Information Commissioner sets priorities for Data Protection enforcement
The Information Commissioner's Office has today (22 November 2005) launched a new Enforcement Strategy, which targets organisations that deliberately or persistently ignore their obligations under the Data Protection Act 1998.
Newly-appointed Deputy Information Commissioner, David Smith, unveiled the ICO's Regulatory Action Strategy today. He said: “A central duty of the Information Commissioner's Office is to ensure that personal information is properly protected. The majority of organisations recognise that keeping relevant, accurate and up to date records makes good business sense and we want to make it as easy as possible for them to follow the law. However, we will be targeting the minority who cause real harm when they flout their data protection obligations.”
The powers of regulatory action include criminal prosecution, civil enforcement and audit. The action the Information Commissioner's Office takes will be consistent with the five principles of good regulation, established by the Better Regulation Task Force. The new risk-based approach is also in line with the recommendations of the Hampton Review, which concluded that high risk businesses should face a greater burden of enforcement than those with the best records of compliance.
Mr Smith added: “Regulatory action will focus on those whose failure to comply with data protection results in serious consequences, either serious (perhaps career-threatening) harm to one individual, or less serious harm to many people. Other criteria for taking action includes deliberate, willful or cavalier conduct, or the need to set an example or clarify the law. We will be devoting less attention to minor or technical breaches where the consequence is less serious, because this will enable us to concentrate on abuses of significant public concern, especially where those responsible have been warned, or must know, that they are breaking the law.
“We will not place unreasonable demands on businesses selected for attention, but in return we will expect them to co-operate with us. Negotiation will continue to be our first option but businesses should be warned that we will not hesitate to take legal action where necessary. Such action will always be proportionate to the mischief it seeks to address.”
Next Steps? Read the UK Information Commissioner's
A Strategy for Data Protection Regulatory Action
Tell us what the new tough attitude means to you.