UK Information Commissioner seeks extended legal powers
Giving evidence before the House of Lords Constitution Committee on Surveillance and Data Collection, the UK Information Commissioner Richard Thomas has proposed significant extensions of his Office’s powers. Noting that current Data Protection legislation imposes only minor penalties for negligent exposure of personal data, he proposed a new criminal offence of "knowingly and recklessly" flouting the provisions of the Act. He pointed out that only in the financial sector can this be pursued with effect at present, and then only by the Financial Services Authority under alternative legislation. Describing this situation as anomalous, the Commissioner gave the example of a hospital doctor leaving a laptop containing patient records unattended, a scenario he described as a "blatant breach". Challenged on the proportionality of this proposal in the context of General Practitioners, who are obliged to carry personal information around with them, the Commissioner responded that his focus would be quite narrow: concentrating on, for example, the situation where "a laptop with a lot of personal information is not sufficiently cared for and hadn’t been encrypted". He continued, "... anyone ... holding personal information should know the basics for making sure that data is encrypted". Nevertheless, he stated that he would not seek to criminalise individuals for single instances of failure.
Another key proposal was a power of mandatory inspection. The Commissioner explained that his Office can currently only inspect the data processing of an organisation by consent, and only with very limited scope. He stated that he sees a need for a power of mandatory inspection, pointing out that his Office is effectively unique among regulatory agencies in not having this power. He believes that this power would encourage businesses "to take data protection seriously".
The Data Protection Act has so far proved rather ineffective, due both to the restricted powers of the ICO and the limited penalties that can be imposed. However, the Commissioner is notably outspoken in defence of personal privacy, not least concerning the proposed national identity card, so these recommendations, although quite a dramatic departure, do not come as a huge surprise.
- Surveillance and Data Collection. Witnesses - Information Commissioner, Transcript of session (streaming audio - these proposals start at minute 42).