The IC Report for 2000/1 reveals the limited action taken to enforce legislation that is probably amongst the most far reaching but misunderstood and uncomplied with, ever.
Topic: Data privacy
Who: Information Commission
When: July 2001
Where: Wilmslow Cheshire
What happened:
The Information Commission published its report for the year ending 31 March 2001.
This bears out concerns about the Commission’s resources and its ability to credibly enforce legislation that is still misunderstood and uncomplied with on a mass basis. Altogether in the twelve month period covered by the report, (coinciding with the first year in force of the 1998 Data Protection Act), just 23 alleged non- compliers were prosecuted, six formal cautions were given to entities who should have registered with/notified the Commission but had not, and a mere 4 Enforcement Notices served. This compared badly with previous years. Even in 1998/9 there were 59 prosecutions and 5 Enforcement Notices. The Commission asserts this should not be taken as an indication of reduced policing activity. Certainly there has been no let-up in demand for the IC’s services. The annualised figure of 4685 for “Requests for assessment” (enquiries from individuals believing their personal data is not being processed in compliance with the Act) received in 1999/2000 jumped to 8875 in 2000/1. In the same period 1200 calls were received complaining about unsolicited telephone and fax marketing. In many of these instances the Commission requested the taking of remedial action without formal action. Some of these case histories are summarised in the report and make interesting reading. They highlight, for example, the need to follow the third Data Protection Principle requiring that the amount of personal data collected is not excessive bearing in mind the purpose of the collection. An on-line Bank launched a range of investment products and the on-line application process included various mandatory fields of personal information which were not relevant to the product in question. On the contrary, they appeared to be relevant only to helping the bank identify future marketing opportunities. The Commission took no formal enforcement action, but recommended that the bank either remove the unnecessary questions or make them optional, with an explanation of their purpose.
Why this matters:
With the Data Protection Act 1998 coming fully into force in October 2001 (most of it is already-October is relevant mainly for manual records and personal records whose processing was “underway” in 1998) the Commission will continue to be hard-pressed to provide the minimum of enforcement action necessary to ensure the UK’s data protection legislation is taken seriously. However, for responsible marketers who want to collect customer data that is of any lasting value, compliance is the only option.