Data Protection: Legislation Debate

Full Debate: Read Full Debate
Department: Ministry of Justice

Data Protection: Legislation

Baroness Ludford Excerpts
Wednesday 11th March 2015

(9 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Asked by
Baroness Ludford Portrait Baroness Ludford
- Hansard - -



To ask Her Majesty’s Government what is their assessment of the case for updating domestic data protection legislation in the light of the reported comments by the Information Commissioner that European Union law requiring notification of data breaches is three years away.

Lord Faulks Portrait The Minister of State, Ministry of Justice (Lord Faulks) (Con)
- Hansard - - - Excerpts

My Lords, the Government do not have any plans to update domestic data protection legislation in respect of data breach notification in advance of agreement and implementation of the proposed EU regulation. The Government take the protection of personal data very seriously and believe that a strong system of breach notification will be an important element of a revised EU data protection framework, but that the changes should be made only once the package has been agreed in full.

--- Later in debate ---
Baroness Ludford Portrait Baroness Ludford (LD)
- Hansard - -

I thank my noble friend for that Answer. However, should the Government not act with greater urgency to incentivise organisations, from which we have seen a series of major scandals of lost data—whether through lost discs or laptops, or hacking—such as from HMRC, Sony, or health organisations? Would it not be salutary for them to have to report major breaches to the regulator and to customers, who might suffer fraud or identity theft? We cannot wait possibly three years until we get EU law. We need to prioritise this so that we encourage companies to get their act together on security.

Lord Faulks Portrait Lord Faulks
- Hansard - - - Excerpts

In fact, companies, conscious of their reputation, do—and quite rightly, should—report any breach of security, as indeed Sony did. That would be good practice. The proposed regulation would provide an obligation to notify the breach no later than 72 hours after it occurs to the ICO or equivalent in the relevant country or the subject, but only where there has been a serious breach. I entirely accept the noble Baroness’s concern, but these things must be approached as a whole, which is what the Government intend to do.