ENFORCEMENT BY THE INFORMATION COMMISSIONER

The Information Commissioner is the UK’s national supervisory authority as required by Article 28 of the Data Protection Directive and as such is responsible for enforcement of the DPA. According to the DPA the Information Commissioner has the following enforcement powers:

  • to carry out assessments, which is exercisable only after the Information Commissioner has received a request from another person, meaning that the Information Commissioner may not carry out an assessment of their own volition;

  • to serve information notices, special information notices and enforcement notices;

  • to inspect premises and seize property;

  • to commence court proceedings;

  • to issue authorizations for transborder data flows.

The Information Commissioner has other powers, which are found outside the DPA. The Commissioner can require a credit reference agency to publish a notice of correction on an inaccurate credit file under section 159 of the Consumer Credit Act 1974. They can apply for an injunction under the Unfair Terms in Consumer Contracts Regulations 1999, to prevent the continued use of an unfair contract term. They can also serve an enforcement order under section 213 of the Enterprise Act 2002, requiring a person to cease conduct harmful to consumers.

The Information Commissioner’s enforcement strategy

In November 2005 the Information Commissioner announced an enforcement strategy at the 2005 Annual Conference of the National Association of Data Protection and Freedom of Information Officers, with the launch of a document entitled ‘A Strategy for Data Protection Regulatory Action’.[170] This document shows that the Information Commissioner will not wait for a complaint from a data subject before taking action. In respect of the triggers to an investigation the Information Commissioner says:

The initial drivers will usually be:

  • issues of general public concern (including those raised in the media);

  • concerns that arise because of the novel or intrusive nature of particular activities;

  • concerns raised with us in complaints that we receive;

  • concerns that become apparent through our other activities.


The new enforcement strategy identifies the types of situations where enforcement action will be likely and unlikely. These are:

Likely (especially after warning):

  • Repeated failure to take adequate security measures.

  • Collecting and retaining detailed or sensitive personal information on a ‘just in case’ basis.

  • Inaccurate or long out-dated information which impacts on career prospects.

  • Seriously intrusive marketing – e.g. repeated failure to observe Telephone Preference Service requirements.

  • ‘Professional’ breaches of Section 55 (unlawful obtaining) e.g. by private investigation agencies.

  • Failure to notify despite reminders.

  • Denial of subject access where it is reasonable to suppose significant information is held.


Unlikely:

  • ‘Accidental’ non-compliance with the Data Protection Principles – which is recognised and where effective remedial action is swiftly taken.

  • Single non-criminal breaches by small businesses caused by ignorance of requirements.

  • Non-compliance which is not particularly intrusive and has not caused significant detriment – e.g. a single mail shot.

  • Non-compliance where other pressures – e.g. damage to reputation – may be swifter and more effective than action by a regulator.

  • Business vs. business disputes where there is no detriment to customers.

  • ‘Domestic’ breaches of Section 55 (unlawful obtaining) e.g. feuding spouses or work colleagues – except where a significant abuse of trust is involved.


The enforcement strategy is supported by a Regulatory Action Division. The launch of this new division was announced by a press release on 15 June 2005.[171] This division is assisted by a team of investigators and a team of lawyers.

In 2005 the Information Commissioner also issued a series of statements that reveal more information about the enforcement strategy. These show that landlords, private detectives, solicitors and accountants are receiving special attention. For professionals, solicitors,[172] accountants and others, the message seems to be that notification offences will not be ignored. Private detectives need to be very concerned about unlawful obtaining of personal data in breach of section 55 of the DPA.

The Information Commissioner’s annual reports to Parliament, required by section 52 of the DPA, also contain very useful information about recent and current regulatory trends. For example in 2005 there were 12 successful prosecutions, eight under section 55 and four under section 21 of the DPA. The largest fine in 2005 was £2,500, with £3,000 costs. The 2004 Annual Report reveals seven successful prosecutions, all under section 55 of the DPA. The largest fine was £10,000, with £5,000 costs. The 2003 Annual Report reveals nine convictions, with most of them being under the Data Protection Act 1984. The convictions under the DPA were mainly for breach of section 55.[173]

Assessments

Assessments at the request of the data subject are governed by section 42 of the DPA. In addition to these powers the Information Commissioner may also, with the data controller’s consent, assess a data controller’s processing for ‘the following of good practice’. This power is contained in section 51(7) of the DPA.

Information and enforcement notices

The rules governing information and enforcement notices are contained in Part V of the DPA, which is titled ‘Enforcement’. The Information Commissioner may serve an enforcement notice under section 40 of the DPA where they are satisfied that a data controller has contravened, or is contravening, any of the data protection principles. An information notice under section 41 of the DPA can be served after the Information Commissioner has received a request for an assessment under section 42 of the DPA or where the Information Commissioner reasonably requires any information for the purposes of determining whether the data controller has complied with or is complying with the data protection principles. A special information notice may be served under section 43 of the DPA, again after receipt of a request for an assessment, or when a court claim has been stayed under section 32 of the DPA.

The Information Commissioner may use information notices and enforcement notices in conjunction with one another. For example, an information notice might be used to acquire information that leads the Information Commissioner to conclude that one or more of the data protection principles have been contravened. If this is the case, the information notice might be followed by an enforcement notice. However, it is important to understand that the service of an information notice is not a mandatory prerequisite to the service of an enforcement notice; an enforcement notice can be served without a preceding information notice.

Enforcement notices

Section 40(1) of the DPA says that the Information Commissioner may only serve an enforcement notice where they are satisfied that the data controller has contravened, or is contravening, any of the data protection principles. Of course, the Information Commissioner will need reliable evidence before they can come to the conclusion that the data controller has failed to comply with the DPA, which may come from the data subject or another person or in response to an information notice or in exercise of a search warrant. If the Information Commissioner does not have sufficient evidence to justify an enforcement notice, the data controller can expect to have it cancelled.

A very important consideration for the Information Commissioner is whether the contravention complained of has caused, or is likely to cause, any person damage or distress, which echoes the court's responsibility in applications brought under section 10 of the DPA. The suffering of damage or distress is clearly an aggravating factor and in serious cases it is inevitable that the Information Commissioner will act.

The essence of an enforcement notice is that it requires the data controller to do things, or stop doing things, which may include stopping processing. Thus, where an enforcement notice requires the data controller to do something, or not do something, it will either ask the data controller to take ‘specified steps’, or to refrain from taking specified steps. Thus, if the notice does not specify the steps to be taken, or not to be taken, it will be invalid.

The notice must state the time for compliance in that it must provide a deadline for when the data controller is required to refrain from taking steps. Where an enforcement notice tells the data controller to refrain from processing, it must also make it clear whether the prohibition against processing relates only to a specific purpose or only to processing done in a specific manner. Again, the time for compliance must be clear.

An enforcement notice must give the data controller sufficient information about the Information Commissioner’s reasoning behind their conclusion that there has been a contravention of the data protection principles. The notice must identify the data protection principles alleged to have been contravened and it must include the Information Commissioner’s reasons.

Unless the case is one of urgency, the time for compliance with an enforcement notice cannot be less than 28 days calculated from the date on which the notice was served on, or given to, the data controller. This period is specified in the Information Tribunal (Enforcement Appeals) Rules 2000[174] and it constitutes the time period for bringing an appeal against a notice. If the Information Commissioner considers that the case is one of urgency and that a shorter deadline is required, the enforcement notice must state this, giving the Information Commissioner’s reasons. However, the deadline for compliance with an enforcement notice cannot be less than seven days beginning with the day on which the notice is served.

Enforcement notices and inaccurate data

An enforcement notice may require a data controller to rectify, block, erase or destroy inaccurate data and any other data that contains an expression of opinion that appears to the Information Commissioner to be based on inaccurate data. This power complements the court's powers under section 14 of the DPA.

If personal data are inaccurate, the Information Commissioner also needs to consider whether the data controller has accurately recorded inaccurate data provided by the data subject or a third party (it will be recalled that this scenario is also addressed by section 14 of the DPA and by the interpretation to the fourth data protection principle). If the data controller has accurately recorded inaccurate information, the Information Commissioner has two options. First, the enforcement notice may require the data controller to rectify, block, erase or destroy the inaccurate data and any related opinion. Second, the enforcement notice may require the data controller to take the steps required by the interpretation to the fourth data protection principle and additionally, if the Information Commissioner thinks fit, it may require the data controller to supplement the inaccurate data with a statement of the true facts approved by the Information Commissioner.

The steps that are required by the interpretation to the fourth data protection principle are discussed in Chapter 3, but to recap, the data controller must take reasonable steps to ensure the accuracy of data received from the data subject or a third party and must ensure that if the data subject notifies it of an inaccuracy, that the data indicate this fact.

Finally, in cases of inaccuracy the enforcement notice may require the data controller to notify third parties to whom the data have been disclosed that the data have been rectified, blocked, erased or destroyed. Such a requirement may only be imposed where it is reasonably practicable to require the data controller to notify third parties and in considering whether it is reasonably practicable the Information Commissioner will have regard to the number of third parties to be notified.

Cancellation and variation of enforcement notices

Section 41 of the DPA prescribes the circumstances in which the Information Commissioner may cancel or vary an enforcement notice. In summary, the Information Commissioner may cancel or vary an enforcement notice if they consider that all or any of its provisions need not be complied with in order to ensure compliance with the data protection principles concerned. In these circumstances the enforcement notice may be cancelled or varied by the Information Commissioner giving written notice to the person on whom the enforcement notice was served.

Under section 41(2) of the DPA a data controller may apply to the Information Commissioner to have an enforcement notice cancelled or varied on the grounds that there has been a change in circumstances resulting in it not being necessary to comply with the notice fully or in part in order to ensure compliance with the data protection principles concerned. A request under these powers must be made in writing and only after expiry of the time for bringing an appeal, which is 28 days, calculated from the date on which the enforcement notice was served on, or given to, the data controller.

The power to cancel or vary does not apply to information notices or special information notices.

Information notices and special information notices

Information notices and special information notices are discussed in Chapter 2 of this book.

Appeals to the Information Tribunal

Section 48 of the DPA is concerned with appeals against enforcement notices and both kinds of information notice. Appeals against these notices are made to the Information Tribunal.

In addition to an appeal against the service of a notice, or as an alternative, a data controller may appeal to the Information Tribunal under section 48(2), against the refusal by the Information Commissioner to vary or cancel an enforcement notice following a request under section 41(2) of the DPA. An appeal can also be made under section 48(3), against the abridgement of time for compliance with a notice (in cases of urgency the Information Commissioner may reduce the 28-day time period for compliance with a notice to seven days). Finally, under section 48(4) a data controller may appeal a determination made by the Information Commissioner under section 45 that the processing is not for, or not only for, the special purposes or is not with a view to the publication of previously unpublished journalistic, literary or artistic material.

Orders that the Information Tribunal may make

Where the data controller makes an appeal against the service of a notice the Information Tribunal is required by section 49(1) of the DPA to address two considerations. First, it needs to consider whether the notice is in accordance with the law. This will require the Information Tribunal to examine whether the notice is properly served and whether it contains the correct information. Second, the Tribunal needs to consider whether the Information Commissioner ought to have exercised their discretion to serve a notice differently. When considering these matters the Information Tribunal is entitled to review determinations of fact upon which the notice was based.

If the Tribunal is satisfied that the notice is not in accordance with the law, or that the Information Commissioner should have exercised their discretion differently, it has two options. First, it can allow the appeal, which will result in the cancellation of the notice. Second, it may substitute the notice or the Information Commissioner's decision with a different notice or decision, provided that it is one that the Information Commissioner could have made. If the Tribunal is not satisfied that the notice is not in accordance with the law, or that the Information Commissioner should have exercised their discretion differently, it must dismiss the appeal.

Where an appeal is brought against the Information Commissioner's refusal to cancel or vary an enforcement notice the Information Tribunal may cancel it, or vary it, where it considers that it ‘ought’ to do so.

Where an appeal is brought against the Information Commissioner's decision to shorten the time for compliance with a notice the Tribunal may direct that the notice will have effect as if it did not contain the abridgement of time or that the abridgement of time will not have effect in relation to specific parts of the notice.

Where an appeal is brought against the Information Commissioner's decision that the processing is not for the special purposes, or is not done with a view to the publication of previously unpublished journalistic, literary or artistic material, the Information Tribunal may cancel the Information Commissioner's decision.

Appeals from the Information Tribunal

If the data controller is still dissatisfied after the Information Tribunal has given its decision, it may appeal to the court. In England, Wales and Northern Ireland the appeal lies to the High Court of Justice. In Scotland the appeal lies to the Court of Session. Appeals from the Information Tribunal can only be brought on a point of law by the data controller or the Information Commissioner.

Failure to comply with a notice

Section 47 of the DPA makes it a criminal offence to fail to comply with an enforcement notice, an information notice or a special information notice. The only defence that is available is that the data controller exercised all due diligence to comply. Of course, the data controller bears the burden of proof on the defence.

It is also an offence to make a false statement in purported compliance with an information notice or a special information notice. The offence is committed where the data controller knows that the statement is false, or is reckless as to the truth.

The power to enter and seize

Section 50 of the DPA gives the Information Commissioner the power to enter premises where they consider that there has been a breach of the data protection principles, or where they consider that an offence has been committed. The power is described in detail in Schedule 9 of the DPA.

The need for a warrant

The Information Commissioner may only enter premises where they have obtained a warrant from a judge. A judge will only issue a warrant if the Information Commissioner provides information that satisfies the judge that:

  • There are reasonable grounds to suspect either: (i) that a data controller has contravened, or is contravening, any of the data protection principles; or (ii) that an offence under the DPA has been committed. The Information Commissioner must provide their evidence on oath.

  • Evidence of the contravention or the offence will be found on the premises that the Information Commissioner wishes to enter.

It is important to note that execution of warrants is not confined to premises owned by the data controller or under the data controller's control. They can be directed to any premises, provided that the Information Commissioner overcomes the hurdle of satisfying the court that evidence will be found on the premises concerned.

If the court is satisfied that a warrant should be granted, it will draw up a document, the warrant itself, which will be taken by the Information Commissioner’s officers to the premises concerned when they go to ‘execute’ the warrant.

Warrants and prior warning

The court will not grant a warrant if the Information Commissioner has not given the occupier seven days’ written notice demanding access to the premises. If the Information Commissioner has given the required notice, the court will not grant a warrant unless:

  • The demand for access has been unreasonably refused or, if access was granted, the occupier unreasonably refused to allow the Information Commissioner to do any of the things that can be authorized by a warrant granted by the court.

  • After the refusal the Information Commissioner has notified the occupier of their intention to seek a warrant and the occupier has been given an opportunity to make representations to the court.

This rule does not apply in cases of urgency, however, or where written notice would defeat the purpose of the warrant, perhaps through the destruction or concealment of evidence.

Things authorized to be done by a warrant

A warrant allows the Information Commissioner’s officers to do the following things:

  • Enter the premises identified in the warrant.

  • Search the premises.

  • Inspect, examine, operate or test any equipment found on the premises that is used, or intended to be used, to process personal data. Occupiers who are subject to a search can therefore expect their computers to be accessed by the officers.

  • Seize any documents or other material found on the premises that may be evidence of a contravention of the principles or the commission of an offence.

The warrant entitles the Information Commissioner to do these things at any time within seven days of the date of the warrant. If the Information Commissioner fails to act upon the warrant, it will expire. The Information Commissioner must return all warrants to the court after they have been executed, or after they have expired.

Execution of warrants

The warrant must be executed at a reasonable hour, unless that would mean that evidence would not be found, in which case the warrant may be executed at any time, such as in the middle of the night when the occupier is unprepared. The occupier must be shown the warrant when it is executed and be given a copy of it, unless they are not present at the time, in which case a copy of the warrant must be left at the premises.

The person executing the warrant is entitled to use reasonable force, if this is necessary. Indeed, it is an offence for anyone to obstruct the execution of a warrant or to fail without reasonable excuse to give assistance to the person executing it.

If anything is seized during execution, the occupier is entitled to a receipt, but only if they ask for one. Items that are seized may be kept by the Information Commissioner for as long as is necessary, but the occupier is entitled to copies of documents seized if they ask for copies before the officers leave, subject to the proviso that if the person executing the warrant considers that providing copies would cause undue delay during execution they need not provide copies.

Exemptions

The powers conferred by a warrant are not exercisable in respect of personal data to which the national security exemption in section 28 of the DPA applies, nor are they exercisable in respect of communications between a professional legal adviser and their client in connection with the giving of legal advice about the client’s obligations, liabilities and rights under the DPA, or in connection with any legal proceedings concerned with the DPA.

If the occupier objects to inspection or seizure of any material on the grounds that either of these exemptions applies, the person exercising the warrant is entitled to request a copy of the material with the controversial parts removed.
