Data Protection: Legislation — Question

– in the House of Lords at 3:31 pm on 11th March 2015.

Baroness Ludford Liberal Democrat 3:31 pm, 11th March 2015

To ask Her Majesty’s Government what is their assessment of the case for updating domestic data protection legislation in the light of the reported comments by the Information Commissioner that European Union law requiring notification of data breaches is three years away.

Lord Faulks The Minister of State, Ministry of Justice

My Lords, the Government do not have any plans to update domestic data protection legislation in respect of data breach notification in advance of agreement and implementation of the proposed EU regulation. The Government take the protection of personal data very seriously and believe that a strong system of breach notification will be an important element of a revised EU data protection framework, but that the changes should be made only once the package has been agreed in full.

Baroness Ludford Liberal Democrat

I thank my noble friend for that Answer. However, should the Government not act with greater urgency to incentivise organisations, from which we have seen a series of major scandals of lost data—whether through lost discs or laptops, or hacking—such as from HMRC, Sony, or health organisations? Would it not be salutary for them to have to report major breaches to the regulator and to customers, who might suffer fraud or identity theft? We cannot wait possibly three years until we get EU law. We need to prioritise this so that we encourage companies to get their act together on security.

Lord Faulks The Minister of State, Ministry of Justice

In fact, companies, conscious of their reputation, do—and quite rightly, should—report any breach of security, as indeed Sony did. That would be good practice. The proposed regulation would provide an obligation to notify the breach no later than 72 hours after it occurs to the ICO or equivalent in the relevant country or the subject, but only where there has been a serious breach. I entirely accept the noble Baroness’s concern, but these things must be approached as a whole, which is what the Government intend to do.

Lord Pearson of Rannoch UKIP

My Lords, have we become incapable of organising our own data protection? Why must we wait for the famous and inevitable incompetence of the EU to make a mess of it for us?

Lord Faulks The Minister of State, Ministry of Justice

Data do not respect boundaries in quite the same way that the noble Lord does. We do indeed take a number of steps to protect our data—the ICO has a number of powers which it exercises regularly to control data. However, it is appropriate that our data protection legislation should be in harmony with that of the rest of the European Union.

Lord Deben Conservative

Would my noble friend not accept that it would be quite difficult to explain to companies which work all the way across the European Union that we were so fed up with the European Union that we did not do the sensible thing for them, which is to do through Europe the things that are best done in Europe?

Lord Faulks The Minister of State, Ministry of Justice

My noble friend takes a slightly different view of this country in Europe. Certainly that is the approach that the Government take, although of course they make a major contribution themselves to the development. Indeed, I shall be attending on Friday a meeting at which we will discuss the final version of European data regulation, or at least the partial general approach to it over the forthcoming year.

Lord West of Spithead Labour

My Lords, last year 81% of firms above SME level lost data and had data breaches, primarily by cyberattack, and the average cost to each firm was about £1.5 million to get that sorted out. Our voluntary agreement in terms of telling people that they have been attacked seems to be working well, but at board level there are still companies that do not have a CIO or board responsibility for data. Does the Minister not agree that that absolutely has to be done in every company if we are to stop this sort of thing happening?

Lord Faulks The Minister of State, Ministry of Justice

The noble Lord makes a valuable point. He will know that the ICO monitors security breaches, and that if it finds that an organisation has failed to put in place measures to avert a security breach, it has powers to issue monetary penalties of up to £500,000. None the less, I entirely accept the essence of what he says.

Lord Kakkar Crossbench

My Lords, I declare my interest as professor of surgery at University College London. What assessment have Her Majesty’s Government made of the potential implications for biomedical research of the proposed revision to the data protection regulations from Europe?

Lord Faulks The Minister of State, Ministry of Justice

The noble Lord makes a valuable point. One of the difficult tasks that have to be performed in assessing the appropriate stance to take on data is ensuring that medical research is not in any way compromised, while at the same time making sure that individuals’ data are adequately protected. This issue does not have a simple answer, but it is very much a relevant consideration.

Lord Foulkes of Cumnock Labour

Has the Minister seen the interesting data published today entitled Government Expenditure & Revenue Scotland, which shows exactly what I predicted in this House a few weeks ago—that if we had voted for an independent Scotland it would by now be bankrupt?

Lord Faulks The Minister of State, Ministry of Justice

A fascinating insight, but a little way away from the Question.