. Member for Poole asked who keeps the fines and where they go. You will not be surprised to know, Mr. Williams, that they will go into the coffers of Her Majesty's Treasury; no one should hold their breath hoping that something else will happen to them. They are not meant to be a way in which the commissioner can raise money for his own sphere of influence, but I suppose that in a sense that is all the more reason why he will conduct and administer the system fairly.

The commissioner tells me that he expects the number of breaches that he sees under this system to be in single figures. I hope that he is right and that he means very small single figures, because I hope that as a result of today's deliberations, data controllers will know about the onerous responsibility that they have in protecting our data.
Question put and agreed to.

Resolved,

That the Committee has considered the draft Data Protection (Monetary Penalties) Order 2010.

4.52 pm

Committee rose.