New scrutiny on data laws

Cross-government calls for the review of data protection procedures

The Lords committee called for greater powers for the ICO

The UK’s information security laws have come under debate across government as the issue of data protection rises up the political agenda.

A Conservative Party policy review last week recommended the repeal of the ‘expensive bureaucracy’ surrounding the Data Protection Act (DPA).

But a House of Lords committee on personal internet security has called for the government to increase the powers and effectiveness of the Information Commissioner’s Office (ICO), as well as introduce a law forcing firms to reveal breaches of data security.

The Earl of Erroll, who sits on the Lords’ science and technology committee, said the issues are all related.

‘The DPA doesn’t need a lot of tweaking, but there may be a lot of meaningless red tape that has grown up around it. At the same time the ICO does need to have more power,’ he said.

Current enforcement procedures are bureaucratic. A first-time offender must sign an undertaking to comply with the DPA; only if a second offence occurs can the ICO take action.

But this is an issue the data protection watchdog is trying to address and does not necessarily require legislative changes, said Louise Townsend, senior associate at law firm Pinsent Masons.

‘The ICO fleshes out how the Act is applied. The commissioner has already been proactive trying to engender a shift away from being unduly restrictive,’ she said.

The ICO has recently replaced a set of technical rules on data sharing with principles-based guidelines in an effort to ease the cost of compliance for business.

The Tory review quoted a figure of £2.3bn for the annual cost of data protection to UK firms, though this figure came from a 1998 Regulatory Impact Assessment document. A 2006 Department of Constitutional Affairs report put the price at £0.67bn.

The Ministry for Justice said the mechanisms which regulate and protect use of personal information are under continuous review.

‘As and when necessary we review with the commissioner his powers and protection to ensure they meet the needs of any developing policy,’ said a spokeswoman.

UPDATE: 28th August 2007

The Conservatives have admitted an 'error' in their figures.

'The correct recurring cost figure for the Data Protection Act is £667m (BCC’s Burdens Barometer 2006) but the figure actually used, wrongly, refers to the Working Time Regulations 1999,' said a spokesman.