Data Protection Bill

Further written evidence submitted by Robin Makin (DPB38)

1. This evidence relates to Part 4 Chapter 4. It should be read in conjunction with my first evidence submission dated 14.03.2018 regarding the notification regime required of Data Controllers.

2. For the reasons set out in the first evidence it is contended that after Clause 101 and before Clause 102 there is set out the proposed Clause:

Suggested Clause

Registration by data controllers

Preliminary.

(1) In this Part "the registrable particulars", in relation to a data controller, means-

(a) his name and address;

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative; and

(c) the principal activity or activities undertaken by the data controller as set out by the registration regulations.

(2) In this Part-

"fees regulations" means regulations made by the Secretary of State;

"registration regulations" means regulations made by the Secretary of State under the other provisions of this Part;

"prescribed" except where used in relation to fees regulations, means prescribed by the registration regulations.

(3) For the purposes of this Part, so far as it relates to the addresses of data controllers-

(a) the address of a registered company is that of its registered office, and

(b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

Register of Data Controllers.

(4) The Commissioner shall-

(a) maintain a register of persons who have given registrable particulars, and

(b) make an entry in the register in pursuance of each notification of registrable particulars received from each data controller

(c) the register shall be updated on each working day and the record of the register on each occasion it is updated shall be permanently maintained

(5) Registration by a data controller is to be treated for the purposes of the registration obligation as having been made in the register on the date that the registrable particulars and payment of such registration fee or fees have been deemed to be received by the Commissioner as follows:

(i) By personal delivery to the office of the Commissioner - on the date of delivery

(ii) By First class post, document exchange or other service which provides for delivery on the next business day - Date of posting, or leaving with, delivering to or collection by the relevant service provider.

(iii) By fax – the date of completion of the transmission.

(iv) Other electronic method - Date of sending the e-mail or other electronic transmission.

(6) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(7) In subsection (6) "the relevant time" means twelve months.

(8) The Commissioner-

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge.

Duty to notify changes

(9) The registration regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained by the Commissioner a duty to notify to the Commissioner, of any changes to the registrable particulars as soon as reasonably practicable and in any event within 21 days of such changes occurring.

Offences

(10) Any person who fails to comply with the duty imposed by the registration regulations is guilty of an offence.

(11) A person who is guilty of an offence under subsection (1) is liable-

(a) on summary conviction, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both), and

(b) on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

3. If the suggested Clause is included here then clauses 137 and 138 can be omitted in their entirety.

4. With regard to Clause 108 (Communication of a personal data breach) there needs to be a clear definition of a "serious personal data breach". It is possible that over time what is regarded as a serious personal data breach may change. Accordingly, it is suggested that there be a provision for the definition of serious data breach to be defined in regulations which can then be amended as required.

Suggested amendment to Clause 108 (1)

Replace with

(1) If a controller becomes aware of a serious personal data breach [as defined by Regulation] in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

March 2018

 

Prepared 15th March 2018