When does a DPA breach get an IC stare?
The Information Commissioner has announced an increased focus on serious data protection offenders in its latest strategy document, reflecting its policy of taking a "targeted, risk-driven approach". Instead of routine enforcement, the IC's office will concentrate on areas of deliberate and persistent flouting of data protection laws and where individuals are seriously prejudiced by the breaches. Launching the new strategy, Deputy Information Commissioner David Smith stated:
"Regulatory action will focus on those whose failure to comply with data protection results in serious consequences, either serious (perhaps career-threatening) harm to one individual, or less serious harm to many people. Other criteria for taking action includes deliberate, willful or cavalier conduct, or the need to set an example or clarify the law. We will be devoting less attention to minor or technical breaches where the consequence is less serious, because this will enable us to concentrate on abuses of significant public concern, especially where those responsible have been warned, or must know, that they are breaking the law."
This announcement comes as no surprise and reflects the IC's existing approach to enforcement. Though he has a number of powers (ranging from investigations and cautions to enforcement notices, injunctions and criminal prosecutions), the majority of tribunal decisions have involved large-scale breaches of the Data Protection Act (often involving direct marketing). When HFC Bank inadvertantly disclosed the email addresses of 2,600 customers last year, the IC decided not to act, presumably on the basis that HFC had apologised, given £50 to each customer, and contacted the IC immediately to admit the breach and try to rectify the situation. This reflects the IC's policy of intervening only where necessary.
The IC's announcement should not encourage small-scale offenders to ignore their obligations, however; there remains the risk of civil action from individuals for losses caused by breaches of the Act and the possibility of bad publicity for bad data handling practices. In addition, the IC will continue to act against those deliberately flouting their obligations or where it wants to make an example of someone.
I can't help wondering whether this has been a response to European Commission criticism last year of the UK's enforcement regime. If it is I don't believe that this strategic review will necessarily be enough and we may be in for a change in the law concerning enforcement.
Posted by: Des | November 25, 2005 at 05:51 PM