Data Protection Bill

Written evidence submitted by Robin Makin (DPB36)

1. The Government indicated that it will be ‘strengthening the law’. [1] In the 2nd reading of the Bill in the House of Commons on 05.03.2018 the Secretary of State stated: "data belongs to citizens even when it is held by others - and sets new standards for protecting data while giving new rights to remove or delete it. Everyone will have the right to make sure that the data held about them is fair and accurate, and held in a way that aligns with rigorous principles."

2. However, the law will be weakened by abolishing the notification regime under the Data Protection Act 1998, and with it the sanctions that currently apply to all Data Controllers who are required to notify but fail to do so.

3. When the Bill leading to the Data Protection Act 1998 was introduced into Parliament the drafting instructions to Parliamentary Counsel were as follows:

‘We regard it as essential that there be a clear sanction for failure to make a mandatory notification; the obligation to notify is itself a cornerstone of the notification regime and we wish to place a distinct onus on controllers to take responsibility for ascertaining and discharging their obligations in this respect’.

4. There is a continuing need for Data Controllers to pay fees to fund the ICO. Any proposed new fee regime – currently set out in clauses 137 and 138 – is going to be more unwieldy and is not going to be as effective and enforceable as maintaining something akin to the current registration regime. There will have to be a register with information to enable fees to be collected, and so the issue is really one about the sanctions and consequences of not paying the fees required. In essence, are they to be weakened, reducing Data Controllers' compliance with their notification obligations to less than that required for TV licences?

5. Furthermore, the current proposals will mean that it will be more expensive for Data Controllers. The current fee for most is £35 (and for some large organisations is £500) and would be less if most Data Controllers actually notified. The Government's proposal is to increase the fees, with three tiers:

Tier 1: £40

Tier 2: £60

Tier 3: £2,900

https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf

6. Data Controllers who have not complied will have even less incentive to do so, as there will not be sanctions akin to those of the current notification regime. Since so many Data Controllers have not known to notify under the current mandatory notification regime, they are unlikely to comply with other Data Protection obligations, including those imposed by the incorporation of the GDPR.

7. Comments posted on the ICO website in response to proposals for ICO fees [ https://iconewsblog.org.uk/2017/10/05/ico-fee-and-registration-changes-next-year ] included:

(a) Simon Ghent says: October 5, 2017 at 2:07 pm

"416,000 on the database. Over 5 million businesses. Would you call that a success or failure?

How many successful cases did the ICO bring for not paying the £35 fee in the last financial year? Is the new fee structure designed for mass non-compliance like the current one? When the ICO struggles with enforcing the DPA, PECR etc effectively what is to make us believe that you will enforce the new "fee" structure from April?"

(b) Drew Faulkner says: November 1, 2017 at 4:29 pm

"… Getting concrete advice from the ICO is incredibly hard work – it’s invariably procrastination by default, with vague suggestions of advice being available in the future, and good luck with planning to be compliant with that advice…"

8. Although under the GDPR there is no mandatory obligation to require notification, Article 57.3 seems to imply that notification under the data protection impact assessment regime might be performed for a fee.

9. Accordingly, there does not appear to be anything stopping the UK from maintaining a register, charging those who do not have a data protection officer for being on the register, and maintaining the offence of processing personal data unless registered. Indeed, following Brexit, the UK will have complete sovereignty over data protection in the UK.

10. The current regime provides (albeit currently almost completely unenforced [2]) great protection because:

(a) Under the Data Protection Act 1998 (‘DPA’) it is an offence under Section 21(1) to contravene section 17(1). [3]

(b) The Proceeds of Crime Act 2002 (‘POCA’) makes the proceeds of unlawfully processing personal data criminal property. [4]

(c) If the processing of the data is unlawful (because those so processing are not registered with the ICO) then regulated persons and others should not be involved in matters connected with it. Potentially, any benefit is caught. [5]

11. In October 2009 the Information Commissioner’s Office (‘ICO’) adopted a new mission statement. [6] However, the most fundamental compliance obligation on Data Controllers, notification, has been ignored.

12. Revenue from notification fees has not been collected. The amount lost to the public purse appears to be colossal. Yet whatever concerns have been raised and whatever auditing ought to have occurred has not addressed the problem. Undoubtedly it has been known that this is an ‘elephant in the room’ issue. The lack of action has been and is unfair to law-abiding Data Controllers who pay and have paid the registration/notification fee to the ICO (and seek to comply with their obligations under the Data Protection Act) and to citizens who are entitled to have their information rights upheld (if Data Controllers have not known to notify, then how can they be expected to have complied with the Data Protection Principles?). Furthermore, non-notification deprives the public purse of revenue and brings the upholding of the rule of law into disrepute.

13. The extent of the problem appears to have been, and is, colossal. By way of illustration, there are 5.4 million businesses in the UK [7] and there are many others who are Data Controllers, including public bodies. However, as at the end of 2014/15 there were a mere 409,000 data controllers registered with the ICO. [8] Accordingly, the loss to the public purse from the failure to enforce the notification fee regime under the Data Protection Act is likely to have been in excess of £1 billion. This may even be a conservative estimate, as the Act has been in force for approaching 20 years: if there have been just 2 million who have not notified for 20 years and were due to pay £35 per year for each of those years, the amount of revenue would have been £1.4 billion – a truly staggering amount of lost revenue.

14. It is understood that one major reason why the ICO have been reluctant to ensure that all Data Controllers who ought to notify do so is that there has been no financial incentive for the ICO to do so.

15. The ICO appears to have been hampered in its work because of its funding model. In respect of data protection work, it is understood that a budget is agreed for the following financial year (April to March) and, if the ICO collect excess income, then subject to some minor allowances the excess has to be remitted to the Consolidated Fund. In short, there is no incentive for the ICO to collect all registration/notification fee income due, and it does not do so. Furthermore, there is no incentive to prosecute, as to do so would only involve the ICO in work whose costs would have to be met out of the limited budget.

16. The ICO and the sponsoring Government Department (now the DDCMS and formerly the MoJ) are understood to have been well aware of the situation, and yet nothing has been done about it. [9] One question is why? Indeed, it has been thought, and a view has been expressed to me by a Member of Parliament, that there is some desire for the ICO not to be effective and enforce the law.

17. The fee income paid by Data Controllers to the ICO ought to be retained in its entirety by the ICO and used for data protection. The existing problem of the Government dictating the resources of the ICO should not be perpetuated. However, such appears to be the intention of the Bill. See Schedule 12 paragraphs 9 and 10.

18. Although the ICO indicates in its evidence to the Committee that the Commissioner "upholds information rights in the public interest, … The Commissioner does this by … taking appropriate action where the law is broken."

https://publications.parliament.uk/pa/cm201719/cmpublic/dataprotection/memo/dpb05.htm

19. The lack of desire on the part of the ICO to enforce the law is of major concern. With regard to an ongoing Police investigation into offences including breaches of the notification regime, the ICO were reluctant to co-operate with the Police, and the Government had to be contacted to facilitate some co-operation by the ICO with the Police. However, even that has still not resulted in progress being made!

20. By way of contrast, the BBC makes sure that it collects all the fee income due to it, and those who do not pay the licence fee are prosecuted. Indeed, the admirable review by David Perry QC, the TV Licence Fee Enforcement Review presented to the Houses of Parliament pursuant to section 77 of the Deregulation Act 2015 in July 2015, sets out extremely well why the criminal law assists in collecting fees.

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/445212/166926_Perry_Review_Text-L-PB.pdf

21. The issue of the ICO’s lack of enforcement is no reason to abolish the existing law. Retaining and indeed strengthening the law would result in notification fees being collected and considerable extra funds being available for the ICO, assuming that the ICO are allowed to keep the fee income from Data Controllers. If this occurs then the ICO will be able to provide further training and guidance, and those seeking to adhere to their data protection obligations will not have to pay for courses provided by external advisers, such as currently proliferate, because the ICO will have the resources to provide everything required, as almost everyone, and not just the minority, will be paying their share.

22. Collecting a smaller amount of income from every data controller by maintaining a register is the obvious way forward. The register will hold the minimum information needed to collect from all Data Controllers the relevant fee necessary to fund the ICO effectively in its Data Protection activities. Maintaining the basis of the current law is essential to effective compliance with and enforcement of the law. It will maintain the critical cornerstone of putting the onus on Data Controllers to adhere to their obligations and ensure that, if they do not, there will not only be sanctions but the ICO will also have the funds to enforce compliance.

23. A suggested clause – in place of clauses 137 and 138 – is as follows:

Registration by data controllers

Preliminary.

(1) In this Part "the registrable particulars", in relation to a data controller, means-

(a) his name and address;

(b) if he has nominated a representative for the purposes of this Act, the name and address of the representative; and

(c) the principal activity or activities undertaken by the data controller as set out by the registration regulations.

(2) In this Part-

"fees regulations" means regulations made by the Secretary of State;

"registration regulations" means regulations made by the Secretary of State under the other provisions of this Part;

"prescribed" except where used in relation to fees regulations, means prescribed by the registration regulations.

(3) For the purposes of this Part, so far as it relates to the addresses of data controllers-

(a) the address of a registered company is that of its registered office, and

(b) the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

Register of Data Controllers.

(4) The Commissioner shall-

(a) maintain a register of persons who have given registrable particulars, and

(b) make an entry in the register in pursuance of each notification of registrable particulars received from each data controller; and

(c) ensure that the register is updated on each working day and that the record of the register on each occasion it is updated is permanently maintained.

(5) Registration by a data controller is to be treated for the purposes of the registration obligation as having been made in the register on the date that the registrable particulars and payment of such registration fee or fees have been deemed to be received by the Commissioner as follows:

(i) By personal delivery to the office of the Commissioner - on the date of delivery

(ii) By First class post, document exchange or other service which provides for delivery on the next business day - Date of posting, or leaving with, delivering to or collection by the relevant service provider.

(iii) By fax – the date of completion of the transmission.

(iv) Other electronic method - Date of sending the e-mail or other electronic transmission.

(6) No entry shall be retained in the register for more than the relevant time except on payment of such fee as may be prescribed by fees regulations.

(7) In subsection (6) "the relevant time" means twelve months.

(8) The Commissioner-

(a) shall provide facilities for making the information contained in the entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge.

Duty to notify changes

(9) The registration regulations shall include provision imposing on every person in respect of whom an entry as a data controller is for the time being included in the register maintained by the Commissioner a duty to notify the Commissioner of any changes to the registrable particulars as soon as reasonably practicable and in any event within 21 days of such changes occurring.

Offences

(10) Any person who fails to comply with the duty imposed by the registration regulations is guilty of an offence.

(11) A person who is guilty of an offence under subsection (1) is liable-

(a) on summary conviction, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both), and

(b) on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

March 2018


[1] Press release of 07.08.2017 https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law

[2] Notwithstanding this, the current Information Commissioner, Elizabeth Denham, is reported as saying in a press release issued by the Government on 22.03.2016: "The Information Commissioner’s Office has a global reputation for practical, innovative and responsive regulation"

[3] "Prohibition on processing without registration. (1) Subject to the following provisions of this section, personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the Commissioner under section 19 (or is treated by notification regulations made by virtue of section 19(3) as being so included)."

[4] Criminal conduct is conduct which-

(a) constitutes an offence in any part of the United Kingdom, or

(b) would constitute an offence in any part of the United Kingdom if it occurred there.

Property is criminal property if-

(a) it constitutes a person’s benefit from criminal conduct or it represents such a benefit (in whole or part and whether directly or indirectly), and

(b) the alleged offender knows or suspects that it constitutes or represents such a benefit.

(c) Part 7 of POCA provides for various money laundering offences. A person commits an offence if he or she:

• conceals, disguises, converts or transfers criminal property or removes it from England and Wales or Scotland or Northern Ireland;

• enters into or becomes concerned in an arrangement which he or she knows or suspects facilitates the acquisition, retention, use or control of criminal property;

• acquires, uses or has possession of criminal property.

(d) Part 7 of POCA requires financial institutions and businesses in the regulated sector to report to the UK Financial Intelligence Unit, which is part of the NCA, any suspicions about criminal property or money laundering. Even if a person is not in the regulated sector they must report any suspicions if they come across any suspicious activity through their trade, business or profession.

[5] Section 329(1): A person commits an offence if he-

(a) acquires criminal property;

(b) uses criminal property;

(c) has possession of criminal property.

(f) Section 329(3)(c) of POCA provides:

"For the purposes of this section-

(c) the provision by a person of goods or services which he knows or suspects may help another to carry out criminal conduct is not consideration."

(g) The Court of Appeal decided that where a person derives a financial benefit from a criminal offence, even if the underlying activity is otherwise lawful, the benefit constitutes criminal property: [2007] 1 WLR 2262.

Section 328(1) of POCA provides:

"A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person."

[6] "The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

[7] See press release issued by Department for Business, Innovation & Skills on 14.10.2015

[8] The 409,000 data controllers generated income of £17,519,000 for the ICO. A huge amount, many times what is collected, is not collected; in consequence the Data Protection Act is not upheld as it ought to be. Monies collected for the purposes of Data Protection have been remitted to the Consolidated Fund rather than used for the purposes they were collected for. In previous years there have been remissions to the Consolidated Fund of over £2 million, as follows:

Year       Collected by ICO    Remitted to the Consolidated Fund

2013/14    £16,528,000         £781,000

2012/13    £16,055,000         £359,000

2011/12    £15,484,000         £446,000

2010/11    £14,965,000         £505,000

[9] As the MoJ’s record with regard to compliance with the Data Protection Act is poor [the MoJ is understood to be the only Data Controller to have had two Civil Monetary Penalties imposed on it by the ICO, and appears to have had more concerns raised about it than any other organisation], the issue is whether it is in fact committed to the effective enforcement of the DPA.

 

Prepared 15th March 2018