In previous posts I have written about the apparent failure by several MPs to register with the Information Commissioner’s Office (ICO) for data protection purposes. I have pointed out that a failure by someone to do so in circumstances where they should constitutes a criminal offence. In the last post I related that I had made a Freedom of Information Act (FOIA) request to the IC asking him what he was doing about these potential offences. I have now received the response.
In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the ICO: the power to prosecute lies primarily with the ICO itself. MPs process personal data, and the very large majority properly register this processing (which costs them £35 a year – in contrast to the £500 notification fee for larger data controllers). However, FOI requests over recent months have revealed that several MPs have not only failed to do so, but their failure has continued despite the ICO reminding them of their obligation.
On 10 May I wrote to the ICO, naming the then 22* MPs who had not registered, and asking
Please inform me…
1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have
(As for the third question, I was sent a spreadsheet showing (as at 24 May) all MPs and their notification record. (Interestingly, two MPs who have been elected to the House of Commons in the last two years have no registration showing at all – Debbie Abrahams and Louise Mensch)).
As for the second question, the ICO’s reply comes with an attachment showing that – with three exceptions – the 22 MPs in question had all received two reminders (one had received only one reminder, and two – because of a technical glitch – had received none). The reply also came with some explanatory comments to the effect that
it is the responsibility of the Data Controller to assess their data processing at that point and make a determination as to whether notification is still required…We provide a reminder service to notified entities to help them maintain their notification. However, because there are legitimate reasons why many Data Controllers may not need to renew their notification once it expires, we do not actively pursue all 350,000 of our annual renewals.
These points are well-made. However, regarding the first question (what enforcement action had taken place) I was told
no enforcement action has been taken against these MP’s.
By explanation a distinction was drawn between the “reminder” service, and the non-notification enforcement activities of the ICO, and
Our non notification activities are targeted at particularly high risk or under represented groups or sectors.
This seems to suggest that, even where non-notification – a potential criminal offence, remember – by MPs is drawn to the IC’s attention he will not take enforcement action unless MPs form part of a group of data controllers who are being specifically targeted by the ICO.
I’m really struggling with this. I understand the extreme resource pressures the ICO has to cope with, and I even understand that taking action against MPs (perhaps as far as prosecuting them) is not a very attractive proposition for a sometimes beleaguered regulator, but the evidence points towards named MPs failing persistently to comply with a legal obligation – even when reminded by the regulator. If law makers break the law, and the enforcer turns a blind eye, why would anyone else feel the need to obey that law?
The full request can be seen at http://www.whatdotheyknow.com/request/enforcement_of_section_18_dpa/new
*One of the 22 – Shailesh Vara – appears since to have registered