UK gets hair trigger privacy penalty
ICO grows some teeth
THE UK'S DATA WATCHDOG, which is becoming a force to be reckoned with, now has power to crack down on organisations that make bungling exposures of personal data.
The Criminal Justice and Immigration Bill gave the UK's Information Commissioner the power to fine people and organisations for failing to look after people's personal data when it was passed into law last Thursday.
"The ICO will be seen with much more seriousness," said Hazel Grant, a contributing editor of the Encyclopedia of Data Protection.
"At the moment, someone in the private sector might say, 'what's the downside of breaching the Data Protection Act?'," she said.
Until now, there wasn't much downside at all. If someone like HM Revenue & Customs lost 25 million child benefit records in the post, the ICO couldn't do anything about it because the Data Protection Act (DPA) exempted government from being prosecuted under the legislation.
If a private company like HSBC lost hundreds of thousands of customer records, the ICO might have flexed its muscles and sent a letter telling them to pull their socks up. If the loss involved a breach of the DPA, the ICO's warning was ignored, and another data loss then occurred, the ICO might bring a prosecution.
Rosemary Jay, a privacy lawyer with Pinsent Masons and former legal advisor to the ICO, said that, to be fair, most private firms did take data protection seriously.
"But there are stragglers," she said, "and this will be a welcome weapon in the armoury of the ICO to address those."
That armoury has been unwieldy, according to Ruth Boardman, a privacy lawyer at Bird & Bird. Most prosecutions under the DPA, she said, have been brought to the Magistrates Courts, where the maximum penalty was a mere £5,000 fine.
The DPA was so weak, said Boardman, that even when a clerk at the Department of Transport was caught selling data about vivisectionists to animal rights activists, he had to be prosecuted for malfeasance in public office.
Though the new law, introduced as an amendment to the DPA, doesn't give the ICO any greater powers of prosecution, observers say the ICO didn't want them because it already lacks the resource to deal with the legal workload. Rather, a monetary penalty promotes it to a league nearer other regulators that are taken more seriously, like the Financial Services Authority.

Comments
Oh?
And all this from a country that has cameras everywhere you look? Wow.
What about departments of the government?
What about departments of the government? It seems to me that a fair portion of data loss comes from agencies in the government as well. It would be pointless fining them, as it would just mean a transfer of taxpayer money from one place to the other.
Far better, they recommend who should be fired for incompetence.
Oh wait; I am of course assuming that government departments are held as responsible as private companies for data loss, which would be fair right? But when has anything in politics been fair?
Under the street lamp again...
Shadders is right, but he understates the case. As far as I am aware, the vast majority of personal data leakage comes from the government. Even if there are leaks from private enterprise, they tend to be far smaller. Who but HMRC, for example, would even have zapiskas on 26 million of us wretched serfs? This reminds me of the old story of the drunk searching for his keys under a streetlamp. When a policeman comes to help him, he asks, "Is this where you dropped your keys, sir?" "Oh no," replies the drunk, "It was over there! But there's more light here..." The government is never going to regulate itself, so it makes great play of regulating the private sector - which is not where the problem is.
Here's what
To answer that question: "What about departments of the government?" That's what these fines are for you see, if you leak that the government bungled yet again you invaded their privacy and get fined :)
You don't think they'd pass a law FOR the people do you? In 2008 - anywhere.