
By Sarah Left
Published: 14 August 2000 00:30 BST
The Data Protection Commissioner (DPC) lacks the resources and political weight to enforce the Data Protection Act (DPA).
The attack is in response to high-profile security breaches at Barclays and Powergen over the last month, which left industry watchers convinced that the DPC is lacking both the staff and expertise to investigate and fine companies which breach data protection laws.
Caspar Bowden, the director of the Foundation for Information Policy Research, said: "They are hopelessly under-resourced. If they are not careful one of these incidents could seriously backfire."
Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties, echoed Bowden's comments. He said: "Enforcement has always been a problem with the DPA."
Akdeniz added: "Elizabeth France [the Data Protection Commissioner] has limited resources and that's why her department is not doing enough."
Martin Brampton, operations director at Bloor Research, said: "I'm sceptical about the capabilities of the Data Protection office for the simple reason that they don't seem to be able to stop faxes going to people who don't want to receive faxes. That goes on month after month and they take no action. So how they're going to pursue the much more complex issues involved in IT, I don't know."
The DPC's 1999/2000 annual report noted a 36 per cent rise over the previous year in the number of complaints it was asked to investigate. The report stated that the complaints have placed "a huge burden on compliance staff. Unfortunately, but understandably, this has led to substantial backlogs".
In order to prosecute a company for breaking one of the eight data protection principles, the DPC needs to issue a formal enforcement notice first. Then, on the next offence, the DPC can prosecute.
Phil Jones, assistant Data Protection Commissioner, said: "The issuing of formal enforcement notices is a very detailed legal procedure and very time-consuming. We can fine a company up to £5,000 in a magistrates' court, or if they elect to be heard in a county court, the fine is unlimited. But it will cost companies a lot more than £5,000 in bad publicity."
The largest fine imposed by the Commissioner in 1999 was for £3,500, though none of last year's 130 convictions had to do with ecommerce security.
Anthony Reim, partner with UK law firm Philippsohn, Crawfords Berwald, said: "The Act could provide much needed protection if enforced and if it were seen to be enforced.
"However, the DPC needs sufficient resources in order to tackle the problem. If faced with the realistic possibility of a substantial fine, perhaps linked to losses suffered, businesses would have to give serious consideration to the security measures they take to protect the personal data of consumers. We need to see effective enforcement of the Act as a warning to others."
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.