April 2010 could see first fines by the Information Commissioner’s Office
One of the things I make no apology for going on about is privacy and data protection – I object to anyone collecting information about me in general (other than anything I freely choose to place in the public domain), and the millions of personal details that the various government bodies have left lying around in public, or simply lost, mean I have no need to make any case for highlighting data protection deficiencies.
You can combine the two in the private sector, as businesses seek to collect data about us all, amass them in corporate databases, and then sell the information to one another without any reference to those to whom the data refers. If they make a mistake, you’ll never know about it, or have any way to correct it. You can kiss your credit rating goodbye, or forget any jobs that involve, for example, children, if someone hits the wrong key somewhere.
Until now, there has been no way to issue a fine to the data controllers in charge of such information.
The Data Protection Act 1998 should act to help reduce such instances, but under the Data Protection Act (DPA) the Information Commissioner’s Office (ICO), responsible for enforcing the Act, cannot issue fines for breaches of the eight data protection principles at the heart of the law. From next April that will change and it will be able to issue fines for knowing or reckless breaches of the Act’s principles.
The introduction date is still to be officially confirmed though, and could be changed, and further work is still to be done with regard to the level of fines that can be issued.
The fines can be levied by the ICO when one of the eight principles has been seriously breached, but only if the ICO is convinced that the breach was deliberate, or that the data controller knew, or ought to have known, of the contravention risk, that the contravention would be likely to cause substantial damage or substantial distress, and that the controller failed to take action to stop it.
Presumably the government will be treated as a special case, otherwise we will all be penniless as our taxes rise in order to pay the fines for the millions of records it will fail to protect in future, given its past and current performance in this area.
The data protection principles
Part I The principles
1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.