David Howarth (Cambridge, Liberal Democrat)

I beg to move amendment 108, in schedule 18, page 177, line 42, leave out Part 5.

Roger Gale (North Thanet, Conservative)

With this it will be convenient to discuss amendment 366, in schedule 18, page 178, leave out line 5.

David Howarth (Cambridge, Liberal Democrat)

This is a short point, although in view of the Minister’s comments about assessment notices this morning, it is worth making it more forcefully.

Amendment 108 seeks to amend a provision of schedule 18 that, in effect, provides that when the Information Commissioner has issued an assessment notice and discovers important information about whether the data controller is complying with the law, or even that there have been or may have been violations of the law, he is nevertheless not allowed to use that information when, for example, levying fines against the data controller.

That seems rather odd. It means that the enforcement process using the assessment notice will always lead to a dead end. I understood the Government’s case to be that it would encourage data controllers to comply with  assessment notices; they would know that they would not be liable to fines if they volunteered information, even if that information showed them to be at fault and in violation of the law. That argument did not strike me as being particularly powerful, as it seemed to be saying that voluntary compliance with the law is the only way in which assessment notices and other measures of that sort should work.

However, the Minister’s comments this morning have slightly changed the position. In the discussion about assessment notices, she said that one reason why there is no enforcement procedure for assessment notices in the main part of the Bill is that the Information Commissioner has all those other enforcement powers. The problem is that schedule 18 seems to be designed—amendment 108 draws attention to a good example of this—to remove the use of those enforcement powers when an assessment notice process has been used. The Government are now in a contradictory position on the relationship between assessment notices and the commissioner’s other enforcement options.

Henry Bellingham (Shadow Minister, Justice; North West Norfolk, Conservative)

I was going to take only five minutes, but in fact I shall take only five seconds, because that well-known law lecturer from Gonville and Caius has made all the points that I intended to make, so I shall simply endorse what he said.

David Howarth (Cambridge, Liberal Democrat)

My college was Clare.

Bridget Prentice (Parliamentary Under-Secretary, Ministry of Justice; Lewisham East, Labour)

Sadly, I may have to take slightly longer than five seconds. Section 51 of the Data Protection Act 1998 allows the Information Commissioner to assess the way in which a data controller processes personal information to see whether good practice is being followed. However, to conduct a good practice assessment, the commissioner needs to obtain the consent of, or be invited by, the data controller. The good practice assessment is largely an educational tool. It is valuable in encouraging data controllers to seek the commissioner’s help to ensure that they are meeting standards and receiving advice.

Proposed new section 41A, as inserted by clause 151, will allow the commissioner to issue an assessment notice on any Government Department or other designated public authorities to assess their compliance with data protection principles. The consent of those bodies will not be required to carry out an assessment under an assessment notice, so in effect it allows for a mandatory inspection by the commissioner.

On commencement of section 55A of the DPA, the commissioner will be able to issue a civil monetary penalty for serious breaches of data protection principles where those breaches are likely to cause substantial damage or distress. Section 55A will apply in cases of deliberate breach and where a data controller is aware that there is a risk of serious breach but fails to take reasonable steps to prevent it. Part 5 of schedule 18 amends section 55A to prevent the imposition of a monetary penalty based on information obtained from either a good practice assessment or the use of an assessment notice.

Amendment 108 would remove the exemption so that once section 55A came into force, data controllers could be issued with a civil monetary penalty on the basis of information obtained during one of the assessments. The proposal to exempt data controllers who consent to a good practice assessment from the civil monetary penalty was explored in the consultation on the Information Commissioner’s inspection powers and funding arrangements in 2008. There were a large number of responses from public, private and third sector organisations, of which almost three quarters indicated their support for that proposal.

In its response, Experian considered that the proposal would ensure that a good practice assessment was a joint approach, rather than a punitive measure. The Association of British Insurers also said that if a data controller was not immune from the civil monetary penalty, that would discourage consent for undertaking good practice assessments. Such assessments are meant to foster an open relationship between the commissioner and the data controller. They provide an opportunity for the data controller to seek advice on meeting standards. The exemption provides a strong incentive to consent to a good practice assessment and achieves the overall aim of lifting data protection standards across the board. Removing the link between an assessment and a monetary penalty, in line with the Hampton principles of adopting positive incentive schemes, reinforces the drive to improve standards.

A raft of strong enforcement measures are already available to the commissioner and they will continue to be available to him should he find something of concern in the course of a good practice assessment or an assessment under proposed new section 41A. We do not propose to provide any protection from prosecution in relation to criminal offences that might be discovered during a good practice assessment, nor do we propose to protect data controllers from other enforcement action. The commissioner can employ the remainder of his enforcement tools. For example, if he discovered a breach of the Data Protection Act during an assessment, he would still be able to take enforcement action. He could issue an enforcement notice under section 40 of the DPA to compel the controller to comply with their obligations. Failure to comply with an enforcement notice is a criminal offence. If the commissioner suspects that a controller has requested a good practice assessment in bad faith so as to escape the possibility of a monetary penalty, he retains his discretion to decline the assessment at all times.

I believe that the Bill as drafted represents a significant incentive for data controllers to consent to a good practice assessment. It maintains the balance between education and enforcement roles, and strengthens the overall effectiveness of the data protection regime. Similar considerations apply to assessment notices, which are a valuable tool in raising compliance levels and educating public bodies that are being assessed. They are not intended to be punishments for the public sector, but rather a way of establishing and spreading good practice. In any case, as I have said, the commissioner can still employ his other enforcement tools where required. I hope that on that basis, the hon. Gentleman will feel able to withdraw his amendment.

David Howarth (Cambridge, Liberal Democrat)

I understand what the Minister says. I ask only whether she will take some moments to  reconsider the position in the light of any changes that she might make to the assessment notice regime, especially if that regime applies to contracted-out public services. On that basis, I beg to ask leave to withdraw the amendment.