Data protection: where are the fines?

Regular readers of this blog (thank you!) will know that we consider the Information Commissioner’s lack of enforcement and regulatory powers to be a serious deficiency in the UK’s data protection and privacy law.

To emphasise the point yet again, the Information Commissioner has published details of the enforcement notices issued against 14 construction companies arising out of the misuse of personal data collected and sold by Ian Kerr trading as the Consulting Association. There are some big names listed in the Information Commissioner’s press release. The enforcement notices demand that the construction companies stop using Ian Kerr personal data, and comply with certain obligations that they already had under the Data Protection Act 1998.

Despite these serious breaches, there are no fines or compensation orders, as the Information Commissioner does not have the power to award fines or make orders. Have the construction companies got away with their blatant breach of the Data Protection Act 1998? Perhaps, but at least the enforcement notices contain an interesting final warning. In setting out in the notices that the construction companies must comply with certain data protection obligations, the Information Commissioner has ensured that any further breach of these obligations would also be a breach of the relevant enforcement notice.

Breach of an enforcement notice is a criminal offence. In addition, where that offence “has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly” (section 61(1) of the Data Protection Act 1998).

The officers of the 14 construction companies subject to these Ian Kerr enforcement notices ought to bear this in mind.

Information Commissioner hates lawyers?

We think the Information Commissioner has been reading too much Shakespeare, particularly Henry VI (Part 2).  One of the most cited quotes from the play is, of course:

“The first thing we do, let’s kill all the lawyers”. – (Act IV, Scene II).

Why do we say this? Look at the ICO press releases for this year. From these press releases, which industry sector would you consider to be the most in breach of the Data Protection Act 1998? You’d have to say law firms, given that four of them have been prosecuted as against only one other company, The Consulting Association. Is this right, given that at the moment public authorities seem to be doing a spectacular job of losing personal data on almost a daily basis?

It’s a Friday before a Bank Holiday. Most lawyers in UK law firms will be looking forward to a rest after a busy week (traditionally law firms’ financial year end is 30 April). So perhaps this post should be in the category “tired and emotional”!

Enjoy the weekend.  Even the weather forecast is quite good!

Snooping and vetting

At Charles Russell we have a generic data protection email address – feel free to drop us a question for a short, informal reply:
dataprotection@charlesrussell.co.uk.

So it’s a little ironic that, in the week of the Ian Kerr Enforcement Notice (concerning an unlawful personnel vetting service – see ICO press release here), our dataprotection email box is getting filled with spam containing this:

Spam Vetting Service

Needless to say, we won’t be using this service.