The Committee consisted of the following Members:
Chair: Mr Peter Bone
† Adams, Nigel (Lord Commissioner of Her Majesty's Treasury)
† Afriyie, Adam (Windsor) (Con)
† Alexander, Heidi (Lewisham East) (Lab)
† Bowie, Andrew (West Aberdeenshire and Kincardine) (Con)
† Byrne, Liam (Birmingham, Hodge Hill) (Lab)
† Elmore, Chris (Ogmore) (Lab)
† Herbert, Nick (Arundel and South Downs) (Con)
† James, Margot (Minister of State, Department for Digital, Culture, Media and Sport)
† Jones, Andrew (Harrogate and Knaresborough) (Con)
† Jones, Mr Kevan (North Durham) (Lab)
† Lopez, Julia (Hornchurch and Upminster) (Con)
† Maclean, Rachel (Redditch) (Con)
† Newlands, Gavin (Paisley and Renfrewshire North) (SNP)
† Smeeth, Ruth (Stoke-on-Trent North) (Lab)
† Stevens, Jo (Cardiff Central) (Lab)
† Tomlinson, Justin (North Swindon) (Con)
Umunna, Chuka (Streatham) (Lab)
Leoni Kurt, Committee Clerk
† attended the Committee
The following also attended, pursuant to Standing Order No. 118(2):
Heaton-Harris, Chris (Vice-Chamberlain of Her Majesty's Household)
Second Delegated Legislation Committee
Monday 26 March 2018
[Mr Peter Bone in the Chair]
Draft Data Protection (Charges and Information) Regulations 2018
I beg to move,
That the Committee has considered the draft Data Protection (Charges and Information) Regulations 2018.
It is a pleasure to serve under your chairmanship, Mr Bone. The work of the Information Commissioner and her office is of fundamental importance and relevance, as can be seen with the Facebook and Cambridge Analytica incidents in the media last week. Data is a pivotal element of the digital revolution enabling a multitude of technological innovations that support growth and benefit society.
However, for those innovations to be successful, the Government and the general public must be confident that our data is not being misused. For that reason, we are modernising our data protection laws, through the Data Protection Bill, and providing new powers for the Information Commissioner.
An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. That is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently before Parliament, and internationally. That was highlighted in the Prime Minister’s recent Mansion House speech, which mentioned the UK’s high standards of data protection as one of the foundations that will underpin our post-Brexit trading relationship with the EU.
This changing data protection landscape has increased the responsibility of the Information Commissioner and the challenges she faces. With that increased responsibility comes an increased cost of delivery, so it is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities, that the Government meet our responsibility under the general data protection regulation—GDPR—and that the ICO is funded for the effective performance of its tasks.
As with other similar organisations, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers. Currently, data controllers pay two tiers of charge: tier 1, for organisations with fewer than 250 staff or turnover of less than £25.9 million, is £35 per annum, and tier 2, for the remaining larger data controllers, is £500 per annum. Those charges have not increased at all since their introduction in 2001 and 2009 respectively.
The draft regulations will implement a new charging structure in order to fund the Information Commissioner’s data protection activities, which will come into force on May 25 this year, when the new Data Protection Act and the GDPR standards are due to take effect. The new structure is made up of three categories of charge: micro-organisations, including individuals, who will pay a charge of £40; small and medium organisations, which will pay £60; and large organisations, which will pay £2,900. The structure is designed to be closely aligned with the standard Government categorisation of businesses and organisations.
Furthermore, a £5 discount applies to all organisations that pay by direct debit. In effect, that will mean that micro-organisations that pay by direct debit will pay the same charge that they have paid since 2001. Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised based only on their number of staff. In addition, charities and small occupational pension schemes will continue to automatically pay the lowest charge.
The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and, finally, raise awareness of data protection obligations in organisations, thereby increasing their compliance. I will expand on what each will mean in practice.
First, in designing this new charging structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in the future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups.
The charge levels have primarily been increased from the current level of fees to reflect the increased responsibilities of the ICO under the GDPR and the new Bill. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities.
In 2016 the Department for Digital, Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to a standard.
Secondly, large organisations, including public authorities—local and national—often hold the most complex and sensitive datasets and, as such, represent a higher level of information risk. They will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data.
The charging structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, and to recognise that it would not be appropriate for large businesses and public authorities in effect to be subsidised by small and micro businesses, which make up the majority of the data controllers.
Thirdly and finally, in making the regulations, we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, and are thereby increasing their awareness of the ICO as regulator and their own obligations.
The new draft regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption, to make it clear that homeowners using CCTV for such purposes are no longer required to pay a charge under the new scheme.
I appreciate that there is appetite from stakeholders to review the exemptions in general, and Government have committed to undertake a public consultation on the exemptions later this year. Members may be interested to hear that we are minded to consider an exemption for all elected representatives and Members of the House of Lords.
The Committee will all be aware that the ICO has been at the forefront of the news recently, and I assure Members that the new funding regime was designed to enable the commissioner to meet the challenges of large and complex investigations in the future. In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy, which can only flourish with a strong data protection regime in place. It is therefore of vital importance that we provide the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator.
It is a pleasure to serve under your chairmanship, Mr Bone.
The Minister referred to the exemption for Members of Parliament, including the House of Lords. This is really about saving taxpayers’ money. At present, I understand, we would be classed in the micro group, and the £35 a year that we will have to pay we would then reclaim from IPSA under the office costs allowance. If we do not pay by direct debit the cost will be £40—the £35 is paid if by direct debit. On top of that, there will clearly be the cost of IPSA’s processing. I do not need to tell colleagues the level to which that goes and the costs that it incurs.
The Minister says she will consult on this, but would it not be a good use of taxpayers’ money to either exempt us, or to have some system whereby IPSA could pay the £35 directly to the Information Commissioner? That would cut out a lot of the unnecessary administration that IPSA is famous for and would avoid, for example, a new Member who is perhaps not used to administration failing to do it for some reason.
I take on board that the Minister says she will consult, but I would try to get this done sooner rather than later. As outlined, it will cost the taxpayer twice, and it is after all taxpayers’ money that funds IPSA and our expenses. The fact that the Government are basically paying money back to themselves, obviously with the slice off the top for the costs of the administration of IPSA, is quite an inefficient way of administering this.
More broadly, I understand and accept what the Minister says about the need for finance for this area—the Information Commissioner faces a growing area—but what scrutiny and justification has the Information Commissioner given to the Government for this increase? A lot of small and medium-sized businesses will see this as an additional payment that they will have to make. If we are to ensure the robustness of the arguments, we need to ensure that the Information Commissioner is diligent and operating efficiently and that individuals can be assured that taxpayers’ money, whether raised this way or in other ways, is properly accounted for and justifiably used.
I very much welcome the draft regulations. As chair of the all-party parliamentary group on financial technology, I am conscious that huge demands will be placed on the ICO, which has always struck me as being pretty under-resourced, as has probably been evidenced by the Cambridge Analytica situation. I wonder if the ICO actually has the resources to go ahead and conduct a full investigation into that, so I very much welcome the increasing budget.
Given the new data protection laws, given that Brexit—if we are trying to stay at the forefront of financial technology and alternative finance—may require further work by the ICO and given that the Open Banking Implementation Entity has now come out with new standards for data portability, an enormous amount will be required of the ICO over the next two to three years, particularly as it adjusts. This uplift is necessary to fulfil its obligations.
My hon. Friend the Minister presented the draft regulations very well indeed, but I have a couple of quick questions. Will she enlighten us on how the £30 million figure has been calculated as the amount necessary for the ICO to fulfil its obligations? I emphasise that it seems particularly low, given the demands and potential demands on the ICO over the next 24 months.
I welcome the three-tier system; it is quite right that single users or very small companies pay a lower figure. I hope that, at some point in the future, we will look at the third tier, because that again seems quite low. If we consider the impact of one investigation with one of these larger firms, I can pretty much see the entire ICO budget going on one large organisation. Again, I would like to see that addressed in the future.
I very much welcome the exemptions. When it comes to the IPSA money, we have all had pain and scars. It is rather a circular motion, but I agree with the hon. Member for North Durham that, if the bill for Members or peers is £40, with IPSA it will probably end up being £80, given the bureaucratic costs involved. That may be worth looking at. Overall, I very much welcome the changes, but I would like a little more insight into where the £30 million figure comes from.
It is a privilege to serve under your chairmanship for the first time, I think, Mr Bone. I want to develop the points rehearsed by my hon. Friend the Member for North Durham and the hon. Member for Windsor. The Minister needs to rethink the consultation and these regulations for three reasons. First, as the hon. Member for Windsor rightly said, they are based on a budget of about £30 million for the Information Commissioner, which is an increase of about one third. The budget was set before the events of the past couple of weeks, when the implementation of GDPR was in mind. We did not foresee that the Information Commissioner would have to struggle for literally a week to get a search warrant to get into the offices of Cambridge Analytica. The idea that the Information Commissioner can investigate companies such as Facebook with a budget of £30 million is, frankly, fanciful.
We had a debate last week about the need to empower the Information Commissioner. When the Secretary of State intervened in the House a couple of weeks ago, he gave many of us the impression that that would happen under the Data Protection Bill, but the Minister walked back from that commitment in the Bill Committee last week. If we do not equip the Information Commissioner with the powers she needs to do her job and investigate some of the biggest companies on Earth, we need to look again at the budget and resources she has to do that job.
The second issue, as my hon. Friend the Member for North Durham rightly said, is that Government have declared that there will be a series of exemptions to the regulations sometime in the future. The Minister is inviting the Committee to agree the regulations this afternoon, and yet the exemptions will be organised and implemented sometime down the track. I do not think that is the right way round. The Minister should have organised a consultation on the exemptions before the regulations came to the Committee, and the exemptions should have been hard-wired into the regulations before the Committee was asked to agree to them.
The most significant problem that I want to flag up for the Minister is the appalling lack of consultation with local authorities. Something like 40,000 different data controllers were invited to respond to the consultation that led to the regulations, and 2,000 data controllers responded, but some affected parties, including minor stakeholders such as the Local Government Association, were not invited to contribute their views. That is a serious problem, because local authorities are some of the most important data controllers in the country, and they face a 480% increase in their charges.
It is not clear to me that the consultation was well organised. Events have moved on—I have some sympathy with the Minister about the fast-moving nature of her brief. I am afraid that the basics of the consultation should have been done differently, which is why I object to these regulations.
I thank hon. Members for their constructive and useful comments and questions. In response to the hon. Member for North Durham, we propose to consult on whether MPs and other elected officials, including parish councillors and local councillors, should be exempt. We should proceed with that consultation, and he is absolutely within his rights to contribute his thoughts about whether, if we go ahead with the exemption, it should just apply to local councillors and parish councillors. He can have his views on that.
It might have been a good idea to have consulted Members of Parliament, as my right hon. Friend the Member for Birmingham, Hodge Hill said. I am not calling for an exemption. The way it has been constructed is a waste of taxpayers’ money, because in addition to the cost of IPSA administering it, if people do not pay by direct debit, there is an extra £5 that can be claimed. That will add to the costs, which is silly.
I shall take the hon. Gentleman’s views back. At the moment, there is a proposal to consult. If hon. Members feel we should just pay it through IPSA, that is a perfectly valid view.
The hon. Gentleman also asked about the Information Commissioner’s accountability for the budget. The majority of micro-payers—very small businesses and organisations—are exempt for various reasons, chief among them that they do not process very much personal data in their day-to-day duties. In my Department, we keep the ICO budget under review on an annual basis, to ensure that the budget is adequate for the Information Commissioner’s requirements, but not overly generous.
I think the Committee is more worried about whether the ICO will have sufficient resources. That was the concern expressed by my hon. Friend the Member for Windsor and the right hon. Member for Birmingham, Hodge Hill.
I have no doubt that the Minister’s Department keeps the budget under review to see whether the Information Commissioner has enough resources, but what about how the money is spent in practice? As with many such quangos, the question is who is ensuring that the money is spent properly.
The Information Commissioner’s Office has a financial controller, a board, and a chief executive. It is held to account not just by my officials, but by the Secretary of State and me. I meet with the Information Commissioner regularly, and we assess through various means whether adequate financial controls are in place. To date, the ICO has proved that they are. Obviously, a significant uplift of at least a third in revenue, and all the additional headcount that that implies, will be a moment of transition, where the sort of problems that we have seen in other organisations may emerge. We will keep a very close eye on that, to ensure that they do not.
My hon. Friend the Member for Windsor was concerned that there were not enough resources, and that £30 million was too low. We will keep that figure under review. Certainly, the events of the past few weeks have shone a torch on just how much could be demanded of the ICO. As well as increasing the budget, and enabling the Information Commissioner to increase the number of staff that she has at her disposal, we have increased her powers. The right hon. Member for Birmingham, Hodge Hill said that in Committee I walked back from the commitments that the Secretary of State gave to reviewing the powers that we have given the Information Commissioner in the Bill. We have strengthened her powers, and we have discussed with her her desire for greater powers. We debated that in Committee, and I confirmed that we would review her powers before Report. The Secretary of State and I are honouring that commitment.
The Minister mentioned that she speaks regularly to the Information Commissioner. Has she had a discussion with her about why it took more than four days for a warrant to be issued for ICO staff to go into Cambridge Analytica’s offices?
Order. The instrument is very tightly drawn, and we are not going to talk about the wider aspects of data protection and Cambridge Analytica.
Thank you, Mr Bone, but I am happy to answer the question, as it was asked. I spoke to the Information Commissioner on the telephone at the beginning of last week, before it became apparent that that had taken so long. That indeed is one of the areas of powers that we are looking at, to reassure the hon. Lady.
I hope that I have dealt with the comments and questions to the Committee’s satisfaction and that the draft instrument will be agreed.
That the Committee has considered the draft Data Protection (Charges and Information) Regulations 2018.