In December 2007, the Data Sharing Review Secretariat sought responses to a range of questions on the steps that might be taken to improve the workings of the Data Protection Act 1998, with a particular focus on data sharing. SCL’s Privacy and Data Protection Interest Group has prepared a substantial response, with Andrew Sharpe and James Drever of Charles Russell LLP leading the work. The response was submitted on 14 February, and the full response can be read here.
The response supports the call from the ICO for increased enforcement powers and highlights the need for increased funding to make enforcement effective. In the absence of increased funding, the response suggests that consideration ought to be given to requiring certain data controllers to submit themselves to an independent data protection audit, with the auditor’s report being submitted to the ICO. The response is critical of the ‘universal tax’ that is levied by way of the current notification regime:
‘The notification regime … does not serve any practical purpose, other than as the mechanism by which the ICO collects approximately £10m per year in fees. As the £35 annual registration fee is almost a universal tax, it would be more efficient if the ICO’s data protection work were funded by a grant in aid. We suspect that any such grant in aid would be more than offset by the amount of administrative fines that would be paid into the Consolidated Fund, if the ICO were given enforcement powers to levy fines similar to, for example, those of the OFT or FSA’.
While seeing the current Data Protection Act and associated legislation as an improvement on its predecessors, the response suggests that there are still uncertainties surrounding the legislation. It states by way of example:
‘many data controllers appear uncomfortable with the fact that the [Seventh] Principle requires them to assess for themselves the question of appropriateness. Even after nearly ten years of the DPA, data controllers have not got used to the lack of prescriptive regulations on matters such as organisational and technical security measures, with a result that many, as has recently been shown by many high profile cases of accidental loss, do not have appropriate technical or organisational security measures in place.’
There is also, according to the response, a lack of ‘fear’ in many institutions; fear of the effects of non-compliance would ensure that the need for compliance was taken seriously at every level. In answer to the Secretariat’s question concerning impediments to the effectiveness of the Data Protection Act, the response states:
‘The main impediments are:
1. Ignorance and misunderstanding of the DPA and the work of the ICO. Data protection is an issue that seems to provoke indifference and indignation: long periods of indifference punctuated by spasms of indignation.
2. The belief that the “cure is worse than the illness”, and that government regulation of personal information is a burden to business and a fetter on the free movement of goods, capital – and information.
3. The occasional tendency for a response to regulation to have an unintended consequence, usually as a result of a misunderstanding of the DPA – well-known examples include the failure by British Gas to notify Social Services of their cutting of pensioners’ gas supply and the inappropriate data retention policies adopted by Humberside Constabulary pre-Soham and post the Bichard Report. The DPA tends to encourage a process-driven approach to data management, which creates its own abuses. Data retention is often poorly managed – this is a resource issue in many organisations.
4. The lack of prescriptive regulations or detailed guidance (although we note that more recently there has been more guidance forthcoming from the ICO) – as noted above, the purposive approach taken by the DPA appears to cause data controllers problems, as particularly under the English system data controllers appear to want more narrowly defined obligations.’
Lawful data sharing notices from public authorities come in for special criticism because of the lack of real choice for the public at large:
‘This is because the citizen has no effective choice in supplying personal information to, or permitting the processing of their personal information by, many government departments or public authorities. We consider that any data sharing regime should consider requiring unambiguous consent for sharing or processing that is beyond the direct and necessary purposes of the relevant data controller.’
SCL wishes to thank members of the Privacy and Data Protection Interest Group, and Andrew Sharpe and James Drever in particular, for their excellent work in compiling the response.