In previous posts I have written about the apparent failure by several MPs to register with the Information Commissioner’s Officer (ICO) for data protection purposes. I have pointed out that a failure by someone to do so in circumstances where they should constitutes a criminal offence. In the last post I related that I had made a Freedom of Information Act (FOIA) request to the IC asking him what he was doing about these potential offences. I have now received the response.
In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the ICO: the power to prosecute lies primarily with the ICO itself. MPs process personal data, and the very large majority properly register this processing (which costs them £35 a year – in contrast to the £500 notification fee for larger data controllers). However, FOI requests over recent months have revealed that several MPs have not only failed to do so, but their failure has continued despite the ICO reminding them of their obligation.
On 10 May I wrote to the ICO, naming the then 22* MPs who had not registered, and asking
Please inform me…
1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed
their notification? (as more than seven months have elapsed I
presume there will be some additional notifications which have
lapsed)
(As for the third question, I was sent a spreadsheet showing (as at 24 May) all MPs and their notification record. (Interestingly, two MPs who have been elected to the House of Commons in the last two years have no registration showing at all – Debbie Abrahams and Louise Mensch)).
As for the second question, the ICO’s reply comes with an attachment showing that – with three exceptions – the 22 MPs in question had all received two reminders (one had received only one reminder, and two – because of a technical glitch – had received none). The reply also came with some explanatory comments to the effect that
it is the responsibility of the Data Controller to assess their data processing at that point and make a determination as to whether notification is still required…We provide a reminder service to notified entities to help them maintain their notification. However, because there are legitimate reasons why many Data Controllers may not need to renew their notification once it expires, we do not actively pursue all 350,000 of our annual renewals.
These points are well-made. However, regarding the first question (what enforcement action had taken place) I was told
no enforcement action has been taken against these MP’s.
By explanation a distinction was drawn between the “reminder” service, and the non-notification enforcement activities of the ICO, and
Our non notification activities are targeted at particularly high risk or under represented groups or sectors.
This seems to suggest that, even where non-notification – a potential criminal offence, remember – by MPs is drawn to the IC’s attention he will not take enforcement action unless MPs form part of a group of data controllers who are being specifically targetted by the ICO.
I’m really struggling with this. I understand the extreme resource pressures the ICO has to cope with, and I even understand that taking action against MPs ((perhaps as far as prosecuting them) is not a very attractive proposition for a sometimes beleaguered regulator, but the evidence points towards named MPs failing persistently to comply with a legal obligation – even when reminded by the regulator. If law makers break the law, and the enforcer turns a blind eye, why would anyone else feel the need to obey that law?
The full request can be seen at http://www.whatdotheyknow.com/request/enforcement_of_section_18_dpa/new
*One of the 22 – Shailesh Vara – appears since to have registered
informationrightsandwrongs 
It puts me in mind of a comment by the late and sometimes lamented Eric Heffer; they’re like a bunch of kippers – two-faced and no guts.
Yet once again, who is watching the watchers – and seemingly twiddling thumbs. At least somebody is watching the watchmen’s watch. Keep up the good work!
Interesting piece.
Its not clear how they could/would actively monitor whether all 650 MPs were constantly notified? The response suggests there are circa 350,000 entries and your criticism is focused on the failure of 22 MPs to be permanently notified – when the response explains its down to the MP to update their notification? What about other elected members, MSP’s etc – would they not also need to be routinely checked/cross referenced?
Would all this be an efficient use of public money? Would a Council take an MP to court to enforce a £35 debt on Council tax, just to send a message out to others?
I recall you previously noted an MP had been prosecuted – was this by the ICO? If so, it suggests they will follow up where appropriate. But it does seem they don’t view a zero tolerance policy as necessary – or perhaps viable? Either way, I’m not sure thats the same as concluding “he will not take enforcement action unless MPs form part of a group of data controllers who are being specifically targetted by the ICO”.
I do agree it appears more could be done here (no entries at all for 2 MPs seems very poor) – but think you might be overstating the extent of the problem.
Tim, I’d be really interested to hear the basis for the “two-faced and no guts comments”. Are you the same Tim Turner who commented elsewhere that “the Information Commissioner shows little willingness to take action against the private sector, and an almost obsessive tendency to fine local government”. Yet today the criticism is essentially the opposite way around. On the brightside, at least you’ve shoe horned another clever quote into a blog.
Well, they certainly could monitor whether all 650 MPs were registered, but, yes, that would means singling them out as a group to be monitored for compliance. I happen to think that members of the Parliament which passed the law which creates the offence would make a pretty sensible choice as a group to be monitored.
I’m afraid the analogy of a £35 debt on Council tax doesn’t wash (even so, I would expect a council to enforce against a non-tax-paying MP, when the non-payment was brazen and had been drawn to the council’s attention on several occasions – wouldn’t you?) Firstly, non-payment of council tax is not a criminal matter, and in any case the potential offence here doesn’t relate to the payment of a £35 fee – it relates to processing personal data without a notification being made on the Information Commissioner’s register. The ICO does initiate prosecutions but the evidence suggests he only does so when the controllers’ non-compliance has come to his attention as part of a campaign targetting certain groups (e.g. estate agents).
I’m just very surprised that since the original FOI request (not made by me, but by John Cross) in September last year, has not led to a reactive response from the ICO, rather than the proactive approach implied by targetting groups.
My original post quoted the Deputy IC saying in 2008, in response to a Daily Mail story about MPs’ non-compliance “It’s a statutory requirement and no one should get away with it. We will write to those people you have identified and remind them very clearly of their obligation under the law to notify. If they haven’t notified us within a reasonable period, or given us a good enough reason why they do not need to, we will consider prosecution, punishable in court by a fine of up to £5,000”. Why’s this not happening now? Is it because John Cross, and I, are not the Daily Mail?
Finally, Tim Turner will probably have his own response for you – but his comment about taking action against the private sector was in the context of fines for data breaches, not in the context of notification.
I’m not suggesting they shouldnt be monitored but infact you are suggesting they should be constantly monitored with a zero tolerance approach. Its fairly clear from the WDTK requests that this sector largely gets round to notifying,hence half of those not notified 6 months ago have now notified.
I understand and agree thats not a great state of affairs but just wonder as a tax payer whether pro actively chasing them is sensible when there are probably huge swathes of other organisations not notified. If over 90% of MPs are notified and only 60% of accountants, then if it was me Id focus my resources on the missing 40%. What about 90% of MPs against 80% of MSPs,where do you put resources in that scenrio?
Obviously the figures are just theoretical illustrations,the point being its not as simple as saying all MPs should be notified all of the time. That was my intention with the Council Tax scenario and likewise I wouldnt expect an MP charged for speeding at 73mph – despite the same could be said they are the law makers etc.
But again I agree having brought some specific examples to their attention previously more targeted work could and should have been done.
P.S. Should have said…”the watchmen’s watcher.”… Sorry
Good post.
In other words the ICO is effectively giving MPs, the creators of our laws, the license to break those same laws.
It not even about routine monitoring. They have been informed/already discovered the breach, they now have very little to monitor.
Always happy to acknowledge a fan, Pete G – hopefully you’ve found my other work elsewhere. However, you’ll forgive me for saying that my comments are entirely consistent – I’m actually and drearily making the same point. The ICO talks big but goes for small targets (two-faced, no guts). Chris Graham’s speeches are impressive and stirring, with an attitude that no stone will be left unturned, no organisation or sector can act with impunity, but the reality is different. Rather than issuing CMPs to big private sector organisations, they go after councils. Rather than prosecuting MPs for non-notification, they do estate agents. They have to concentrate scant resources, and the targets that they choose could be exemplars – big, powerful institutions and individuals whose fate would serve as a lesson for all. Instead, the ICO either thinks that politicians and major corporations really will mend their ways because of punishments meted out to minnows, or they’re currently too scared to take on the big boys. I will be the first to congratulate them if they ever do.
I thought they had previously prosecuted an MP? If thats the case (and Im only taking my lead from an earlier blog so might be mistaken) then that tells me the guts are there. It might be the wrong decision not to target those MPs not currently notified (as indeed the author argues) but accusations of lacking guts and being two faced seem petty,vindicative and frankly misplaced.
Likewise,you may disagree with some of the CMPs. I certainly do. But that doesnt justify the allegation that they ‘go after’ councils. You have argued yourself that private sector organisations dont report security breahces/incidents. By all means criticise the seemingly reactive enforcement policy,but if a council reports a breach deserving of a fine,what would you do, ignore it on the basis you want to get your private sector stats up? That,for me, would really be gutless.
For your allegation to be true you would need to show that 2 very similar scenarios were treated very differently from public/private sector organisation. That might be the case and if so Id be interested to hear more. Or even just explain which particular ‘big private sector organisation’ you think should have receiveded a fine (and why)? But the shock jock quotes dont add much for me.
As far as I know one MP has been prosecuted for failing to notify, and (see my original post) that was under the 1984 DPA. I presume the prosecution was brought by what was then kown as the Data Protection Registrar.
This was a very long time ago.
Pingback: MPs and Data Protection Offences, part etc etc | inforightsandwrongs
Pingback: The Met Police and Data Protection registration | inforightsandwrongs
Pingback: Back to Blacklists | inforightsandwrongs