With the IC’s enforcement staff due to be doubled in 12 months and a more proactive stance promised against data privacy abusers, will it make any difference?
Topic: Data protection
Who: The Office of the Information Commission ("OIC")
Where: London
When: September 2002
What happened:
In one of her last speeches before stepping down, Information Commissioner Elizabeth France announced at a privacy and data protection conference that the OIC would in future be taking a much more aggressive stance on enforcement of the 1998 Data Protection Act. Ms France promised that the number of OIC enforcement staff would be doubled over the next year and that more backbone would be put into the OIC's policing activity by establishing an Enforcement Board and an Enforcement Team. Their brief will be to take a more pro-active position on compliance issues, as set out in an official paper entitled "The Commissioner's Enforcement Strategy". The paper accepts that the strategy adopted up until now of relying principally on the receipt of complaints before taking enforcement action has not resulted in significant levels of policing activity. Breaches of the law come to the attention of the OIC in a number of other ways, including reports in the press and questions and queries raised with the Office by members of the public. The plan is to follow up much more on these information sources.
The first area on which this new pro-active stance will focus is commercial websites.
Why this matters:
A recent survey commissioned by the software company Compuware and carried out by the marketing consultancy Vanson Bourne has revealed admissions by 47% of the IT directors surveyed that they were "only vaguely familiar" with the 1998 Data Protection Act. The survey questioned 100 IT directors from the UK's top 2000 organisations. If its results were truly representative of the position here in the UK, then website operators should be acting quickly to increase awareness of the legislation amongst their staff and, in particular, to appoint a dedicated "Data Protection Officer" to take frontline responsibility for compliance. They should also audit their websites and processing of personal data to ensure compliance with the legislation. This does not mean simply updating the site privacy policy. It also means reviewing the company's "backend" procedures to ensure that whatever the privacy policy says about the company's processing of personal data actually happens from day to day.