
Data Protection (Monetary Penalties) Order 2010

My Lords, we support the order. Indeed, the amendment to the Data Protection Act which made it possible was introduced to the Criminal Justice and Immigration Bill following amendments from the Liberal Democrats. The Liberal Democrats calculate that in 2007 alone a record 37 million items of personal data were lost, including the notorious case where the details of 25 million child benefit claimants were lost in the post. I should declare that I was affected by that. Matters have not improved noticeably since then and there have been additional high-profile cases, including, in 2008, the loss by an external contractor of a memory stick containing sensitive information about thousands of persistent offenders and, in 2009, the case where an employee of T-Mobile sold customers’ details to rival companies. It is right that data controllers should be subject to sanctions when such breaches occur. However, the T-Mobile case raises a question about the operation of the new sanctions which I hope the Minister will be able to clarify. If a deliberate breach is committed by a junior employee and the organisation denies all knowledge of or responsibility for it, how will the Information Commissioner’s Office determine whether the data controller took reasonable steps to prevent it and, therefore, whether the organisation is responsible for the breach? I am aware that, to some extent, this is probably dealt with in the draft guidance, but it would be helpful to have an example, if the Minister can think of one, of how these provisions might have applied in the T-Mobile case. It is also right that the Thomas-Walport review highlighted that the Information Commissioner’s Office should be given the powers and the resources to do its job properly. In conjunction with the new powers in the Coroners and Justice Act, we welcome this order’s move to give the ICO real teeth in data protection. I have two questions, the first of which concerns the public response.
The noble Lord, Lord Henley, has already raised some issues on this subject but my question is quite simple. We notice that the Ministry of Justice press release states that, of the 52 responses received, 27 agreed that £500,000 was the correct maximum level. Fifty-two responses is a small sample and I wonder for how long the consultation was open. My second question looks forward. While these measures are extremely welcome and we hope that they will go some way towards making data controllers more responsible, will the Government consider improving the regulations earlier on in the system rather than simply imposing penalties? I refer the Minister to an excellent series of articles in the Economist this week, one of which proposes that regulations could require companies or data controllers to provide annual security audits. These will be similar to financial audits as exist for listed companies, and could be used by companies not only to improve their performance but to assist the regulator by providing evidence should a problem come to light subsequently. So we would like a data information annual audit, please. That is all I have to say, other than to congratulate the Government on bringing forward the order.

About this proceeding contribution

Reference: 717 c324-5GC
Session: 2009-10
Chamber / Committee: House of Lords Grand Committee