The Ministry of Justice has responded to key proposals in a “Data sharing review” to upgrade the Information Commissioner’s Office’s weapons against abusers of personal data. Has HM Govt given the green light to compulsory security breach notification for example? Phil Lee shares the data.
Topic: Data Protection
Who: Ministry of Justice / Information Commissioner's Office
When: 24 November 2008
Where: United Kingdom
Law stated as at: 18 December 2008
What happened:
The Ministry of Justice ("MoJ") has published its detailed response to the report ("Report") of the "data sharing review" conducted earlier in 2008 by Dr Mark Walport and the Information Commissioner, Richard Thomas. The Report, published on 11 July 2008, made a number of recommendations for enhancing the UK data protection regime, including proposals for cultural changes, changes to the legal framework and changes to the regulatory body.
By and large, the MoJ has given a cautious 'thumbs up' to the majority of the Report's proposals, although it notes that one or two issues – such as the proposal to prohibit sale of the edited electoral register – require further consideration. Some of the key points from the MoJ's response are set out below:
- No breach notification law: The MoJ agrees with the Report's recommendation that a decision to notify the ICO about a significant data breach should remain a matter of good practice rather than a mandatory requirement under law. It notes that if the UK were to introduce 'the US system of mandatory breach notifications, we risk facing the same problems and mistakes that have occurred from the US experience'. Despite this, the MoJ goes on to say that the ICO could 'take into account the failure of an organisation to notify any breaches of the data protection principles when considering enforcement action.' The onus is therefore on data controllers to act responsibly: those that try to cover up a serious data breach could find themselves facing the full brunt of the ICO's new enforcement powers, whilst those that own up may be treated more leniently.
- ICO to get FSA-style fining ability? Turning to ICO's new fining powers under s.55A of the Data Protection Act 1998, ICO had proposed that its ability to issue penalties should "mirror" those available to the FSA, "setting high, but proportionate, maxima related to turnover" – a proposal that will undoubtedly cause alarm amongst many data controllers. Whilst the MoJ has been deliberately non-committal on this point, it has not ruled it out as a possibility, stating: "We can see the merits in using an existing established model and are considering the implementation of one similar to that operated by the Financial Services Authority."
- Data sharing code of practice: The MoJ also agrees that ICO should have a statutory obligation to publish and update a data sharing code of practice, and says it will introduce primary legislation to effect this. According to the MoJ, the aims of the code of practice will be twofold: "[to] provide practical guidance to the public, particularly data controllers and data processors, about how to share personal data in accordance with the requirements of the DPA; and [to] promote good practice in the sharing of personal data." To ensure that the code is put on an authoritative footing, the MoJ also says that breach of, or compliance with, the code may be taken into account by the courts.
- Fair collection, opt-ins and opt-outs: The MoJ agrees that organisations should adopt plain English approaches to preparing data handling literature, and notes that the term 'privacy policy' is often seen as a favourable, clearer alternative to the jargonistic 'fair collection notice'. It is also keen to stress the importance of providing clear opt-in and opt-out mechanisms, stating 'It is vital that opt-in and opt-out arrangements are clearly written and prominent so that people are clear about what they are agreeing to' and notes that ICO is preparing a code of practice on fair processing notices that will provide further guidance to organisations. This could signal a renewed emphasis by ICO on encouraging "fairer" fair processing notices – all too often organisations still bury their fair processing notices away in small print.
- An end to "selected third parties"? One of the more controversial aspects of the Report concerned the ICO's proposal that organisations must publish and regularly update a list of any 'selected third parties' with whom they share data. Whilst broadly agreeing with this proposition, the MoJ says that there will be occasions 'when it is appropriate not to publicise details of information held and how it may be shared, for example, in cases of national security, confidentiality agreements and market sensitivity.' At face value, this appears to drive a coach and horses through the Report's proposition: data controllers will undoubtedly consider the identity of their 'selected third parties' to be market sensitive information.
Why this matters:
The MoJ's response shows just how seriously the government is beginning to take data protection although, given the embarrassing series of data breaches arising out of central government over the past year or so, there was little it could do but support the Report's recommendations. As always, however, the proof of the pudding is in the eating, and legislation will be necessary to effect some of the recommendations – specifically, the ICO's ability to impose FSA-style fines and its statutory obligation to publish a data sharing code of practice. Just how supportive the government is prepared to be will become clear only when draft legislation is published.