In 2000 the then Minister for London, Keith Hill MP, was prosecuted under the Data Protection Act 1984. He was fined £200 with £500 costs for an offence which the Daily Mail (so it must be true) says was “non-notification”. (I’ve tried hard to find more about Hill’s conviction – but even a contemporaneous Evening Standard story does not mention specific offences: if anyone knows or recalls more I’ll happily amend this post. For the time being, I’m proceeding on the assumption that the Mail is correct.)
Under the successor act, our current Data Protection Act 1998 (DPA), similar obligations and a similar offence exist. Section 17 states in broad terms that a data controller (a person who solely or jointly “determines the purposes for which and the manner in which any personal data are, or are to be, processed”) must not process personal data unless “an entry in respect of the data controller is included in the register maintained by the [Information] Commissioner” (IC). Accordingly (under section 18) a data controller must make a notification to the IC stating (again in broad terms) what data it is processing and for what purposes, and must pay a fee of either £35 or £500 (depending on the size of the organisation which is the controller). Section 19 describes the register itself and also provides that registration lasts for twelve months, after which a renewed notification must be made, with payment of a further fee.
Section 21 creates an offence the elements of which will be made out if a data controller processes personal data without an entry being made in the register. Thus, if a data controller processes personal data and has not notified the IC either initially or at the point of renewal, that controller will be likely to have committed a criminal offence (there is a defence if the controller can show that he exercised all due diligence to comply with the duty).
In 2008 the Mail reported that eleven government ministers were “flounting” (whatever that might mean – one presumes the sub meant “flouting”) the DPA by not having notified, or renewed notification of, their processing to the IC. The Deputy IC said at the time
It’s a statutory requirement and no one should get away with it. We will write to those people you have identified and remind them very clearly of their obligation under the law to notify. If they haven’t notified us within a reasonable period, or given us a good enough reason why they do not need to, we will consider prosecution, punishable in court by a fine of up to £5,000.
Well, it’s still a statutory requirement, still a criminal offence not to comply with that requirement and the sentence is still a maximum fine of £5000.
Bear this in mind when you learn that, currently (as at 24 October), 46 MPs have either failed to notify or failed to renew their notification. The worst example is one MP who has not renewed his notification since 1 July 2010. This is despite the fact that the IC has a policy of gently reminding such controllers that their processing may be criminally unlawful. I say “despite”, but perhaps I should say “because”. The IC’s policy appears to be to remind controllers three times:
…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.
No one realistically expects any prosecutor always to take a zero-tolerance approach, but notification is the very first step a data controller should take before processing personal data. Any processing which takes place without notification is, in strict but very clear terms, unlawful. The first thing I advise people who have a gripe about a data protection matter is to check whether the controller has made a notification. If it hasn’t you’ve won your fight with the first punch. And if nothing else, failure to notify is a strong indication that the data controller might not have the greatest respect for the personal data it is processing, and might also indicate other areas of non-compliance.
The IC is in a tricky statutory position. He is both the enforcer and, by virtue of section 51, the educator under the DPA. He can prosecute offences, but he must also promote the following of good practice by data controllers. However, he has other options open to him which are stronger than a gentle reminder but which fall short of prosecution. He can, of course, issue a caution under criminal law, but he can also issue an enforcement notice under section 40, which is a formal notice requiring the controller to take the action specified in the notice in order to bring about compliance with the Act. Another measure he can propose is a consensual audit of the controller’s processing (and, if he had his way, he would be able to require compulsory audits of all controllers). It would be interesting to know if he has used any of these options when data controllers have shown little regard for the need to notify.
All this is me leading up to making the point that a failure by a significant number of MPs to comply with a statutory requirement under the DPA is not a minor issue. Mr Walsh, for the IC, says:
In general terms, we have found that Data Controllers usually do renew their notification as a result of our reminders. This appears to be reflected in the relatively high proportion of MPs who are notified.
I would argue the opposite: 46 out of 650 means that 7% of the members of the parliament which passed the DPA appear to treat it in such a cavalier manner that they don’t consider it necessary to ensure that their registration is up to date, despite the fact that failure to do this can amount to a criminal offence. And the regulator responsible for ensuring compliance with the DPA, and for enforcing its provisions, seems quite happy to allow this to continue.
p.s. I must give credit to John Cross, who blogs at confirmordeny.org.uk for getting this information disclosed by the IC.