On 20 November 2007, to gasps from the House of Commons, the Chancellor of the Exchequer announced that HM Revenue and Customs (HMRC) had lost two CDs containing a copy of its entire child benefit database, covering some 25 million individuals. This is one of the largest ever breaches of personal information security, anywhere in the world.
The resulting vigorous public debate about the way that government and major organisations handle our personal information still rages on.
The Data Protection Act
English law, notoriously, has no general right to privacy – although, as a by-product of article 8 of the European Convention on Human Rights, there is a developing cause of action for misuse of private information. Privacy protection remains piecemeal. The Data Protection Act 1998 (DPA 1998) plays an important role, but it is not the best-loved piece of legislation on the statute book: too many organisations use data protection as an excuse for petty obstructiveness.
In August last year a Conservative party policy group (co-chaired by John Redwood) suggested that the Act should be repealed, and that we should instead rely on “the general law of privacy” and codes of practice. This is not a proposal that is likely to be repeated. Post-HMRC the debate has been about strengthening DPA 1998, not abolishing it.
The Act’s critics have some good points to make. The Act is cumbersome and hard to navigate. It reflects a world where computers were large and free-standing items of equipment, rather than being mobile components of a ubiquitous digital network.
The eight data protection principles around which the Act is structured make good sense: personal information should be collected and used for specific purposes, should not be excessive in relation to those purposes, should be protected by appropriate technical and organisational security measures, and so forth. The penalties for breach, however, are modest.
Contrast the position of organisations regulated by the Financial Services Authority (FSA): Nationwide was fined £980,000 by the FSA in February last year for breaches of data security.
One possible approach is to give wider powers to the Information Commissioner (the statutory regulator): for instance, he could be enabled to carry out spot checks on data controllers to monitor compliance with the Act, regardless of whether there is evidence of breach.
A second possibility is to make it easier for individuals to enforce their rights under DPA 1998. At present, individuals can ask the Information Commissioner to assess whether the Act has been breached; but if they are dissatisfied with the outcome then their only recourse is to the ordinary courts, where they risk ruinous costs liabilities if they lose.
Meanwhile, data controllers wishing to dispute enforcement action taken against them by the Commissioner can appeal to the specialist Information Tribunal – which offers quicker, simpler procedures, and rarely awards costs against unsuccessful parties.
An enhanced role for the Information Tribunal – allowing it to hear claims brought by individuals – is well worth considering. A third and more far-reaching suggestion was put forward in August 2007, in a report by the House of Lords Science and Technology Committee.
The report recommended that a data security breach notification law should be introduced, requiring data controllers to inform individuals whenever the security of their personal information was compromised. Many US states have enacted similar legislation.
Before the HMRC disaster became public knowledge, the Government had already announced a major review of the protection of personal information, to be carried out by Richard Thomas (the Information Commissioner) and Mark Walport (director of the Wellcome Trust). In this respect, if no other, the Government’s timing has been impeccable.
Public trust in the Government’s ability to protect personal information has been severely damaged. Yet at the same time a number of major Government initiatives (and not simply the ID cards project) depend on the storage of large amounts of personal information. If public trust is to be restored, urgent action is now required.
Timothy Pitt-Payne is a barrister at 11 Kings Bench Walk