POUNDER Chris on 12 May 2008 at 17:49 reported :>
> However, that offence was so widely drafted that it effectively
risked criminalising mundane activities
> such as the passing of personal details to suppliers for business
purposes.
> "Until we see these regulations we do not know the limits of when
the Information Commissioner can raise a penalty."
> "knowingly or recklessly failing to comply with the data protection
principles so as to create a
> substantial risk that damage or distress will be caused to any
person". That call appears to have been
> rejected with the introduction of a monetary penalty notice.
> and that a new criminal offence related to the principles "would be
a disproportionately heavy-handed penalty
> where there has been no intent or wilfulness in the data controller’
s non-compliance".
> and that the criminal courts might "not have the necessary technical
expertise to deal with data issues".
It appears the government are following the same logical processes
data protection practitioners do throughout their working life. I guess
that would all be something to do with the heirarchy of things which
constantly impinge on it. Thank goodness for retirement and the land of
milk and honey which ostensibly facilitates a fuller control of those
airier factors.
History will show what difference if any will exist in the protection
of personal data available under the DPA 1984; DPA 1998 and this
reported additional power. Certainly the indicators continue to exist
that individual privacy will officially continue to become more openly
structured and manageable.
As presented in the original e-mail it seems to have been clearly
stated the government are of the opinion the courts are generally
unable to identify deliberate breaches, and so may be steering a course
away from allowing the courts to determine a structured protection
around those areas of life, unless they are gearing up to train the
courts and improve their knowledge and expertise in those hard areas.
Generally the thrust of this appears as a stark contrast to the heavy-
handed methods generally followed in many other regulatory areas of
complaince by government, so overall, personally this leads me to
question the veracity of committment.
Ian W
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of POUNDER Chris
Sent: 12 May 2008 17:49
To: [log in to unmask]
Subject: [data-protection] Analysis of the power to fine
Information Commissioner gets power to fine for privacy breaches
OUT-LAW News, 12/05/2008
http://www.out-law.com/page-9110
The Information Commissioner has been given the ability to fine
organisations if their operational procedures cause a gross breach of
data protection principles. The move, which had not been expected by
privacy experts, follows a Government defeat in the House of Lords.
The provision is contained in the Criminal Justice and Immigration
Bill. The Lords backed an Opposition amendment to that Bill that would
have made any intentional or reckless disclosure of personal data a
criminal offence, with very few exceptions. However, that offence was
so widely drafted that it effectively risked criminalising mundane
activities such as the passing of personal details to suppliers for
business purposes.
During the debate that introduced that amendment, Lord Hunt of Kings
Heath for the Government argued that the move to introduce the offence
was premature.
Lord Hunt said: "the Cabinet Office is due to publish the findings of
its review into data handling procedures in government which will
describe how the Government have put in place a core set of minimum
mandatory measures to protect information that applies across central
government".
He added that the Government was "committed in principle to the
introduction of new sanctions under the Data Protection Act 1998 for
the most serious breaches of its principles" adding that changes should
only occur "in the light of the recommendations made in the various
reports and reviews we are embarked on at the moment".
Notwithstanding, the Lords passed the amendment by four votes.
Dr Chris Pounder, an information law specialist at Pinsent Masons, the
law firm behind OUT-LAW.COM, and editor of Data Protection Quarterly,
said that vote left the Government with three political choices when
the revised Bill returned to the House of Commons.
"The Government could leave the new criminal offence in the Bill, but
it knew that the offence was controversially wide; it could ask its MPs
to reject the amendment but risk headlines that the Government was
dithering in the face of widespread managerial failings to secure
personal data; or it could make alternative proposals," he said.
The Government chose the latter course of action, a move that has now
gained approval of both Houses of Parliament. As the Criminal Justice
and Immigration Bill is now an Act, these changes are now part of the
Data Protection Act.
"The new powers were not expected," said Dr Pounder. " I suspect
they've come as a surprise to the Information Commissioner as well."
The Information Commissioner now has the ability to serve a "monetary
penalty notice" on a data controller. The power will be exercisable in
circumstances where the Information Commissioner is satisfied that a
data controller has committed a serious contravention of the data
protection principles. The Act contains eight principles .
However, the Commissioner has to be satisfied that the contravention
was either deliberate or that the data controller knew, or ought to
have known, of the contravention risk, and that the contravention would
be likely to cause substantial damage or substantial distress, but he
failed to take reasonable steps to prevent that contravention.
The Commissioner will be able to determine the amount of the monetary
penalty in accordance with guidelines that he will make, albeit the
maximum penalty will be set out in regulations yet to be published by
the Secretary of State. The power will not apply retrospectively. Sums
recovered by the Information Commissioner by monetary penalties will be
payable into the Consolidated Fund, so the Commissioner will not have a
budgetary incentive to pursue those who might have breached the data
protection principles. There will be an Appeal process involving the
Tribunal.
Dr Pounder said some details of the new powers have yet to be
published.
"The Government amendments are paving measures that allow the
Secretary of State to define the nature of the monetary penalty notices
in regulations, he said. "Until we see these regulations we do not know
the limits of when the Information Commissioner can raise a penalty."
"In practice, it is difficult to see how a monetary penalty notice can
be served if an enforcement notice has not been served," he added.
"This means that if there is a serious data protection problem and the
Commissioner wants to hit the pocket of an organisation, then he would
have to serve an enforcement notice as well".
The Information Commissioner had previously called for a new criminal
offence of "knowingly or recklessly failing to comply with the data
protection principles so as to create a substantial risk that damage or
distress will be caused to any person". That call appears to have been
rejected with the introduction of a monetary penalty notice.
In the Commons, the Government said that "criminal liability is
generally reserved for unlawful behaviour that is sufficiently serious
to merit the most stringent liability that the law can impose" and that
a new criminal offence related to the principles "would be a
disproportionately heavy-handed penalty where there has been no intent
or wilfulness in the data controller’s non-compliance".
In addition "Criminal proceedings could result in a costly and time-
consuming process for data controllers and the Commissioner" and that
the criminal courts might "not have the necessary technical expertise
to deal with data issues".
See: Relevant amendments to Criminal Justice and Immigration Bill,
from page 4 (10-page / 99KB PDF)
This email is sent on behalf of Pinsent Masons LLP, a limited
liability partnership registered in England & Wales (registered number:
OC333653) and regulated by the Solicitors Regulation Authority. The
word 'partner', used in relation to the LLP, refers to a member of the
LLP or an employee or consultant of the LLP or any affiliated firm who
has equivalent standing and qualifications. A list of the members of
the LLP, and of those non-members who are designated as partners, is
displayed at the LLP's registered office: CityPoint, One Ropemaker
Street, London EC2Y 9AH, United Kingdom. The contents of this e-mail
and any attachments are confidential to the intended recipient. If you
are not the intended recipient please do not use or publish its
contents, contact Pinsent Masons LLP immediately on +44 (0)20 7418 7000
then delete it. Contracts cannot be concluded with us nor service
effected by email. Emails are not secure and may contain viruses.
Pinsent Masons LLP may monitor traffic data. Further information about
us is available at www.pinsentmasons.com.
_______________________________
How can you protect children online? Find out - http://www.tiscali.co.uk/protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|