“Problem? Gordon’s looking into it” said a recent headline, and here’s another enquiry, possibly the 50th since our new PM arrived. This time the focus is public and private sharing of personal data, following certain goings on in the HMRC postroom, but why not tighten data laws now? Ray Coyle reports.
Who: Richard Thomas (Information Commissioner) and Dr Mark Walport (Science and Technology advisor to Government)
When: 12 December 2007
Law stated as at: 2 January 2008
In the wake of the much publicised loss of personal data by HM Revenue and Customs in October 2007, the Government has launched a review of the law in respect of the sharing of personal data. Much has been written about the circumstances surrounding the loss of the two CDs and this article will endeavour not to cover this well-worn ground. However, it does seem unusual that the security breach was, according to Gordon Brown, a result of "not following proper procedures" yet this procedural failure has led to, essentially, a review of the legal framework. It is difficult to see how one will prevent the other but that appears to be where we find ourselves.
The review will cover both the public and private sectors and focus primarily on the sharing of data. The scope of the review in this regard will not come as any surprise. The review will deal with such questions as proportionality in the case of personal data sharing and the balance between, on the one hand, allowing data sharing to enhance public services or reduce the burden on business and, on the other, ensuring that information is used for the purpose for which it is collected.
Enquiry straying beyond its logical remit?
However, there are other areas within the scope of the review that do not appear to naturally flow from the data loss incident in October. The review will include recommendations on the powers and sanctions available to the ICO and the courts. Given that the Information Commissioner, who has long lobbied for increased powers of enforcement, will be the co-author, it seems almost inevitable that the report will recommend that these powers and sanctions will be increased.
Within the context of the second principle of the Data Protection Act ("DPA"), the consultation paper asks, at question 12, "What further powers, safeguards, sanctions or provisions do you believe should be included in the DPA?". Given the long-standing criticism of the maximum £5,000 fine for breach of the DPA, particularly when compared to the kind of fines that the Financial Services Authority can impose for the loss of personal data, sanctions are the obvious place for the Government to start.
It also seems likely that there will be a push for greater powers of audit for the ICO. Gordon Brown has stated that he wants the ICO to have the power to audit any public body's information policy with or without their consent. It is difficult to envisage such a provision applying to public bodies but not private ones. In fact, such a distinction would surely be seen as an admission by Government that data is less safe in their hands than in those of the private sector.
Why this matters:
A failure by an individual within a public body to follow correct procedure should logically lead to a tightening of controls and procedures within that body. However, legislative review and change is often seen as the best form of (or, arguably, the best replacement for) action in the wake of a very public failure.
Given the scope of the review and a probable reluctance in Government to put public bodies under stricter duties and obligations than the private sector, it seems likely that the net result of this saga will be stiffer penalties for breach of the DPA and greater powers of audit for the ICO. There will probably be further changes to the regulatory regime but they are less predictable until the results of the consultation are published.
As we reported in Marketinglaw.co.uk in October of this year (http://www.marketinglaw.co.uk/articles/2007/9085.asp?), the Labour-dominated House of Lords Science and Technology Committee has been pressing Mr Brown both to increase the sanctions available to the ICO and to introduce mandatory security breach notification. It was our view that the Government would not be inclined to make these changes in the current political climate as they would be seen as unfriendly to business. Since the loss of two CDs in Tyne & Wear, it seems that, in the context of data protection law, the political climate has changed.
Why an enquiry?
A final question is why bother with an enquiry at all. None of the issues covered in the apparently hastily thrown together enquiry questionnaire is particularly surprising or challenging and, given the forceful and repeated submissions on these very same issues by one of the two individuals conducting the enquiry, the answers are surely for the most part a foregone conclusion and arguably not worth the delay and public money involved in yet another Brown "enquiry."