MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under proposed amendment of data protectionlaws

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of
46 MPs who had not renewed their section 18 DPA registration with
your office. You explained some of the procedure for enforcing the
statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we
do give ample opportunity for the data controller to register. The
legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of
those same MPs have still not registered, more than seven months
later. These are

Z1243695
NIGEL EVANS MP
Z1434043
GAVIN BARWELL
Z1939110
EDWARD LEIGH MP
Z9286519
KHALID MAHMOOD MP
Z1993957
JAMES CLAPPISON MP
Z1102604
ANGUS ROBERTSON MP
Z9256111
JIM SHANNON
Z927838X
DAVID SIMPSON
Z1577500
DAVID BURROWES
Z1538835
PAT DOHERTY MP MLA
Z2134863
MARGARET CURRAN
Z2241138
RACHEL REEVES MP
Z2241519
NIGEL ADAMS
Z2247846
STUART ANDREW
Z9938280
SHAILESH VARA MP
Z2342005
TRISTRAM HUNT
Z1893869
PAUL BERESFORD
Z1903198
CHRISTOPHER CHOPE MP
Z2378834
JESSICA LEE
Z8752516
ERIC JOYCE MP
Z2343491
ZAC GOLDSMITH MP
Z1728512
ADAM HOLLOWAY

I note that in several instances these MPs appear not to have
renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you
normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed
their notification? (as more than seven months have elapsed I
presume there will be some additional notifications which have
lapsed).

I acknowledge that the online register does not guarantee to be
up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts show that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and, the office is underfunded as it is.