Data Protection (Monetary Penalties) Order 2010

I am grateful, again, to both noble Lords for their support and helpful questions. On the issue of why there is such a large increase in the tiered fees to the Information Commissioner, tier 2—the £500 tier—represents about 5 per cent of data controllers. For a data controller to be subject to a tier 2 penalty, it must have a turnover of more than £26.9 million and more than 250 staff. We believe that is an appropriate amount. Clearly the Information Commissioner’s Office needed some extra resources and we thought that this was a fair way of obtaining them. Everyone will pay at least £35. I shall deal with the appeal processes. Following the imposition of a monetary penalty, a data controller may appeal the imposition of the penalty and/or the specific amount imposed. Those appeals go then into the tribunal system. Most cases will be heard in the first tier, with the most complex going to the upper tier. Appeals from the first tier to the upper tier can only be on a point of law. Appeals from the upper tier lie on a point of law again to the Court of Appeal. As for the 32 per cent against the £500,000 maximum penalty, the respondents against the maximum figure were split between wanting a penalty of up to £1 billion and to a sum less than the £500,000. On balance, we felt that the penalty of £500,000 was proportionate. It will be reviewed in three years. Of course the noble Baroness is absolutely right that the cases take place and the commissioner acts only after discussions have been had with the data controllers. The last resort is to use the law to get penalties so as to persuade against that data protection action. It is not to be used regularly—only about eight times a year, we hope—so she is right to mention the articles in the Economist this week. Any help that can be given to make sure that we do not get into this situation too often is very much to be welcomed. The consultation period lasted six weeks. There remains one outstanding matter: how the Information Commissioner will determine whether reasonable steps have been taken. The noble Baroness referred the Committee to the T-Mobile case and how provision might have applied to it. The Information Commissioner would need to investigate each case on its merits, of course. Each breach would be different and have its own character. Technical data security breaches will require different reasonable steps such as proper electronic data security, whereas a breach relating to an employee failure may require proper levels of staff training. I emphasise that the penalties available if the order is carried come after discussion and debate in an attempt to make sure that data protection really means what it says. Motion agreed.