Skip to main content

Data Protection (Monetary Penalties) Order 2010

Volume 717: debated on Monday 1 March 2010

Considered in Grand Committee

Moved By

That the Grand Committee do report to the House that it has considered the Data Protection (Monetary Penalties) Order 2010.

Relevant document: 6th Report from the Joint Committee on Statutory Instruments.

My Lords, this order relates to the power of the Information Commissioner to impose a civil monetary penalty on a data controller that seriously contravenes the data protection principles.

The order supplements the provisions of Sections 55A and 55E, which were inserted into the Data Protection Act 1998 by Section 144 of the Criminal Justice and Immigration Act 2008. These amendments provided the Information Commissioner with the power to impose civil monetary penalties.

This order, alongside the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, which are subject to negative resolution, will bring the provisions on civil monetary penalties into force. The Government’s proposal is for these provisions to commence on 6 April 2010, along with other amendments to the Data Protection Act. The order was debated and approved in the other place last month.

The order contains provisions on data controllers’ written representations, cancellation, variation, enforcement and appeals against monetary penalty notices. The other statutory instrument provides details on the maximum penalty amount, which has been set at £500,000, and sets out information that a notice of intent and a monetary penalty notice must contain.

A civil monetary penalty may be served if the commissioner is satisfied that a data controller has committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress, and which was either deliberate or committed by a data controller that knew or ought to have known that there was a risk of this type of contravention occurring, but failed to take reasonable steps to prevent the contravention.

It is important to note that a number of conditions must be fulfilled before the commissioner can impose a civil monetary penalty. These conditions, which are explained in the guidance issued by the Information Commissioner, will ensure that only those contraventions that are sufficiently serious and deliberate or reckless warrant the issuing of a civil monetary penalty, and will ensure that the penalties are administered fairly.

The Government know how important it is to safeguard personal data. The ICO’s Annual Track survey 2009, recently published, shows that protecting people’s personal data is considered a top concern, only behind preventing crime. Only a small amount of data need to be misused for damage and distress to be caused.

There is widespread support for the introduction of this power. In particular, your Lordships will remember that the Data Sharing Review Report, the Thomas-Walport report, published in July 2008, specifically called for stronger penalties and sanctions and for the Information Commissioner to be given increased powers and resources to carry out his duties more effectively.

More recently, in November and December last year, we held a public consultation on the Government’s proposal to set the maximum amount for civil monetary penalties at £500,000. The large majority of respondents agreed that there was a need for such a power and supported its immediate introduction. In addition, there was cross-party support in another place for the introduction of this power.

Additionally, we have worked closely with the Information Commissioner’s Office and involved other stakeholders in the development of this policy. We held two stakeholder events to discuss the new regulations and the commissioner’s guidance on civil monetary penalties. The Information Commissioner’s guidance was also available for comment on the ICO website.

I stress that the majority of data controllers of course comply with the data protection principles, but a small number do not, and it is the irresponsible actions of those organisations that we are trying to address. We believe that civil monetary penalties will act as an effective sanction and deterrent against serious and careless or deliberate non-compliance. We estimate that the likely number of cases in which the Information Commissioner will use this power will be around eight a year.

It is clear that appropriate action must be taken where a data controller deliberately or recklessly contravenes the data protection principles—for example, when a data breach occurred because the data controller processed personal data in a completely unsecure environment, and knew that there was a high risk of a data breach but did not act to address that risk, such as by using unencrypted laptops which contained personal data.

To ensure that the ICO has the resources necessary for this new power and other new responsibilities under the DPA, the Government in October 2009 introduced a new fee structure for notification purposes. It consists of two tiers and will lead to greater funding for the ICO’s data protection work. The new fee structure reflects more accurately the costs to the ICO of regulating data controllers.

I will say a few words about how this power will operate. The commissioner will need to be satisfied that there has been a serious contravention of the data protection principles of the kind liable to a civil monetary penalty. The commissioner will consider each possible contravention on a case-by-case basis. The commissioner laid statutory guidance before Parliament on 12 January this year which sets out his interpretation of the power and how his office will assess the meaning of “substantial”, “serious contravention”, and “damage and distress”.

A number of safeguards are in place to ensure the fairness of this power. First, once the Information Commissioner is satisfied that a serious contravention has been committed, he must issue a notice of intent setting out the details of the contravention, the proposed penalty, next steps and how the data controller can make representations to the Information Commissioner. Next, a penalty notice would be issued only after representations had been received and considered by the commissioner, or after the deadline for representations to be received had elapsed. In addition, data controllers have the right to appeal to the General Regulatory Chamber against any penalty notice received. On points of law, those appeals can reach the upper tribunal and, further, the Court of Appeal. Finally, the IC’s guidance must set out how the power will be used. The Government therefore believe that sufficient safeguards are in place to ensure that the Information Commissioner is not the policeman, prosecutor, judge and jury, as was said in the other place.

As I have tried to explain, this order sets out some of the provisions required to ensure that the monetary penalty framework for serious contraventions of the data protection principles is robust and fair to data controllers and the Information Commissioner. Although the Data Protection Act already gives the Information Commissioner an effective framework with which to regulate the Act, the power to impose monetary penalties of up to £500,000 will provide the commissioner with an important additional tool. It will act as an effective sanction and a deterrent against non-compliance. The commissioner will have no financial incentive to issue monetary penalties because any money recovered as a result of the issue of these penalties will go to the Consolidated Fund, managed by the Treasury. The new powers will contribute to increased compliance with data protection principles and strengthen public confidence that data protection safeguards are observed. I beg to move.

I thank the noble Lord for his explanation of the order, which brings in a new and quite high monetary penalty of £500,000 for people in breach. I thought that it was the order itself that did this but, on going through it, I cannot see where the sum of £500,000 is mentioned.

I have the advantage of being briefed on this. The second, negative instrument that I referred to sets out the amount, and the two go together.

I had forgotten that there is a negative instrument as well as the affirmative one before us. As I said, it is quite a high figure and therefore it is only right to ask one or two questions. First, I am grateful to the noble Lord for reminding us that there has been consultation on this. As the Explanatory Memorandum makes clear, some 53 per cent of the respondents supported the proposal, believing it to be a fair and proportionate approach. Some 32 per cent were against the maximum penalty, but they were not united because that percentage again split more or less half and half, some in favour and some against. Would the noble Lord expand a little on that?

Secondly, I should like to know more about appeals, dealt with in Article 7 of the order. We are told that Section 49 and Schedule 6 have effect in relation to appeals, but I think the noble Lord explained that we go through the whole tribunal process even though there will be only something in the order of around eight cases a year.

Thirdly, I have some concerns about the costs of implementing the civil monetary penalties, which are dealt with in paragraph 10.2 of the Explanatory Memorandum. It states that the costs,

“will be met by the recent increase in the notification fee from £35 per year to £500 a year for those data controllers with either a turnover of £25.9M and 250 or more members of staff, or, public authorities with 250 or more members of staff”.

I am not clear from that whether those who do not meet the figures will pay just £35 a year, or will they not pay anything? Also, I do not see why we need quite such a large increase. A rise from £35 to £500 a year is quite a big percentage increase. The Minister is better at maths than I am, so he could tell me exactly what it is, or indeed he could look to his noble friend Lord McKenzie. I would guess that it is an increase of several hundred percentage points. I would be grateful to know why it was felt that such a large increase was necessary. No doubt the noble Lord will be given some advice on this before he comes to reply.

That deals with the various questions I have on the order. Again, we on this side do not object to the order, but we would be grateful for responses to our particular points.

My Lords, we support the order. Indeed, the amendment to the Data Protection Act which made it possible was introduced to the Criminal Justice and Immigration Bill following amendments from the Liberal Democrats.

The Liberal Democrats calculate that in 2007 alone a record 37 million items of personal data were lost, including the notorious case where the details of 25 million child benefit claimants were lost in the post. I should declare that I was affected by that. Matters have not improved noticeably since then and there have been additional high-profile cases, including, in 2008, the loss by an external contractor of a memory stick containing sensitive information about thousands of persistent offenders and, in 2009, the case where an employee of T-Mobile sold customers’ details to rival companies.

It is right that data controllers should be subject to sanctions when such breaches occur. However, the T-Mobile case raises a question about the operation of the new sanctions which I hope the Minister will be able to clarify. If a deliberate breach is committed by a junior employee and the organisation denies all knowledge of or responsibility for it, how will the Information Commissioner’s Office determine whether the data controller took reasonable steps to prevent it and, therefore, whether the organisation is responsible for the breach? I am aware that, to some extent, this is probably dealt with in the draft guidance, but it would be helpful to have an example, if the Minister can think of one, of how these provisions might have applied in the T-Mobile case.

It is also right that the Thomas-Walport review highlighted that the Information Commissioner’s Office should be given the powers and the resources to do its job properly. In conjunction with the new powers in the Coroners and Justice Act, we welcome this order’s move to give the ICO real teeth in data protection.

I have two questions, the first of which concerns the public response. The noble Lord, Lord Henley, has already raised some issues on this subject but my question is quite simple. We notice that the Ministry of Justice press release states that, of the 52 responses received, 27 agreed that £500,000 was the correct maximum level. Fifty-two responses is a small sample and I wonder for how long the consultation was open. My second question looks forward. While these measures are extremely welcome and we hope that they will go some way towards making data controllers more responsible, will the Government consider improving the regulations earlier on in the system rather than simply imposing penalties?

I refer the Minister to an excellent series of articles in the Economist this week, one of which proposes that regulations could require companies or data controllers to provide annual security audits. These will be similar to financial audits as exist for listed companies, and could be used by companies not only to improve their performance but to assist the regulator by providing evidence should a problem come to light subsequently. So we would like a data information annual audit, please.

That is all I have to say, other than to congratulate the Government on bringing forward the order.

I am grateful, again, to both noble Lords for their support and helpful questions. On the issue of why there is such a large increase in the tiered fees to the Information Commissioner, tier 2—the £500 tier—represents about 5 per cent of data controllers. For a data controller to be subject to a tier 2 penalty, it must have a turnover of more than £26.9 million and more than 250 staff. We believe that is an appropriate amount. Clearly the Information Commissioner’s Office needed some extra resources and we thought that this was a fair way of obtaining them. Everyone will pay at least £35.

I shall deal with the appeal processes. Following the imposition of a monetary penalty, a data controller may appeal the imposition of the penalty and/or the specific amount imposed. Those appeals go then into the tribunal system. Most cases will be heard in the first tier, with the most complex going to the upper tier. Appeals from the first tier to the upper tier can only be on a point of law. Appeals from the upper tier lie on a point of law again to the Court of Appeal.

As for the 32 per cent against the £500,000 maximum penalty, the respondents against the maximum figure were split between those wanting a penalty of up to £1 billion and those wanting a sum less than the £500,000. On balance, we felt that the penalty of £500,000 was proportionate. It will be reviewed in three years.

Of course the noble Baroness is absolutely right that the cases take place and the commissioner acts only after discussions have been had with the data controllers. The last resort is to use the law to get penalties so as to persuade against that data protection action. It is not to be used regularly—only about eight times a year, we hope—so she is right to mention the articles in the Economist this week. Any help that can be given to make sure that we do not get into this situation too often is very much to be welcomed.

The consultation period lasted six weeks.

There remains one outstanding matter: how the Information Commissioner will determine whether reasonable steps have been taken. The noble Baroness referred the Committee to the T-Mobile case and how provision might have applied to it. The Information Commissioner would need to investigate each case on its merits, of course. Each breach would be different and have its own character. Technical data security breaches will require different reasonable steps such as proper electronic data security, whereas a breach relating to an employee failure may require proper levels of staff training. I emphasise that the penalties available if the order is carried come after discussion and debate in an attempt to make sure that data protection really means what it says.

Motion agreed.