JULY / AUGUST 2008

United Kingdom: Data protection set to get tougher


Bristows, London

The Data Protection Act has been headline news in the past year or so. Various committees and independent reviews are investigating recent breaches of data security and in particular HM Revenue & Customs' loss of data reportedly comprising the banking details of 25 million recipients of child benefit. This was not an isolated incident, with many losses of data and breaches of the data protection requirements uncovered in the private and public sectors since that time. Unsurprisingly there have been numerous calls for a tightening up of the law and for more powers for the UK's enforcement body, the Information Commissioner's Office (ICO).

The powers of the ICO have been considered by various reviews and committees and several reports are expected this year. However, we already know much of what the ICO would like in terms of increased powers and penalties and some have already been introduced since the HMRC incident.

In December 2007, the ICO published what amounts to a shopping list of changes it would like to see made to the Act, and its views on why these changes need to be made. In November 2007, the prime minister gave an indication that the ICO's powers would be increased with the power to spot-check government departments. The ICO has publicly called for this audit power to cover all organizations, including private ones. It seems likely that should the government seek to change the legislation, the audit power would be extended to the public and private sectors.

A requirement to report data handling breaches is another likely addition to the Act should legislative change be tabled by the government. One difficulty with such legislation is defining the requirement to report so as not to require every single minor matter to be reported, which would make the system practically speaking unworkable. However, similar legislation is already in place in around 40 states in the US, and the European Commission has proposed that such requirements be introduced in Europe.

In addition to these proposals seeking to improve the security of data handling, two changes to the penalties for breaching the data protection rules have recently been made by the Criminal Justice and Immigration Act 2008, passed on May 8. First, this Act provides a mechanism for increasing the penalties available under section 55 of the Data Protection Act, which makes it an offence to disclose, obtain or procure the disclosure of personal information knowingly or recklessly without the consent of the data controller. The maximum penalty for an offence under section 55 can be increased by the Secretary of State up to a maximum of two years' imprisonment for a conviction on indictment.

The second change, brought in as new section 55A, is perhaps more controversial and concerns a new monetary penalty for data controllers who recklessly or repeatedly allow significant data breaches. It has the potential to provide a more powerful enforcement tool to the ICO, because at present a two-stage enforcement approach must be adopted, and data controllers can only be subject to criminal proceedings for breach of an enforcement notice. It will be some time before the true scope of the new power is clear. However, with calls for enhanced powers for the ICO from both the Information Commissioner himself and from a number of heavyweight committees, it seems likely that these changes herald a general tightening up of the UK's data protection regime with other new means of enforcement to come.

 
Ewan Nettleton and Ian Turner

Bristows
100 Victoria Embankment
London
EC4Y 0DH
United Kingdom
Tel: +44 20 7400 8000
Fax: +44 20 7400 8050
DX: 269 Chancery Lane
info@bristows.com 
www.bristows.com


