Government seeks evidence ahead of Data Protection Directive review

The Ministry of Justice (MoJ) will consult on how effective the Data Protection Act has been as a precursor to negotiations with Brussels on the reform of EU laws.

"The European Directive is set to be reviewed and I hope as many of you as possible will respond to this call for evidence," said minister of state for justice Lord McNally in the call for evidence. "It will give the Government a solid evidence base to use in negotiations with other European Union parties. I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens."

"The way we go about our business has been radically transformed in the space of a generation," he said. "On the one hand, the digital revolution means that shops, online retailers, banks, Government agencies and departments can transact their business quickly and efficiently, tailoring their services to the needs of the individual."

"On the other hand, this involves disclosing information about ourselves, about our preferences, and even about our families and lifestyles," said McNally. "For some, this is a small price to pay for an effective, joined-up service. For others, it represents an uncomfortable intrusion into their private lives, and a worrying imbalance of power."

The Government has asked organisations whether or not the Information Commissioner's Office (ICO), which oversees compliance with the DPA in public and private sector bodies, has enough powers to regulate data protection properly.

"We would welcome evidence on the adequacy of these powers to ensure that the Information Commissioner is appropriately equipped to deal with serious breaches of the DPA," said the MoJ document.

The ICO was given new powers last year that came into force in April this year. It can now fine organisations £500,000 for serious data security breaches and can assess the data protection practices of Government departments without their permission whenever it likes.

"Given that these new powers have only recently come into force, it is difficult to assess to what extent they will have the anticipated impact on data protection compliance," said the document. "A review is likely to take place within five years on the effectiveness of these measures."

The MoJ is also keen to hear whether organisations think that biometric information identifying a person, such as fingerprints or DNA samples, should be specially protected as 'sensitive' personal data.

"We would welcome evidence about whether biometric personal data should be included within the scope of 'sensitive personal data'," it said. "Equally, there may be an argument for including other types of information within the definition of 'sensitive personal data' if their loss, disclosure or destruction could cause particular damage or distress. Obvious candidates might be credit information or bank account details."

The document also asks organisations their views on whether the UK should have a law forcing companies or bodies that lose personal data to disclose the security breach, a measure that has been put in place in many US states.

The answers to the MoJ's questions will be used to determine its stance in negotiations on a revision to EU data protection law to take place early next year, it said. The process is open for responses until 6th October.