By Grant Campbell, 2 June 2009 13:00
COMMENT
More than a year after appearing on the statute books, the info watchdog's power to fine is not yet operational. Lawyer Grant Campbell urges those involved not to lose momentum.
Data losses have provided the UK press with an ongoing stream of stories for more than 18 months now.
The first big story, in November 2007, was HM Revenue and Customs' loss of discs containing child benefit data on 25 million people. Since then there has been no shortage of incidents of this nature, producing a wealth of embarrassing headlines for the government and its contractors in particular.
The role of the Information Commissioner's Office (or ICO) as the independent body charged with policing and enforcing data protection legislation is to promote good practice and ultimately, as the regulator, to take enforcement action against organisations where they are found to have fallen short.
Currently, if the ICO hears of a security breach - either because the organisation affected has notified it of the incident or as a result of a complaint - the ICO has various assessment powers to allow it to establish the facts of the case and, crucially, to form a view on whether there has been a breach of data protection legislation.
However, even where the office concludes that an organisation has failed to comply with its statutory obligation to keep our information safe, in most cases the organisation at fault will, at worst, be required to give a formal undertaking to the ICO that it will comply in full with its data protection obligations in future, provided it co-operates with the ICO in resolving the situation.
Only in extreme cases might formal enforcement action be taken and, even then, the ICO still has no 'live' power to fine the organisation for its compliance failure.
The furore created by various high-profile data security scandals forced politicians to concede that the regulatory environment was inadequate. The government commissioned various investigations and reports and brought into force certain changes designed to improve internal procedures, including mandatory rules on data security provisions in central government contracts.
In the midst of all of this, the enactment in May last year of a power for the ICO to impose monetary penalties for serious breaches of data protection legislation emerged as an unexpected - but very welcome - strengthening of the regulatory regime. Suddenly it seemed that the lack of clout that has traditionally hindered data protection would become a thing of the past, with the protection of personal information finally becoming a board-level issue.

Comments
1. karen challinor
I think you'll find that the major thrust behind the strengthening of the ICO's powers was aimed fairly and squarely at businesses.
The ICO is a bit toothless when it comes to enforcing the Data Protection Act against government departments, or even against individual ministers.
I sincerely doubt the ICO will be able to put anyone from that side of the fence in jail any time soon,
but the rest of us are fair game.
2. Charles Smith
The problems with data losses will continue until the day when senior Directors go to jail for culpable data protection negligence.
This issue has been around since 1986. Failures in data protection are inexcusable.
3. James Button
Governments are afraid of a gumming by the ICO (well, it sure could add a lot to government IT/IS project costs if the ICO could fine organisations).
Then again, if, as recommended by Charles, there were jail sentences for the irresponsible, that could cut their pension costs.
Then again, considering the jail population, perhaps penalistic fines would be the way to go, with the exchequer effectively making the ICO into a profit centre!
4. Chris Goodman
Loss of data is almost invariably due to human error - carelessness or negligence - and as such the responsible person(s) must be sanctioned.
Corporate responsibility must not be an excuse for failure to prosecute responsible individuals and punish them.
This is especially so in the public sector, where a corporate fine is just taxpayer fining taxpayer. In the public sector, or in any organisation that receives taxpayer funding (e.g. the BBC), it must become mandatory that only responsible individuals are punished. This may mean top-level responsibility failures get severely dealt with, but it must be so.