House of Commons
Session 2009 - 10



The Committee consisted of the following Members:

Chairman: Hywel Williams
Featherstone, Lynne (Hornsey and Wood Green) (LD)
Howarth, David (Cambridge) (LD)
Jackson, Glenda (Hampstead and Highgate) (Lab)
Jones, Helen (Vice-Chamberlain of Her Majesty's Household)
Joyce, Mr. Eric (Falkirk) (Lab)
Ladyman, Dr. Stephen (South Thanet) (Lab)
Laing, Mrs. Eleanor (Epping Forest) (Con)
Prentice, Bridget (Parliamentary Under-Secretary of State for Justice)
Roy, Lindsay (Glenrothes) (Lab)
Scott, Mr. Lee (Ilford, North) (Con)
Sharma, Mr. Virendra (Ealing, Southall) (Lab)
Smith, Geraldine (Morecambe and Lunesdale) (Lab)
Syms, Mr. Robert (Poole) (Con)
Taylor, Mr. Ian (Esher and Walton) (Con)
Wood, Mike (Batley and Spen) (Lab)
Wright, Jeremy (Rugby and Kenilworth) (Con)
Miss A-M Griffiths, Committee Clerk
† attended the Committee

Sixth Delegated Legislation Committee

Tuesday 9 February 2010

[Hywel Williams in the Chair]

Draft Data Protection (Monetary Penalties) Order 2010
4.30 pm
The Parliamentary Under-Secretary of State for Justice (Bridget Prentice): I beg to move,
That the Committee has considered the draft Data Protection (Monetary Penalties) Order 2010.
It is a delight to serve under your chairmanship, Mr. Williams. I apologise for making people, particularly the Whip, my hon. Friend the Member for Warrington, North, a little nervous about whether I would make it here in time.
The order relates to the power of the Information Commissioner to impose a civil monetary penalty—a CMP—on a data controller who seriously contravenes the data protection principles. It supplements sections 55A and 55E of the Data Protection Act 1998, which were inserted by section 144 of the Criminal Justice and Immigration Act 2008. Those amendments provided for the Information Commissioner to serve a data controller with a monetary penalty notice. This order, alongside the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, will bring the provisions on CMPs into force. We propose that they commence on 6 April 2010, along with other amendments to the 1998 Act. The order contains provisions on data controllers’ written representations, enforcement, cancellation, variation and appeals against monetary penalty notices. The 2010 regulations, which are subject to the negative procedure, provide details on the maximum penalty amount—that has been set at £500,000—and set out the information that a notice of intent and a monetary penalty notice must contain.
A CMP can be served if the commissioner is satisfied that a data controller has deliberately committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress, or committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress and they knew or ought to have known that there was a serious risk that the contravention would occur and that such contravention would be of a kind likely to cause substantial damage or distress, but they failed to take reasonable steps to prevent the contravention.
A number of conditions must be fulfilled before the commissioner can impose a CMP. Those conditions, set out in guidance issued by the commissioner and laid before Parliament on 12 January, will ensure that only those contraventions that are sufficiently serious and deliberate or reckless warrant the issuing of a CMP, and will ensure that the penalties are administered fairly.
It is clear that appropriate action must be taken if a data controller knowingly or recklessly breaches the data protection principles—for example, when a data controller sells sensitive personal data that have been obtained in contravention of the data protection principles; when a data breach occurred because the controller processes personal data in a completely unsecure environment and the controller knew that there was a high risk of a breach but did nothing to deal with that risk; or when a breach occurred as a result of employees of a controller using unencrypted laptops that contain sensitive personal data.
There has been widespread support for the introduction of this power. In particular, Members will remember that the data sharing review report, which was published in July 2008 by Richard Thomas, the then Information Commissioner, and Mark Walport, reflected the public’s call for
“a significant improvement in the personal and organisational culture of those who collect, manage and share personal data.”
They specifically called for “stronger penalties and sanctions” and asked
“that the Information Commissioner should be given increased powers and resources to carry out his duties more effectively”.
In November and December last year, we held a public consultation on the proposal to set the maximum amount at £500,000. The large majority of respondents agreed that there was a need for such a power and they supported its immediate introduction.
We have worked closely with the Information Commissioner’s office and we have involved other stakeholders in the development of the policy. We have held two stakeholder events to discuss the new provisions and the Commissioner’s guidance on civil monetary penalties. The guidance was also available for comment on the commissioner’s website during November and December last year.
The order is robust and fair to controllers and the commissioner. Although the Data Protection Act already provides the commissioner with a framework within which to regulate the Act, the power to impose monetary penalties of up to £500,000 will provide the commissioner with an important additional tool, which will act as an effective sanction and a deterrent against non-compliance.
These new powers will ultimately contribute to increased compliance with data protection principles and strengthen public confidence that data protection safeguards are observed. I commend them to the Committee.
4.36 pm
Mrs. Eleanor Laing (Epping Forest) (Con): I thank the Minister for her—
Mr. Robert Syms (Poole) (Con): Timely arrival.
Mrs. Laing: Her arrival was perfectly timely. I thank her for her long and careful explanation of why the Government are introducing the legislation at this time. We have discussed the matter in relation to various Bills in both Houses of Parliament, although it may not have been discussed at the length that it should have been on the Floor of the House owing to a guillotine. None the less, it has been discussed in this place and in another place.
Let me say in support of the Minister that the Opposition agree absolutely that data protection must be taken seriously. Contraventions of the rules on data protection are not mere administrative errors, but serious matters, and Parliament must define them as serious. However, it is right in certain circumstances that the penalty should be a monetary one, rather than a criminal one of imprisonment. I therefore support what the Minister has said.
There should be severe monetary penalties. We must make it absolutely clear that where data protection laws have been contravened, that is not, as the Minister rightly said, a mere administrative error. The misuse of data can be catastrophic for individuals, companies, organisations and, indeed, the Government. Those who are charged with the responsibility of safeguarding data must know that the duty on them is onerous. That is the message that my colleagues and I would like to send this afternoon.
Where data is not protected properly, the penalties should be severe and should be seen to be severe. One problem is that if we are not seen to take data protection and data security seriously, there will be a loss of confidence in all the structures that we operate, which depend on the proper use and the security of data. I therefore support in principle what the Minister has said.
None the less, one thing still worries me. The role of the Information Commissioner has grown as the use and importance of information and the keeping of data have grown, and the Opposition agree that he requires greater powers. I have no problem with that. However, I am still concerned, from just the usual principles of natural justice, that the commissioner is the policeman, prosecutor, jury and judge in such matters. I hope that the Minister can offer some comfort on those concerns. I would like to be able to agree with what the Government has laid before us this afternoon.
4.40 pm
Lynne Featherstone (Hornsey and Wood Green) (LD): I am grateful to the Minister for her explanation. We support the order. Indeed, the amendment to the 1998 Act that made the order possible was introduced under the Criminal Justice and Immigration Act 2008 following pressure from the Liberal Democrats. We are pleased that on this occasion, at least the Government listened, even if they did not go as far as we might have liked.
However, the T-Mobile case raises a question about the operation of the new sanctions, which I would be grateful if the Minister could clarify. If a deliberate breach, such as the T-Mobile one, was committed by a junior employee, and the organisation denied all knowledge or responsibility, how would the Information Commissioner’s Office determine whether the data controller took reasonable steps to prevent the breach and, therefore, whether they would be liable for it? I am aware that that is to some extent dealt with in the ICO draft guidance, but it would be helpful, by way of example, just to have some idea of how the provisions might have applied in the T-Mobile case.
It is also right, as the Walport-Thomas review highlighted, that the ICO should be given the powers and resources to do its job properly. In conjunction with the new powers under the Coroners and Justice Act 2009, we welcome the order’s move to give the ICO some real teeth when it comes to data protection. Otherwise, people will keep on losing data. If there is no comeback, they do not seem to be learning the lessons of embarrassment by public humiliation.
However, we note that concerns were made about the ICO budget. I have a question for the Minister in that regard. The documents accompanying the order state there will be a one-off cost of £100,000 for the ICO and a subsequent annual cost of £17,500. It is stated that that will be met by the recent increase in the notification fee for large data controllers from £35 to £500. Will the Minister tell us how secure the projected figures are? Can she guarantee that if there should prove to be a net shortfall, it will be met through increases to the ICO budget? It would be a shame if this sensible provision ended up worsening the situation, when the information commissioner is already under-resourced.
The right to privacy is increasingly under threat in the information age, both from deliberate incursions by the state and the disastrous effects of the incompetent handling of personal data. The order is a welcome step to restoring the balance in favour of protecting privacy. That is only one step though, and much more remains to be done to restore the right to privacy in this country. Unfortunately, the trend still seems to be in the wrong direction, whether it is towards ID cards or unlawful police retention of photographs and data about police protestors. To dwell on that further would be outside of the scope of today’s debate. I simply express the hope that the intention behind the order will become the norm rather than the exception when it comes to privacy.
4.45 pm
Mr. Robert Syms (Poole) (Con): I shall make just a few points. Is it a maximum fine or could there be multiple penalties on a company? How do we define a major breach? If a company lost three unencrypted laptops, would that result in three times the maximum fine or would it be classified as one breach of data? I am a little concerned about how we define a breach of the duties of a data controller.
I agree with my hon. Friend the Member for Epping Forest that if there is no form of appeal, that seems somewhat harsh or it may do in certain cases, because in most of our systems there are either ombudsmen or an appeals system to deal with a situation in which someone believes that they have been unfairly treated. That is quite an important point, on which I would be grateful for the Minister’s views.
Who keeps the fine? Does it stay with the Information Commissioner to finance the commissioner’s budget or does it go elsewhere? Do the Government have a view, on the basis of past experience, on how many fines are likely to be levied? The hon. Member for Hornsey and Wood Green made the point about the rise in the fee from £35 to £500. How many companies will that affect and what amount of money will be raised?
4.46 pm
Bridget Prentice: Let me answer the question asked by the hon. Member for Poole in addition to the hon. Member for Epping Forest about an appeal. There is of course an appeal. There is an appeal to the Information Tribunal, so although the hon. Lady’s description of the commissioner as policeman, judge and jury is to some extent true, there is an onward appeal to the Information Tribunal, which I hope gives the hon. Members some assurance. The other point of assurance is that if the commissioner takes action against a controller, the controller can go back to the commissioner and say, “Look at the steps we have taken.” The commissioner has to be reasonable in the way in which he approaches that. He can even receive written representations from a controller should he be taking action.
Mrs. Laing: I entirely accept the Minister’s point about the effective appeal to the tribunal and I thank her for making it.
Bridget Prentice: I am grateful to the hon. Lady. A question was asked about how we define a breach and whether the loss of three laptops is a greater breach than the loss of one and so on. The commissioner’s guidance defines what is a breach. Common sense tells us that cases will have to be decided on a case-by-case basis. The hon. Lady said that there was an onerous duty on controllers and she is right. The message that we want the order to send is that the duty is onerous, but the public believe that it is necessary, because it is private information that is in danger of being breached if people do not behave properly.
The hon. Member for Hornsey and Wood Green, in referring to the T-Mobile case, asked about a situation in which a junior employee committed the breach and how the provisions would apply. All I can say is that it would be for the Information Commissioner to consider the case on its merits. The guidance will, I think, help to clarify how the commissioner would go about doing that. Obviously, I cannot comment specifically on the T-Mobile case, as the commissioner is taking action in that area.
Mrs. Laing: On the point about the junior employee, would not the usual rules of vicarious liability and vicarious responsibility apply whereby if a junior employee made a mistake, the organisation as a whole would be responsible for not having had in place the systems that prevent a junior employee from making such a mistake?
Bridget Prentice: The hon. Lady makes a fair point. The commissioner would take into account whether there was some irresponsibility on the part of the controller in allowing the information to be available to such a junior employee, who is perhaps so far removed from the data protection issues that they either deliberately or unknowingly committed a breach. I think that the vicarious liability argument is a strong one and one that the commissioner would consider with some seriousness.
The hon. Member for Hornsey and Wood Green has asked how accurate the fee projection is. It was introduced only last October, so it is perhaps a little too early to say, but the matter will be reviewed and we will ensure that we get the right outcome. The hon. Member for Poole asked who keeps the fines and where they go. You will not be surprised to know, Mr. Williams, that they will go into the coffers of Her Majesty’s Treasury—no one should hold their breath hoping that something else will happen to them. They are not meant to be a way in which the commissioner can raise money for his own sphere of influence, but I suppose that in a sense that is all the more reason why he will conduct and administer the system fairly.
The commissioner tells me that he expects the number of breaches that he sees under this system to be in single figures. I hope that he is right and that he means very small single figures, because I hope that as a result of today’s deliberations, data controllers will know about the onerous responsibility that they have in protecting our data.
Question put and agreed to.
Resolved,
That the Committee has considered the draft Data Protection (Monetary Penalties) Order 2010.
4.52 pm
Committee rose.


©Parliamentary copyright 2010
Prepared 10 February 2010