Data protection report card

Of the flood of e-commerce regulation and legislation that has entered the statute books over the last two years, it is becoming clear that the Data Protection Act is the issue which has most companies and individuals running for legal advice, either as data controllers or data subjects. The Act came into force on 1st March 2000 but for many businesses it did not really bite until the beginning of November 2001, when the exemption for paper files ended. A very few exemptions will continue until 2007.

The new Information Commissioner, Richard Thomas, has indicated that his office intends to take a far more proactive approach towards compliance issues under the 1998 Act.  It seems reasonable to assume that this thought process will also apply to the Commissioner’s other significant responsibility, Freedom of Information.  

According to the Information Commissioner’s explanation of this new strategy (strangely not yet mentioned on his website at www.dataprotection.gov.uk which though an excellent site could benefit from much more frequent updating), the Commissioner will now pay far closer attention to contraventions of the data protection principles. This is a welcome development since the number of requests for assessment under Section 42 of the 1998 Act has increased rapidly since 1 March 2000, yet the level of enforcement activity remains very low.

The Information Commissioner has established an “Enforcement Board” comprising the Commissioner, his two Deputies, two Assistant Commissioners, and his Head of Investigations.  Legal input is provided by the Legal Advisor to the Information Commissioner, but in an advisory capacity only.  

The objectives of the Enforcement Board are:

1. Identify compliance issues arising under the Data Protection Act and the Freedom of Information Act 2000 (and the Scottish equivalent) that warrant further investigation and might require consideration of enforcement action;
2. Identify, and prioritise, a programme of investigative activity; and
3. Consider prospective enforcement activity, making where appropriate recommendations to the Information Commissioner on whether the Commissioner should proceed with enforcement action.

The Enforcement Board will be supported by an Enforcement Team. This is to comprise staff drawn from the Information Commissioner’s Compliance Investigations and Legal Departments. This team will:

• Implement the programme of investigative activity drawn up by the Enforcement Board and pursue any resulting enforcement action;
• Identify additional areas of non-compliance that may warrant investigation through working closely with Compliance Teams;  and
• Provide administrative support for the Enforcement Board.

The first meeting of the Enforcement Board occurred on 12 July 2002.  Two priority areas of investigation were identified for the year ending 31 March 2003.  These were:

• a.  Compliance issues arising out of the UMIST Compliance Study discussed below;  and
• b.  Issues surrounding the exercise of the right of subject access to manual records (Data Protection Act 1998, Section 7) held by government departments.

The UMIST Compliance Study

UMIST is the University of Manchester’s Institute of Science & Technology.  Professor L A Macaulay of the university and Iain Bourne of the Information Commissioner’s office signed off the final report.  The final report can be found online at http://www.co.umist.ac.uk/news/dp_survey/ComplianceFinalReport.pdf and you’ll need to have installed Adobe Acrobat in order to open the file.

The  UMIST study used a two stage approach to the collection of data.  First, it independently analysed websites, including assessment of their privacy information for intelligibility, using standard readability indices.  Secondly, in-depth interviews were carried out by telephone interviews and face to face visits. During research, over 3,000 URLs were visited, from more than 900 companies, organisations and government institutions, and 200 interviews were conducted.  The study also involved the posting of information to websites using a fictitious unique identity created for the purposes of the study.  The website assessment team was told that wherever possible they must request no direct marketing communication.  A depressingly high number of organisations simply ignored this request and began spamming.

Websites falling in nine categories were examined.  Just over half the sample sites were retail operations, others included financial and insurance institutions, government agencies, travel sites and local authorities as well as sites aimed purely at children which was the second biggest group assessed.  

There were certainly some positive findings.  There was good general awareness of the Data Protection Act across both large and small companies.  Most viewed customer confidentiality as important and “good for business”. Collection rates for sensitive personal data were very low indeed, good news for the more vulnerable members of society perhaps?  However, the level of compliance with the Act was very variable according to the size of company.  Perhaps unsurprisingly, smaller companies operating within unregulated industry sectors exhibited a very low level of compliance, and those who did comply with the Act tended to do so more by accident than by design.  Particular points for concern were as follows.

a.  Retention of Data

There was a great deal of confusion and misunderstanding about data retention.  Less than 40% of sites had procedures for recording what personal data was collected.  Only 18% of sites told users how to get access to the data held about them.  Many small companies did not even realise they were “collecting” data.  They simply assumed that if they hadn’t explicitly asked for the data then they hadn’t “collected it”.  A particular problem was identified with the collection of free form data where the user can enter whatever additional information they choose in a box.  This form of data arises most often in e-mails, chat rooms and discussion groups.  Self-help, health and advice sites are examples of free form personal data being collected and stored.

b.  Responsibility for compliance

Many small companies automatically assumed they were protected through their I.S.P.  Most were unsure who was responsible for compliance if their data was held by the I.S.P.  The seventh data protection principle requires the use of  best efforts in relation to data security. However, most companies rarely used encryption although passwords were common. Back-up data was produced regularly, however no special security was applied to that data. Frequently there was often no policy for its destruction, which is a breach of the fifth data protection principle.

c.  Privacy statements = legal gobbledegook

If webmasters are taking advice from solicitors in relation to the layout of websites and/or the wording of the terms and conditions found in those sites, then something is going seriously wrong somewhere along the line.  The majority of privacy statements were found to be “completely unintelligible to the average Internet user”, a disappointing statistic in 2002 when the use of Plain English is supposedly on the up. Worse, 42% of sites did not post any form of privacy statement.

d.  Sensitive Personal Data/ Excessive Data

Interestingly, very few sites were found to collect sensitive personal data. Of the few websites that did collect sensitive personal data, the most common question asked related to physical or mental health. In addition, excessive information gathering does not seem to be a widespread practice overall, but there are indications that there are some sites which do collect excessive data.  For what reason does any website demand your National Insurance number?  Yet nearly 4% of sites did so.  

e.  Covert Data Gathering
The perennial problem of covert data gathering persists. The authors of the report have reserved a special warning for the use of bugs and cookies.  Web bugs, (also known as “web beacons, 1 x 1 GIFs” or “invisible GIFs”) are tiny objects embedded on a website.  They are usually invisible being only one pixel square.  Bugs are used for a variety of purposes such as an independent count of website traffic, monitoring “click though” traffic and gathering web browser statistics.  The concern is that a web bug can be used along with a cookie to create a profile of users.  This happens without users knowing anything about it – therefore they cannot give consent.  Recent European legislation has required a warning to users about cookies, but the position on Bugs is less clear.

Overall
Most UK companies seem to be well intentioned, but the translation of that intention is patchy and insufficient attention is being paid to user privacy rights. It will be interesting to discover whether the Enforcement Board manages to change things.

Paul Motion is a partner with Ledingham Chalmers and is the Convener of the Society’s Electronic Commerce Committee. This article represents a personal viewpoint.