My Lords, the Government do not have any plans to update domestic data protection legislation in respect of data breach notification in advance of agreement and implementation of the proposed EU regulation. The Government take the protection of personal data very seriously and believe that a strong system of breach notification will be an important element of a revised EU data protection framework, but that the changes should be made only once the package has been agreed in full.
I thank my noble friend for that Answer. However, should the Government not act with greater urgency to incentivise organisations, from which we have seen a series of major scandals of lost data—whether through lost discs or laptops, or hacking—such as from HMRC, Sony, or health organisations? Would it not be salutary for them to have to report major breaches to the regulator and to customers, who might suffer fraud or identity theft? We cannot wait possibly three years until we get EU law. We need to prioritise this so that we encourage companies to get their act together on security.
In fact, companies, conscious of their reputation, do—and quite rightly, should—report any breach of security, as indeed Sony did. That would be good practice. The proposed regulation would provide an obligation to notify the breach no later than 72 hours after it occurs to the ICO or equivalent in the relevant country or the subject, but only where there has been a serious breach. I entirely accept the noble Baroness’s concern, but these things must be approached as a whole, which is what the Government intend to do.
My Lords, have we become incapable of organising our own data protection? Why must we wait for the famous and inevitable incompetence of the EU to make a mess of it for us?
Data do not respect boundaries in quite the same way that the noble Lord does. We do indeed take a number of steps to protect our data—the ICO has a number of powers which it exercises regularly to control data. However, it is appropriate that our data protection legislation should be in harmony with that of the rest of the European Union.
Would my noble friend not accept that it would be quite difficult to explain to companies which work all the way across the European Union that we were so fed up with the European Union that we did not do the sensible thing for them, which is to do through Europe the things that are best done in Europe?
My noble friend takes a slightly different view of this country in Europe. Certainly that is the approach that the Government take, although of course they make a major contribution themselves to the development. Indeed, I shall be attending on Friday a meeting at which we will discuss the final version of European data regulation, or at least the partial general approach to it over the forthcoming year.
My Lords, last year 81% of firms above SME level lost data and had data breaches, primarily by cyberattack, and the average cost to each firm was about £1.5 million to get that sorted out. Our voluntary agreement in terms of telling people that they have been attacked seems to be working well, but at board level there are still companies that do not have a CIO or board responsibility for data. Does the Minister not agree that that absolutely has to be done in every company if we are to stop this sort of thing happening?
The noble Lord makes a valuable point. He will know that the ICO monitors security breaches, and that if it finds that an organisation has failed to put in place measures to avert a security breach, it has powers to issue monetary penalties of up to £500,000. None the less, I entirely accept the essence of what he says.
The noble Lord makes a valuable point. One of the difficult tasks that have to be performed in assessing the appropriate stance to take on data is ensuring that medical research is not in any way compromised, while at the same time making sure that individuals’ data are adequately protected. This issue does not have a simple answer, but it is very much a relevant consideration.