The UK Information Commissioner's Office (ICO) has asked the government to make serious breaches of the
Data Protection Act a criminal offence, rather than attracting
fines as at present.
Under the ICO's proposals to the Ministry of Justice, the
government would introduce a criminal offence for knowingly and
recklessly flouting the Data Protection Act 1998. David Smith,
assistant commissioner, told the House of Lords' constitution
committee on November 14 that if patient records were left on an
unencrypted laptop on the back seat of a car, and these were
stolen, "that blatant risk should attract a criminal offence".
Smith added that it is "an anomaly" that only financial services
organisations can suffer serious consequences for such breaches,
such as the £980,000 fine levied on Nationwide building society
earlier this year by the Financial Services Authority.
The ICO is also asking for the right to inspect personal data
processing operations, which it can currently carry out only with
consent, although Smith said the ICO "would not inspect thousands
and thousands of organisations" if it wins such a right.
The government is already introducing criminal charges for those
who trade personal data, in clause 75 of the criminal justice and
immigration bill now before parliament. Richard Thomas, the
information commissioner, told the committee, "We are delighted
they have accepted our recommendation to increase the penalty."
In a 2006 report, What Price Privacy?, the ICO highlighted how
financial institutions, lawyers and journalists illegally obtain
personal data through private investigators and published
a tariff of charges for different kinds of information.
Thomas also told the committee of his concerns on aspects of the
government's identity card scheme. "We continue to question why so
much transaction data will be collected," he said, referring to the
plan to retain in a central database an "audit trail" of every time
individuals' cards or records are accessed, adding that he was
meeting with the Identity and Passport Service on 14 November to
discuss secondary legislation to the Identity Cards Act.
Thomas also questioned the government's planned database of all
children, rather than just those known to be at risk, and also the
existing criminal record checks on those seeking to work with
children, which reveal any offence, however trivial and however
long ago. But he added that parts of government are increasingly
aware of threats to personal data, with the Department of Health
supporting the ICO proposal for increased penalties, as this would
help secure its centrally-held health records for patients in
England under the Connecting for Health scheme.
Last month Gordon Brown, the prime minister, asked Thomas to
review public and private-sector data sharing with Mark Walport,
director of the Wellcome Trust. Thomas told the committee that they
will report in mid-2008, with a consultation paper to be released
shortly. "We both agree, information sharing is no panacea," he
said.
Although it has useful and reasonable applications, information
sharing should not be carried out just for its own sake. "We will
be trying to identify where the boundary lines should be drawn," he
said.
When asked whether the public was concerned about information
sharing, Thomas pointed to research released on 14 November showing
that 94% of British adults surveyed are concerned that
organisations are selling their personal data without permission,
and that 90% believe organisations are failing to keep such data
secure.
The research, which was prepared by SMSR and surveyed 1000
people, showed a growing awareness of data protection, with 90%
aware of the right to see personal data, compared with 74% three
years ago.
Although the ICO is also requesting increased powers to be
consulted over new data-sharing schemes, Thomas said the ICO had
not always been vigilant, when questioned about the UK police DNA
database. As the result of a 2003 law, this includes the genetic
code of anyone arrested, regardless of whether they are found
guilty. Thomas, who was in the job when the law went through
parliament, said the ICO questioned, and continues to question, the
need for innocent citizens' DNA to be retained, but added, "Perhaps
we missed a trick in not shouting loud enough."
This article first appeared on the website of Infosecurity magazine.