The Information Commissioner has published an enforcement strategy setting out a new and more pro-active policy for following up on breaches of the Data Protection Act 1998. Collection of data on websites has been singled out as one area requiring particular scrutiny, following on from the survey conducted on the Information Commissioner's behalf earlier this year. Online businesses need to be more attentive to compliance than ever when collecting and processing information about customers and potential customers online.
The Commissioner has announced the setting up of a new Enforcement Board and Enforcement Team. The move heralds a more pro-active stance in terms of investigating and prosecuting breaches of the Data Protection Act 1998. Hitherto, the Commissioner's approach to enforcement has been re-active, prompted by formal complaints against businesses by members of the public.
The strategy document highlights the need for the Commissioner's office to initiate enforcement action in response to a range of factors beyond formal requests for assessment. These could include issues which have come to the Commissioner's attention through enquiries from the public, through consultation, through the passage of proposed legislation and from issues thrown up by technological developments.
So, in the future, initiatives such as the recent study into website compliance with the Data Protection Act will be an important source of enforcement actions. See this article on compliance and this article on the website watchdog. Indeed, this particular issue will be high on the agenda of the Commission's newly-formed Enforcement Team.
The New Enforcement Board and Team
The structure behind the new policy will comprise a new Enforcement Board and Team. The Enforcement Board will be made up of the Information Commissioner (who from 1st December will be Elizabeth France's replacement Richard Taylor), both Deputy Commissioners, two Assistant Commissioners and the Head of Investigations.
The functions of the Enforcement Board are as follows:
- to identify compliance issues warranting investigation and formulate and manage a strategic programme of investigation with a view to consideration of formal enforcement; and
- to consider prospective enforcement activity and make recommendations to the Commissioner.
The role of the Enforcement Team is as follows:
- to carry out the programme of investigation devised by the Enforcement Board and to pursue any resulting enforcement action;
- to identify additional areas of non-compliance that may be investigated through working closely with compliance teams; and
- to provide administrative support to the Enforcement Board.
The Enforcement Team will be made up of staff drawn from the Commissioner's Compliance, Investigations and Legal departments.
Priorities For Enforcement Action
At its first meeting on 12th July, the Enforcement Board identified two priority areas of investigation for the current financial year (i.e. up to 31 March 2003) as follows:
- compliance issues arising out of the Website Compliance Study (see this Olswang article);
- issues surrounding the exercise of the right of subject access to manual records (under section 7 of the Act) since 24 October 2001, held by Central Government Departments.
Businesses which use their websites to gather information about customers and prospective customers now need to be more attentive to compliance than ever.
For more information please contact a member of the E-Commerce or Data Protection teams.