All 1 Debates between Lord Arbuthnot of Edrom and Lord Keen of Elie

Mon 6th Feb 2017
Digital Economy Bill
Lords Chamber

Committee: 3rd sitting (Hansard - continued): House of Lords

Digital Economy Bill

Debate between Lord Arbuthnot of Edrom and Lord Keen of Elie
Committee: 3rd sitting (Hansard - continued): House of Lords
Monday 6th February 2017

(7 years, 9 months ago)

Lords Chamber
Read Full debate Digital Economy Act 2017 View all Digital Economy Act 2017 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 80-IV Fourth marshalled list for Committee (PDF, 161KB) - (6 Feb 2017)
Lord Keen of Elie Portrait The Advocate-General for Scotland (Lord Keen of Elie) (Con)
- Hansard - - - Excerpts

My Lords, Part 5 of the Bill requires public authorities and specified persons to specify and meet specific legislative conditions and controls on the handling of personal information. As I have said on a number of occasions this evening, these provisions will be underpinned by codes of practice setting out data security requirements, including cybersecurity. A body that fails to meet these could be prevented from using the data-sharing powers. That is the context in which I turn to Amendments 105 and 106.

Amendment 105 would require all but the smallest of companies to conduct audits on their cybersecurity and to report annually on it and their data protection measures. Clearly, the Government recognise that effective cybersecurity risk management is important to the success of the economy and, indeed, to ensuring the safety and integrity of private citizens’ data. The Government conducted the Cyber Security Regulation and Incentives Review in 2016 to consider whether we need additional regulation or incentives to boost cyber risk management in the wider economy and it showed strong justification for regulation to secure personal data.

The Government will seek to improve cyber risk management through our implementation of the EU general data protection regulation in May 2018. Its requirement to report breaches to the Information Commissioner and individuals affected, and the fines that can be issued under it, will represent a significant improvement. These will be supplemented by a number of measures to more clearly link data protection with cybersecurity, including through closer working of the Information Commissioner and the National Cyber Security Centre. However, we will not seek to pursue further general cybersecurity legislation for the wider economy as would be required by Amendment 105.

We believe that mandating the inclusion of cyber risk information in annual reports, or the introduction of legal provisions for cyber audit, is unlikely to be an effective way of encouraging large-scale change in cyber risk management. Instead, the National Cyber Security Centre plans to work with stakeholders to develop guidance for investors. The long-term aim of the organisation is to include cybersecurity in the guidance it provides to businesses on the kind of information it wants to see in an annual report, and in the reports it provides to investors each year on every listed company.

Amendment 106 is very broad in its aims and, as such, could have unintended consequences for the diverse range of grants that the Government fund each year. The supporting audit and insurance regime would be costly and challenging to enforce given the diversity of grant recipients, including those from voluntary and research communities. Furthermore, this amendment is unnecessary as many of these checks are in place as a matter of routine. The level of cybersecurity risk in grants will continue to be monitored and consideration given to how recently launched grant standards could be used to strengthen guidance in this area. This provides a far more flexible and proportionate solution than legislation.

With respect to subsection (2) of the proposed new clause in Amendment 106, the Government are already taking tangible steps to reduce the level of cybersecurity risk in their supply chain. As of October 2014, suppliers of central government contracts that involve the handling of personal data or the supply of IT products and services must demonstrate they have met the technical requirements set out as part of either the government-owned Cyber Essentials scheme or a suitable equivalent. The scheme was developed jointly with GCHQ and industry to support organisations of all sizes and across all sectors in getting a good, basic level of online security in place. In response to my noble friend Lord Arbuthnot I would observe that, as of the end of December 2016, nearly 5,500 certificates had been issued under the scheme, and we have a strategy in place to significantly increase the adoption of the scheme over the coming year. With that explanation, I hope my noble friend will withdraw his amendment.

Lord Arbuthnot of Edrom Portrait Lord Arbuthnot of Edrom
- Hansard - -

My Lords, I am grateful to my noble and learned friend for his comments. From what he says I suspect that the Government are not quite there yet. However, I hope that my amendments will help to encourage them along a path of some form of regulation in this area. I suspect that the arguments my noble and learned friend used were similar to those that were first used when financial audit was suggested. However, I am grateful for what he has said. I am also particularly grateful to the noble Baroness, Lady Jones, for what she said and for the gracious way in which she said it. However, my amendments were aimed not so much at government as at business. I suspect that this will be part of a long-term campaign, so, with those words, I beg leave to withdraw the amendment.