Out-Law News

Privacy chief wants new criminal offence


Information Commissioner Richard Thomas has asked the Government to create a new offence of recklessly or knowingly breaching data protection principles, punishable by unlimited fines. He has also asked for other powers to be strengthened.

Data Protection Day 2008
This is one of a series of articles appearing on OUT-LAW this week to celebrate Data Protection Day 2008.

In a paper presented to Government Thomas said that while the Data Protection Act (DPA) carried a duty for data controllers to comply with the principles of the Act there was no punishment for not doing so.

"The precise form any penalty might take will require careful consideration. The creation of a new criminal offence is an obvious option," said the paper, which has been submitted to Government.

Thomas said that he was not seeking for breach of a new offence to be punishable by jail terms, but by unlimited fines.

Thomas's paper said that such a move would "be a significant step forward in modernising the UK’s data protection regime by reflecting, in the powers of the regulator and the penalties that can be imposed, the enormous growth that has taken place in the collection and use of personal information and the associated potential for harm that can arise from unlawful processing."

"Most importantly [it] would send a clear message that data protection requirements can not be ignored or dismissed. They must be taken seriously by every organisation that processes personal information," said the paper.

Thomas has also asked for the power to stop immediately any data processing his office finds that is "seriously unlawful".

"The ICO [Information Commissioner's Office] would welcome injunctive powers of intervention that would effectively stop the unlawful practices from continuing pending any prosecution or other enforcement activity," said the ICO document. At the moment the ICO can issue an enforcement notice, but its effects are suspended while any appeal to the Information Tribunal is heard. This, said the note, can take months.

Thomas also repeats his request for the power to audit a company's data processing without its permission. Until recently the ICO needed permission to audit any body's practices.

In the aftermath of HM Revenue and Customs' loss of the personal details of 25 million child benefit claimants, though, the Government said that permission would not be needed for public bodies.

Thomas has reiterated his desire to have that power extended into the private sector. He has even said that it would be hard to carry on in his duties without it.

"Developments in EU legislation are placing requirements on the ICO that are difficult if not impossible to meet without an inspection power," said the submission to Government. "The Data Retention (EC Directive) Regulations 2007 place the Information Commissioner under a duty to monitor the application of the Regulations with respect to the security of stored data. The Commissioner will be unable to properly discharge this duty without a power that gives him the right to inspect the security arrangements made by service providers."

The Commissioner also requested other new powers, including the power to force an organisation to provide him with a report by "a skilled person", such as that enjoyed by financial regulator the Financial Services Authority, and the power to serve notices on people other than data controllers.
