No hiding place

It has unquestionably been a landmark year for the Office of the UK Information Commissioner. Previously responsible principally for education on and compliance with the 1998 Data Protection Act, the Commissioner’s remit has effectively doubled since the coming into force of the Freedom of Information Act on 1 January this year. With this in mind, the content of his recently published annual report raises some interesting issues for both businesses and members of the public alike.

The two hats which the Commissioner is now required to wear could at a glance be viewed as having conflicting purposes, the principal goal of data protection being to keep certain information from becoming public, and freedom of information the complete opposite. However, the overall issue is the fair and legitimate control of information, obviously in the nicest possible non-Orwellian way, the key being to balance individuals’ rights to a degree of privacy on one hand with the public’s right to information held by public bodies on the other.

The broad picture

Much of the Commissioner’s report relates to the substantial gearing up necessary in advance of enforcing and overseeing good practice under the Freedom of Information Act, which process involved the approval of nearly 600 publication schemes and the necessary expansion and reorganisation of his staff.

Whilst the Commissioner acknowledges that his office’s experience with complaints and enquiries under freedom of information has been understandably limited, given its very recent introduction, he believes it is already clear that it is making a difference, with a great deal of information having been published which would otherwise never have seen the light of day, and the majority of public sector bodies concerned taking their obligations seriously.

Addressing his office’s experience under data protection, the Commissioner acknowledges that making such a detailed area of law simple to understand is not an easy task, but points out that the basic underlying principles are not complicated, and having now been part of UK law for 21 years, it is increasingly recognised as containing important and inherent rights for individuals.

According to the Commissioner’s office records, the percentage of data controllers aware of people’s rights in respect of personal information held by them has stuck around the 90 per cent mark for the last four years. Despite the fact that this might be perceived as an impressively consistent high level of awareness, the Commissioner’s data protection-related workload increased from 11,700 cases in 2003 to 19,500 in 2004. Though this can mainly be attributed to his beginning to monitor the number of complaints and enquiries from data processors as well as from members of the public, it is still suggestive of a continuing lack of knowledge about the law’s requirements among those responsible for meeting them.

Business sense

In his report, the Commissioner took the opportunity to point out some significant areas of concern for businesses. It is vital for companies, in order to comply with the Data Protection Act, to keep the personal information they hold secure, accurate and up to date, and only for as long as they need it. As the Commissioner points out, it simply “makes good business sense to ensure the information you hold is accurate and up to date (why waste money on sending things to the wrong address?)”

Another concern, according to the Commissioner, is that “sadly, far too often we hear the cry ‘we can’t do this because of data protection’, where lazy or incompetent organisations wish to hide behind a false excuse”. Whilst I would not entirely agree with that analysis, I would concur with his further comment that the law very rarely stops a valid activity altogether, but more often merely regulates how information is handled so that there are no surprises or mistakes. Rather than laziness or incompetence, I suggest that frequently it is a misunderstanding of data protection law itself which is the problem. This can be easily overcome by appropriate training and advice, which need not dip too far into any company’s training budget.

A tragic example of this type was the failure of Lincolnshire Police to preserve and pass on records concerning Soham murderer Ian Huntley, in relation to which there were claims that the records were deleted to comply with the Data Protection Act. These claims were incorrect, as shown by the subsequent Bichard Inquiry, which came to the conclusion that to avoid such problems in the future, the police ought to build data protection requirements into a new code of practice on information management rather than treat it as a separate issue – an approach the Commissioner commends to other data controllers in his report.

Lawyers in his sights

Another more basic point for businesses to be aware of is that many are still failing to notify the Commissioner at all that they are processing data. The Commissioner’s office is not only aware of this, but has been methodically pursuing those who have failed to do so by simply choosing a profession and comparing the Register of Data Controllers against Yellow Pages entries and professional bodies’ memberships.

This practice of targeting certain professions and trades over the last year led, amongst others, to the successful prosecution of a solicitor in the north of England who, in addition to £3,500 of costs, was fined £3,150, subsequently reduced on appeal to £1,000. Indeed, the overall number of successful prosecutions under the Data Protection Act rose from eight to 12 in the last year, and the fines levied have not been insubstantial.

Worryingly for solicitors, the Commissioner also announced in a recent press release that he has launched a specific crackdown on law firms which are consistently failing to meet their obligations under the Data Protection Act, pointing out the staggering statistic that some 3,000 firms have not even notified as data controllers, which number represents over a quarter of all practices in the UK. In the press release, he points out the basic fact that any organisation which enters details about identifiable individuals onto a computer must notify the Information Commissioner’s office, and failure to do so can result in prosecution. The Commissioner has started the process of contacting those firms who have yet to notify to “remind them of their obligations”, but his patience may be wearing thin, as some firms were contacted earlier in the year and many have still not notified.

Practitioners would do well to heed this as a warning, as the £35 cost of notification pales into insignificance when compared with the possible fines for a breach of the Act, not to mention the consequent loss of business from damage to their reputation. It must also be stressed that notification is just the first step, and all data controllers should ensure that they:

• put a compliance policy in place which clearly states how data should be dealt with in line with the eight data protection principles;
• make sure employees are familiar with the policy and trained appropriately;
• communicate with all departments of their business, so that they can manage risk effectively and minimise potential mistakes; and
• carry out regular reviews of procedures and processes which involve personal data to ensure compliance with the Act.

Collaboration still preferred

Also evident from the Commissioner’s report is that, aside from compulsion and prosecution, the Commissioner’s office continues to be involved in many cases where problems between individuals and organisations holding their personal information are resolved through collaboration. Examples range from a bank revising its data protection training for staff to ensure people’s information is not sent to the address of their ex-partner, to obtaining an insurance company’s agreement that it would alter its policy renewal procedures so that customer consent is obtained before using credit card details given under a previous policy, which could well be out of date or not even their own.

It is evident that the Commissioner is becoming increasingly active in his data protection role, as well as embracing his new expanded role on freedom of information, all of which is good news for those who are compliant, but if you’re not up to speed with your obligations you had better beware, as the Information Commissioner is most definitely watching you.

Valerie M Surgenor is an associate with MacRoberts, specialising in IT and privacy law

BEAR IN MIND...

The UK Information Commissioner has a remit covering the Data Protection Act 1998 and the Freedom of Information Act 2000. There is a separate Scottish Information Commissioner, who is responsible for the Freedom of Information (Scotland) Act 2002, but does not have the corresponding jurisdiction under data protection.

The Editor is advised that the Law Society of Scotland’s Technology Committee is scheduled to discuss the Information Commissioner’s current investigation and would be pleased to assist the profession with any queries regarding data protection compliance.