Aghast, like all of us, at the lost CDs holding millions of child benefit data records, the Commons Justice Committee invited Information Commissioner Richard Thomas along to share his thoughts on data privacy law reform. For Stephen Groom's pick of the frank exchanges, read on.
Who: The Information Commissioner and the House of Commons Justice Committee
When: January 2008
Law stated as at: 31 January 2008
The Information Commissioner Richard Thomas and his deputy David Smith were asked by the House of Commons Justice Committee to give evidence to them on data privacy and security issues.
This was after HM Revenue and Customs' loss of 2 CDs containing details of about 25 million child benefit claimants.
The session that followed contained some interesting insights into just some of the areas where we can expect to see significant changes in the coming year.
Commissioner Thomas told MPs he had been dissatisfied for a long time with the inspection powers currently conferred on the Information Commissioner's Office ("ICO").
Thomas said he found it a "bizarre situation" that unlike virtually all other data protection authorities around the world, as well as most other regulatory bodies in the UK such as the Food Standards Agency, the Financial Services Authority and the Health & Safety Executive, the ICO did not, except in very limited circumstances, have a power to carry out an inspection on any data controller without having to get their prior consent.
In light of this, Thomas was heartened that the Government was talking in terms of the ICO now having "de facto" power to carry out spot checks inside government departments. But the Commissioner said he had made it clear that this did not go anywhere near far enough. He wanted statutory power to make spot checks "across the piece."
In this context, Thomas mentioned that a "Governance of Britain" bill was due to be introduced later in this session of Parliament. His hope was that this could be the vehicle whereby suitable changes could be made to the Data Protection Act 1998, and this was not the only upcoming piece of legislation Thomas had his eye on.
MPs then turned their attention to sanctions and asked the Commissioner if a new power to impose fines or issue fixed penalty notices might appeal.
Thomas confirmed that a new criminal sanction would certainly go a long way to addressing the deficiencies in the existing law. Currently a criminal offence was only committed if an enforcement notice was served and the data controller in question was in explicit breach of that notice. This long, drawn-out process was very much, he said, a matter of "bolting doors after horses have disappeared."
A new power to impose a fixed penalty would also assist, and Thomas ventured to suggest this could come by way of the Sanctions and Redress Bill currently going through Parliament. Then he wanted to look at a power to impose civil penalties as well.
Hand in hand with the whole question of whether the Information Commissioner's Office needed more powers and sharper teeth went the issue of funding.
Richard Thomas pointed out that the entire data protection activities of the ICO had to be carried out for just £10 million a year. This compared with £269m for the Financial Services Authority, £143m for the Food Standards Agency and £890m for the Health & Safety Executive.
The budget for ICO's Freedom of Information function was even smaller at £4.7m, but this was funded by Government "grant in aid" whereas the full £10m for data protection had to be funded from fees paid by data controllers who did their statutory duty and "notified" ICO that they were data controllers.
These fees were just £35 a year, regardless of whether the data controller was HM Revenue & Customs or "a sweet shop round the corner" as Mr Thomas put it.
This was described by the Chair of the Committee as "a patently absurd situation." Commissioner Thomas agreed. He said that if ICO was going to be given the additional powers it was pressing for, including the power to make spot checks on data controllers, notification fees would have to be increased quite substantially.
This could happen, Thomas went on, by way of introducing charges for specific "services" performed by ICO, such as searches or spot checks. Alternatively or in addition, the notification fee structure could be changed, either by way of a flat increase for all data controllers or by adopting a more discriminating approach, charging more for larger organisations on a sliding scale.
The latter seemed to be favoured by the Commissioner, although this would lack the simplicity of the current "£35 for all" system.
Corporate reporting obligation?
Another idea lofted by Commissioner Thomas was the introduction of a reporting duty, to be imposed on "certainly major organisations, public and private."
The obligation would be to include in the organisation's annual report "some sort of confirmation that the person signing off the report, whether it is the Minister or the Permanent Secretary or the Chief Executive, is satisfied that appropriate data security safeguards have been put in place."
Why this matters:
Taken together with the ongoing "data sharing" consultation reported previously on marketinglaw and the ICO's separate publication in January 2008 of a paper setting out its case for changes to the Data Protection Act 1998, this evidence session (available in full online) shows that Commissioner Thomas is wasting no time in taking advantage of growing public concern over public and private sector data abuse.
It can surely be only a matter of time before the Government responds and takes active steps to reform the Data Protection Act 1998. Whether this will be in the form of yet another "Review" or concrete changes in a Bill remains to be seen.