The recent reported loss of HMRC discs containing child
benefit details has once again thrown back into the spotlight
whether the information commissioner should be
given greater powers to deal with breaches of the Data Protection Act 1998, say Elaine
Fletcher, senior associate, and Michael Bridgett, associate at
Eversheds LLP.
The information commissioner can already prosecute those who do
not comply with his formal request - an
Enforcement Notice - which requires either that the offending
processing stops or specified measures are taken to achieve
compliance.
Potentially unlimited fines can be imposed and, in addition,
individual officers can be personally prosecuted for "turning a
blind eye" to such notices. He also has a range of powers to
investigate possible breaches of the DPA, including requiring
information to be delivered up and asking a court for a search
warrant to enter premises and seize evidence of non-compliance.
Government departments are, however, immune from such criminal
liability, and so the only sanction in the DPA against HMRC for the
disc episode is compensation from the public purse to individuals
who can prove resulting damage, or damage and distress.
The information commissioner's current powers are nevertheless
much weaker than those of some of his European counterparts, and he
has called for a range of additional powers and measures, including
the following:
- Requiring organisations to commission independent audits on
their data processing.
- Inspection rights to examine how personal data is handled.
- Security declarations to be given by some organisations in
their annual reports.
- Requiring organisations to notify his office of any data
security breach involving a real and substantial risk of
substantial damage or distress to individuals.
- A new criminal offence for knowingly or recklessly failing to
comply with any of the Eight Data Protection Principles, where this
results in real and substantial damage or distress to
individuals.
It is hoped that these additional powers would result in
significantly improved compliance by organisations handling
personal data. However, new powers alone may not be enough to
make the information commissioner an effective regulator. Current
funding for his office comes from the annual fee paid by
organisations required to notify the information commissioner of
their personal data processing operations. This funding model is
being examined by the Justice Committee via proposals for graduated
notification fees according to the size of the organisation.
This funding is in stark contrast to that received by other
regulators such as the Health and
Safety Executive, which is in excess of £300m per annum. A lack
of funding is regarded by some as having stunted the information
commissioner's enforcement programme: limited resources have meant
that few enforcement notices are issued, and even fewer
prosecutions are brought.
This is not the first time the adequacy of the DPA in protecting
personal data has come under scrutiny. The European Commission has
questioned the government over its implementation of certain
European data protection requirements into UK law. More recently
the information commissioner successfully campaigned for the
introduction of custodial sentences for the illegal trade in
personal data, arguing that the existing penalty of unlimited fines
was not a sufficient deterrent.
The wave of public outrage that has met the HMRC disc loss, and
the government's reaction to it, has given considerable strength to
the information commissioner's plea. This, coupled with Europe's
keen eye on the UK, may lead to legislative action in the near
future. With increasing concern over the lack of ultimate criminal
sanctions for public sector breaches, any new legislation would need
to cover both the public and private sector to regain public
confidence. However, unless the funding issue is addressed, the
effectiveness of these new powers, as with the existing ones, may
be in question.