Lords Chamber
To ask Her Majesty’s Government what is their assessment of the case for updating domestic data protection legislation in the light of the reported comments by the Information Commissioner that European Union law requiring notification of data breaches is three years away.
My Lords, the Government do not have any plans to update domestic data protection legislation in respect of data breach notification in advance of agreement and implementation of the proposed EU regulation. The Government take the protection of personal data very seriously and believe that a strong system of breach notification will be an important element of a revised EU data protection framework, but that the changes should be made only once the package has been agreed in full.
I thank my noble friend for that Answer. However, should the Government not act with greater urgency to incentivise organisations, from which we have seen a series of major scandals of lost data—whether through lost discs or laptops, or hacking—such as from HMRC, Sony, or health organisations? Would it not be salutary for them to have to report major breaches to the regulator and to customers, who might suffer fraud or identity theft? We cannot wait possibly three years until we get EU law. We need to prioritise this so that we encourage companies to get their act together on security.
In fact, companies, conscious of their reputation, do—and quite rightly, should—report any breach of security, as indeed Sony did. That would be good practice. The proposed regulation would provide an obligation to notify the breach no later than 72 hours after it occurs to the ICO or equivalent in the relevant country or the subject, but only where there has been a serious breach. I entirely accept the noble Baroness’s concern, but these things must be approached as a whole, which is what the Government intend to do.