New Measures Announced to Help Interpret the UK Data Protection Act
On January 14, UK Information Commissioner Richard Thomas announced a package of measures in response to calls for greater guidance on interpreting the Data Protection Act 1998 (DPA).
These measures include:
- strengthening the Data Protection Helpline to ensure swift assistance for organizations who are concerned about problems interpreting the Data Protection Act
- developing more practical and user-friendly guidance for organizations
- a renewed call for responses to the ICO’s ‘Making Data Protection Simpler’ consultation originally announced in the summer of 2003
- a commitment to plain English in all ICO communications, avoiding wherever possible phrases such as “data subject” and “a Schedule 2 basis for processing”
The announcement explains that organizations will still be expected to seek their own legal advice, check existing ICO guidance and make their own decisions; but that ICO staff will be available to provide guidance where organizations genuinely believe that the results would offend common sense. (Statement from the Information Commissioner, 01/14)
The Data Protection Act was recently cited by police and by British Gas as the reason for two disastrous failures that made headlines.
In December, Humberside police blamed the Act for their failure to keep details of nine separate allegations against Ian Huntley, the convicted murderer of schoolgirls Holly Wells and Jessica Chapman.
Mr Thomas was quoted in The Guardian on January 14 as saying: “It’s for the police to decide what purposes they’re holding information for, and as long as they are holding it for legitimate purposes, such as the investigation or prevention of crime, they can hold information in some cases for a very long time indeed.”
Humberside police had said that the Act required forces to delete information about suspects that had not led to a conviction. However, the Code of Practice for Data Protection, as published by the Association of Chief Police Officers (ACPO) in 1995 – the version of the Code that applied at the relevant time in Huntley’s case – did not say this.
In the case of British Gas, the company disconnected the gas supply to Mr and Mrs Bates because of an unpaid bill. Before it could do this, it had to send a welfare officer to their house. It did so, and Mr and Mrs Bates were offered the chance to be added to a priority list to receive care. They refused to give their consent to this and, many weeks later, were found dead in their home.
In the absence of consent, and because sensitive personal data were involved, the only ground under the Act that would have let British Gas contact others to seek help for Mr and Mrs Bates was that doing so was in their “vital interests”. The weather was temperate and the couple were in reasonable health when the gas supply was cut off – so British Gas said it had no reason to believe the couple were vulnerable.
Commenting on the announcement of the new measures, Mr Thomas said:
“It is ridiculous that organizations should hide behind data protection as a smokescreen for practices which no reasonable person would ever find acceptable….
The initiatives I have announced today will help organizations to comply with data protection principles in sensible ways and stop anyone ever again using data protection as a false excuse for their own shortcomings.” (Out-law.com, 01/14)