(9 years, 8 months ago)
Lords ChamberIn fact, companies, conscious of their reputation, do—and quite rightly, should—report any breach of security, as indeed Sony did. That would be good practice. The proposed regulation would provide an obligation to notify the breach no later than 72 hours after it occurs to the ICO or equivalent in the relevant country or the subject, but only where there has been a serious breach. I entirely accept the noble Baroness’s concern, but these things must be approached as a whole, which is what the Government intend to do.
My Lords, have we become incapable of organising our own data protection? Why must we wait for the famous and inevitable incompetence of the EU to make a mess of it for us?
Data do not respect boundaries in quite the same way that the noble Lord does. We do indeed take a number of steps to protect our data—the ICO has a number of powers which it exercises regularly to control data. However, it is appropriate that our data protection legislation should be in harmony with that of the rest of the European Union.