The Data Protection Act 1998 contains a lot of obligations, some requiring substantive thought and effort to ensure compliance.
On the other hand, some of the obligations are more straightforward, such as the obligation to register with the Information Commissioner if you are a data controller. It costs £35 (per year) and, once you've worked out what activities you need to declare, probably takes about ten minutes to fill in the form. Failure to register as a data controller is a criminal offence, assuming you are a data controller.
Two London-based solicitors, however, have failed to comply with this most basic of requirements, despite repeated warnings from the Information Commissioner. As a result they have been named, shamed and fined £815 each.
This little episode shows three things to the world at large: if you process data you need to think about data protection; the Information Commissioner is not completely toothless; and solicitors are not above the law. Whilst the fines are not exactly gargantuan in scale, the potential loss of reputation for individuals who are trusted with personal data could be significant.
This naming and shaming can only be a good thing and arguably doesn't go nearly far enough. Solicitors, particularly, should be held out as the acme of how data controllers should operate. If they can't be trusted to operate within the confines of the DPA with client information, there's little or no hope for an ordinary company to. It's going to take a lot more of these types of fines to raise the profile of the problem. After all, accumulated cases of small lapses of proper procedure that result in the loss of personal information are just as serious as the larger fiascoes that hit the headlines. Proper compliance with the DPA is a logical starting point to promote a culture where personal data, and its loss, is taken much more seriously.
Posted by: Michael | March 13, 2008 at 01:51 PM