This is the first in a series of articles appearing on OUT-LAW
this week to celebrate Data
Protection Day 2008.
For once data protection received some public empathy. No longer
was it blamed, as it once was by British Gas, for the death of
elderly people; now it could be the champion of our ever-harder
battles to keep our privacy intact.
The result was a flurry of announcements by Government seeming
to boost data protection. Read at face value it seemed as though
Prime Minister Gordon Brown was overhauling the data protection
landscape. As we will see, though, his plans amounted less radical
change than appearances suggested.
The Government announced a review by PricewaterhouseCoopers of
HMRC and the specific problem that arose there. It also announced a
security review by Cabinet Secretary Gus O'Donnell across the whole
of Government.
Also announced was a boost to the powers of the Information
Commissioner's Office (ICO) to carry out information policy audits
on Government departments whether or not it had their
permission.
These announcements followed news from before the HMRC leak that
the Government would issue guidance to journalists on new criminal
offences under the Data Protection Act (DPA) and a review of the
use of information in the public and private sectors.
This looks like a reforming programme at first, but the detail
tells another story.
The consultation document issued by the ICO in its review
focuses on data-sharing. The limited scope of the project suggests
that it is unlikely to lead to changes in the law. No doubt it will
result in recommendations on practice or interpretation, but no
major change seems likely.
There is pressure, though, for the review to go further in the
aftermath of the HMRC disaster and others that have followed, such
as the recent loss of army laptops containing thousands of
individuals' information.
O'Donnell's security review does not appear to be a detailed
assessment, let alone a root and branch review. It appears to have
been conducted by means of a general request to all departments
asking them to provide a return stating that they have proper
contracts in place, adequate security measures and so on. This is
not being conducted by the ICO and what the output will be in terms
of published materials or report we do not yet know.
As for the audit powers granted the ICO, these stretch only to
Government departments, leaving companies out of the forced-audit
loop. Commissioner Richard Thomas has long said that he wants to be
able to conduct audits on any organisation at any time, but that
power still eludes him.
Are there any other potential changes going on, then? The two
which seem most threatening to data controllers are the prospect of
breach notification and the proposal for a new offence of gross
security negligence. Both would penalise those who fail to offer
proper protection for data.
There have been calls for a data breach notification law that
would force organisations to tell people when it had compromised
their data security. Such laws are in place in 34 US states and in
New York City, and the House of Lords Committee on Internet
Security recommended the creation of such a law in the UK.
The European Union has also made a formal proposal for such a
law in its review of telecommunications regulation.
But the Government has rejected the Lords recommendation, and
the EU proposal only applies to telecoms companies, not to ordinary
data controllers.
Richard Thomas has called for a new offence to penalise those
who are grossly negligent with our data. This is not currently a
government proposal. It is recognised that such an offence would be
very hard to draft so as to catch the mischief at the right level.
While it might sound an attractive prospect it would be a very slow
burn.
So while data protection stays in the headlines the political
world can point to a range of measures being looked at. On closer
inspection, though, they are more limited in scope and restrictive
in recommendation than they might first appear.
So far then their effect is likely to be muted, and few changes
in the law can be expected any time soon.
By Rosemary Jay, Head of the Information Law team at Pinsent
Masons, the law firm behind OUT-LAW.COM. Find out how to win a copy of Rosemary's book, Data Protection
Law and Practice.
