The current Information Commissioner’s swansong report bemoans red tape impeding enforcement efforts and big increases in complaints.
Topic: Data protection
Who: The Information Commission
Where: Wilmslow, Cheshire
When: July 2002
The Information Commission published its report for the year ending 31 March 2002. The last IC annual report signed off by the outgoing Information Commissioner, Elizabeth France, it highlights the big increase in data protection cases handled by the Commission, from 8,000 in the year to March 2001 up to 12,000 in the year to March 2002. The IC's surveys also indicate a significant increase, from 27% to 42%, in awareness amongst the UK population of the right to have access to any data which any third party holds about you.
In response to this increase in workload, staff numbers at the Commission have increased by over 40% and a decision has been taken to open Information Commission branch offices in Wales, Scotland and Northern Ireland. Another reported target is a fully electronic notification system for data controllers, allowing the notification process (a legal requirement for all those who process personal data) to take place from start to finish on-line.
On the enforcement front, the report bemoans the difficulties faced by the IC in taking swift and effective action against those who transgress data protection laws. Current rules require the Commission to first of all issue a detailed "enforcement notice" against any entity that it suspects of breaking data protections laws. These notices, the report indicates, are usually appealed against and the notice's effect is suspended whilst the appeal is pending. The enforcement notice will only be in force once either the appeal against it is withdrawn or the Information Tribunal has adjudicated in favour of the notice. After that, any repeat of illegal behaviour specified in the enforcement notice will be a criminal offence, subject to a defence of reasonable diligence, but to get to that point the Commission has to gather further evidence in order to launch a prosecution.
All of this means, the report complains, that even where businesses choose to ignore the requirements of the law it can be many months before the Commission is in a position to seek a criminal penalty from the courts. The limited resources of the Commission also mean that only a limited number of companies can be proceeded against at any one time. All in all, the report believes that there is a strong argument for reviewing the current enforcement mechanisms. It believes that the Government is sympathetic to amendments to these which will enable the Commission, without having to first serve an enforcement notice, to prosecute those who "knowingly or recklessly breach the Act and in doing so cause significant detriment to individuals".
Why this matters:
As we have often reported on marketinglaw.co.uk, the UK's data protection laws are still not fully understood by most businesses and are in equally large measure simply not being complied with or enforced. If the law in this area is not to fall totally into disrepute, there clearly has to be a significant change in not only general commercial awareness of the laws but also in the extent to which the laws are being policed. The Commission says the implementation in late 2003 of the forthcoming Communications Data Protection Directive in the area of marketing by email, SMS and fax may drive changes to simplify enforcement mechanisms, and as public awareness of these laws creeps above 50% it will very likely be consumer pressure as well as Brussels-driven legislation which will see the laws in this area being taken more seriously.