The recent reported loss of HMRC discs containing child benefit details has once again thrown back into the spotlight whether the information commissioner should be given greater powers to deal with breaches of the Data Protection Act 1998, say Elaine Fletcher, senior associate, and Michael Bridgett, associate at Eversheds LLP.
The information commissioner can already prosecute those who do not comply with his formal request - an Enforcement Notice - which requires either that the offending processing stops or specified measures are taken to achieve compliance.
Potentially unlimited fines can be imposed and, in addition, individual officers can be personally prosecuted for "turning a blind eye" to such notices. He also has a range of powers to investigate possible breaches of the DPA, including requiring information to be delivered up and asking a court for a search warrant to enter premises and seize evidence of non-compliance.
Government departments are, however, immune from such criminal liability, and so the only sanction in the DPA against HMRC for the disc episode is compensation from the public purse to individuals who can prove resulting damage, or damage and distress.
The information commissioner's current powers are nevertheless much weaker than those of some of his European counterparts, and he has called for a range of additional powers and measures, including the following:
- Requiring organisations to commission independent audits on their data processing.
- Inspection rights to examine how personal data is handled.
- Security declarations to be given by some organisations in their annual reports.
- Requiring organisations to notify his office of any data security breach involving a real and substantial risk of substantial damage or distress to individuals.
- A new criminal offence for knowingly or recklessly failing to comply with any of the Eight Data Protection Principles, where this results in real and substantial damage or distress to individuals.
It is hoped these additional powers would result in significantly improved compliance by organisations handling personal data. However, this may not be enough to aid the information commissioner in his quest. Current funding for his office comes from the annual fee paid by organisations required to notify the information commissioner of their personal data processing operations. This issue is being examined by the Justice Committee via proposals for graduated notification fees according to the size of the organisation.
This funding is in stark contrast to that received by other regulators such as the Health and Safety Executive, which is in excess of £300m per annum. A lack of funding is regarded by some to have stunted the information commissioner's enforcement programme, with the shortage of resources resulting in few enforcement notices being issued and even fewer prosecutions.
This is not the first time the adequacy of the DPA in protecting personal data has come under scrutiny. The European Commission has questioned the government over its implementation of certain European data protection requirements into UK law. More recently the information commissioner successfully campaigned for the introduction of custodial sentences for the illegal trade in personal data, arguing that the existing penalty of unlimited fines was not a sufficient deterrent.
The wave of public outrage that has met the HMRC disc loss and the government's reaction has given considerable strength to the information commissioner's plea. This, coupled with Europe's keen eye on the UK, may see legislative action in the near future. With increasing concern over the lack of ultimate criminal sanctions for public sector breaches, any new legislation would need to cover both the public and private sectors to regain public confidence. However, unless the funding issue is addressed, the effectiveness of these new powers, as with the existing ones, may be in question.