The Information Commissioner – a toothless wonder


The fact that two CDs with 24 million names have been lost by HM Revenue and Customs is not really surprising. Everyone knows how incompetent government departments are. A good day for the superannuated time servers who staff these machine bureaucracies means never having to say you are sorry.

The BBC’s website is now reporting that (surprise, surprise) the discs containing our personal data are definitely maybe still on government premises. Call me cynical, but I suspect they will be ‘found’ within the next 48 hours. So some low-ranking clerical officer has been suspended pending disciplinary action and HMRC Chairman Paul Gray has resigned, but this is not good enough. If this happened in industry the whole senior management team would have to go.

With England losing their crucial European Cup qualifier, Mr. Darling and the senior management team at HMRC must be breathing collective sighs of relief as the heat moves to Steve McClaren and the thirteen muppets who played for England last night.

Very little of the coverage has focussed on the legislation or the potential litigation which might follow in the wake of this blunder. We are supposed to have laws requiring organisations in the public and private sector to treat personal data securely. The Data Protection Act 1998 came into force on 1 March 2000. Under this Act, anyone processing personal information must comply with eight principles of good information handling.

The eight principles state that the data must be: fairly and lawfully processed; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept longer than necessary; processed in accordance with the individual’s rights; secure; and not transferred to countries outside the European Economic Area, unless there is adequate protection.

Data is defined as information which is about a living person which affects that person’s privacy in the sense that it has the person as its focus or is otherwise biographical in nature. It must also be held in a ‘relevant filing system’. Although there is currently much debate about the definition of ‘a relevant filing system’ there is no doubt that this data was held in such a system.

Individuals and organisations can, in theory, be held liable for infringing these eight principles, but the problem is that the Information Commissioner’s Office, the agency responsible for enforcing data protection in the United Kingdom, is virtually toothless. They are understaffed and currently unable to undertake unannounced inspections or audits. The data has certainly not been lawfully processed as defined under the DPA (processing means obtaining, recording or holding information, or carrying out any operations on the information or data, such as disclosing it or making it available). Furthermore, by losing these discs HMRC has not processed the data in accordance with the individual’s rights, and it has not been treated securely. The data may also have been transferred to countries outside the European Economic Area without protection.

What action can be taken? Richard Thomas, Information Commissioner, said on 20th November: ‘This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches’. The Information Commissioner’s Office Data Protection Legal Guidance states that the Commissioner is able to serve an enforcement notice upon a data controller (the person responsible for data within an organisation) who has contravened or is contravening any of the Data Protection Principles. Such a notice could require HMRC to ensure there was no repeat of the way in which this data was handled, although it is a little late in the day. However, failure to comply with an enforcement notice is an offence unless the person charged is able to show that they exercised all due diligence to comply with the notice. Theoretically, everyone who suspects they may be affected could make a request for assessment. On receiving a request for assessment, the Commissioner is required to make an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of the Act. 24 million such requests might put the cat amongst the pigeons.

The reality is that there is little the Information Commissioner can do and this makes a mockery of the Act and the office of the Information Commissioner. It would seem we just have to sit back while our personal data travels around the world falling into the hands of crooks and paedophiles whilst Mr. Darling and the senior management team in this government department stand by watching us all hurling abuse at the England manager for a few days before the storm dies down. The effect of this incompetence will last for years, not days. England’s loss to Croatia on the other hand will soon be forgotten should we qualify for the next World Cup.

Danny Bernardi’s blog, From Under the Rotunda is at: