Following up a post from last year, it appears that some MPs continue to flout their legal obligations under the Data Protection Act, potentially committing a criminal offence, and that the ICO doesn’t seem to be taking action. I’m happy to be told otherwise.
Back in November last year I blogged on the fact that 46 MPs had apparently failed to comply with their statutory obligation to notify the Information Commissioner of their status as a processor of personal data. In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the Information Commissioner (ICO). Although there are rumours that the obligation to register will be removed when the DPA is ultimately amended or repealed, following the enactment of the European Data Protection Regulation (currently in draft), all the relevant provisions are very much still in force.
At the time the ICO said
…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.
Well, I’ve just checked that list of 46 MPs who had not renewed their registration as at October last year, and, according to the register (which I stress is, as the ICO says, not necessarily absolutely up-to-date), 22 of them still haven’t (bear in mind as well that there may well be others whose registration has lapsed in the interim). Most of those 22 are those whose registration has lapsed for longest. The worst apparent example is one MP who has not renewed his registration since July 2010! That is potentially almost two years of illegal processing of personal data.
It is not as though the ICO never exercises his prosecution powers for non-registration. He certainly does – and has a “non-notification team” to deal with this sort of thing (although the last prosecution I can find was in March last year).
My checking was prompted by an exchange on twitter with Alistair Sloan, who made enquiries of the ICO about registrations by Members of the Scottish Parliament, and by the Respect Party. Alistair was told
Our Non-Notification Team, part of our Enforcement Department, have confirmed that the ICO has not contacted any members of the Scottish Parliament since 5th May 2011 in connection with Notification under the Data Protection Act 1998 (the DPA). Whilst this Team did work on a project which involved contacting MSP’s to remind them of the notification requirements under Part III of the DPA, this project took place some time before the date you have specified of 5 May 2011.
and
Having conducted thorough searches of our notification records we have been unable to find any register entry, either current or one which has lapsed, in the name of the Respect Party. Therefore, it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004.
but
all of the issues you have raised in respect of the notification status of the data controllers… above have been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances
One assumes that the “further action” will be reminders. If the Respect Party now registers, I think it’s highly unlikely the ICO will take retrospective action for the seven-and-a-half years when it failed to do so. As it is, reminders appear to have failed to move 22 MPs to comply with their legal obligations, and no apparent action is being taken against them (I would love the ICO to correct me on this). One can’t avoid asking what sort of enforcement, what sort of deterrent is this?
Well said. There is something unbecoming about a regulator who is willing to make an example out of a solicitor or an estate agent, but lets politicians off the hook. There are ICO people – still in the same senior positions as when I worked there long ago – who think that everything can be smoothed over with a policy or a meeting, a bit of friendly persuasion. For those who that works on, fair play. For those who don’t, there should only be the big stick, and no excuses.
Good point. My husband’s employers flouted the DPA by asking a member of staff to view and secretly copy his private Facebook page. The Information Commissioner ruled that their dissemination and storage of this data (without purpose) was a likely breach of the DPA but unless we go through a court process for damages there is no incentive for change. There doesn’t seem to be any way to enforce this Act. The employer has simply said they have a policy on data protection and will read the ICO’s recommendations.