UK gets hair trigger privacy penalty
12 May 2008 | 16:35 BST
ICO grows some teeth
THE UK'S DATA WATCHDOG which is becoming a force to be reckoned with now has power to crack down on organisations that make bungling exposures of personal data.
The Criminal Justice and Immigration Bill gave the UK's Information Commissioner the power to fine people and organisations for failing to look after people's personal data when it was passed into law last Thursday.
"The ICO will be seen with much more seriousness," said Hazel Grant, a contributing editor of the Encyclopedia of Data Protection.
"At the moment, someone in the private sector might say, 'what's the downside of breaching the Data Protection Act'?'," she said.
Until now, there wasn't much downside at all. If someone like HM Revenue & Customs lost 25 million child benefit records in the post, the ICO couldn't do anything about it because the Data Protection Act (DPA) exempted government from being prosecuted under the legislation.
If a private company like HSBC lost hundreds of thousands of customer records, the ICO might have flexed its muscles and sent a letter telling them to pull their socks up. Assuming the loss involved a breach of the DPA, then the ICO's warning was ignored, and then another data loss occurred, then the ICO might bring a prosecution.
Rosemary Jay, a privacy lawyer with Pinsent Masons and former legal advisor to the ICO said that, to be fair, most private firms did take data protection seriously.
"But there are stragglers," she said, "and this will be a welcome weapon in the armoury of the ICO to address those."
That armoury has been unwieldy, according to Ruth Boardman, a privacy lawyer at Bird & Bird. Most prosecutions under the DPA, she said, have been brought to the Magistrates Courts, where the maximum penalty was a mere £5,000 fine.
The DPA was so weak, said Boardman, that even when a clerk at the Department of Transport was caught selling data about vivisectionists to animal rights activists, he had to be prosecuted for malfeasance in public office.
Though the new law, introduced as an amendment to the DPA, doesn't give the ICO any greater power of prosecution, observers say the ICO didn't want them because it already lacks the resource to deal with the legal workload. Rather, a monetary penalty promotes it to a league nearer other regulators that are taken more seriously like the Financial Services Authority. µ
© 2007 Incisive Media Investments Ltd. 2007