Reform of Data Protection Powers and Penalties

January 30, 2008

In a paper published by the ICO on its Web site, the Information Commissioner sets out the case for changes to be made to the Data Protection Act 1998. The changes seek to create:

• a penalty for knowingly or recklessly failing to comply with the data protection principles so as to create a substantial risk that damage or distress will be caused to any person
• a power for the Information Commissioner to inspect personal data and the circumstances surrounding its processing in order to assess whether or not any processing of the data is carried out in compliance with the Act
• a power for the Information Commissioner to require a data controller to provide him with a report by a skilled person
• enhanced enforcement powers to enable the Information Commissioner to bring seriously unlawful processing to an immediate halt, to place formal undertakings on a statutory basis and to enable the Commissioner to take enforcement action to prevent breaches of the Act that are likely to occur
• a power to serve information notices on any person rather than just a data controller.

The Commissioner submits that introducing these changes would significantly increase the ability of his office to deliver its commitment to ‘Strengthening public confidence in data protection by taking a practical, down-to-earth approach – making it easier for the majority of organisations who seek to handle personal information well and tougher for the minority who do not’.

The ICO says that:
‘the additional but limited powers and penalties outlined above are very unlikely to be controversial in party political terms. They would help put the Information Commissioner’s Office (ICO) on a comparable footing to other UK regulators and to other EU data protection authorities whilst at the same time helping the Government to meet its commitment to build a regulatory regime in the UK that is effective, flexible and proportionate in tackling the mischiefs to which it is directed. They would also be a significant step forward in modernising the UK’s data protection regime by reflecting, in the powers of the regulator and the penalties that can be imposed, the enormous growth that has taken place in the collection and use of personal information and the associated potential for harm that can arise from unlawful processing. Most importantly they would send a clear message that data protection requirements cannot be ignored or dismissed. They must be taken seriously by every organisation that processes personal information’.

The full document can be accessed at