WIREDGOV

The Information Commissioner’s Office (ICO) has today responded to the
Ministry of Justice’s (MoJ) call for evidence on the current data protection
legislative framework. The ICO has highlighted the key features it would
expect to see in any revised framework and welcomes the MoJ’s
recognition of the potential for changes. The ICO supports the review and
believes that there needs to be a common sense and modern day
approach to data protection.

The ICO has pointed out that although the current data protection
principles are sound, the law needs to provide more clarity for individuals
and for businesses. In particular the privacy watchdog wants more clarity
on the scope of the law including what constitutes personal data.
The law must be clearer on when consent is required to use personal
information and adopt a more pragmatic approach to the regulation of
international data flows. The allocation of responsibilities amongst those
handling personal data also needs to reflect the changing nature of
modern day business relationships

The ICO believes there needs to be better coordination between freedom
of information law and an appreciation that individual’s rights need to be
updated to bring them in line with the capabilities of modern technology.

David Smith, Deputy Commissioner and Director of Data
Protection at the ICO, said: "The ICO has welcomed the MoJ’s call for
evidence on the current framework. We have no doubt that this
framework, which includes the UK Data Protection Act and the EU Data
Protection Directive, can be improved so that the law is more effective in
practice. We need to ensure that people have real protection for their
personal information, not just protection on paper and that we are not
distracted by arguments over interpretations of the Data Protection Act.”

A full copy of the ICO’s response to the MoJ’s call for evidence can be
viewed here:

http://www.ico.gov.uk/upload/documents/library/data_protection/notices
/response_to_moj_dpframework.pdf.

If you need more information, please contact the ICO press office on 0303
123 9070 or visit the website at: www.ico.gov.uk

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public
interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the
Freedom of Information Act 2000, Environmental Information Regulations 2004
and Privacy and Electronic Communications Regulations 2003.

3. For more information about the Information Commissioner’s Office subscribe to
our e-newsletter at www.ico.gov.uk. Alternatively, you can find us on Twitter at
www.twitter.com/ICOnews.

 4. In 2009 the ICO published a report by the RAND Corporation to start the debate
about further safeguarding people’s privacy rights across Europe. A full copy of
the report can be viewed here:

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specia
list_guides/review_of_eu_dp_directive.pdf

5. Anyone who processes personal information must comply with eight principles,
which make sure that personal information is:

.  Fairly and lawfully processed 
.  Processed for limited purposes 
.  Adequate, relevant and not excessive 
.  Accurate and up to date 
.  Not kept for longer than is necessary 
.  Processed in line with your rights 
.  Secure 
.  Not transferred to other countries without adequate protection

6. The Data Protection Act (1998) does not cover the acts of interception of
communications or ‘hacking’ of personal information. The interception of
communications falls under the Regulation of Investigatory Powers Act (2000)
which is regulated by the Interception of Communications Commissioner.

7. The ICO has legal powers to ensure that organisations comply with the
requirements of the Data Protection Act. In using its regulatory powers, the ICO
considers the nature and severity of the breach which has occurred. Dependent
on circumstances, the powers the ICO has at its disposal include:

.  serving information notices requiring organisations to provide the ICO with
specified information within a certain time period;

.  serving enforcement notices requiring organisations to take specified steps
in order to ensure they comply with the law; 

.  issuing monetary penalties of up to £500,000 for serious breaches of the
Data Protection Act; 

.  conducting audits to assess whether organisations are processing personal
data in accordance with good practice; 

.  reporting to Parliament on data protection issues of concern;

.  prosecuting those who commit criminal offences under the Act. The ICO
prosecutes individuals and organisations for specific breaches of the Act
such as the illegal trading of personal data and non-notification.