Lord Stevenson of Balmacara
Main Page: Lord Stevenson of Balmacara (Labour - Life peer)Data Protection (Charges and Information) Regulations 2018
Lord Stevenson of Balmacara Excerpts
Lord Clement-Jones (LD)
I thank the Minister for her comprehensive introduction. We all accept the need for a well-resourced Information Commissioner’s Office. On Report, we welcomed what the noble Lord, Lord Ashton, who was the Minister at the time, had to say in response to an amendment from the noble Lord, Lord Puttnam, about the commitment to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in the Bill. There is no argument between us about the principles of funding the Information Commissioner’s Office. The pledges made by the noble Lord, Lord Ashton, were very welcome. We wish the Information Commissioner well with her extended role and her extended £33 million budget.
That does not come without a cost to data controllers. It is not simply a question of deciding the budget and then deciding what people pay, without considering affordability. Local authorities have put to me that they are very concerned at the lack of consultation offered to all affected parties, including the LGA, ahead of the new charging model. Apparently, approximately 40,000 data controllers were written to, inviting them to respond to the consultation: I understand that about 2,000 did so. However, not all affected parties were offered the opportunity to contribute. The consultation, and responses to it, are not publicly available, which differs from most government consultation. Will the Minister commit to publishing the outcome of the consultations?
Local authorities are concerned by what appears to be a rather arbitrary increase in the charges that they will have to pay to the ICO as data controllers. I also understand that it is proposed that elected representatives will be subject to a small increase in their charge. Under the new charging model, councils with 250 or more employees are defined as large data controllers and are subject to the highest fees under the SI. In practice, most councils that would have been paying £500 to register with the ICO will now have to pay £2,900. This is an increase of 480%; an inflationary increase would have seen the fees rise from £500 to £623.61. This comes at a time when local government is under significant financial pressure and local councils are receiving no additional government funding to help implement the GDPR.
It seems from the Explanatory Memorandum that the Government are considering an exemption for elected representatives, subject to a full review of exemptions in general. In the current process, there are exemptions from the requirement to register with the ICO. These include exemptions for those maintaining a public register, for staff administration purposes, for advertising and for accounting. I refer the Minister to paragraph 7.10 of the Explanatory Memorandum, where the Government state their intentions about the review.
On these Benches, we would definitely support an exemption for elected representatives. Councillors should not have to pay a charge to the Information Commissioner to correspond with their residents and should not incur a cost associated with their duties in representing their constituents. I am interested to hear what the Minister has to say about the review which is heralded in the Explanatory Memorandum.
Lord Stevenson of Balmacara (Lab)
My Lords, I agree with just about everything that the noble Lord, Lord Clement-Jones, said, particularly on the comments—they have been passed to me as well—from the Local Government Association, which seems to have been badly hit by the changes. He will remember, although I think this predates the Minister, that we went through some of the thinking behind the charges in what is now the Digital Economy Act. He will recall the debate and discussion at that time; it is good to see it coming through now in a form that we can look at.
I will not repeat some of the issues that have been raised because I come at this with a slightly different argument, although we arrive at roughly the same place. First, noble Lords could not have gone through the Data Protection Bill without recognising, as the Minister did, the huge amount of extra work and responsibility that will lie with the ICO after it went through. It is an astonishing step change. Yes, it is true that that is reflected in the additional resources, which will be calculated to flow from these changes and increases in the fee structure, but two questions arise. We are relying for the arithmetic on work that was done, as I understand it, by working through the new charge structure; the department has modelled the anticipated income generated to try to come up with something. Two things occur to me from that.
First, what happens if the calculations are wrong? As we speak, we are living through a situation in which a huge additional workload has suddenly landed on the ICO’s desk. Cambridge Analytica was not a household name before this week’s revelations but if the matter goes to court to get submissions, the ICO will have to prosecute and defend itself. I cannot quite see where that was built into things. I am not looking for a specific response but I want to sharpen the question. It is all very well being on a cost-recovery basis when the funds exceeds the expenses, but what happens when they do not? Who will carry the cost? Can the Minister comment on that? Secondly, would it be possible to get a bit more detail about how this plays out in real terms, given the reserves that are allowed to be carried forward and the implication for what work would have to be cut if it is not possible to carry forward deficits from year to year? We are talking about government accounting so, presumably, the NAO will be watching very carefully. I worry a bit about what will happen in the short term. I do not want a detailed response now but I would be happy to get a letter on that.
My second point is about the assertion made that somehow the structure we have here is a way of responding to what was described in paragraph 7.2 of the Explanatory Memorandum as building,
“regulatory risk into the charge level”.
I do not understand what risk is being assessed here. Again, this may need a more considered response. Is it the numbers? It is clear that there will be a lot more tier 1 organisations and therefore a lot of detailed administration and housekeeping, but does that equate to risk? I think not. I therefore wonder why the charge, relatively speaking, is being kept at roughly what it was before—it is still £40—and has been extended.
I do not think that the noble Lord, Lord Clement-Jones, made this point today but I am sure that he raised it in discussion in Committee and on Report. We are talking about a situation where it did not matter whether you registered with the system under the Data Protection Act 1998, despite the fact that the noble Lord did not get his amendment through on having a statutory register for these things. I am sorry about that. There will effectively be a register for all those who use data, which will be policed to some extent. Therefore, the chances are that anyone who was not paying before will certainly be caught now. There is a huge additional element here that has not been previously caught or considered. I am intrigued by that. Therefore, the comment made about not wanting micro-organisations to pay for their activities further up the scale struck me as a little odd. Perhaps we might come back to that.
Tier 2 includes the mid-range of the organisations. A lot of companies are in this area; in fact, the bulk of activity in the industry. Yes, they should pay for services received but I would hazard that they are extremely low-risk. I cannot believe that major breaches of personal data are happening in a large number of small and medium-sized enterprises. That bears comparison with the new third tier that has been introduced to look at large organisations; we are talking about Facebook and other organisations which I do not need to name. We are asking them only to pay a modest proportion more than small and medium-sized organisations. I do not know how that equates to risk. It seems that the evidence of this week is that 50 million Facebook accounts could have been picked up and used in some alleged way of trying to influence elections. We are talking about damage on a substantial scale, which is not the same, in any sense, as that which might occur to citizens—the local joiner, plumber or building firm mislaying their accounting records for a short period. However, I am prepared to listen to the arguments on that.
Baroness Chisholm of Owlpen
I thank the noble Lords, Lord Clement-Jones and Lord Stevenson, for their comments.
The noble Lord, Lord Clement-Jones, asked whether we will publish the results of the consultation. In response to interest from Peers and in the interests of transparency, they will be published shortly. Both noble Lords talked about the top tier. Indeed, as the noble Lord, Lord Stevenson, said, these regulations and the GDPR come into force on 25 May, so we are a bit short of time. The top tier has been raised significantly, and the amount has been set out to ensure appropriate funding for the ICO without leading to excessive surplus. However, I hear what the noble Lord, Lord Stevenson, said about large companies. It is important to remember that DCMS will review the income generated annually to ensure that it remains appropriate, so it can be checked.
The noble Lord, Lord Stevenson, also talked about large public authorities. It is important to remember that they hold a huge amount of sensitive data about members of the public; therefore they are subject to high levels of information risk. So we consider it appropriate that the regulation of these organisations is effectively subsidised; that means that they are paying a large sum, but the small and medium-sized businesses are not. It is important that they should not be unfairly charged. The new funding model is aimed at ensuring that the new charges are fair and reflect the risk of the organisations. The small and medium-sized businesses will not be paying any more than they have been, in real terms. It is the larger organisations that will be paying the most.
Lord Stevenson of Balmacara
I may not have made the case clearly enough. We have not seen the figures but the last time we asked about this we were told that the proportion of very small registrants—micro-companies and individuals—is really small. As we learned when the Bill was in Committee, an awful lot of people and loads of small companies and organisations—including parish councils, of which much was made—will have to appoint data controllers to make sure that their systems are up and adequate. That is right, but the shock of having to pay on a regular basis will be substantial. I want to make it clear that going from 10% to 100% of people involved in this will be a major change in people’s thinking.
Baroness Chisholm of Owlpen
They have been paying up until now, but a very small amount.
Lord Stevenson of Balmacara
Those that registered did pay, but very small numbers do. That is the point. I bet that no parish council has ever registered: every one will have to register. That is a big change.
Baroness Chisholm of Owlpen
I take the noble Lord’s point. However, more often than not they will be able to use somebody who is already on the parish council to do the work. They will not have to pay somebody extra to do it. We feel that this is the fairest way of doing it. Those with the least money are paying the least and those with the most money are paying the most. I think I have answered all the questions.
Lord Stevenson of Balmacara
It is not so much whether they should be paying—we probably accept that they should, though how much is in question—it is the fact that they were not consulted. The consultation exercise did not reach that far and the Minister was going to try to give some information about why that could have been.
Baroness Chisholm of Owlpen
In 2015, the ICO used the BDRC, an independent market research company, to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the register of the Information Commissioner’s Office, including all top fee-payers and a random sample of lower ones. In 2017, data controllers who responded to this initial research formed the basis of the targeted consultation on the new charges last year. This comprised a representative sample of data controllers, including public authorities, small businesses and other large organisations.
I thank noble Lords for their contributions on this important matter. I believe that the funding regime proposed today represents the best way of ensuring that the ICO is appropriately resourced for its increased role, while still keeping regulatory costs and burdens low for small businesses. I assure the Committee that, while the exemptions from paying charges have not significantly changed at present, they will be comprehensively reviewed with a view to updating them later this year. I beg to move.