2008 was another year of embarrassment for the public sector in terms of data losses, and it is therefore no surprise that the Ministry of Justice has put forward a series of proposals to give the Information Commissioner an increased range of powers, some of which are mentioned in this article.
One of the most effective proposals is to give the Information Commissioner's Office (ICO) the power to inspect central Government departments and public authorities to audit their compliance with the Data Protection Act. As these inspections can be conducted unannounced, public sector bodies will need to be prepared to demonstrate good practice and should be reviewing their data protection practices now to ensure that they comply with the data protection principles.
At present, there are no proposals for private sector businesses to face compulsory data protection audits by the Information Commissioner's Office. The ICO would have liked the power to undertake audits in the private sector but, for now, that does not form part of the Ministry of Justice proposals.
There are, however, proposals for the ICO to carry out voluntary good practice assessments, and this applies to the private sector. There may be advantages to applying to have a good practice assessment carried out. Section 55A of the Data Protection Act (a new section which was inserted in May last year) will give the ICO the power to impose fines for serious breaches of data protection law. Under the proposals from the Ministry of Justice, data controllers will be exempted from these financial penalties if a breach of data protection law is found during a good practice assessment. This has prompted fears that organisations could manipulate the exemption by registering for a good practice assessment before a known data protection problem becomes public, so as to qualify for the good practice assessment exemption.
Other proposals from the Ministry of Justice include powers for the ICO to:
- impose a deadline and location for the provision of information necessary to assess compliance;
- impose financial penalties on data controllers for deliberate or reckless loss of data;
- publish guidance on when organisations should notify the ICO of breaches of data protection legislation; and
- publish a data sharing code of practice, which should provide practical guidance on sharing personal data.
The Ministry of Justice proposals are contained in the Government's response to the data sharing review, which was conducted by the Information Commissioner (Richard Thomas) and Mark Walport and published in July 2008. Full details of the Government's response to the data sharing review can be found at: http://www.justice.gov.uk/publications/response-data-sharing-review.htm
Businesses and organisations in both the public sector and the private sector should be aware of the proposals and should take steps to ensure their compliance with the data protection principles to avoid financial penalties and the unwelcome publicity that can arise from high profile breaches of data protection law.