Draft Data Protection (Charges and Information) Regulations 2018

(Limited Text - Ministerial Extracts only)

Monday 26th March 2018


General Committees
The Minister of State, Department for Digital, Culture, Media and Sport (Margot James)

I beg to move,

That the Committee has considered the draft Data Protection (Charges and Information) Regulations 2018.

It is a pleasure to serve under your chairmanship, Mr Bone. The work of the Information Commissioner and her office is of fundamental importance and relevance, as can be seen with the Facebook and Cambridge Analytica incidents in the media last week. Data is a pivotal element of the digital revolution enabling a multitude of technological innovations that support growth and benefit society.

However, for those innovations to be successful, the Government and the general public must be confident that our data is not being misused. For that reason, we are modernising our data protection laws, through the Data Protection Bill, and providing new powers for the Information Commissioner.

An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. That is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently before Parliament, and internationally. That was highlighted in the Prime Minister’s recent Mansion House speech, which mentioned the UK’s high standards of data protection as one of the foundations that will underpin our post-Brexit trading relationship with the EU.

This changing data protection landscape has increased the responsibility of the Information Commissioner and the challenges she faces. With that increased responsibility comes an increased cost of delivery, so it is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities, that the Government meet our responsibility under the general data protection regulation—GDPR—and that the ICO is funded for the effective performance of its tasks.

As with other similar organisations, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers. Currently, data controllers pay two tiers of charge: tier 1, for organisations with fewer than 250 staff or turnover of less than £25.9 million, is £35 per annum, and tier 2, for the remaining larger data controllers, is £500 per annum. Those charges have not increased at all since their introduction in 2001 and 2009 respectively.

The draft regulations will implement a new charging structure in order to fund the Information Commissioner’s data protection activities, which will come into force on May 25 this year, when the new Data Protection Act and the GDPR standards are due to take effect. The new structure is made up of three categories of charge: micro-organisations, including individuals, who will pay a charge of £40; small and medium organisations, which will pay £60; and large organisations, which will pay £2,900. The structure is designed to be closely aligned with the standard Government categorisation of businesses and organisations.

Furthermore, a £5 discount applies to all organisations that pay by direct debit. In effect, that will mean that micro-organisations that pay by direct debit will pay the same charge that they have paid since 2001. Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised based only on their number of staff. In addition, charities and small occupational pension schemes will continue to automatically pay the lowest charge.

The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and, finally, raise awareness of data protection obligations in organisations, thereby increasing their compliance. I will expand on what each will mean in practice.

First, in designing this new charging structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in the future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups.

The charge levels have primarily been increased from the current level of fees to reflect the increased responsibilities of the ICO under the GDPR and the new Bill. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities.

In 2016 the Department for Digital, Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to a standard.

Secondly, large organisations, including public authorities—local and national—often hold the most complex and sensitive datasets and, as such, represent a higher level of information risk. They will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data.

The charging structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, and to recognise that it would not be appropriate for large businesses and public authorities in effect to be subsidised by small and micro businesses, which make up the majority of the data controllers.

Thirdly and finally, in making the regulations, we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, and are thereby increasing their awareness of the ICO as regulator and their own obligations.

The new draft regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption, to make it clear that homeowners using CCTV for such purposes are no longer required to pay a charge under the new scheme.

I appreciate that there is appetite from stakeholders to review the exemptions in general, and Government have committed to undertake a public consultation on the exemptions later this year. Members may be interested to hear that we are minded to consider an exemption for all elected representatives and Members of the House of Lords.

The Committee will all be aware that the ICO has been at the forefront of the news recently, and I assure Members that the new funding regime was designed to enable the commissioner to meet the challenges of large and complex investigations in the future. In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy, which can only flourish with a strong data protection regime in place. It is therefore of vital importance that we provide the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator.

--- Later in debate ---
Margot James

I thank hon. Members for their constructive and useful comments and questions. In response to the hon. Member for North Durham, we propose to consult on whether MPs and other elected officials, including parish councillors and local councillors, should be exempt. We should proceed with that consultation, and he is absolutely within his rights to contribute his thoughts about whether, if we go ahead with the exemption, it should just apply to local councillors and parish councillors. He can have his views on that.

Mr Kevan Jones

It might have been a good idea to have consulted Members of Parliament, as my right hon. Friend the Member for Birmingham, Hodge Hill said. I am not calling for an exemption. The way it has been constructed is a waste of taxpayers’ money, because in addition to the cost of IPSA administering it, if people do not pay by direct debit, there is an extra £5 that can be claimed. That will add to the costs, which is silly.

Margot James

I shall take the hon. Gentleman’s views back. At the moment, there is a proposal to consult. If hon. Members feel we should just pay it through IPSA, that is a perfectly valid view.

The hon. Gentleman also asked about the Information Commissioner’s accountability for the budget. The majority of micro-payers—very small businesses and organisations—are exempt for various reasons, chief among them that they do not process very much personal data in their day-to-day duties. In my Department, we keep the ICO budget under review on an annual basis, to ensure that the budget is adequate for the Information Commissioner’s requirements, but not overly generous.

I think the Committee is more worried about whether the ICO will have sufficient resources. That was the concern expressed by my hon. Friend the Member for Windsor and the right hon. Member for Birmingham, Hodge Hill.

Mr Jones

I have no doubt that the Minister’s Department keeps the budget under review to see whether the Information Commissioner has enough resources, but what about how the money is spent in practice? As with many such quangos, the question is who is ensuring that the money is spent properly.

Margot James

The Information Commissioner’s Office has a financial controller, a board, and a chief executive. It is held to account not just by my officials, but by the Secretary of State and me. I meet with the Information Commissioner regularly, and we assess through various means whether adequate financial controls are in place. To date, the ICO has proved that they are. Obviously, a significant uplift of at least a third in revenue, and all the additional headcount that that implies, will be a moment of transition, where the sort of problems that we have seen in other organisations may emerge. We will keep a very close eye on that, to ensure that they do not.

My hon. Friend the Member for Windsor was concerned that there were not enough resources, and that £30 million was too low. We will keep that figure under review. Certainly, the events of the past few weeks have shone a torch on just how much could be demanded of the ICO. As well as increasing the budget, and enabling the Information Commissioner to increase the number of staff that she has at her disposal, we have increased her powers. The right hon. Member for Birmingham, Hodge Hill said that in Committee I walked back from the commitments that the Secretary of State gave to reviewing the powers that we have given the Information Commissioner in the Bill. We have strengthened her powers, and we have discussed with her her desire for greater powers. We debated that in Committee, and I confirmed that we would review her powers before Report. The Secretary of State and I are honouring that commitment.

Jo Stevens (Cardiff Central) (Lab)

The Minister mentioned that she speaks regularly to the Information Commissioner. Has she had a discussion with her about why it took more than four days for a warrant to be issued for ICO staff to go into Cambridge Analytica’s offices?

The Chair

Order. The instrument is very tightly drawn, and we are not going to talk about the wider aspects of data protection and Cambridge Analytica.

Margot James

Thank you, Mr Bone, but I am happy to answer the question, as it was asked. I spoke to the Information Commissioner on the telephone at the beginning of last week, before it became apparent that that had taken so long. That indeed is one of the areas of powers that we are looking at, to reassure the hon. Lady.

I hope that I have dealt with the comments and questions to the Committee’s satisfaction and that the draft instrument will be agreed.

Question put.

Division 1

Ayes: 9


Conservative: 8

Noes: 7


Labour: 5
Scottish National Party: 1

Resolved,