By Grant Campbell, 2 June 2009 13:00
COMMENT
However progress on the preparatory work which is required for the power to become operational has been slower than many had hoped. Work is ongoing on the part of the ICO and the Ministry of Justice to put in place the guidance which the ICO is required to issue on how it intends to exercise the power, and the regulations which will set the level of the fines available to the ICO.
This is no doubt a challenging and time-consuming exercise and one that must be done properly if it is ultimately to be successful. However, as I write, there is still no formal, public commitment to its being complete by a certain date. (Informal indications are that the target long-stop date for the power's go-live is the end of this year.)
Fundamental change is required in many organisations if they are to regain the public's trust in their handling of personal information. The only sure-fire incentive to such change is the real and present threat of sanction. The current position - the risk of an unspecified level of fine at an undefined point in the future - is, unsurprisingly, not proving a suitable catalyst for wholesale attitude change.
The government and the ICO have an excellent opportunity to build on the momentum created by the press interest in data protection matters over the past year or so. However, to do that, it is vital that the new power becomes operational as soon as possible, and with as much fanfare as possible.
In particular, preparations for go-live of the power should not be sidetracked by other (still important) developments, such as the proposed further legislative changes in the Coroners and Justice Bill, or indeed the replacement (at the end of June) of Richard Thomas, the current Information Commissioner, by his successor Christopher Graham.
In the meantime, the Information Commissioner's ability to sanction continues to lag behind many of his European counterparts. Most organisations therefore content themselves with minimal improvements (if any) to their data protection practices and procedures, safe in the knowledge that (with the exception of those in the financial services sector, who are subject to the jurisdiction of the FSA) even a material data protection compliance failure is unlikely to have major, direct financial implications.
Grant Campbell is a partner and head of the technology, information and outsourcing group at law firm Brodies LLP.
Comments
There are 4 comments. Join the discussion
1. karen challinor
I think you'll find that the major thrust behind the strengthening of the ICO's powers was aimed fairly and squarely against businesses
the ICO is a bit toothless when it comes to enforcing the data protection act against government departments or even against individual ministers
I sincerely doubt the ICO will be able to put anyone from that side of the fence in jail any time soon
but the rest of us are fair game
2. Charles Smith
The problems with data losses will continue until the day when senior Directors go to jail for culpable data protection negligence.
This issue has been around since 1986. Failures in data protection are inexcusable.
3. James Button
Governments afraid of a gumming by the ICO (well - it sure could add a lot to government IT/IS project costs if the ICO could fine organisations.
Then again if, as recommended by Charles, there were jail sentences for the irresponsible , that could cut their pension costs.
Then again, considering the jail population, perhaps penalistic fines would be the way to go, with the exchequer effectively making the ICO into a profit centre!
4. Chris Goodman
Loss of data is almost invariably due to human error - carelessness or negligence - and as such the responsible person(s) must be sanctioned.
Corporate responsibility must not be an excuse for failure to prosecute responsible individuals and punish them.
This is especially so in the public sector where a corporate fine is just taxpayer fining taxpayer. In the public sector, or any organisation that receives taxpayer funding (eg BBC), it must become mandatory that only responsible individuals are punished. This may mean top level responsibility failures get severely dealt with but it must be so.