We have just published on the website our response to the Government’s consultation on the Directive. However, in our response we have identified the issues in the context of the Data Protection Act 1998 so readers can see what the main problems are.
- There should be an extension of the Accessible Records definition to include employment records so that manual information on employees gains full protection from the Act. This would close an obvious loophole at a time when public and private sector organisations are facing difficult economic times and are likely to shed staff.
- The definition should include the situation where the data subject can provide the identification details that the data controller lacks. This change is relevant to the question of whether or not IP addresses, URLs etc. should be treated as personal data and places the data subject in control over his own privacy when using the internet.
- The definition should be changed to remove all the confusion caused by Durant. This can be done by removing the reference to the text that relates to “opinions” and “intentions”.
- Re sensitive personal data/biometrics: two Courts have concluded that photographs of data subjects are likely to be sensitive personal data as they display racial features (e.g. skin colour). The proposed change ensures that to be sensitive personal data, there has to be a processing objective to reveal something about an individual’s health, race etc. The change is also useful in the determination of whether or not an individual’s biometric is sensitive personal data.
- Re Notification/Accountability Principle: The bureaucracy can be simplified, used far more constructively to promote Codes of Practice, provide a more meaningful description of purposes and disclosures to Recipients, and can also be used to regulate an Accountability Principle.
- Re the 1st and 6th Data Protection Principles: the Sixth Principle should be used to explicitly link the Data Protection Act with Article 8 of the Human Rights Act. In this way, the Information Commissioner should be able to use his powers in cases such as assessing whether the retention of personal data on a national DNA database is lawful.
- New Powers of the Commissioner. There needs to be a mechanism where the Commissioner can serve an administrative notice (a “Data Protection Practice Notice”) requiring a data controller to take certain steps by a certain time to ensure that any processing of personal data is in accordance with the Act. The data controller has the right of appeal to the Tribunal against the Notice and the data subject has a limited right of appeal to the Tribunal against the ICO’s decision not to serve a Notice. This mechanism is modelled on the FOI Decision Notice regime.
- New Powers of the Commissioner: The Information Commissioner should have the discretion, subject to appeal to the Tribunal, to be able to recover the costs associated with any Audit or Notice he issues. If we expect the Commissioner to protect individuals, then he should not be financially penalised when he does. In a time of austerity, this is especially important.
- Re the National Security exemption (Section 28 of the Act). The exemption should be changed to allow a Tribunal to hear the Commissioner’s case if he raises a matter of substantial public interest concerning the application of the national security exemption.
- Re the merging of Regulators: The Government should explore whether there are savings to be made, and privacy benefits to be gained, in merging the office of the Information Commissioner, Interception of Communications Commissioner, Surveillance Commissioner and the privacy interests of the Human Rights Commission and Financial Services Authority.
References: Changes to the Data Protection Directive 95/46/EC – 2010. The document contains comments on how to improve the Data Protection Act 1998, and provides several references as to how the legislation can be improved without waiting for agreement on a revised form of Directive 95/46/EC: http://www.amberhawk.com/policydoc.asp