Suspecting mass on-line non-compliance with data protection laws by UK websites, Dame Elizabeth France is going on the attack.
Topic: Data Protection
Who: The Information Commission (“IC”)
When: Early January 2002
Where: UK
What Happened:
The Information Commissioner, who is responsible for enforcement of the Data Protection Act 1998 (“DPA”), has commissioned a survey to establish the extent of compliance with the DPA by UK websites. This is to be carried out during January and February 2002. It will cover all shapes and sizes of website. The idea is to use the results of the study to raise general awareness of data protection requirements and also to inform and direct future guidance and enforcement action. There are also no guarantees that caught-out website owners will not be the subject of enforcement action themselves.
All organisations in the UK currently operating websites and collecting personal data from those sites should remember that, even if they are collecting just names and addresses, the DPA will apply. Particularly in the light of this new IC initiative, they should be running a mini-audit to establish: whether their sites have adequate data protection notices and disclosures as well as a privacy policy; whether they have notified the IC of their collection and processing of personal data; whether the notification that they have given the IC covers all their personal data processing practices; and whether their site meets the DPA security requirements. The DPA also places requirements on personal data processors as to how long personal data may be held, how it is disclosed to third parties and the steps that are taken to ensure that the information is kept up to date.
Why This Matters:
Although the resources of the IC are limited and enforcement action is therefore patchy, the IC is determined to ratchet up its regulatory efforts. Accordingly, businesses that may be quite justifiably daunted by the complexity of data protection legislation should not assume that if they lie low, the regulator's gimlet eye will overlook them. Penalties for non-compliance can be harsh. They include fines for failure to notify the IC of personal data processing. There are also fines for failure to keep the notification up to date so that it covers all personal data processing activities. Another penalty is being prevented from using any personal data at all until the data has been properly and compliantly collected, a measure that could stop all of a company's direct marketing activities in their tracks. Company directors also face potential personal liability where offences are attributable to their neglect, connivance or consent.