Out-Law News

Expert warns that proposed ICO powers could be weak


The Ministry of Justice's plans to change the Information Commissioner's powers will weaken the privacy regulator, a privacy law expert has warned. The planned changes could give organisations a way to avoid penalties, the expert said.

The Ministry of Justice is consulting with the public on the funding and powers of the Information Commissioner's Office (ICO). The ICO has asked to be given more powers to help it combat misuse of personal data by organisations.

The Ministry of Justice has proposed that a system be introduced where organisations volunteer to have their privacy and data protection systems audited. This good practice assessment (GPA) would be carried out by the ICO, but the ICO itself does not back the plan.

"The IC understands the intention behind the Government’s proposal to allow data controllers to provide their consent for a good practice assessment when they register [as data controllers]," said its response to the consultation. "The ICO has done much to streamline the notification process for data controllers. It wishes to continue this process of simplification in so far as the legislative framework allows."

Privacy expert Dr Chris Pounder of information law training company Amberhawk said that any ICO efforts to cut down on red tape were being thwarted. "The Government’s proposals enhance the very bureaucratic elements of the Data Protection Act that most observers say should be diminished," he said. "Now organisations risk a criminal record if they don’t pay the correct registration fee, fail to keep their registration up to date, fail to keep their notified address up to date or who fail to register at all."

Pounder also said that the GPA could offer organisations a way out of paying a fine.

The Ministry has proposed that organisations which ask for a GPA to be carried out be exempted from a monetary penalty notice. Pounder said that an organisation with a data problem might register for a GPA before the problem becomes public in order to qualify for that exemption.

"Organisations can protect themselves from a Monetary Penalty Notice when they register, but this excludes the thousands of data controllers who are exempt from registration," said Pounder. "They, apparently, can’t protect themselves."

The ICO also had concerns about the exemption. It said that it did not believe the exemption would encourage organisations to ask for a GPA.

"The IC is concerned at the lack of evidence behind the MoJ’s suggestion that giving data controllers an exemption from a civil monetary penalty will provide a significant incentive for data controllers to volunteer consent," it said. "Particularly if they are in the private sector and they receive legal advice, they are unlikely to expose themselves to the risk, whether real or perceived, that giving consent to a GPA might bring."

Pounder also said that the concept of a Monetary Penalty Notice was problematic when data lapses were committed by public bodies because the ICO could not keep the fines; it would have to pass them on to the Treasury.

"The concept of a Monetary Penalty Notice can become a kind of money merry-go-round. If applied to a public sector body, the penalty would take money from the public body and return to the taxpayer to a Treasury that gave that public body a budget in the first place," he said. "The Government’s proposals show all the signs of being cobbled together in great haste."

Dr Pounder, formerly a trainer with Pinsent Masons, now runs a new training business, Amberhawk. To request a copy of his analysis of the Government’s proposals, email [email protected].
