The Information Commissioner’s New Clothes?

After lobbying the Home Office, the Lord Chancellor, and the Department of Constitutional Affairs, the Information Commissioner, Richard Thomas, has announced that the Government has agreed, in principle, that the Commissioner should have more power to inspect public and private bodies’ compliance with the Data Protection Act 1998 (DPA).

The Commissioner argues that, ‘Many information gathering activities are essential and beneficial to modern life. But balance is needed and there must be limits. No one wants their electronic footprint to expose every aspect of their daily life. Positive action is required to ensure the potential risks do not manifest themselves. Otherwise the trust and confidence which individuals must have in all organisations that hold information about them will be placed in jeopardy.’

The Information Commissioner’s Office (ICO) is the independent public body charged with safeguarding personal information by enforcing and overseeing compliance with the DPA. Where the Commissioner finds a case of non-compliance, he has the power to issue information and enforcement notices, carry out audits, and prosecute offenders. Unlike other regulators, however, the Commissioner does not have the right to carry out spot checks on organisations to ensure compliance with the Act.

Actually finding a case of non-compliance is, of course, much more difficult without this power. At present, the Commissioner must either have a warrant, or the data controller’s consent, to inspect any data they hold on other persons. This is unlikely where the controller does have something to hide, and at least one high street bank has reportedly already refused the Commissioner access to its data. Surprise investigations into whether data held by controllers is relevant, accurate, and stored safely (as prescribed by the DPA) would not only help to identify cases of non-compliance but also have a strong deterrent effect on organisations – an important tool in light of the recent scandal involving the way several high-profile high street banks dispose of their customers’ details.

The Commissioner has also called for the introduction of privacy impact assessments for organisations. These would require organisations to set out how they intend to minimise the threat of new surveillance methods to data subjects’ privacy. This system is already widely used in the US and Australia. It is also anticipated that the ICO will regulate law enforcement agencies’ access to private data held by the private sector to ensure that any access is legitimate and purpose driven rather than a fishing exercise.

The Commissioner’s demand for more powers is backed by the European Commission and highlights increased concerns over the growth of the so-called ‘surveillance society’ in the UK, for example the much-hyped proposed introduction of ID cards, the rapid growth of CCTV in cities, and the Government’s support of data sharing between public organisations. The Commissioner has stated that, ‘People now understand that data protection is an essential barrier to excessive surveillance… It is essential that before new surveillance technologies are introduced full consideration is given to the impact on individuals and that safeguards are in place to minimise intrusion.’

Despite support from several sectors, the Government has not yet signalled a firm commitment to granting the Commissioner new powers. If the powers are granted to the Commissioner, organisations in both the public and private sector will have to ensure they handle data in compliance with the DPA. Nonetheless, as stated by the Commissioner, the inquiry will, at the very least, ‘raise awareness of and stimulate debate on the issues relating to a surveillance society.’

Disclaimer

The material contained in this e-update is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.

© MacRoberts 2007
