Friday, 3 September 2010

Privacy - UK regulator's response to government on data protection laws

I notice the UK Information Commissioner's Office has put up a response to the Ministry of Justice's call for evidence on how well current UK data protection laws are working - the consultation was only issued in July with an October closing date.

The ICO's response is, surprisingly (or perhaps not), very brief. Their points (emphasis added):

  • The current data protection principles are sound, but the law needs to achieve greater clarity of purpose and presentation. The principle of ‘privacy by design’ should be incorporated.
  • The law must provide greater clarity about what is personal data, with a more contextual approach to the sensitivity of information.
  • The law must be clearer about when consent is needed and what this involves.
  • The approach the law takes to the responsibilities of data controllers and data processors should better reflect modern business relationships.
  • The law needs more realistic rules for international data flows.
  • The law needs to be more in tune with the freedom of information regime and to recognise the impact of modern technology on what private individuals do with personal information.
Given that the point of the consultation was to help inform the UK's position in negotiating future reforms of the EU Data Protection Directive, which have been postponed to late 2011 anyway, I expect nothing much is going to happen for a long time.

Still, it's interesting and useful to see a summary of what the UK privacy regulator considers are the most important issues with the current law.

There's one major issue they've not mentioned, which I've stressed before in the PETs context: monitoring/enforcement - perhaps because they think it's more to do with money and/or internal issues within the ICO rather than the law?

It seems to me there's a need to beef up monitoring and enforcement, e.g. by increasing powers and by the government providing more resources to the ICO; certainly by the ICO using its teeth properly, giving those who breach data protection requirements at least a nip. Continued teeth baring really isn't good enough; there's no point barking if people think you're never going to bite. (To expand on Commissioner Reding's excellent quote: "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement"!)

Lest anyone raises the recent £2.275 million fine imposed on Zurich Insurance for data losses (reported by e.g. ComputerWeekly and Out-Law), that was levied by the Financial Services Authority - not the ICO.

See also European Data Protection Supervisor Peter Hustinx's views on reform of the Data Protection Directive and the collective EU data protection regulators' views on the future of privacy.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.