This is one of a series of articles appearing on OUT-LAW this
week to celebrate Data
Protection Day 2008.
In a paper presented to Government Thomas said that while the
Data Protection Act (DPA) carried a duty for data controllers to
comply with the principles of the Act there was no punishment for
not doing so.
"The precise form any penalty might take will require careful
consideration. The creation of a new criminal offence is an obvious
option," said the paper, which has been submitted to
Government.
Thomas said that he was not seeking for breach of a new offence
to be punishable by jail terms, but by unlimited fines.
Thomas's paper said that such a move would "be a significant
step forward in modernising the UK’s data protection regime by
reflecting, in the powers of the regulator and the penalties that
can be imposed, the enormous growth that has taken place in the
collection and use of personal information and the associated
potential for harm that can arise from unlawful processing."
"Most importantly [it] would send a clear message that data
protection requirements can not be ignored or dismissed. They must
be taken seriously by every organisation that processes personal
information," said the paper.
Thomas has also asked for the power to stop immediately any data
processing his office finds that is "seriously unlawful".
"The ICO [Information Commissioner's Office] would welcome
injunctive powers of intervention that would effectively stop the
unlawful practices from continuing pending any prosecution or other
enforcement activity," said the ICO document. At the moment the ICO
can issue an enforcement notice, but its effects are suspended
while any appeal to the Information Tribunal is heard. This, said
the note, can take months.
Thomas also repeats his request for the power to audit a
company's data processing without its permission. Until recently
the ICO needed permission to audit any body's practices.
In the aftermath of HM Revenue and Customs' loss of the personal
details of 25 million child benefit claimants, though, the
Government said that permission would not be needed for public
bodies.
Thomas has re-iterated his desire to have that power extended
into the private sector. He has even said that it would be hard to
carry on in his duties without it.
"Developments in EU legislation are placing requirements on the
ICO that are difficult if not impossible to meet without an
inspection power," said the submission to Government. "The Data
Retention (EC Directive) Regulations 2007 place the Information
Commissioner under a duty to monitor the application of the
Regulations with respect to the security of stored data. The
Commissioner will be unable to properly discharge this duty without
a power that gives him the right to inspect the security
arrangements made by service providers."
The Commissioner also requested other new powers, including the
power to force an organisation to provide him with a report by '"a
skilled person", such as that enjoyed by financial regulator the
Financial Services Authority, and the power to serve notices on
people other than data controllers.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice. If that’s what you’re seeking, please
contact us. See also: our
full disclaimer
