Data Protection (Monetary Penalties) Order 2010

My Lords, this order relates to the power of the Information Commissioner to impose a civil monetary penalty on a data controller that seriously contravenes the data protection principles. The order supplements the provisions of Sections 55A and 55E, which were inserted into the Data Protection Act 1998 by Section 144 of the Criminal Justice and Immigration Act 2008. These amendments provided the Information Commissioner with the power to impose civil monetary penalties. This order, alongside the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, which are subject to negative resolution, will bring the provisions on civil monetary penalties into force. The Government’s proposal is for these provisions to commence on 6 April 2010, along with other amendments to the Data Protection Act. The order was debated and approved in the other place last month. The order contains provisions on data controllers’ written representations, cancellation, variation, enforcement and appeals against monetary penalty notices. The other statutory instrument provides details on the maximum penalty amount, which has been set at £500,000, and sets out information that a notice of intent and a monetary penalty notice must contain. A civil monetary penalty may be served if the commissioner is satisfied that a data controller has committed a serious contravention of the data protection principles that is likely to cause substantial damage or substantial distress, and which was either deliberate or committed by a data controller that knew or ought to have known that there was a risk of this type of contravention occurring, but failed to take reasonable steps to prevent the contravention. It is important to note that a number of conditions must be fulfilled before the commissioner can impose a civil monetary penalty. 
These conditions, which are explained in the guidance issued by the Information Commissioner, will ensure that only those contraventions that are sufficiently serious and deliberate or reckless warrant the issuing of a civil monetary penalty, and will ensure that the penalties are administered fairly. The Government know how important it is to safeguard personal data. The ICO’s Annual Track survey 2009, recently published, shows that protecting people’s personal data is considered a top concern, only behind preventing crime. Only a small amount of data need to be misused for damage and distress to be caused. There is widespread support for the introduction of this power. In particular, your Lordships will remember that the Data Sharing Review Report, the Thomas-Walport report, published in July 2008, specifically called for stronger penalties and sanctions and that the Information Commissioner should be given increased powers and resources to carry out his duties more effectively. More recently, in November and December last year, we held a public consultation on the Government’s proposal to set the maximum amount for civil monetary penalties at £500,000. The large majority of respondents agreed that there was a need for such a power and supported its immediate introduction. In addition, there was cross-party support in another place for the introduction of this power. Additionally, we have worked closely with the Information Commissioner’s Office and involved other stakeholders in the development of this policy. We held two stakeholder events to discuss the new regulations and the commissioner’s guidance on civil monetary penalties. The Information Commissioner’s guidance was also available for comment on the ICO website. I stress that the majority of data controllers of course comply with the data protection principles, but a small number do not, and it is the irresponsible actions of those organisations that we are trying to address. 
We believe that civil monetary penalties will act as an effective sanction and deterrent against serious and careless or deliberate non-compliance. We estimate that the likely number of cases in which the Information Commissioner will use this power will be around eight a year. It is clear that appropriate action must be taken where a data controller deliberately or recklessly contravenes the data protection principles—for example, when a data breach occurred because the data controller processed personal data in a completely unsecure environment, and knew that there was a high risk of a data breach but did not act to address that risk, such as by using unencrypted laptops which contained personal data. To ensure that the ICO has the resources necessary for this new power and other new responsibilities under the DPA, the Government in October 2009 introduced a new fee structure for notification purposes. It consists of two tiers and will lead to greater funding for the ICO’s data protection work. The new fee structure reflects more accurately the costs to the ICO of regulating data controllers. I will say a few words about how this power will operate. The commissioner will need to be satisfied that there has been a serious contravention of the data protection principles of the kind liable to a civil monetary penalty. The commissioner will consider each possible contravention on a case-by-case basis. The commissioner laid statutory guidance before Parliament on 12 January this year which sets out his interpretation of the power and how his office will assess the meaning of "substantial", "serious contravention", and "damage and distress". A number of safeguards are in place to ensure the fairness of this power. 
First, once the Information Commissioner is satisfied that a serious contravention has been committed, he must issue a notice of intent setting out the details of the contravention, the proposed penalty, next steps and how the data controller can make representations to the Information Commissioner. Next, a penalty notice would be issued only after representations had been received and considered by the commissioner, or after the deadline for representations to be received had elapsed. In addition, data controllers have the right to appeal to the General Regulatory Chamber against any penalty notice received. On points of law, those appeals can reach the upper tribunal and, further, the Court of Appeal. Finally, the IC’s guidance must set out how the power will be used. The Government therefore believe that sufficient safeguards are in place to ensure that the Information Commissioner is not the policeman, prosecutor, judge and jury, as was said in the other place. As I have tried to explain, this order sets out some of the provisions required to ensure that the monetary penalty framework for serious contraventions of the data protection principles is robust and fair to data controllers and the Information Commissioner. Although the Data Protection Act already gives the Information Commissioner an effective framework with which to regulate the Act, the power to impose monetary penalties of up to £500,000 will provide the commissioner with an important additional tool. It will act as an effective sanction and a deterrent against non-compliance. The commissioner will have no financial incentive to issue monetary penalties because any money recovered as a result of the issue of these penalties will go to the Consolidated Fund, managed by the Treasury. The new powers will contribute to increased compliance with data protection principles and strengthen public confidence that data protection safeguards are observed. I beg to move.

About this proceeding contribution

Reference

717 c321-3GC 

Session

2009-10

Chamber / Committee

House of Lords Grand Committee