Information commissioner gets tough

The Office of the Information Commissioner is gearing up to get tough with UK businesses that fail to comply with the Data Protection Act 1998, writes Sally Annereau.

The publication by the commissioner of a new enforcement strategy appears to signal the end of the honeymoon period enjoyed by businesses since the Act came into force on 1 March 2000. During this period the commissioner has concentrated on offering advice and guidance on how best to comply with the Act's provisions.

The past focus on promoting awareness and understanding of the law has led to a significant rise in the number of complaints and enquiries to the commissioner's office in recent years, although, as the enforcement strategy paper recognises, "The commissioner has been aware for some time that compliance casework has not resulted in a significant amount of enforcement activity."

The new enforcement strategy states that the commissioner will cast the net far wider in looking for breaches, rather than simply reacting to complaints as has been the case.

The commissioner will now consider breaches identified in a variety of ways, including as a result of enquiries from the public, reports in the press, and by monitoring external activities and new technologies.

An enforcement board has been established which is responsible for taking the strategy forward.

The information commissioner sits on the board and is joined by both deputies and the head of investigations.

The board's primary functions are to:

  • Identify compliance issues warranting further investigation

  • Prioritise programmes of investigative activity

  • Consider enforcement activity and make recommendations to the information commissioner on whether to take enforcement action.

The enforcement strategy also creates a dedicated enforcement team of specialists drawn from the compliance, investigations and legal departments to support the board and carry out its decisions.

In the year to 31 March 2003 the enforcement board is focusing on Web site compliance, along with issues to do with exercising access rights to central government paper files. The former is a wake-up call for any business operating a Web site but should not come as a complete surprise.

Earlier this year the commissioner funded a survey conducted by the University of Manchester Institute of Science and Technology into the level of compliance with the Data Protection Act by UK Web sites. The survey polled more than 900 organisations and conducted 180 interviews.

It identified, among other findings, that of the sites surveyed, 42% did not post any form of Web site privacy statement. Where a statement was displayed, only 5% reached recommended levels for intelligibility when assessed against a standard reading ease methodology.

The survey also revealed a low level of compliance with the Data Protection Act by smaller companies in unregulated sectors.

Central government departments would also be advised to pay attention to their subject access procedures. The increasing trend for data sharing between government departments and individual problems in exercising access rights has also made this a priority issue for the commissioner. However, it may be too early to gauge how aggressively the enforcement strategy will be implemented in practice.

The commissioner, Elizabeth France, has stepped down and we may have to wait until her successor, Richard Thomas, is in post in December before learning the full extent of any changes. Thomas is currently director of public policy at the law firm Clifford Chance, and has previously served as a director of consumer affairs at the Office of Fair Trading.

In the meantime, however, businesses and organisations would be well advised to review their practices.

Directors liable for neglect
Liability of directors under the Data Protection Act 1998:

Where an offence has been committed by a company and "is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director" or officer of the organisation, he or she is liable to prosecution as well as the organisation.

Sally Annereau is a data protection analyst at law firm Taylor Wessing.