Regular readers of this blog (thank you!) will know that we consider the Information Commissioner’s lack of enforcement and regulatory powers to be a serious deficiency in the UK’s data protection and privacy law.
To emphasise the point yet again, the Information Commissioner has published details of the enforcement notices issued against 14 construction companies arising out of the misuse of personal data collected and sold by Ian Kerr trading as the Consulting Association. There are some big names listed in the Information Commissioner’s press release. The enforcement notices demand that the construction companies stop using Ian Kerr personal data, and comply with certain obligations that they already had under the Data Protection Act 1998.
Despite these serious breaches, there are no fines or compensation orders, as the Information Commissioner does not have the power to award fines or make orders. Have the construction companies got away with their blatant breach of the Data Protection Act 1998? Perhaps, but at least the enforcement notices contain an interesting final warning. In setting out in the notices that the construction companies must comply with certain data protection obligations, the Information Commissioner has ensured that any further breach of these obligations would also be a breach of the relevant enforcement notice.
Breach of an enforcement notice is a criminal offence. In addition, where that offence “has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly” (section 61(1) of the Data Protection Act 1998).
The officers of the 14 construction companies subject to these Ian Kerr enforcement notices ought to bear this in mind.